diff --git a/.gitignore b/.gitignore
index 573eb37..8ecb471 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/scap-security-guide-0.1.50.tar.bz2
+SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
+SOURCES/scap-security-guide-0.1.54.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index d7de47e..517ac64 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1,2 @@
-1cf4a166c153a96841eb42384c2c76a4dee36919 SOURCES/scap-security-guide-0.1.50.tar.bz2
+b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
+9c53524d1f6741913b19394fad9216f25f3ae05d SOURCES/scap-security-guide-0.1.54.tar.bz2
diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch
index 428ede7..1d82938 100644
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@@ -1,25 +1,24 @@
-From 2dfbfa76867db56ee90f168b478437d916e0cd4e Mon Sep 17 00:00:00 2001
+From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
From: Watson Sato -Date: Fri, 17 Jan 2020 19:01:22 +0100 +Date: Thu, 3 Dec 2020 14:35:47 +0100 Subject: [PATCH] Disable profiles that are not in good shape for RHEL8 -They raise too many errors and fails. -Also disable tables for profiles that are not built. --- - rhel8/CMakeLists.txt | 2 -- - rhel8/profiles/cjis.profile | 2 +- - rhel8/profiles/cui.profile | 2 +- - rhel8/profiles/rhelh-stig.profile | 2 +- - rhel8/profiles/rhelh-vpp.profile | 2 +- - rhel8/profiles/rht-ccp.profile | 2 +- - rhel8/profiles/standard.profile | 2 +- - 9 files changed, 8 insertions(+), 10 deletions(-) + rhel8/CMakeLists.txt | 6 ------ + rhel8/profiles/anssi_bp28_high.profile | 2 +- + rhel8/profiles/cjis.profile | 2 +- + rhel8/profiles/ism_o.profile | 2 +- + rhel8/profiles/rhelh-stig.profile | 2 +- + rhel8/profiles/rhelh-vpp.profile | 2 +- + rhel8/profiles/rht-ccp.profile | 2 +- + rhel8/profiles/standard.profile | 2 +- + 11 files changed, 10 insertions(+), 16 deletions(-) diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt -index 40f2b2b0f..492a8dae1 100644 +index d61689c97..5e444a101 100644 --- a/rhel8/CMakeLists.txt +++ b/rhel8/CMakeLists.txt -@@ -14,9 +14,8 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") +@@ -14,15 +14,9 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis") ssg_build_html_table_by_ref(${PRODUCT} "pcidss") ssg_build_html_table_by_ref(${PRODUCT} "anssi") 
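Review bot: The new version of the embedded patch keeps only the Subject line and drops the body that explained why the profiles are disabled (`They raise too many errors and fails.` / `Also disable tables for profiles that are not built.`), so a reader of the package sources no longer learns the rationale; keep one sentence in the body, e.g. `These profiles raise too many errors and failures when built for RHEL 8, so they are marked documentation_complete: false and their reference tables are not built.` The diffstat in the same hunk lists eight files while the summary line says `11 files changed, 10 insertions(+), 16 deletions(-)`, which does not add up for the entries listed (the previous version had the same mismatch); this looks like the patch file was trimmed by hand, and since neither `git am` nor `patch` checks the stat block it is better regenerated or removed than left misleading.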
@@ -27,28 +26,44 @@ index 40f2b2b0f..492a8dae1 100644 ssg_build_html_nistrefs_table(${PRODUCT} "ospp") ssg_build_html_nistrefs_table(${PRODUCT} "stig") - # Uncomment when anssi profiles are marked documentation_complete: true - #ssg_build_html_anssirefs_table(${PRODUCT} "nt28_minimal") +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal") +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary") +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced") +-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high") +- + ssg_build_html_cce_table(${PRODUCT}) + + ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE}) +diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile +index ccad93d67..6a854378c 100644 +--- a/rhel8/profiles/anssi_bp28_high.profile ++++ b/rhel8/profiles/anssi_bp28_high.profile +@@ -1,4 +1,4 @@ +-documentation_complete: true ++documentation_complete: false + + title: 'ANSSI BP-028 (high)' + diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile -index 05ea9cdd6..9c55ac5b1 100644 +index 035d2705b..c6475f33e 100644 --- a/rhel8/profiles/cjis.profile +++ b/rhel8/profiles/cjis.profile @@ -1,4 +1,4 @@ -documentation_complete: true +documentation_complete: false - title: 'Criminal Justice Information Services (CJIS) Security Policy' - -diff --git a/rhel8/profiles/cui.profile b/rhel8/profiles/cui.profile -index eb62252a4..e8f369708 100644 ---- a/rhel8/profiles/cui.profile -+++ b/rhel8/profiles/cui.profile + metadata: + version: 5.4 +diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile +index a3c427c01..4605dea3b 100644 +--- a/rhel8/profiles/ism_o.profile ++++ b/rhel8/profiles/ism_o.profile @@ -1,4 +1,4 @@ -documentation_complete: true +documentation_complete: false - title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)' - + metadata: + SMEs: 
diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile index 1efca5f44..c3d0b0964 100644 --- a/rhel8/profiles/rhelh-stig.profile @@ -90,5 +105,5 @@ index a63ae2cf3..da669bb84 100644 title: 'Standard System Security Profile for Red Hat Enterprise Linux 8' -- -2.21.1 +2.26.2 diff --git a/SOURCES/remove-ANSSI-high-ks.patch b/SOURCES/remove-ANSSI-high-ks.patch new file mode 100644 index 0000000..5298c70 --- /dev/null +++ b/SOURCES/remove-ANSSI-high-ks.patch 
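Review bot: The new CMakeLists hunk removes all four `ssg_build_html_anssirefs_table(${PRODUCT} "bp28_…")` calls, but only `anssi_bp28_high.profile` is switched to `documentation_complete: false`; if bp28_minimal, bp28_intermediary and bp28_enhanced are still built from this content, their HTML reference tables disappear from the output without the patch saying so. Either keep the three calls and drop only the `ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")` line, or state in the patch body that the ANSSI reference tables are intentionally not built for RHEL 8. The `cui.profile` hunk present in the previous version of this patch is gone, so that profile is no longer disabled here — presumably handled upstream in 0.1.54, but that deserves a sentence in the description. The trailing context of this hunk ends in the `rhelh-stig.profile` file header on this line; the rest of that file's hunk is unchanged context not included in the diff.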
@@ -0,0 +1,187 @@
+From 8e43a6a6432a8cbeb5742771ddbd0856669a7878 Mon Sep 17 00:00:00 2001
+From: Watson Sato
+Date: Wed, 17 Feb 2021 15:36:59 +0100
+Subject: [PATCH] Remove kickstart for profile not shipped
+
+RHEL-8 ANSSI high is not shipped at the momment
+---
+ .../ssg-rhel8-anssi_bp28_high-ks.cfg | 167 ------------------
+ 1 file changed, 167 deletions(-)
+ delete mode 100644 rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+deleted file mode 100644
+index b5c09253a..000000000
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
++++ /dev/null
+@@ -1,167 +0,0 @@
+-# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8
+-# Version: 0.0.1
+-# Date: 2020-12-10
+-#
+-# Based on:
+-# https://pykickstart.readthedocs.io/en/latest/
+-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+-
+-# Specify installation method to use for installation
+-# To use a different one comment out the 'url' one below, update
+-# the selected choice with proper options & un-comment it
+-#
+-# Install from an installation tree on a remote server via FTP or HTTP:
+-# --url the URL to install from
+-#
+-# Example:
+-#
+-# url --url=http://192.168.122.1/image
+-#
+-# Modify concrete URL in the above example appropriately to reflect the actual
+-# environment machine is to be installed in
+-#
+-# Other possible / supported installation methods:
+-# * install from the first CD-ROM/DVD drive on the system:
+-#
+-# cdrom
+-#
+-# * install from a directory of ISO images on a local drive:
+-#
+-# harddrive --partition=hdb2 --dir=/tmp/install-tree
+-#
+-# * install from provided NFS server:
+-#
+-# nfs --server= --dir= [--opts=]
+-#
+-# Set language to use during installation and the default language to use on the installed system (required)
+-lang en_US.UTF-8
+-
+-# Set system keyboard type / layout (required)
+-keyboard us
+-
+-# Configure network information for target system and activate network devices in the installer environment (optional)
+-# --onboot enable device at a boot time
+-# --device device to be activated and / or configured with the network command
+-# --bootproto method to obtain networking configuration for device (default dhcp)
+-# --noipv6 disable IPv6 on this device
+-#
+-# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+-# "--bootproto=static" must be used. For example:
+-# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+-#
+-network --onboot yes --bootproto dhcp --noipv6
+-
+-# Set the system's root password (required)
+-# Plaintext password is: server
+-# Refer to e.g.
+-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+-# to see how to create encrypted password form for different plaintext password
+-rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+-
+-# The selected profile will restrict root login
+-# Add a user that can login and escalate privileges
+-# Plaintext password is: admin123
+-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+-
+-# Configure firewall settings for the system (optional)
+-# --enabled reject incoming connections that are not in response to outbound requests
+-# --ssh allow sshd service through the firewall
+-firewall --enabled --ssh
+-
+-# State of SELinux on the installed system (optional)
+-# Defaults to enforcing
+-selinux --enforcing
+-
+-# Set the system time zone (required)
+-timezone --utc America/New_York
+-
+-# Specify how the bootloader should be installed (required)
+-# Plaintext password is: password
+-# Refer to e.g.
+-# https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+-# to see how to create encrypted password form for different plaintext password
+-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+-
+-# Initialize (format) all disks (optional)
+-zerombr
+-
+-# The following partition layout scheme assumes disk of size 20GB or larger
+-# Modify size of partitions appropriately to reflect actual machine's hardware
+-#
+-# Remove Linux partitions from the system prior to creating new ones (optional)
+-# --linux erase all Linux partitions
+-# --initlabel initialize the disk label to the default based on the underlying architecture
+-clearpart --linux --initlabel
+-
+-# Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+-part pv.01 --grow --size=1
+-
+-# Create a Logical Volume Management (LVM) group (optional)
+-volgroup VolGroup --pesize=4096 pv.01
+-
+-# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+-# Ensure /usr Located On Separate Partition
+-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+-# Ensure /opt Located On Separate Partition
+-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /srv Located On Separate Partition
+-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /home Located On Separate Partition
+-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+-# Ensure /tmp Located On Separate Partition
+-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/tmp Located On Separate Partition
+-logvol /var/tmp
--fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+-# Ensure /var/log Located On Separate Partition
+-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/log/audit Located On Separate Partition
+-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+-logvol swap --name=swap --vgname=VolGroup --size=2016
+-
+-# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+-# content - security policies - on the installed system.This add-on has been enabled by default
+-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
+-# functionality will automatically be installed. However, by default, no policies are enforced,
+-# meaning that no checks are performed during or after installation unless specifically configured.
+-#
+-# Important
+-# Applying a security policy is not necessary on all systems. This screen should only be used
+-# when a specific policy is mandated by your organization rules or government regulations.
+-# Unlike most other commands, this add-on does not accept regular options, but uses key-value
+-# pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+-# Values can be optionally enclosed in single quotes (') or double quotes (").
+-#
+-# The following keys are recognized by the add-on:
+-# content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+-# - If the content-type is scap-security-guide, the add-on will use content provided by the
+-# scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+-# content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+-# datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+-# xccdf-id - ID of the benchmark you want to use.
+-# xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+-# profile - ID of the profile to be applied. Use default to apply the default profile.
+-# fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+-# tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+-#
+-# The following is an example %addon org_fedora_oscap section which uses content from the
+-# scap-security-guide on the installation media:
+-%addon org_fedora_oscap
+- content-type = scap-security-guide
+- profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high
+-%end
+-
+-# Packages selection (%packages section is required)
+-%packages
+-
+-# Require @Base
+-@Base
+-
+-%end # End of %packages section
+-
+-# Reboot after the installation is complete (optional)
+-# --eject attempt to eject CD or DVD media before rebooting
+-reboot --eject
+--
+2.26.2
+
diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
deleted file mode 100644
index e859c54..0000000
--- a/SOURCES/scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
+++ /dev/null
@@ -1,71 +0,0 @@ -From 8605fc4fd40f5d2067d9b81f41d5f523d9a5ba98 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 12 May 2020 08:17:20 +0200 -Subject: [PATCH 1/2] Add Ansible for ensure_logrotate_activated - ---- - .../ansible/shared.yml | 33 +++++++++++++++++++ - 1 file changed, 33 insertions(+) - create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml - -diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml -new file mode 100644 -index 0000000000..5d76b3c073 ---- /dev/null -+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/ansible/shared.yml -@@ -0,0 +1,33 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = low -+ -+- name: Configure daily log rotation in /etc/logrotate.conf -+ lineinfile: -+ create: yes -+ dest: "/etc/logrotate.conf" -+ regexp: "^daily$" -+ line: "daily" -+ -+- name: Make sure daily log rotation setting is not overriden in /etc/logrotate.conf -+ lineinfile: -+ create: no -+ dest: "/etc/logrotate.conf" -+ regexp: "^(weekly|monthly|yearly)$" -+ state: absent -+ -+- name: Configure cron.daily if not already -+ block: -+ - name: Add shebang -+ lineinfile: -+ path: "/etc/cron.daily/logrotate" -+ line: "#!/bin/sh" -+ insertbefore: BOF -+ create: yes -+ - name: Add logrotate call -+ lineinfile: -+ path: "/etc/cron.daily/logrotate" -+ line: '/usr/sbin/logrotate /etc/logrotate.conf' -+ regexp: '^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$' - -From 085e5b2d18c9f50a6486a50f964ff71b74d5dade Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 12 May 2020 14:48:15 +0200 -Subject: [PATCH 2/2] Add test for ensure_logrotate_activated - -Test scenario when monthly is there, but weekly is not. 
---- - .../tests/logrotate_conf_extra_monthly.fail.sh | 4 ++++ - 1 file changed, 4 insertions(+) - create mode 100644 linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh - -diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh -new file mode 100644 -index 0000000000..b10362989b ---- /dev/null -+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/tests/logrotate_conf_extra_monthly.fail.sh -@@ -0,0 +1,4 @@ -+#!/bin/bash -+ -+sed -i "s/weekly/daily/g" /etc/logrotate.conf -+echo "monthly" >> /etc/logrotate.conf diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch deleted file mode 100644 index a864ebf..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From be529f2ca1f3644db9ad436dbd35aa00a9a5cf14 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 13 May 2020 20:49:08 +0200 -Subject: [PATCH 1/2] Add simple tests for sshd_set_max_sessions - ---- - .../sshd_set_max_sessions/tests/correct_value.pass.sh | 11 +++++++++++ - .../sshd_set_max_sessions/tests/wrong_value.fail.sh | 11 +++++++++++ - 2 files changed, 22 insertions(+) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh -new file mode 100644 -index 0000000000..a816eea390 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh -@@ -0,0 +1,11 @@ -+# profiles = xccdf_org.ssgproject.content_profile_cis -+# platform = Red Hat Enterprise Linux 8 -+ -+#!/bin/bash -+SSHD_CONFIG="/etc/ssh/sshd_config" -+ -+if grep -q "^MaxSessions" $SSHD_CONFIG; then -+ sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG -+ else -+ echo "MaxSessions 4" >> $SSHD_CONFIG -+fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh -new file mode 100644 -index 0000000000..b36125f5bb ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh -@@ -0,0 +1,11 @@ -+# profiles = xccdf_org.ssgproject.content_profile_cis -+# platform = Red Hat Enterprise Linux 8 -+ -+#!/bin/bash -+SSHD_CONFIG="/etc/ssh/sshd_config" -+ -+if grep -q "^MaxSessions" $SSHD_CONFIG; then -+ sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG -+ else -+ echo "MaxSessions 10" >> $SSHD_CONFIG -+fi - -From 
027299726c805b451b02694c737514750fd14b94 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Wed, 13 May 2020 20:53:50 +0200 -Subject: [PATCH 2/2] Add remediations for sshd_set_max_sessions - ---- - .../sshd_set_max_sessions/ansible/shared.yml | 8 ++++++++ - .../ssh_server/sshd_set_max_sessions/bash/shared.sh | 12 ++++++++++++ - .../tests/correct_value.pass.sh | 2 +- - .../sshd_set_max_sessions/tests/wrong_value.fail.sh | 2 +- - 4 files changed, 22 insertions(+), 2 deletions(-) - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml - create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh - -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml -new file mode 100644 -index 0000000000..a7e171dfe9 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml -@@ -0,0 +1,8 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = low -+- (xccdf-var var_sshd_max_sessions) -+ -+{{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions}}") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh -new file mode 100644 -index 0000000000..fc0a1d8b42 ---- /dev/null -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh -@@ -0,0 +1,12 @@ -+# platform = multi_platform_all -+# reboot = false -+# strategy = configure -+# complexity = low -+# disruption = low -+ -+# Include source function library. -+. 
/usr/share/scap-security-guide/remediation_functions -+ -+populate var_sshd_max_sessions -+ -+{{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}} -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh -index a816eea390..4cc6d65988 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/correct_value.pass.sh -@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config" - if grep -q "^MaxSessions" $SSHD_CONFIG; then - sed -i "s/^MaxSessions.*/MaxSessions 4/" $SSHD_CONFIG - else -- echo "MaxSessions 4" >> $SSHD_CONFIG -+ echo "MaxSessions 4" >> $SSHD_CONFIG - fi -diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh -index b36125f5bb..bc0c47842a 100644 ---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh -+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/tests/wrong_value.fail.sh -@@ -7,5 +7,5 @@ SSHD_CONFIG="/etc/ssh/sshd_config" - if grep -q "^MaxSessions" $SSHD_CONFIG; then - sed -i "s/^MaxSessions.*/MaxSessions 10/" $SSHD_CONFIG - else -- echo "MaxSessions 10" >> $SSHD_CONFIG -+ echo "MaxSessions 10" >> $SSHD_CONFIG - fi diff --git a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch b/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch deleted file mode 100644 index ff529ca..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch +++ /dev/null 
@@ -1,147 +0,0 @@ -From 2f6ceca58e64ab6c362afef629ac6ac235b0abe9 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 11:52:35 +0200 -Subject: [PATCH 1/4] audit_rules_system_shutdown: Don't remove unrelated line - -Very likey a copy-pasta error from bash remediation for -audit_rules_immutable ---- - .../audit_rules_system_shutdown/bash/shared.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -index 1c9748ce9b..b56513cdcd 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -@@ -8,7 +8,7 @@ - # files to check if '-f .*' setting is present in that '*.rules' file already. - # If found, delete such occurrence since auditctl(8) manual page instructs the - # '-f 2' rule should be placed as the last rule in the configuration --find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-e[[:space:]]\+.*/d' {} ';' -+find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' - - # Append '-f 2' requirement at the end of both: - # * /etc/audit/audit.rules file (for auditctl case) - -From 189aed2c79620940438fc025a3cb9919cd8ee80a Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 12:12:21 +0200 -Subject: [PATCH 2/4] Add Ansible for audit_rules_system_shutdown - -Along with very basic test scenarios ---- - .../ansible/shared.yml | 28 +++++++++++++++++++ - .../tests/augen_correct.pass.sh | 4 +++ - .../tests/augen_e_2_immutable.fail.sh | 3 ++ - 3 files changed, 35 insertions(+) - create mode 100644 
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh - create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml -new file mode 100644 -index 0000000000..b9e8fa87fa ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/ansible/shared.yml -@@ -0,0 +1,28 @@ -+# platform = multi_platform_all -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low -+ -+- name: Collect all files from /etc/audit/rules.d with .rules extension -+ find: -+ paths: "/etc/audit/rules.d/" -+ patterns: "*.rules" -+ register: find_rules_d -+ -+- name: Remove the -f option from all Audit config files -+ lineinfile: -+ path: "{{ item }}" -+ regexp: '^\s*(?:-f)\s+.*$' -+ state: absent -+ loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" -+ -+- name: Add Audit -f option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules -+ lineinfile: -+ path: "{{ item }}" -+ create: True -+ line: "-f 2" -+ loop: -+ - "/etc/audit/audit.rules" -+ - "/etc/audit/rules.d/immutable.rules" -+ -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh -new file mode 100644 -index 0000000000..0587b937e0 ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_correct.pass.sh -@@ -0,0 +1,4 @@ 
-+#!/bin/bash -+ -+echo "-e 2" > /etc/audit/rules.d/immutable.rules -+echo "-f 2" >> /etc/audit/rules.d/immutable.rules -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh -new file mode 100644 -index 0000000000..fa5b7231df ---- /dev/null -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/tests/augen_e_2_immutable.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "-e 2" > /etc/audit/rules.d/immutable.rules - -From d693af1e00521d85b5745001aa13860bdac16632 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 14:06:08 +0200 -Subject: [PATCH 3/4] Clarify audit_rules_immutable Ansible task name - ---- - .../audit_rules_immutable/ansible/shared.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -index 5ac7b3dabb..1cafb744cc 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/ansible/shared.yml -@@ -17,7 +17,7 @@ - state: absent - loop: "{{ find_rules_d.files | map(attribute='path') | list + ['/etc/audit/audit.rules'] }}" - --- name: Insert configuration into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules -+- name: Add Audit -e option into /etc/audit/rules.d/immutable.rules and /etc/audit/audit.rules - lineinfile: - path: "{{ item }}" - create: True - -From 92d38c1968059e53e3ab20f46f5ce0885a989aee Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Tue, 19 May 2020 11:02:56 +0200 -Subject: [PATCH 4/4] Remove misleading comments in system shutdown fix - ---- - 
.../audit_rules_system_shutdown/bash/shared.sh | 8 -------- - 1 file changed, 8 deletions(-) - -diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -index b56513cdcd..a349bb1ca1 100644 ---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/bash/shared.sh -@@ -4,16 +4,8 @@ - # - # /etc/audit/audit.rules, (for auditctl case) - # /etc/audit/rules.d/*.rules (for augenrules case) --# --# files to check if '-f .*' setting is present in that '*.rules' file already. --# If found, delete such occurrence since auditctl(8) manual page instructs the --# '-f 2' rule should be placed as the last rule in the configuration - find /etc/audit /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -exec sed -i '/-f[[:space:]]\+.*/d' {} ';' - --# Append '-f 2' requirement at the end of both: --# * /etc/audit/audit.rules file (for auditctl case) --# * /etc/audit/rules.d/immutable.rules (for augenrules case) -- - for AUDIT_FILE in "/etc/audit/audit.rules" "/etc/audit/rules.d/immutable.rules" - do - echo '' >> $AUDIT_FILE diff --git a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch b/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch deleted file mode 100644 index 2b5acdc..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 0cf31f2a9741533b98cc143ca35f589a712bd6a6 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 21 May 2020 18:16:43 +0200 -Subject: [PATCH] Attribute content to CIS - -And update the description a bit. ---- - rhel7/profiles/cis.profile | 8 +++++--- - rhel8/profiles/cis.profile | 8 +++++--- - 2 files changed, 10 insertions(+), 6 deletions(-) - -diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile -index 0826a49547..829c388133 100644 ---- a/rhel7/profiles/cis.profile -+++ b/rhel7/profiles/cis.profile -@@ -3,9 +3,11 @@ documentation_complete: true - title: 'CIS Red Hat Enterprise Linux 7 Benchmark' - - description: |- -- This baseline aligns to the Center for Internet Security -- Red Hat Enterprise Linux 7 Benchmark, v2.2.0, released -- 12-27-2017. -+ This profile defines a baseline that aligns to the Center for Internet Security® -+ Red Hat Enterprise Linux 7 Benchmark™, v2.2.0, released 12-27-2017. -+ -+ This profile includes Center for Internet Security® -+ Red Hat Enterprise Linux 7 CIS Benchmarks™ content. - - selections: - # Necessary for dconf rules -diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile -index f332ee5462..868b9f21a6 100644 ---- a/rhel8/profiles/cis.profile -+++ b/rhel8/profiles/cis.profile -@@ -3,9 +3,11 @@ documentation_complete: true - title: 'CIS Red Hat Enterprise Linux 8 Benchmark' - - description: |- -- This baseline aligns to the Center for Internet Security -- Red Hat Enterprise Linux 8 Benchmark, v1.0.0, released -- 09-30-2019. -+ This profile defines a baseline that aligns to the Center for Internet Security® -+ Red Hat Enterprise Linux 8 Benchmark™, v1.0.0, released 09-30-2019. -+ -+ This profile includes Center for Internet Security® -+ Red Hat Enterprise Linux 8 CIS Benchmarks™ content. - - selections: - # Necessary for dconf rules 
diff --git a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch b/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch deleted file mode 100644 index 3c4f3b1..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch +++ /dev/null 
@@ -1,274 +0,0 @@ -From b23fc7fe3244128940f7b1f79ad4cde13d7b62eb Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Mon, 25 May 2020 12:17:48 +0200 -Subject: [PATCH] add hipaa kickstarts for rhel7 and rhel8 - ---- - rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ - rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg | 125 +++++++++++++++++++++++++ - 2 files changed, 250 insertions(+) - create mode 100644 rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg - create mode 100644 rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg - -diff --git a/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg -new file mode 100644 -index 0000000000..14c82c4231 ---- /dev/null -+++ b/rhel7/kickstart/ssg-rhel7-hipaa-ks.cfg -@@ -0,0 +1,125 @@ -+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 7 Server -+# Version: 0.0.1 -+# Date: 2020-05-25 -+# -+# Based on: -+# http://fedoraproject.org/wiki/Anaconda/Kickstart -+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html -+ -+# Install a fresh new system (optional) -+install -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+ -+# Set language to use during 
installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 disable IPv6 on this device -+# -+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, -+# "--bootproto=static" must be used. For example: -+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 -+# -+network --onboot yes --device eth0 --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# Set up the authentication options for the system (required) -+# --enableshadow enable shadowed passwords by default -+# --passalgo hash / crypt algorithm for new passwords -+# See the manual page for 
authconfig for a complete list of possible options. -+authconfig --enableshadow --passalgo=sha512 -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+autopart -+ -+# Harden installation with HIPAA profile -+# For more details and configuration options see command %addon org_fedora_oscap in -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/installation_guide/sect-kickstart-syntax#sect-kickstart-commands -+%addon org_fedora_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_hipaa -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject -diff --git a/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg 
b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg -new file mode 100644 -index 0000000000..861db36f18 ---- /dev/null -+++ b/rhel8/kickstart/ssg-rhel8-hipaa-ks.cfg -@@ -0,0 +1,125 @@ -+# SCAP Security Guide HIPAA profile kickstart for Red Hat Enterprise Linux 8 Server -+# Version: 0.0.1 -+# Date: 2020-05-25 -+# -+# Based on: -+# http://fedoraproject.org/wiki/Anaconda/Kickstart -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart -+ -+# Install a fresh new system (optional) -+install -+ -+# Specify installation method to use for installation -+# To use a different one comment out the 'url' one below, update -+# the selected choice with proper options & un-comment it -+# -+# Install from an installation tree on a remote server via FTP or HTTP: -+# --url the URL to install from -+# -+# Example: -+# -+# url --url=http://192.168.122.1/image -+# -+# Modify concrete URL in the above example appropriately to reflect the actual -+# environment machine is to be installed in -+# -+# Other possible / supported installation methods: -+# * install from the first CD-ROM/DVD drive on the system: -+# -+# cdrom -+# -+# * install from a directory of ISO images on a local drive: -+# -+# harddrive --partition=hdb2 --dir=/tmp/install-tree -+# -+# * install from provided NFS server: -+# -+# nfs --server= --dir= [--opts=] -+# -+ -+# Set language to use during installation and the default language to use on the installed system (required) -+lang en_US.UTF-8 -+ -+# Set system keyboard type / layout (required) -+keyboard us -+ -+# Configure network information for target system and activate network devices in the installer environment (optional) -+# --onboot enable device at a boot time -+# --device device to be activated and / or configured with the network command -+# --bootproto method to obtain networking configuration for device (default dhcp) -+# --noipv6 
disable IPv6 on this device -+# -+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration, -+# "--bootproto=static" must be used. For example: -+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 -+# -+network --onboot yes --device eth0 --bootproto dhcp --noipv6 -+ -+# Set the system's root password (required) -+# Plaintext password is: server -+# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 -+ -+# The selected profile will restrict root login -+# Add a user that can login and escalate privileges -+# Plaintext password is: admin123 -+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted -+ -+# Configure firewall settings for the system (optional) -+# --enabled reject incoming connections that are not in response to outbound requests -+# --ssh allow sshd service through the firewall -+firewall --enabled --ssh -+ -+# Set up the authentication options for the system (required) -+# sssd profile sets sha512 to hash passwords -+# passwords are shadowed by default -+# See the manual page for authselect-profile for a complete list of possible options. -+authselect select sssd -+ -+# State of SELinux on the installed system (optional) -+# Defaults to enforcing -+selinux --enforcing -+ -+# Set the system time zone (required) -+timezone --utc America/New_York -+ -+# Specify how the bootloader should be installed (required) -+# Plaintext password is: password -+# Refer to e.g. 
http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create -+# encrypted password form for different plaintext password -+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 -+ -+# Initialize (format) all disks (optional) -+zerombr -+ -+# The following partition layout scheme assumes disk of size 20GB or larger -+# Modify size of partitions appropriately to reflect actual machine's hardware -+# -+# Remove Linux partitions from the system prior to creating new ones (optional) -+# --linux erase all Linux partitions -+# --initlabel initialize the disk label to the default based on the underlying architecture -+clearpart --linux --initlabel -+ -+# Create primary system partitions (required for installs) -+autopart -+ -+# Harden installation with HIPAA profile -+# For more details and configuration options see -+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program -+%addon org_fedora_oscap -+ content-type = scap-security-guide -+ profile = xccdf_org.ssgproject.content_profile_hipaa -+%end -+ -+# Packages selection (%packages section is required) -+%packages -+ -+# Require @Base -+@Base -+ -+%end # End of %packages section -+ -+# Reboot after the installation is complete (optional) -+# --eject attempt to eject CD or DVD media before rebooting -+reboot --eject diff --git a/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch b/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch deleted file mode 100644 index e6dc9cb..0000000 --- a/SOURCES/scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 1ee826c4b506fc4a349015e53a1c687c64423351 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 22 May 2020 14:12:18 +0200 -Subject: [PATCH] Add missing CCEs for RHEL8 - ---- - .../password_storage/no_netrc_files/rule.yml | 1 + - .../accounts_user_interactive_home_directory_exists/rule.yml | 1 + - .../file_groupownership_home_directories/rule.yml | 1 + - shared/references/cce-redhat-avail.txt | 3 --- - 4 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml -index 8547893201..1bd1f5742e 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/rule.yml -@@ -18,6 +18,7 @@ severity: medium - identifiers: - cce@rhel6: 27225-2 - cce@rhel7: 80211-6 -+ cce@rhel8: 83444-0 - cce@ocp4: 82667-7 - - references: -diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml -index bedf3a0b19..e69bc9d736 100644 ---- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml -@@ -21,6 +21,7 @@ severity: medium - - identifiers: - cce@rhel7: 80529-1 -+ cce@rhel8: 83424-2 - - references: - stigid@ol7: "020620" -diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml -index 1c5ac8d099..f931f6d160 100644 ---- 
a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml -+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml -@@ -20,6 +20,7 @@ severity: medium - - identifiers: - cce@rhel7: 80532-5 -+ cce@rhel8: 83434-1 - - references: - stigid@ol7: "020650" -diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt -index 2f0d2a526b..45d03a2c1d 100644 ---- a/shared/references/cce-redhat-avail.txt -+++ b/shared/references/cce-redhat-avail.txt -@@ -95,7 +95,6 @@ CCE-83411-9 - CCE-83421-8 - CCE-83422-6 - CCE-83423-4 --CCE-83424-2 - CCE-83425-9 - CCE-83426-7 - CCE-83427-5 -@@ -105,7 +104,6 @@ CCE-83430-9 - CCE-83431-7 - CCE-83432-5 - CCE-83433-3 --CCE-83434-1 - CCE-83435-8 - CCE-83436-6 - CCE-83437-4 -@@ -115,7 +113,6 @@ CCE-83440-8 - CCE-83441-6 - CCE-83442-4 - CCE-83443-2 --CCE-83444-0 - CCE-83445-7 - CCE-83446-5 - CCE-83447-3 diff --git a/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch b/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch deleted file mode 100644 index b435b97..0000000 --- a/SOURCES/scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 21 May 2020 13:30:24 +0200 -Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins - ---- - .../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -index e9a29a24d5..6fbb7c72a5 100644 ---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml -@@ -3,13 +3,9 @@ - # strategy = restrict - # complexity = low - # disruption = low --- name: Test for existence of /etc/securetty -- stat: -- path: /etc/securetty -- register: securetty_empty -+ - - - name: "Direct root Logins Not Allowed" - copy: - dest: /etc/securetty - content: "" -- when: securetty_empty.stat.size > 1 - -From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 21 May 2020 14:21:38 +0200 -Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8 - ---- - shared/templates/template_ANSIBLE_sebool | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool -index 29f37081be..38d7c7c350 100644 ---- a/shared/templates/template_ANSIBLE_sebool -+++ b/shared/templates/template_ANSIBLE_sebool -@@ -13,11 +13,17 @@ - {{% else %}} - - (xccdf-var var_{{{ SEBOOLID }}}) - -+{{% if product == "rhel8" %}} -+- name: Ensure python3-libsemanage installed -+ package: -+ name: python3-libsemanage -+ state: present -+{{% else %}} - - name: Ensure libsemanage-python 
installed - package: - name: libsemanage-python - state: present -- -+{{% endif %}} - - name: Set SELinux boolean {{{ SEBOOLID }}} accordingly - seboolean: - name: {{{ SEBOOLID }}} - -From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 21 May 2020 14:57:05 +0200 -Subject: [PATCH 3/3] add tests for no_direct_root_logins - ---- - .../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++ - .../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++ - .../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++ - 3 files changed, 9 insertions(+) - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh - create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh - -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh -new file mode 100644 -index 0000000000..17251f6a98 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo > /etc/securetty -diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh -new file mode 100644 -index 0000000000..c764814b26 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+rm -f /etc/securetty -diff --git 
a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh -new file mode 100644 -index 0000000000..43ac341e87 ---- /dev/null -+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh -@@ -0,0 +1,3 @@ -+#!/bin/bash -+ -+echo "something" > /etc/securetty diff --git a/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch b/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch deleted file mode 100644 index 5c6664f..0000000 --- a/SOURCES/scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch +++ /dev/null 
@@ -1,308 +0,0 @@ -From a5281d8361dd26217e6ee1c97d5beaae02af34bc Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Tue, 26 May 2020 17:49:21 +0200 -Subject: [PATCH 1/2] Create macro for selinux ansible/bash remediation. - -Affected rules: - - selinux_policytype - - selinux_state ---- - .../selinux/selinux_policytype/ansible/shared.yml | 9 ++------- - .../selinux/selinux_policytype/bash/shared.sh | 5 +++-- - .../tests/selinuxtype_minimum.fail.sh | 10 ++++++++++ - .../selinux/selinux_state/ansible/shared.yml | 9 ++------- - .../system/selinux/selinux_state/bash/shared.sh | 5 +++-- - .../selinux_state/tests/selinux_missing.fail.sh | 5 +++++ - .../tests/selinux_permissive.fail.sh | 10 ++++++++++ - shared/macros-ansible.jinja | 11 +++++++++++ - shared/macros-bash.jinja | 15 +++++++++++++++ - 9 files changed, 61 insertions(+), 18 deletions(-) - create mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh - create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh - create mode 100644 linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh - -diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml -index 5c70cc9f7f..9f8cf66dfb 100644 ---- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml -+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml -@@ -3,11 +3,6 @@ - # strategy = restrict - # complexity = low - # disruption = low - - (xccdf-var var_selinux_policy_name) - --- name: "{{{ rule_title }}}" -- lineinfile: -- path: /etc/sysconfig/selinux -- regexp: '^SELINUXTYPE=' -- line: "SELINUXTYPE={{ var_selinux_policy_name }}" -- create: yes -+{{{ ansible_selinux_config_set(parameter="SELINUXTYPE", value="{{ var_selinux_policy_name }}") }}} -diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh 
b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh -index d0fbbf4446..2b5ce31b12 100644 ---- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh -+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh -@@ -1,7 +1,8 @@ - # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv --# -+ - # Include source function library. - . /usr/share/scap-security-guide/remediation_functions -+ - populate var_selinux_policy_name - --replace_or_append '/etc/sysconfig/selinux' '^SELINUXTYPE=' $var_selinux_policy_name '@CCENUM@' '%s=%s' -+{{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}} -diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh -new file mode 100644 -index 0000000000..1a6eb94953 ---- /dev/null -+++ b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp -+ -+SELINUX_FILE='/etc/selinux/config' -+ -+if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then -+ sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE -+else -+ echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE -+fi -diff --git a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml -index b465ac6729..1c1560a86c 100644 ---- a/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml -+++ b/linux_os/guide/system/selinux/selinux_state/ansible/shared.yml -@@ -3,11 +3,6 @@ - # strategy = restrict - # complexity = low - # disruption = low - - (xccdf-var var_selinux_state) - --- name: "{{{ rule_title }}}" -- lineinfile: -- path: /etc/sysconfig/selinux -- regexp: '^SELINUX=' -- line: 
"SELINUX={{ var_selinux_state }}" -- create: yes -+{{{ ansible_selinux_config_set(parameter="SELINUX", value="{{ var_selinux_state }}") }}} -diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh -index 58193b5504..a402a861d7 100644 ---- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh -+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh -@@ -1,10 +1,11 @@ - # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv --# -+ - # Include source function library. - . /usr/share/scap-security-guide/remediation_functions -+ - populate var_selinux_state - --replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' -+{{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}} - - fixfiles onboot - fixfiles -f relabel -diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh -new file mode 100644 -index 0000000000..180dd80791 ---- /dev/null -+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_missing.fail.sh -@@ -0,0 +1,5 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp -+ -+SELINUX_FILE='/etc/selinux/config' -+sed -i '/^[[:space:]]*SELINUX/d' $SELINUX_FILE -diff --git a/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh -new file mode 100644 -index 0000000000..3db1e56b5f ---- /dev/null -+++ b/linux_os/guide/system/selinux/selinux_state/tests/selinux_permissive.fail.sh -@@ -0,0 +1,10 @@ -+#!/bin/bash -+# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp -+ -+SELINUX_FILE='/etc/selinux/config' -+ -+if grep -s '^[[:space:]]*SELINUX' 
$SELINUX_FILE; then -+ sed -i 's/^\([[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\).*/\permissive/' $SELINUX_FILE -+else -+ echo 'SELINUX=permissive' >> $SELINUX_FILE -+fi -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 6798a25d1f..01d3155b37 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -217,6 +217,17 @@ value: "Setting={{ varname1 }}" - {{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} - {{%- endmacro %}} - -+{{# -+ High level macro to set a parameter in /etc/selinux/config. -+ Parameters: -+ - msg: the name for the Ansible task -+ - parameter: parameter to be set in the configuration file -+ - value: value of the parameter -+#}} -+{{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}} -+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} -+{{%- endmacro %}} -+ - {{# - Generates an Ansible task that puts 'contents' into a file at 'filepath' - Parameters: -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index 3a94fe5dd8..2531d1c52d 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -86,6 +86,21 @@ populate {{{ name }}} - }}} - {{%- endmacro -%}} - -+{{%- macro bash_selinux_config_set(parameter, value) -%}} -+{{{ set_config_file( -+ path="/etc/selinux/config", -+ parameter=parameter, -+ value=value, -+ create=true, -+ insert_after="", -+ insert_before="", -+ insensitive=true, -+ separator="=", -+ separator_regex="\s*=\s*", -+ prefix_regex="^\s*") -+ }}} -+{{%- endmacro -%}} -+ - {{# - # Install a package - # Uses the right command based on pkg_manger proprerty defined in product.yaml. 
- -From 24c3c92007e6d3f8a684282b1351703523441389 Mon Sep 17 00:00:00 2001 -From: Gabriel Becker -Date: Wed, 27 May 2020 18:48:57 +0200 -Subject: [PATCH 2/2] Remediation requires reboot. - -Update OVAL check to disallow spaces. -Removed selinuxtype_minimum test scenario since breaks the system. ---- - .../selinux/selinux_policytype/ansible/shared.yml | 2 +- - .../system/selinux/selinux_policytype/bash/shared.sh | 4 ++++ - .../system/selinux/selinux_policytype/oval/shared.xml | 2 +- - .../tests/selinuxtype_minimum.fail.sh | 10 ---------- - .../guide/system/selinux/selinux_state/bash/shared.sh | 4 ++++ - .../guide/system/selinux/selinux_state/oval/shared.xml | 2 +- - shared/macros-ansible.jinja | 2 +- - shared/macros-bash.jinja | 4 ++-- - 8 files changed, 14 insertions(+), 16 deletions(-) - delete mode 100644 linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh - -diff --git a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml -index 9f8cf66dfb..73e6ec7cd4 100644 ---- a/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml -+++ b/linux_os/guide/system/selinux/selinux_policytype/ansible/shared.yml -@@ -1,5 +1,5 @@ - # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv --# reboot = false -+# reboot = true - # strategy = restrict - # complexity = low - # disruption = low -diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh -index 2b5ce31b12..b4f79c97f9 100644 ---- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh -+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh -@@ -1,4 +1,8 @@ - # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low - 
- # Include source function library. - . /usr/share/scap-security-guide/remediation_functions -diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml -index f1840a1290..3d69fff07f 100644 ---- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml -+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml -@@ -27,7 +27,7 @@ - - - /etc/selinux/config -- ^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*) -+ ^SELINUXTYPE=(.*)$ - 1 - - -diff --git a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh b/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh -deleted file mode 100644 -index 1a6eb94953..0000000000 ---- a/linux_os/guide/system/selinux/selinux_policytype/tests/selinuxtype_minimum.fail.sh -+++ /dev/null -@@ -1,10 +0,0 @@ --#!/bin/bash --# profiles = xccdf_org.ssgproject.content_profile_C2S, xccdf_org.ssgproject.content_profile_ospp -- --SELINUX_FILE='/etc/selinux/config' -- --if grep -s '^[[:space:]]*SELINUXTYPE' $SELINUX_FILE; then -- sed -i 's/^\([[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\).*/\minimum/' $SELINUX_FILE --else -- echo 'SELINUXTYPE=minimum' >> $SELINUX_FILE --fi -diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh -index a402a861d7..645a7acab4 100644 ---- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh -+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh -@@ -1,4 +1,8 @@ - # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platorm_ol,multi_platform_rhv -+# reboot = true -+# strategy = restrict -+# complexity = low -+# disruption = low - - # Include source function library. - . 
/usr/share/scap-security-guide/remediation_functions -diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml -index c0881696e1..8c328060af 100644 ---- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml -+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml -@@ -18,7 +18,7 @@ - - - /etc/selinux/config -- ^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$ -+ ^SELINUX=(.*)$ - 1 - - -diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja -index 01d3155b37..580a0b948e 100644 ---- a/shared/macros-ansible.jinja -+++ b/shared/macros-ansible.jinja -@@ -225,7 +225,7 @@ value: "Setting={{ varname1 }}" - - value: value of the parameter - #}} - {{%- macro ansible_selinux_config_set(msg='', parameter='', value='') %}} --{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} -+{{{ ansible_set_config_file(msg, "/etc/selinux/config", parameter=parameter, value=value, create="yes", separator="=", separator_regex="=", prefix_regex='^') }}} - {{%- endmacro %}} - - {{# -diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja -index 2531d1c52d..8abcc914d3 100644 ---- a/shared/macros-bash.jinja -+++ b/shared/macros-bash.jinja -@@ -96,8 +96,8 @@ populate {{{ name }}} - insert_before="", - insensitive=true, - separator="=", -- separator_regex="\s*=\s*", -- prefix_regex="^\s*") -+ separator_regex="=", -+ prefix_regex="^") - }}} - {{%- endmacro -%}} - diff --git a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch b/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch deleted file mode 100644 index 1e028b7..0000000 --- a/SOURCES/scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 254cb60e722539032c6ea73616d6ab51eb1d4edf Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 23:36:18 +0200 -Subject: [PATCH] Ansible mount_option: split mount and option task - -Separate task that adds mount options mounts the mountpoint into two tasks. -Conditioning the "mount" task on the absence of the target mount option -caused the task to always be skipped when mount option was alredy present, -and could result in the mount point not being mounted. ---- - shared/templates/template_ANSIBLE_mount_option | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option -index 95bede25f9..a0cf8d6b7a 100644 ---- a/shared/templates/template_ANSIBLE_mount_option -+++ b/shared/templates/template_ANSIBLE_mount_option -@@ -26,14 +26,19 @@ - - device_name.stdout is defined and device_name.stdout_lines is defined - - (device_name.stdout | length > 0) - --- name: Ensure permission {{{ MOUNTOPTION }}} are set on {{{ MOUNTPOINT }}} -+- name: Make sure {{{ MOUNTOPTION }}} option is part of the to {{{ MOUNTPOINT }}} options -+ set_fact: -+ mount_info: "{{ mount_info | combine( {'options':''~mount_info.options~',{{{ MOUNTOPTION }}}' }) }}" -+ when: -+ - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options -+ -+- name: Ensure {{{ MOUNTPOINT }}} is mounted with {{{ MOUNTOPTION }}} option - mount: - path: "{{{ MOUNTPOINT }}}" - src: "{{ mount_info.source }}" -- opts: "{{ mount_info.options }},{{{ MOUNTOPTION }}}" -+ opts: "{{ mount_info.options }}" - state: "mounted" - fstype: "{{ mount_info.fstype }}" - when: -- - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options - - device_name.stdout is defined - - (device_name.stdout | length > 0) 
diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch b/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch deleted file mode 100644 index 47b9cdb..0000000 --- a/SOURCES/scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch +++ /dev/null @@ -1,33 +0,0 @@ -From bb039a92b4286c9090c0f40c82aefb967be2f5ba Mon Sep 17 00:00:00 2001 -From: Vojtech Polasek -Date: Thu, 14 May 2020 16:46:07 +0200 -Subject: [PATCH] reorder groups because of permissions verification - ---- - ssg/build_yaml.py | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py -index e3e138283c..c9f3179c08 100644 ---- a/ssg/build_yaml.py -+++ b/ssg/build_yaml.py -@@ -700,6 +700,11 @@ def to_xml_element(self): - # audit_rules_privileged_commands, othervise the rule - # does not catch newly installed screeen binary during remediation - # and report fail -+ # the software group should come before the -+ # bootloader-grub2 group because of conflict between -+ # rules rpm_verify_permissions and file_permissions_grub2_cfg -+ # specific rules concerning permissions should -+ # be applied after the general rpm_verify_permissions - # The FIPS group should come before Crypto - if we want to set a different (stricter) Crypto Policy than FIPS. - # the firewalld_activation must come before ruleset_modifications, othervise - # remediations for ruleset_modifications won't work -@@ -707,6 +712,7 @@ def to_xml_element(self): - # otherwise the remediation prints error although it is successful - priority_order = [ - "accounts", "auditing", -+ "software", "bootloader-grub2", - "fips", "crypto", - "firewalld_activation", "ruleset_modifications", - "disabling_ipv6", "configuring_ipv6" diff --git a/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch b/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch deleted file mode 100644 index 34531f1..0000000 
--- a/SOURCES/scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -From 179cf6b43b8f10b4907267d976cb503066710e6f Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 14 May 2020 01:20:53 +0200 -Subject: [PATCH 1/4] Do not take paths from include or IncludeConfig - -All paths in /etc/rsyslog.conf were taken as log files, but paths -in lines containing "include" or "$IncludeConfig" are config files. - -Let's not take them in as log files ---- - .../rsyslog_files_permissions/oval/shared.xml | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml -index a78cd69df2..c74f3da3f5 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml -@@ -87,8 +87,18 @@ - --> - ^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ - 1 -+ state_ignore_include_paths - - -+ -+ -+ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) -+ -+ - - -From 4a408d29313d8ea5aed4fa65cacad86f8078159c Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Thu, 14 May 2020 00:16:37 +0200 -Subject: [PATCH 2/4] Fix permissions of files referenced by include() - -The remediation script also needs to parse the files included via -"include()". -The awk also takes into consideration the multiline aspect. 
---- - .../rsyslog_files_permissions/bash/shared.sh | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -index 6cbf0c6a24..dca35301e7 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -@@ -6,12 +6,14 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" - # * And also the log file paths listed after rsyslog's $IncludeConfig directive - # (store the result into array for the case there's shell glob used as value of IncludeConfig) - readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) -+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) -+ - # Declare an array to hold the final list of different log file paths - declare -a LOG_FILE_PATHS - - # Browse each file selected above as containing paths of log files - # ('/etc/rsyslog.conf' and '/etc/rsyslog.d/*.conf' in the default configuration) --for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" -+for LOG_FILE in "${RSYSLOG_ETC_CONFIG}" "${RSYSLOG_INCLUDE_CONFIG[@]}" "${RSYSLOG_INCLUDE[@]}" - do - # From each of these files extract just particular log file path(s), thus: - # * Ignore lines starting with space (' '), comment ('#"), or variable syntax ('$') characters, - -From 812e9b487e3c11a18e5e3a965ac23ec1a0d64e91 Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 15:53:58 +0200 -Subject: [PATCH 3/4] Make regex for include file more strict - -For some reason gensub in awk doesn't support non 
capturing group. -So the group with OR is capturing and we substitute everyting with the -second group, witch matches the file path. ---- - .../rsyslog_files_permissions/bash/shared.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -index dca35301e7..99d2d0e794 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/bash/shared.sh -@@ -6,7 +6,7 @@ RSYSLOG_ETC_CONFIG="/etc/rsyslog.conf" - # * And also the log file paths listed after rsyslog's $IncludeConfig directive - # (store the result into array for the case there's shell glob used as value of IncludeConfig) - readarray -t RSYSLOG_INCLUDE_CONFIG < <(grep -e "\$IncludeConfig[[:space:]]\+[^[:space:];]\+" /etc/rsyslog.conf | cut -d ' ' -f 2) --readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub(".*file=\"(\\S+)\".*","\\1",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) -+readarray -t RSYSLOG_INCLUDE < <(awk '/)/{f=0} /include\(/{f=1} f{nf=gensub("^(include\\(|\\s*)file=\"(\\S+)\".*","\\2",1); if($0!=nf){print nf}}' /etc/rsyslog.conf) - - # Declare an array to hold the final list of different log file paths - declare -a LOG_FILE_PATHS - -From c49f8aaf717313a41bbdfca188dd491a13d1133e Mon Sep 17 00:00:00 2001 -From: Watson Sato -Date: Fri, 15 May 2020 16:55:02 +0200 -Subject: [PATCH 4/4] Extend OVAL fix to groupownership and ownership - -These three files basically work the same way ---- - .../rsyslog_files_groupownership/oval/shared.xml | 10 ++++++++++ - .../rsyslog_files_ownership/oval/shared.xml | 10 ++++++++++ - .../rsyslog_files_permissions/oval/shared.xml | 4 ++-- - 3 files changed, 22 
insertions(+), 2 deletions(-) - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml -index 5828f25321..9941e2b94f 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml -@@ -86,8 +86,18 @@ - --> - ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ - 1 -+ state_groupownership_ignore_include_paths - - -+ -+ -+ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) -+ -+ - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml -index 3c46eab6d6..29dd1a989e 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml -@@ -83,8 +83,18 @@ - --> - ^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ - 1 -+ state_owner_ignore_include_paths - - -+ -+ -+ (?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+) -+ -+ - -diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml -index c74f3da3f5..da37a15b8c 100644 ---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml -+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml -@@ -87,10 +87,10 @@ - --> - 
^[^\s#\$]+[\s]+.*[\s]+-?(/+[^:;\s]+);*.*$ - 1 -- state_ignore_include_paths -+ state_permissions_ignore_include_paths - - -- -+ - ++ ^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$)) ++ 1 ++ ++ +diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml +new file mode 100644 +index 000000000..a0590c8b0 +--- /dev/null ++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml +@@ -0,0 +1,46 @@ ++documentation_complete: true ++ ++title: "Explicit arguments in sudo specifications" ++ ++description: |- ++ All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. ++ If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification. ++ ++rationale: |- ++ Any argument can modify quite significantly the behavior of a program, whether regarding the ++ realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To ++ avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the ++ level of its specification. ++ ++ For example, on some systems, the kernel messages are only accessible by root. ++ If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted ++ in order to prevent the user from flushing the buffer through the -c option: ++
++    user ALL = dmesg ""
++    
++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-83631-2 ++ cce@rhel8: CCE-83632-0 ++ ++references: ++ anssi: BP28(R63) ++ ++ocil_clause: '/etc/sudoers file contains user specifications that allow execution of commands with any arguments' ++ ++ocil: |- ++ To determine if arguments that commands can be executed with are restricted, run the following command: ++
$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/
++ The command should return no output.
++
++platform: sudo
++
++warnings:
++ - general:
++ This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.
++
++ - general:
++ The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that.
++ For example, root ALL=(ALL) echo 1\,2 allows root to execute echo 1,2, but the check would interpret it as two commands echo 1\ and 2.
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
+new file mode 100644
+index 000000000..b0d05b2a5
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++
++echo '#jen,!fred ALL, !SERVERS = !/bin/sh' > /etc/sudoers
++echo '# somebody ALL=/bin/ls, (!bob,alice) !/bin/cat, /bin/dog' > /etc/sudoers.d/foo
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
+new file mode 100644
+index 000000000..c6f885f9f
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'somebody ALL=/bin/ls, (!bob,alice) /bin/cat arg, /bin/dog' > /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
+new file mode 100644
+index 000000000..fce851f55
+--- /dev/null
++++ 
b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog, /bin/cat arg' > /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
+new file mode 100644
+index 000000000..baf66468d
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
+@@ -0,0 +1,9 @@
++# platform = multi_platform_all
++# remediation = none
++# packages = sudo
++
++# The val1\,val2 is the first argument of the /bin/dog command that contains a comma.
++# Our check tends to interpret the comma as commad delimiter, so the dog arg is val1\
++# and val2 is another command in the user spec.
++echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog val1\,val2, /bin/cat ""' > /etc/sudoers
++
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
+new file mode 100644
+index 000000000..9a04a205a
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'jen,!fred ALL,SERVERS = /bin/sh ' > /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
+new file mode 100644
+index 000000000..4a3a7c94b
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_all
++# packages = sudo
++
++echo 
'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
++echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
++echo 'nobody ALL=/bin/ls arg arg, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
+new file mode 100644
+index 000000000..9643a3337
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
+@@ -0,0 +1,9 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
++echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
++echo 'nobody ALL=/bin/ls, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
++
++echo 'user ALL = ALL' > /etc/sudoers.d/bar
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 4dbec8255..94a116b59 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -140,8 +140,6 @@ CCE-83626-2
+ CCE-83627-0
+ CCE-83628-8
+ CCE-83629-6
+-CCE-83631-2
+-CCE-83632-0
+ CCE-83633-8
+ CCE-83634-6
+ CCE-83635-3
diff --git a/SOURCES/scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch b/SOURCES/scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
new file mode 100644
index 0000000..74a0793
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
@@ -0,0 +1,213 @@
+From afa3b348ed0af551967870f48334afbabecb89ab Mon Sep 17 00:00:00 2001
+From: Milan Lysonek
+Date: Thu, 4 Feb 2021 09:43:51 +0100
+Subject: [PATCH] Extend /var partition to 3GB in rhel8 kickstarts
+
+---
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 4 ++--
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 4 ++--
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 4 ++--
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg | 4 ++--
+ rhel8/kickstart/ssg-rhel8-cis-ks.cfg | 4 ++--
+ rhel8/kickstart/ssg-rhel8-cui-ks.cfg | 4 ++--
+ rhel8/kickstart/ssg-rhel8-ospp-ks.cfg | 4 ++--
+ rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg | 4 ++--
+ rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 4 ++--
+ 9 files changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+index 52af3ef47e..4e249f61e2 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+ # Ensure /usr Located On Separate Partition
+ logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+ # Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 
--fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+index 702f23d4dc..a1511b157a 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+ # Ensure /usr Located On Separate Partition
+ logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+ # Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+index b875692944..981d291847 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 
--grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+ # Ensure /usr Located On Separate Partition
+ logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+ # Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+index 4a114aebb6..7fc4945518 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+ # Ensure /usr Located On Separate Partition
+ logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+ # Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # 
Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
+index bf3804b3fa..ee3a20bcc2 100644
+--- a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
+@@ -109,7 +109,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+ # Ensure /home Located On Separate Partition
+ logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # Ensure /tmp Located On Separate Partition
+@@ -117,7 +117,7 @@ logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptio
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048
++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg 
b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+index 6e0f83ebb7..8e4b92584f 100644
+--- a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+ # Ensure /home Located On Separate Partition
+ logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # Ensure /tmp Located On Separate Partition
+@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
+index 119e98364f..ec490c38ee 100644
+--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
+@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+ # Ensure /home Located On Separate Partition
+ logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # Ensure /tmp Located On 
Separate Partition
+@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
+index 21a50f52fd..386cbcc169 100644
+--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
+@@ -103,13 +103,13 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
+ # CCE-26557-9: Ensure /home Located On Separate Partition
+ logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # CCE-26435-8: Ensure /tmp Located On Separate Partition
+ logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+ # CCE-26639-5: Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # CCE-26215-4: Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # CCE-26436-6: Ensure 
/var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+index a3e5e5fec1..28f7ff0927 100644
+--- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+ # Ensure /home Located On Separate Partition
+ logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # Ensure /tmp Located On Separate Partition
+@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
diff --git a/SOURCES/scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch b/SOURCES/scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
new file mode 100644
index 0000000..4f32181
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
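Review bot: Every kickstart in this patch also lowers the minimum of the root logical volume by 1024 MiB (`--size=4216` → `--size=3192` in the four ANSSI files, `11264` → `10240` in cis/cui/ospp/stig, `12288` → `11264` in pci-dss), which the nested commit subject "Extend /var partition to 3GB in rhel8 kickstarts" does not mention. The reduction appears to keep the total allocation unchanged in exchange for the larger `/var`, and because `/` keeps `--grow` it still takes whatever space is left, so an install is unlikely to break; but anyone later tuning these profiles will wonder whether the smaller `/` floor was deliberate. A one-line addition to the patch description, e.g. `Shrink the / minimum by the same 1 GiB so the default layout still fits the same disk.`, would record the intent. The spec change that applies this new patch file is not in view, so whether it is actually wired into the build cannot be confirmed from here.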
@@ -0,0 +1,426 @@ +From fad3761eff3a3857bb4201ac90642dfc37217a2a Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 2 Feb 2021 09:41:26 +0100 +Subject: [PATCH 1/4] Remove extra configurations from ANSSI minimal ks + +- No need to restrict IPv6 +- Root login is not restricted +- Simplify boot command +- Simplify paritioning +- No requirement to enforce use of SELinux +--- + .../ssg-rhel7-anssi_nt28_minimal-ks.cfg | 46 ++-------------- + .../ssg-rhel8-anssi_bp28_minimal-ks.cfg | 53 +------------------ + 2 files changed, 5 insertions(+), 94 deletions(-) + +diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg +index 4160ac094c..9bc4eae44f 100644 +--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg ++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg +@@ -54,7 +54,7 @@ keyboard us + # "--bootproto=static" must be used. For example: + # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 + # +-network --onboot yes --device eth0 --bootproto dhcp --noipv6 ++network --onboot yes --device eth0 --bootproto dhcp + + # Set the system's root password (required) + # Plaintext password is: server +@@ -62,26 +62,12 @@ network --onboot yes --device eth0 --bootproto dhcp --noipv6 + # encrypted password form for different plaintext password + rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0 + +-# The selected profile will restrict root login +-# Add a user that can login and escalate privileges +-# Plaintext password is: admin123 +-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted +- +-# Configure firewall settings for the system (optional) +-# --enabled reject incoming connections that are not in response to outbound requests +-# --ssh allow 
sshd service through the firewall +-firewall --enabled --ssh +- + # Set up the authentication options for the system (required) + # --enableshadow enable shadowed passwords by default + # --passalgo hash / crypt algorithm for new passwords + # See the manual page for authconfig for a complete list of possible options. + authconfig --enableshadow --passalgo=sha512 + +-# State of SELinux on the installed system (optional) +-# Defaults to enforcing +-selinux --enforcing +- + # Set the system time zone (required) + timezone --utc America/New_York + +@@ -89,7 +75,7 @@ timezone --utc America/New_York + # Plaintext password is: password + # Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create + # encrypted password form for different plaintext password +-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --location=mbr + + # Initialize (format) all disks (optional) + zerombr +@@ -103,33 +89,7 @@ zerombr + clearpart --linux --initlabel + + # Create primary system partitions (required for installs) +-part /boot --fstype=xfs --size=512 +-part pv.01 --grow --size=1 +- +-# Create a Logical Volume Management (LVM) group (optional) +-volgroup VolGroup --pesize=4096 pv.01 +- +-# Create particular logical volumes (optional) +-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow +-# Ensure /usr Located On Separate Partition +-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" +-# Ensure /opt Located On Separate Partition +-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +-# Ensure /srv Located On Separate Partition +-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +-# Ensure /home Located On Separate Partition +-logvol /home 
--fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev" +-# Ensure /tmp Located On Separate Partition +-logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" +-# Ensure /var/tmp Located On Separate Partition +-logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +-# Ensure /var Located On Separate Partition +-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev" +-# Ensure /var/log Located On Separate Partition +-logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev" +-# Ensure /var/log/audit Located On Separate Partition +-logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev" +-logvol swap --name=lv_swap --vgname=VolGroup --size=2016 ++autopart + + # Despite the ID referencing NT-28, the profile is aligned to BP-028 + %addon org_fedora_oscap +diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg +index 7fc4945518..1d62b55d55 100644 +--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg +@@ -6,9 +6,6 @@ + # https://pykickstart.readthedocs.io/en/latest/ + # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +-# Install a fresh new system (optional) +-install +- + # Specify installation method to use for installation + # To use a different one comment out the 'url' one below, update + # the selected choice with proper options & un-comment it +@@ -61,26 +58,6 @@ network --onboot yes --bootproto dhcp + # to see how to create encrypted password form for different plaintext password + rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220 + +-# The selected profile will restrict root login +-# Add a user that can 
login and escalate privileges +-# Plaintext password is: admin123 +-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted +- +-# Configure firewall settings for the system (optional) +-# --enabled reject incoming connections that are not in response to outbound requests +-# --ssh allow sshd service through the firewall +-firewall --enabled --ssh +- +-# Set up the authentication options for the system (required) +-# --enableshadow enable shadowed passwords by default +-# --passalgo hash / crypt algorithm for new passwords +-# See the manual page for authconfig for a complete list of possible options. +-authconfig --enableshadow --passalgo=sha512 +- +-# State of SELinux on the installed system (optional) +-# Defaults to enforcing +-selinux --enforcing +- + # Set the system time zone (required) + timezone --utc America/New_York + +@@ -89,7 +66,7 @@ timezone --utc America/New_York + # Refer to e.g. 
+ # https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw + # to see how to create encrypted password form for different plaintext password +-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --location=mbr + + # Initialize (format) all disks (optional) + zerombr +@@ -103,33 +80,7 @@ zerombr + clearpart --linux --initlabel + + # Create primary system partitions (required for installs) +-part /boot --fstype=xfs --size=512 +-part pv.01 --grow --size=1 +- +-# Create a Logical Volume Management (LVM) group (optional) +-volgroup VolGroup --pesize=4096 pv.01 +- +-# Create particular logical volumes (optional) +-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow +-# Ensure /usr Located On Separate Partition +-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev" +-# Ensure /opt Located On Separate Partition +-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +-# Ensure /srv Located On Separate Partition +-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid" +-# Ensure /home Located On Separate Partition +-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" +-# Ensure /tmp Located On Separate Partition +-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +-# Ensure /var/tmp Located On Separate Partition +-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +-# Ensure /var Located On Separate Partition +-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev" +-# Ensure /var/log Located On Separate Partition +-logvol /var/log --fstype=xfs --name=log 
--vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec" +-# Ensure /var/log/audit Located On Separate Partition +-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" +-logvol swap --name=swap --vgname=VolGroup --size=2016 ++autopart + + # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol) + # content - security policies - on the installed system.This add-on has been enabled by default + +From 3884ae59b59d69c928acb1d3d52a3f68834aa709 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 2 Feb 2021 09:53:20 +0100 +Subject: [PATCH 2/4] Align ANSSI kickstarts with intermediary level + +- Simplify boot command +- No requirement to enforce use of SELinux +--- + .../ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 6 +----- + .../ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 17 ++--------------- + 2 files changed, 3 insertions(+), 20 deletions(-) + +diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg +index ab654410b5..20c4c59a78 100644 +--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg ++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg +@@ -78,10 +78,6 @@ firewall --enabled --ssh + # See the manual page for authconfig for a complete list of possible options. + authconfig --enableshadow --passalgo=sha512 + +-# State of SELinux on the installed system (optional) +-# Defaults to enforcing +-selinux --enforcing +- + # Set the system time zone (required) + timezone --utc America/New_York + +@@ -89,7 +85,7 @@ timezone --utc America/New_York + # Plaintext password is: password + # Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create + # encrypted password form for different plaintext password +-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --location=mbr --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + + # Initialize (format) all disks (optional) + zerombr +diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg +index 981d291847..3a241b06f4 100644 +--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg +@@ -6,9 +6,6 @@ + # https://pykickstart.readthedocs.io/en/latest/ + # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +-# Install a fresh new system (optional) +-install +- + # Specify installation method to use for installation + # To use a different one comment out the 'url' one below, update + # the selected choice with proper options & un-comment it +@@ -52,7 +49,7 @@ keyboard us + # "--bootproto=static" must be used. 
For example: + # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 + # +-network --onboot yes --bootproto dhcp ++network --onboot yes --bootproto dhcp --noipv6 + + # Set the system's root password (required) + # Plaintext password is: server +@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf + # --ssh allow sshd service through the firewall + firewall --enabled --ssh + +-# Set up the authentication options for the system (required) +-# --enableshadow enable shadowed passwords by default +-# --passalgo hash / crypt algorithm for new passwords +-# See the manual page for authconfig for a complete list of possible options. +-authconfig --enableshadow --passalgo=sha512 +- +-# State of SELinux on the installed system (optional) +-# Defaults to enforcing +-selinux --enforcing +- + # Set the system time zone (required) + timezone --utc America/New_York + +@@ -89,7 +76,7 @@ timezone --utc America/New_York + # Refer to e.g. 
+ # https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw + # to see how to create encrypted password form for different plaintext password +-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --location=mbr + + # Initialize (format) all disks (optional) + zerombr + +From 745ec9b02bb45ca89d2705e79b36b17060508765 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 2 Feb 2021 14:03:09 +0100 +Subject: [PATCH 3/4] Align ANSSI kickstarts with enhanced level + +- Keep restricting IPv6 +- Audit enabled during boot +- No requirement to enforce use of SELinux +--- + .../ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 6 +----- + .../ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 17 ++--------------- + 2 files changed, 3 insertions(+), 20 deletions(-) + +diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg +index 2e75873a28..1d35bedb91 100644 +--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg ++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg +@@ -78,10 +78,6 @@ firewall --enabled --ssh + # See the manual page for authconfig for a complete list of possible options. + authconfig --enableshadow --passalgo=sha512 + +-# State of SELinux on the installed system (optional) +-# Defaults to enforcing +-selinux --enforcing +- + # Set the system time zone (required) + timezone --utc America/New_York + +@@ -89,7 +85,7 @@ timezone --utc America/New_York + # Plaintext password is: password + # Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create + # encrypted password form for different plaintext password +-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --location=mbr --append="audit=1 audit_backlog_limig=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + + # Initialize (format) all disks (optional) + zerombr +diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg +index 4e249f61e2..728946ecb7 100644 +--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg +@@ -6,9 +6,6 @@ + # https://pykickstart.readthedocs.io/en/latest/ + # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +-# Install a fresh new system (optional) +-install +- + # Specify installation method to use for installation + # To use a different one comment out the 'url' one below, update + # the selected choice with proper options & un-comment it +@@ -52,7 +49,7 @@ keyboard us + # "--bootproto=static" must be used. 
For example: + # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 + # +-network --onboot yes --bootproto dhcp ++network --onboot yes --bootproto dhcp --noipv6 + + # Set the system's root password (required) + # Plaintext password is: server +@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf + # --ssh allow sshd service through the firewall + firewall --enabled --ssh + +-# Set up the authentication options for the system (required) +-# --enableshadow enable shadowed passwords by default +-# --passalgo hash / crypt algorithm for new passwords +-# See the manual page for authconfig for a complete list of possible options. +-authconfig --enableshadow --passalgo=sha512 +- +-# State of SELinux on the installed system (optional) +-# Defaults to enforcing +-selinux --enforcing +- + # Set the system time zone (required) + timezone --utc America/New_York + +@@ -89,7 +76,7 @@ timezone --utc America/New_York + # Refer to e.g. 
+ # https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw + # to see how to create encrypted password form for different plaintext password +-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + + # Initialize (format) all disks (optional) + zerombr + +From 6804cdfbdea9992daf48fe545d8005be9f37bc56 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 2 Feb 2021 14:08:15 +0100 +Subject: [PATCH 4/4] Align ANSSI Kickstarts with high level + +--- + rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +- + rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 13 ++----------- + 2 files changed, 3 insertions(+), 12 deletions(-) + +diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg +index 745dcbd058..73225c2fab 100644 +--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg ++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg +@@ -89,7 +89,7 @@ timezone --utc America/New_York + # Plaintext password is: password + # Refer to e.g. 
https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create + # encrypted password form for different plaintext password +-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + + # Initialize (format) all disks (optional) + zerombr +diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg +index a1511b157a..cd0eff2625 100644 +--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg +@@ -6,9 +6,6 @@ + # https://pykickstart.readthedocs.io/en/latest/ + # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg + +-# Install a fresh new system (optional) +-install +- + # Specify installation method to use for installation + # To use a different one comment out the 'url' one below, update + # the selected choice with proper options & un-comment it +@@ -52,7 +49,7 @@ keyboard us + # "--bootproto=static" must be used. 
For example: + # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1 + # +-network --onboot yes --bootproto dhcp ++network --onboot yes --bootproto dhcp --noipv6 + + # Set the system's root password (required) + # Plaintext password is: server +@@ -71,12 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf + # --ssh allow sshd service through the firewall + firewall --enabled --ssh + +-# Set up the authentication options for the system (required) +-# --enableshadow enable shadowed passwords by default +-# --passalgo hash / crypt algorithm for new passwords +-# See the manual page for authconfig for a complete list of possible options. +-authconfig --enableshadow --passalgo=sha512 +- + # State of SELinux on the installed system (optional) + # Defaults to enforcing + selinux --enforcing +@@ -89,7 +80,7 @@ timezone --utc America/New_York + # Refer to e.g. + # https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw + # to see how to create encrypted password form for different plaintext password +-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 ++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + + # Initialize (format) all disks (optional) + zerombr diff --git a/SOURCES/scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch b/SOURCES/scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch new file mode 100644 index 0000000..622cfd7 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch 
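Review bot: The rhel7 enhanced kickstart's new bootloader line misspells the kernel parameter, `--append="audit=1 audit_backlog_limig=8192"`, so the backlog limit is never applied at boot while `audit=1` still is; the rhel8 enhanced kickstart and both high kickstarts in this same patch spell it `audit_backlog_limit=8192`. The fix is the one token: `bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=<existing hash>`. Because the kernel accepts an unknown parameter without failing the boot, nothing at install time will surface the typo, and an ANSSI enhanced scan of the installed system would presumably fail the backlog-limit rule with no obvious cause.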
@@ -0,0 +1,57 @@ +From 01b1ade0e5713bf3f11f78cc0ca7e43f74eb8a46 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 2 Feb 2021 01:02:48 +0100 +Subject: [PATCH 1/2] Drop remediation for sysctl_kernel_modules_disabled + +Remediating this during kickstart install time renders the machine +unbootable. +--- + .../restrictions/sysctl_kernel_modules_disabled/rule.yml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml +index 1811c43815..34e8290f74 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml +@@ -32,3 +32,6 @@ template: + sysctlvar: kernel.modules_disabled + sysctlval: '1' + datatype: int ++ backends: ++ # Automated remediation of this rule disrupts installs via kickstart ++ bash: 'off' + +From 77eeafd1af1445a185651c77b143bce0004badda Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Tue, 2 Feb 2021 09:23:17 +0100 +Subject: [PATCH 2/2] Add warning why rule has no remediation + +Rule sysctl_kernel_modules_disabled disrupts the install and boot +process if remediated during installation. 
+--- + .../restrictions/sysctl_kernel_modules_disabled/rule.yml | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml +index 34e8290f74..438cd2759e 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml +@@ -26,6 +26,11 @@ references: + + platform: machine + ++warnings: ++ - general: ++ This rule doesn't come with Bash remediation. ++ Remediating this rule during the installation process disrupts the install and boot process. ++ + template: + name: sysctl + vars: +@@ -33,5 +38,5 @@ template: + sysctlval: '1' + datatype: int + backends: +- # Automated remediation of this rule disrupts installs via kickstart ++ # Automated remediation of this rule during installations disrupts the first boot + bash: 'off' diff --git a/SOURCES/scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch b/SOURCES/scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch new file mode 100644 index 0000000..66e2a29 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch 
@@ -0,0 +1,62 @@ +From eea787e1453b19aa949903c39189479538fbbab9 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Fri, 12 Feb 2021 10:36:10 +0100 +Subject: [PATCH] remove mrules disabling vfat file systems from cis profiles + +--- + rhcos4/profiles/moderate.profile | 1 - + rhel7/profiles/cis.profile | 3 +-- + rhel8/profiles/cis.profile | 4 ++-- + sle15/profiles/cis.profile | 1 - + 4 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/rhcos4/profiles/moderate.profile b/rhcos4/profiles/moderate.profile +index 4e715cae9a..966e092c97 100644 +--- a/rhcos4/profiles/moderate.profile ++++ b/rhcos4/profiles/moderate.profile +@@ -627,4 +627,3 @@ selections: + - kernel_module_squashfs_disabled + - kernel_module_udf_disabled + - kernel_module_usb-storage_disabled +- - kernel_module_vfat_disabled +diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile +index 22d5117546..093d2b5759 100644 +--- a/rhel7/profiles/cis.profile ++++ b/rhel7/profiles/cis.profile +@@ -46,8 +46,7 @@ selections: + #### 1.1.1.7 Ensure mounting of udf filesystems is disabled (Scored) + - kernel_module_udf_disabled + +- #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Scored) +- - kernel_module_vfat_disabled ++ #### 1.1.1.8 Ensure mounting of FAT filesystems is disabled (Manual) + + ### 1.1.2 Ensure separate partition exists for /tmp (Scored) + - partition_for_tmp +diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile +index 9ceeb74f9a..e96d2fbb9d 100644 +--- a/rhel8/profiles/cis.profile ++++ b/rhel8/profiles/cis.profile +@@ -31,8 +31,8 @@ selections: + #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored) + - kernel_module_cramfs_disabled + +- #### 1.1.1.2 Ensure mounting of vFAT flesystems is limited (Not Scored) +- - kernel_module_vfat_disabled ++ #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored) ++ + + #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored) + - kernel_module_squashfs_disabled 
+diff --git a/sle15/profiles/cis.profile b/sle15/profiles/cis.profile +index 9a0efedbdd..fa9ff3b775 100644 +--- a/sle15/profiles/cis.profile ++++ b/sle15/profiles/cis.profile +@@ -25,7 +25,6 @@ selections: + - kernel_module_udf_disabled + + #### 1.1.1.4 Ensure mounting of vFAT flesystems is limited (Not Scored) +- - kernel_module_vfat_disabled + + ### 1.1.2 Ensure /tmp is configured (Scored) + - partition_for_tmp diff --git a/SOURCES/scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch b/SOURCES/scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch new file mode 100644 index 0000000..da64d12 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch @@ -0,0 +1,24 @@ +From 67f33ad17c234106bb3243af9f63ae478daa11ec Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 25 Jan 2021 18:28:26 +0100 +Subject: [PATCH] Reassign a new unique CCE identifier to approved macs STIG + rule. + +--- + .../ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml | 2 +- + shared/references/cce-redhat-avail.txt | 1 - + 2 files changed, 1 insertion(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml +index dc9f7dca7c..88d2d77e14 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml +@@ -19,7 +19,7 @@ rationale: |- + severity: medium + + identifiers: +- cce@rhel7: CCE-83398-8 ++ cce@rhel7: CCE-83636-1 + + references: + disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123 diff --git a/SOURCES/scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch b/SOURCES/scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch new file mode 100644 index 0000000..99c08ab --- /dev/null 
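Review bot: In rhel8/profiles/cis.profile the heading fix replaces the removed `- kernel_module_vfat_disabled` selection with an added empty line, which sits directly above the existing blank separator and leaves two consecutive blank lines under section 1.1.1.2; the rhel7 and sle15 hunks of the same commit drop the selection without adding a blank. Deleting that added `+` line keeps the three profiles formatted alike. The `flesystems` typo in the sle15 heading is left in the context line, although the rhel8 hunk corrects the same word.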
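Review bot: The patch header's diffstat lists `shared/references/cce-redhat-avail.txt | 1 -`, but the 24-line body carries only the rule.yml hunk, so the newly assigned CCE-83636-1 is not struck from the pool of available identifiers in this backport. Presumably the file was trimmed because the pool differs in the 0.1.54 tree, but if that file still exists there and still lists CCE-83636-1, a later rule could be handed the same identifier, defeating the uniqueness this commit is fixing. Either carry the one-line deletion as well or state in the patch description why it was dropped.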
+++ b/SOURCES/scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch @@ -0,0 +1,39 @@ +From 9c6bdd92d2980aff87d1de0085250078ac131eda Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 16 Feb 2021 15:49:46 +0100 +Subject: [PATCH] Remove auditd_data_retention_space_left from RHEL8 STIG + profile. + +This rule is not aligned with STIG because it checks for space left in +megabytes, whereas STIG demands space left in percentage. +--- + rhel8/profiles/stig.profile | 3 ++- + tests/data/profile_stability/rhel8/stig.profile | 1 - + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 0aa6f28986..dccfb548b7 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -219,7 +219,8 @@ selections: + - package_rsyslog_installed + - package_rsyslog-gnutls_installed + - rsyslog_remote_loghost +- - auditd_data_retention_space_left ++ # this rule expects configuration in MB instead percentage as how STIG demands ++ # - auditd_data_retention_space_left + - auditd_data_retention_space_left_action + # remediation fails because default configuration file contains pool instead of server keyword + - chronyd_or_ntpd_set_maxpoll +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 55b645b67b..41782dcf3d 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -63,7 +63,6 @@ selections: + - auditd_data_disk_full_action + - auditd_data_retention_action_mail_acct + - auditd_data_retention_max_log_file_action +-- auditd_data_retention_space_left + - auditd_data_retention_space_left_action + - auditd_local_events + - auditd_log_format 
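Review bot: The comment added above the disabled selection in rhel8/profiles/stig.profile is hard to parse, `# this rule expects configuration in MB instead percentage as how STIG demands`, while the commit message states the reason clearly. Suggest `# this rule checks space_left in MB, whereas STIG demands a percentage`. Commenting the selection out rather than deleting it, as the profile_stability test file does, is fine as a marker that the coverage gap is known.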
diff --git a/SOURCES/scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch b/SOURCES/scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch new file mode 100644 index 0000000..61ed167 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch @@ -0,0 +1,43 @@ +From 0f10e6fe07e068f3fac8cb9563141530f3d8b9e8 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 12 Jan 2021 16:23:07 +0100 +Subject: [PATCH 1/2] remove rule from rhel8 stig + +--- + rhel8/profiles/stig.profile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 882c481066..cda0239433 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -45,7 +45,6 @@ selections: + - package_audispd-plugins_installed + - package_libcap-ng-utils_installed + - auditd_audispd_syslog_plugin_activated +- - accounts_passwords_pam_faillock_enforce_local + - accounts_password_pam_enforce_local + - accounts_password_pam_enforce_root + + +From b558c9030d2f16e59571e1730a3b0350d257d298 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 12 Jan 2021 16:23:25 +0100 +Subject: [PATCH 2/2] modify profile stability test + +--- + tests/data/profile_stability/rhel8/stig.profile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index a4ad24aec2..6676ca497c 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -41,7 +41,6 @@ selections: + - accounts_password_set_max_life_existing + - accounts_password_set_min_life_existing + - accounts_passwords_pam_faillock_deny +-- accounts_passwords_pam_faillock_enforce_local + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - accounts_umask_etc_bashrc 
diff --git a/SOURCES/scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch b/SOURCES/scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch new file mode 100644 index 0000000..29854fc --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch 
@@ -0,0 +1,6088 @@ +From dc92e454b7c3e11b3545b86f1c78b26aeb3f82aa Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 28 Jan 2021 17:45:20 +0100 +Subject: [PATCH 01/21] Add initial RHEL8 STIG V1R1 profile. + +--- + .../auditing/service_auditd_enabled/rule.yml | 1 + + .../base/package_abrt_removed/rule.yml | 1 + + .../base/service_kdump_disabled/rule.yml | 1 + + .../package_fapolicyd_installed/rule.yml | 1 + + .../service_fapolicyd_enabled/rule.yml | 1 + + .../package_vsftpd_removed/rule.yml | 1 + + .../kerberos_disable_no_keytab/rule.yml | 1 + + .../mail/package_sendmail_removed/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../services/ntp/chronyd_client_only/rule.yml | 1 + + .../ntp/chronyd_no_chronyc_network/rule.yml | 1 + + .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 1 + + .../r_services/no_host_based_files/rule.yml | 1 + + .../no_user_host_based_files/rule.yml | 1 + + .../package_rsh-server_removed/rule.yml | 1 + + .../package_telnet-server_removed/rule.yml | 1 + + .../tftp/package_tftp-server_removed/rule.yml | 1 + + .../tftp/tftpd_uses_secure_mode/rule.yml | 1 + + .../rng/service_rngd_enabled/rule.yml | 1 + + .../rule.yml | 1 + + .../file_permissions_sshd_pub_key/rule.yml | 1 + + .../package_openssh-server_installed/rule.yml | 1 + + .../ssh/service_sshd_enabled/rule.yml | 1 + + .../sshd_allow_only_protocol2/rule.yml | 1 + + .../sshd_disable_compression/rule.yml | 1 + + .../sshd_disable_gssapi_auth/rule.yml | 1 + + .../sshd_disable_kerb_auth/rule.yml | 1 + + .../sshd_disable_root_login/rule.yml | 1 + + .../sshd_disable_user_known_hosts/rule.yml | 1 + + .../sshd_disable_x11_forwarding/rule.yml | 1 + + .../sshd_do_not_permit_user_env/rule.yml | 1 + + .../sshd_enable_strictmodes/rule.yml | 1 + + .../sshd_enable_warning_banner/rule.yml | 1 + + .../ssh_server/sshd_print_last_log/rule.yml | 1 + + .../ssh/ssh_server/sshd_rekey_limit/rule.yml | 1 + + 
.../ssh_server/sshd_set_idle_timeout/rule.yml | 1 + + .../ssh_server/sshd_set_keepalive/rule.yml | 1 + + .../sshd_x11_use_localhost/rule.yml | 3 +- + .../sssd/sssd_enable_smartcards/rule.yml | 1 + + .../sssd_offline_cred_expiration/rule.yml | 1 + + .../configure_usbguard_auditbackend/rule.yml | 1 + + .../package_usbguard_installed/rule.yml | 1 + + .../service_usbguard_enabled/rule.yml | 1 + + .../rule.yml | 1 + + .../banner_etc_issue/rule.yml | 1 + + .../dconf_gnome_banner_enabled/rule.yml | 1 + + .../dconf_gnome_login_banner_text/rule.yml | 1 + + .../display_login_attempts/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 2 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../accounts_password_pam_dcredit/rule.yml | 1 + + .../accounts_password_pam_difok/rule.yml | 1 + + .../accounts_password_pam_lcredit/rule.yml | 1 + + .../rule.yml | 1 + + .../accounts_password_pam_maxrepeat/rule.yml | 1 + + .../accounts_password_pam_minclass/rule.yml | 1 + + .../accounts_password_pam_minlen/rule.yml | 1 + + .../accounts_password_pam_ocredit/rule.yml | 1 + + .../accounts_password_pam_retry/rule.yml | 1 + + .../accounts_password_pam_ucredit/rule.yml | 1 + + .../rule.yml | 1 + + .../disable_ctrlaltdel_burstaction/rule.yml | 1 + + .../disable_ctrlaltdel_reboot/rule.yml | 1 + + .../require_emergency_target_auth/rule.yml | 1 + + .../require_singleuser_auth/rule.yml | 1 + + .../configure_bashrc_exec_tmux/rule.yml | 1 + + .../configure_tmux_lock_after_time/rule.yml | 1 + + .../configure_tmux_lock_command/rule.yml | 1 + + .../no_tmux_in_shells/rule.yml | 1 + + .../package_tmux_installed/rule.yml | 1 + + .../install_smartcard_packages/rule.yml | 3 +- + .../package_opensc_installed/rule.yml | 1 + + .../service_debug-shell_disabled/rule.yml | 1 + + .../rule.yml | 1 + + .../account_temp_expire_date/rule.yml | 1 + + .../accounts_maximum_age_login_defs/rule.yml | 1 + + .../accounts_minimum_age_login_defs/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + 
.../rule.yml | 1 + + .../no_empty_passwords/rule.yml | 1 + + .../accounts_no_uid_except_zero/rule.yml | 1 + + .../accounts_have_homedir_login_defs/rule.yml | 1 + + .../accounts_logon_fail_delay/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../accounts_user_home_paths_only/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../file_permission_user_init_files/rule.yml | 1 + + .../rule.yml | 1 + + .../accounts_umask_etc_bashrc/rule.yml | 1 + + .../accounts_umask_etc_login_defs/rule.yml | 1 + + .../accounts_umask_interactive_users/rule.yml | 1 + + .../audit_rules_login_events_lastlog/rule.yml | 1 + + .../audit_rules_immutable/rule.yml | 1 + + .../audit_rules_sysadmin_actions/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../file_ownership_var_log_audit/rule.yml | 1 + + .../file_permissions_var_log_audit/rule.yml | 1 + + .../auditd_data_disk_error_action/rule.yml | 1 + + .../auditd_data_disk_full_action/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../auditd_data_retention_space_left/rule.yml | 1 + + .../rule.yml | 2 + + .../auditd_local_events/rule.yml | 1 + + .../auditd_log_format/rule.yml | 1 + + .../auditd_name_format/rule.yml | 1 + + .../auditing/grub2_audit_argument/rule.yml | 1 + + .../rule.yml | 1 + + .../auditing/package_audit_installed/rule.yml | 1 + + .../audit_immutable_login_uids/rule.yml | 1 + + .../auditing/service_auditd_enabled/rule.yml | 1 + + .../grub2_pti_argument/rule.yml | 1 + + .../grub2_vsyscall_argument/rule.yml | 1 + + .../non-uefi/grub2_admin_username/rule.yml | 1 + + .../non-uefi/grub2_password/rule.yml | 1 + + .../uefi/grub2_uefi_admin_username/rule.yml | 1 + + .../uefi/grub2_uefi_password/rule.yml | 1 + + .../rsyslog_cron_logging/rule.yml | 1 + + .../package_rsyslog-gnutls_installed/rule.yml | 1 + + .../package_rsyslog_installed/rule.yml | 1 + + .../rsyslog_remote_loghost/rule.yml | 1 + + 
.../logging/service_rsyslog_enabled/rule.yml | 1 + + .../package_firewalld_installed/rule.yml | 1 + + .../service_firewalld_enabled/rule.yml | 1 + + .../configure_firewalld_ports/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../sysctl_net_ipv4_ip_forward/rule.yml | 1 + + .../kernel_module_atm_disabled/rule.yml | 1 + + .../kernel_module_can_disabled/rule.yml | 1 + + .../rule.yml | 1 + + .../kernel_module_sctp_disabled/rule.yml | 1 + + .../kernel_module_tipc_disabled/rule.yml | 1 + + .../kernel_module_bluetooth_disabled/rule.yml | 1 + + .../wireless_disable_interfaces/rule.yml | 1 + + .../rule.yml | 1 + + .../network/network_sniffer_disabled/rule.yml | 1 + + .../rule.yml | 1 + + .../file_permissions_ungroupowned/rule.yml | 1 + + .../files/no_files_unowned_by_user/rule.yml | 1 + + .../file_ownership_binary_dirs/rule.yml | 1 + + .../file_ownership_library_dirs/rule.yml | 1 + + .../file_permissions_binary_dirs/rule.yml | 1 + + .../file_permissions_library_dirs/rule.yml | 1 + + .../sysctl_fs_protected_hardlinks/rule.yml | 1 + + .../sysctl_fs_protected_symlinks/rule.yml | 1 + + .../kernel_module_cramfs_disabled/rule.yml | 1 + + .../rule.yml | 1 + + .../mounting/service_autofs_disabled/rule.yml | 1 + + .../mount_option_boot_nosuid/rule.yml | 1 + + .../mount_option_dev_shm_nodev/rule.yml | 1 + + .../mount_option_dev_shm_noexec/rule.yml | 1 + + .../mount_option_dev_shm_nosuid/rule.yml | 1 + + .../mount_option_home_nosuid/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../mount_option_tmp_nodev/rule.yml | 1 + + .../mount_option_tmp_noexec/rule.yml | 1 + + 
.../mount_option_tmp_nosuid/rule.yml | 1 + + .../mount_option_var_log_audit_nodev/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../mount_option_var_log_nodev/rule.yml | 1 + + .../mount_option_var_log_noexec/rule.yml | 1 + + .../mount_option_var_log_nosuid/rule.yml | 1 + + .../mount_option_var_tmp_nodev/rule.yml | 1 + + .../mount_option_var_tmp_noexec/rule.yml | 1 + + .../mount_option_var_tmp_nosuid/rule.yml | 1 + + .../coredump_disable_backtraces/rule.yml | 1 + + .../coredump_disable_storage/rule.yml | 1 + + .../disable_users_coredumps/rule.yml | 1 + + .../rule.yml | 1 + + .../sysctl_kernel_kptr_restrict/rule.yml | 1 + + .../sysctl_kernel_randomize_va_space/rule.yml | 1 + + .../grub2_page_poison_argument/rule.yml | 1 + + .../grub2_slub_debug_argument/rule.yml | 1 + + .../sysctl_kernel_core_pattern/rule.yml | 1 + + .../sysctl_kernel_dmesg_restrict/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../sysctl_kernel_yama_ptrace_scope/rule.yml | 1 + + .../sysctl_user_max_user_namespaces/rule.yml | 1 + + .../rule.yml | 1 + + .../selinux/selinux_policytype/rule.yml | 1 + + .../system/selinux/selinux_state/rule.yml | 1 + + .../encrypt_partitions/rule.yml | 1 + + .../partition_for_home/rule.yml | 1 + + .../partition_for_tmp/rule.yml | 1 + + .../partition_for_var/rule.yml | 1 + + .../partition_for_var_log/rule.yml | 2 + + .../partition_for_var_log_audit/rule.yml | 3 + + .../partition_for_var_tmp/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../installed_OS_is_vendor_supported/rule.yml | 1 + + .../crypto/ssh_client_rekey_limit/rule.yml | 1 + + .../integrity/fips/enable_fips_mode/rule.yml | 1 + + .../fips/grub2_enable_fips_mode/rule.yml | 1 + + .../fips/sysctl_crypto_fips_enabled/rule.yml | 1 + + .../aide/aide_scan_notification/rule.yml | 1 + + .../aide/aide_verify_acls/rule.yml | 1 + + .../aide/aide_verify_ext_attributes/rule.yml | 1 + + 
.../aide/package_aide_installed/rule.yml | 1 + + .../accounts_authorized_local_users/rule.yml | 3 + + .../sudo/sudo_remove_no_authenticate/rule.yml | 1 + + .../sudo/sudo_remove_nopasswd/rule.yml | 1 + + .../package_abrt-addon-ccpp_removed/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../package_abrt-cli_removed/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../package_gssproxy_removed/rule.yml | 3 +- + .../package_iprutils_removed/rule.yml | 1 + + .../package_krb5-workstation_removed/rule.yml | 1 + + .../package_tuned_removed/rule.yml | 1 + + .../clean_components_post_updating/rule.yml | 1 + + .../rule.yml | 1 + + .../ensure_gpgcheck_local_packages/rule.yml | 1 + + .../security_patches_up_to_date/rule.yml | 1 + + rhel8/profiles/stig.profile | 310 ++++++++++++++++-- + 259 files changed, 543 insertions(+), 38 deletions(-) + +diff --git a/apple_os/auditing/service_auditd_enabled/rule.yml b/apple_os/auditing/service_auditd_enabled/rule.yml +index bbb5132b5f..0c34cae438 100644 +--- a/apple_os/auditing/service_auditd_enabled/rule.yml ++++ b/apple_os/auditing/service_auditd_enabled/rule.yml +@@ -35,6 +35,7 @@ references: + nist: AU-3,AU-3(1),AU-8(a),AU-8(b),AU-12(3),AU-14(1) + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00020,SRG-OS-000042-GPOS-00021,SRG-OS-000055-GPOS-00026,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000303-GPOS-00120,SRG-OS-000337-GPOS-00129,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146 + stigid: AOSX-14-001013 ++ stigid@rhel8: RHEL-08-010560 + + ocil_clause: 'auditing is not enabled or running' + +diff --git a/linux_os/guide/services/base/package_abrt_removed/rule.yml b/linux_os/guide/services/base/package_abrt_removed/rule.yml +index 3cee145e25..03f8a5b6a0 100644 +--- a/linux_os/guide/services/base/package_abrt_removed/rule.yml ++++ 
b/linux_os/guide/services/base/package_abrt_removed/rule.yml +@@ -25,6 +25,7 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt") }}} + +diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml +index ff9d439b4f..8676710018 100644 +--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml ++++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml +@@ -39,6 +39,7 @@ references: + iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2 + cis-csc: 11,12,14,15,3,8,9 + ospp: FMT_SMF_EXT.1.1 ++ stigid@rhel8: RHEL-08-010670 + + ocil: '{{{ ocil_service_disabled(service="kdump") }}}' + +diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml +index 5869cac7ab..a35cb48f83 100644 +--- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml ++++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml +@@ -20,6 +20,7 @@ identifiers: + references: + nist: CM-6(a),SI-4(22) + srg: SRG-OS-000370-GPOS-00155 ++ stigid@rhel8: RHEL-08-040135 + + ocil_clause: 'the package is not installed' + +diff --git a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml +index 11f2e9cf7a..44b97a8d6f 100644 +--- a/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml ++++ b/linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml +@@ -22,6 +22,7 @@ references: + nist: CM-6(a),SI-4(22) + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000370-GPOS-00155 ++ stigid@rhel8: RHEL-08-040135 + + ocil_clause: 'the service is not enabled' + +diff --git 
a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml +index 737d9b9cb6..dc7d79af44 100644 +--- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml ++++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml +@@ -28,6 +28,7 @@ references: + cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06 + iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 + cis-csc: 11,14,3,9 ++ stigid@rhel8: RHEL-08-040360 + + {{{ complete_ocil_entry_package(package="vsftpd") }}} + +diff --git a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml +index c552fa7889..d29370c9e9 100644 +--- a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml ++++ b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml +@@ -20,6 +20,7 @@ references: + ospp: FTP_ITC_EXT.1 + srg: SRG-OS-000120-GPOS-00061 + ism: 0418,1055,1402 ++ stigid@rhel8: RHEL-08-010161 + + ocil_clause: 'it is present on the system' + +diff --git a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml +index 1b62fb49fb..ed29daa2f6 100644 +--- a/linux_os/guide/services/mail/package_sendmail_removed/rule.yml ++++ b/linux_os/guide/services/mail/package_sendmail_removed/rule.yml +@@ -30,6 +30,7 @@ references: + cis-csc: 11,14,3,9 + anssi: BP28(R1) + srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel8: RHEL-08-040002 + + {{{ complete_ocil_entry_package(package="sendmail") }}} + +diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +index 1c4bfb60bf..96601ebb87 100644 +--- 
a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml ++++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +@@ -31,6 +31,7 @@ references: + disa@sle12: CCI-000139 + nist@sle12: AU-5(a),AU-5.1(ii) + anssi: BP28(R49) ++ stigid@rhel8: RHEL-08-030030 + + ocil_clause: 'it is not' + +diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml +index c2357fe9ee..4bfcc16c7f 100644 +--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml ++++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml +@@ -24,6 +24,7 @@ references: + disa: CCI-000366 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040680 ++ stigid@rhel8: RHEL-08-040290 + + ocil_clause: 'it is not' + +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml +index b3be78ef91..3349a7963a 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml +@@ -23,6 +23,7 @@ references: + cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS05.06,DSS06.06 + iso27001-2013: A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2 + cis-csc: 
11,13,14,3,8,9 ++ stigid@rhel8: RHEL-08-010640 + + ocil_clause: 'the setting does not show' + +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml +index d9c17fb416..ee6b9aa54a 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml +@@ -31,6 +31,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + stigid@sle12: SLES-12-010820 ++ stigid@rhel8: RHEL-08-010630 + + ocil_clause: 'the setting does not show' + +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml +index c14b0aeefb..6b71f94c2b 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml +@@ -29,6 +29,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + stigid@sle12: 
SLES-12-010810 ++ stigid@rhel8: RHEL-08-010650 + + ocil_clause: 'the setting does not show' + +diff --git a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml +index 76e13f8eb1..071934387c 100644 +--- a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml +@@ -24,6 +24,7 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000096-GPOS-00050 ++ stigid@rhel8: RHEL-08-030741 + + ocil_clause: 'it does not exist or port is set to non-zero value' + +diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml +index 1312c1cfb5..cbc9cc670c 100644 +--- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml +@@ -24,6 +24,7 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000096-GPOS-00050 ++ stigid@rhel8: RHEL-08-030742 + + ocil_clause: 'it does not exist or port is set to non-zero value' + +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +index 4e4be3002f..9a802b5d5d 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +@@ -42,6 +42,7 @@ references: + cis-csc: 1,14,15,16,3,5,6 + stigid@sle12: SLES-12-030300 + nist@sle12: AU-8(1)(a),AU-8(1)(b) ++ stigid@rhel8: RHEL-08-030740 + + ocil_clause: 'it does not exist or maxpoll has not been set to the expected value' + +diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml +index 9891cedab0..01eb9e5f99 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml ++++ 
b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml +@@ -29,6 +29,7 @@ references: + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040550 + stigid@sle12: SLES-12-010410 ++ stigid@rhel8: RHEL-08-010460 + + ocil_clause: 'these files exist' + +diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml +index a7f4996f3b..48bff043a6 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml +@@ -30,6 +30,7 @@ references: + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040540 + stigid@sle12: SLES-12-010400 ++ stigid@rhel8: RHEL-08-010470 + + ocil_clause: 'these files exist' + +diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +index e5deb01ddb..23d30cb5af 100644 +--- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +@@ -34,6 +34,7 @@ references: + isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 + cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06 + cis-csc: 11,12,14,15,3,8,9 ++ stigid@rhel8: RHEL-08-040010 + + {{{ complete_ocil_entry_package(package="rsh-server") }}} + +diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +index 619b3f0b7d..f42bcba15e 100644 +--- 
a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +@@ -44,6 +44,7 @@ references: + isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 + cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06 + cis-csc: 11,12,14,15,3,8,9 ++ stigid@rhel8: RHEL-08-040000 + + {{{ complete_ocil_entry_package(package="telnet-server") }}} + +diff --git a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +index 57f3c0f8bc..2d0258db1e 100644 +--- a/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml +@@ -33,6 +33,7 @@ references: + cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06 + iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2 + cis-csc: 11,12,14,15,3,8,9 ++ stigid@rhel8: RHEL-08-040190 + + {{{ complete_ocil_entry_package(package="tftp-server") }}} + +diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml +index b2d87944f1..24cefbb6f9 100644 +--- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml ++++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml +@@ -38,6 +38,7 @@ references: + cobit5: APO01.06,APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 + iso27001-2013: 
A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 11,12,13,14,15,16,18,3,5,8,9 ++ stigid@rhel8: RHEL-08-040350 + + ocil_clause: 'this flag is missing' + +diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml +index 1cc21d0d00..feebdff4eb 100644 +--- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml ++++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml +@@ -21,6 +21,7 @@ identifiers: + references: + ospp: FCS_RBG_EXT.1 + srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel8: RHEL-08-010471 + + ocil_clause: 'the service is not enabled' + +diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +index d460411667..5397a3fdce 100644 +--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml ++++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +@@ -35,6 +35,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + cis@rhel8: 5.2.3 ++ stigid@rhel8: RHEL-08-010490 + + ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms="-rw-r-----") }}}' + +diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +index b9e07d71af..d49e375df4 100644 +--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml ++++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +@@ -30,6 +30,7 @@ 
references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + cis@rhel8: 5.2.4 ++ stigid@rhel8: RHEL-08-010480 + + ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}' + +diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +index 84882d52b3..4fda79df25 100644 +--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml ++++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +@@ -31,6 +31,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 13,14 + ospp: FIA_UAU.5,FTP_ITC_EXT.1 ++ stigid@rhel8: RHEL-08-040160 + + ocil_clause: 'the package is not installed' + +diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml +index f0e258bf04..81d63480c3 100644 +--- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml ++++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml +@@ -38,6 +38,7 @@ references: + cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.07,DSS06.02,DSS06.06 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 13,14 ++ stigid@rhel8: RHEL-08-040160 + + ocil: '{{{ ocil_service_enabled(service="sshd") }}}' + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml 
b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
+index 2f5bdfdee3..fc6175e446 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/rule.yml
+@@ -41,6 +41,7 @@ references:
+ iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.18.1.4,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16,5,8
+ ism: 0487,1449,1506
++ stigid@rhel8: RHEL-08-040060
+ 
+ ocil_clause: 'it is commented out or is not set correctly to Protocol 2'
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+index f8eec6a074..9e4e2f48b4 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
+@@ -39,6 +39,7 @@ references:
+ cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
+ cis-csc: 11,3,9
++ stigid@rhel8: RHEL-08-010510
+ 
+ ocil_clause: 'it is commented out, or is not set to no or delayed'
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
+index c79d0b5e07..f9ece13f51 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml
+@@ -36,6 +36,7 @@ references:
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
+ cis-csc: 11,3,9
+ ism: 0418,1055,1402
++ stigid@rhel8: RHEL-08-010521
+ 
+ ocil_clause: 'it is commented out or is not disabled'
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
+index 1f1380127c..50eb7a28cb 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml
+@@ -37,6 +37,7 @@ references:
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
+ cis-csc: 11,3,9
+ ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
++ stigid@rhel8: RHEL-08-010521
+ 
+ ocil_clause: 'it is commented out or is not disabled'
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
+index 287954db61..8360f5fa34 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
+@@ -46,6 +46,7 @@ references:
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,3,5
+ anssi: BP28(R19),NT007(R21)
++ stigid@rhel8: RHEL-08-010550
+ 
+ {{{ complete_ocil_entry_sshd_option(default="no", option="PermitRootLogin", value="no") }}}
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
+index 93ff19deff..b55e749139 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
+@@ -38,6 +38,7 @@ references:
+ cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
+ cis-csc: 11,3,9
++ stigid@rhel8: RHEL-08-010520
+ 
+ {{{ complete_ocil_entry_sshd_option(default="no", option="IgnoreUserKnownHosts", value="yes") }}}
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+index 5d01170aab..14f0270c78 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+@@ -37,6 +37,7 @@ references:
+ srg: SRG-OS-000480-GPOS-00227
+ disa: CCI-000366
+ nist: CM-6(b)
++ stigid@rhel8: RHEL-08-040340
+ 
+ template:
+ name: sshd_lineinfile
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
+index e5d54261d3..b1d33d3f86 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
+@@ -39,6 +39,7 @@ references:
+ cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
+ cis-csc: 11,3,9
++ stigid@rhel8: RHEL-08-010830
+ 
+ ocil_clause: 'PermitUserEnvironment is not disabled'
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
+index 601f6a0ca2..9eeb8f8985 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
+@@ -36,6 +36,7 @@ references:
+ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 12,13,14,15,16,18,3,5
++ stigid@rhel8: RHEL-08-010500
+ 
+ ocil_clause: 'it is commented out or is not enabled'
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+index c93ef6340f..2eb688c1ec 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
+@@ -43,6 +43,7 @@ references:
+ cobit5: DSS05.04,DSS05.10,DSS06.10
+ iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16
++ stigid@rhel8: RHEL-08-010040
+ 
+ {{{ complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue") }}}
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
+index 0ce5da30b2..cb15b1e9e9 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
+@@ -32,6 +32,7 @@ references:
+ cobit5: DSS05.04,DSS05.10,DSS06.10
+ iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16
++ stigid@rhel8: RHEL-08-020350
+ 
+ ocil_clause: 'it is commented out or is not enabled'
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+index d7941f9c0e..f3f15251b2 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
+@@ -22,6 +22,7 @@ identifiers:
+ references:
+ ospp: FCS_SSHS_EXT.1
+ srg: SRG-OS-000480-GPOS-00227
++ stigid@rhel8: RHEL-08-040161
+ 
+ ocil_clause: 'it is commented out or is not set'
+ 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+index 7c6cb7a2d0..19151f0273 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
+@@ -52,6 +52,7 @@ references:
+ iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,12,13,14,15,16,18,3,5,7,8
+ anssi: BP28(R29)
++ stigid@rhel8: RHEL-08-010200
+ 
+ requires:
+ - sshd_set_keepalive
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+index c43fce001a..8987c9b9ed 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
+@@ -47,6 +47,7 @@ references:
+ cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
+ iso27001-2013: A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,12,13,14,15,16,18,3,5,7,8
++ stigid@rhel8: RHEL-08-010200
+ 
+ requires:
+ - sshd_set_idle_timeout
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+index b0fe065d86..bee39a3904 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+ 
+-prodtype: fedora,ol7,rhel7
++prodtype: fedora,ol7,ol8,rhel7,rhel8
+ 
+ title: 'Prevent remote hosts from connecting to the proxy display'
+ 
+@@ -29,6 +29,7 @@ references:
+ stig@ol7: OL07-00-040711
+ disa: CCI-000366
+ nist: CM-6(b)
++ stigid@rhel8: RHEL-08-040341
+ 
+ ocil_clause: "the display proxy is listening on wildcard address"
+ 
+diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
+index 7a51b3960f..bcf9d58e62 100644
+--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
++++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml
+@@ -38,6 +38,7 @@ references:
+ srg: SRG-OS-000375-GPOS-00160
+ vmmsrg: SRG-OS-000107-VMM-000530
+ ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
++ stigid@rhel8: RHEL-08-020250
+ 
+ ocil_clause: 'smart cards are not enabled in SSSD'
+ 
+diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
+index b2c450b58e..09ee5187a6 100644
+--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
++++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
+@@ -36,6 +36,7 @@ references:
+ cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
+ iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16,5
++ stigid@rhel8: RHEL-08-020290
+ 
+ ocil_clause: 'it does not exist or is not configured properly'
+ 
+diff --git a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
+index 2b87e7964f..b2fc36bbfc 100644
+--- a/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
++++ b/linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml
+@@ -23,6 +23,7 @@ identifiers:
+ references:
+ ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000062-GPOS-00031
++ stigid@rhel8: RHEL-08-030603
+ 
+ ocil_clause: 'AuditBackend is not set to LinuxAudit'
+ 
+diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
+index f23176d83e..6806e0861d 100644
+--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
++++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
+@@ -22,6 +22,7 @@ identifiers:
+ references:
+ srg: SRG-OS-000378-GPOS-00163
+ ism: "1418"
++ stigid@rhel8: RHEL-08-040140
+ 
+ ocil_clause: 'the package is not installed'
+ 
+diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
+index 3f357aa8b7..918a29945d 100644
+--- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
++++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
+@@ -24,6 +24,7 @@ references:
+ ospp: FMT_SMF_EXT.1
+ srg: SRG-OS-000378-GPOS-00163
+ ism: "1418"
++ stigid@rhel8: RHEL-08-040140
+ 
+ ocil_clause: 'the service is not enabled'
+ 
+diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+index 2c34030cdb..789b84643a 100644
+--- a/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
++++ b/linux_os/guide/services/xwindows/disabling_xwindows/package_xorg-x11-server-common_removed/rule.yml
+@@ -40,6 +40,7 @@ references:
+ iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.6.2.1,A.6.2.2
+ cis-csc: 12,15,8
+ cis@sle15: 2.2.2
++ stigid@rhel8: RHEL-08-040320
+ 
+ ocil_clause: 'the X Windows package group or xorg-x11-server-common has not be removed'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+index 637d8ee528..5e00846773 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
+@@ -71,6 +71,7 @@ references:
+ cobit5: DSS05.04,DSS05.10,DSS06.10
+ iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16
++ stigid@rhel8: RHEL-08-010060
+ 
+ ocil_clause: 'it does not display the required banner'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
+index 47c4edad90..c364bdb9e1 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml
+@@ -49,6 +49,7 @@ references:
+ cobit5: DSS05.04,DSS05.10,DSS06.10
+ iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16
++ stigid@rhel8: RHEL-08-010050
+ 
+ ocil_clause: 'it is not'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml
+index c600620f18..135f15e1be 100644
+--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml
+@@ -47,6 +47,7 @@ references:
+ cobit5: DSS05.04,DSS05.10,DSS06.10
+ iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16
++ stigid@rhel8: RHEL-08-010050
+ 
+ ocil_clause: 'it does not'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
+index 3ba5b642db..a6eefa9c15 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml
+@@ -38,6 +38,7 @@ references:
+ iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16
+ ism: 0582,0584,05885,0586,0846,0957
++ stigid@rhel8: RHEL-08-020340
+ 
+ ocil_clause: 'that is not the case'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+index 1669db1231..78247557de 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
+@@ -46,6 +46,7 @@ references:
+ cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
+ iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16,5
++ stigid@rhel8: RHEL-08-020220
+ 
+ ocil_clause: 'the value of remember is not set equal to or greater than the expected setting'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+index ccee5dd048..85a0ba18a3 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
+@@ -47,6 +47,7 @@ references:
+ iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16
+ ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
++ stigid@rhel8: RHEL-08-020010
+ 
+ ocil_clause: 'that is not the case'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+index 882b57654e..4b7ee01946 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
+@@ -44,6 +44,8 @@ references:
+ iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16
+ ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
++ stigid@rhel8: RHEL-08-020010
++ stigid@rhel8: RHEL-08-020022
+ 
+ ocil_clause: 'that is not the case'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+index d1b9c396ae..6bc0f02afc 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
+@@ -53,6 +53,7 @@ references:
+ iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16
+ ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
++ stigid@rhel8: RHEL-08-020012
+ 
+ ocil_clause: 'fail_interval is less than the required value'
+ 
+diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
+index 
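Review bot: In the accounts_passwords_pam_faillock_deny_root hunk (`@@ -44,6 +44,8 @@ references:`) the two added lines `stigid@rhel8: RHEL-08-020010` and `stigid@rhel8: RHEL-08-020022` put the same key twice into one `references:` mapping, which is a duplicate YAML mapping key; depending on the loader this is rejected outright or the second value silently replaces the first, so RHEL-08-020010 would most likely never reach the built content. Every other multi-valued key in these hunks carries its IDs as one comma-separated scalar (`ism: 0421,0422,...`, `srg: SRG-OS-...,SRG-OS-...`), so if the build accepts the same form for this key the single line `stigid@rhel8: RHEL-08-020010,RHEL-08-020022` records both without the duplicate. The enclosing hunk of the .patch file being modified starts before and ends after this chunk.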
2fff1c6011..ead8f697f4 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml +@@ -50,6 +50,7 @@ references: + iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16 + ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 ++ stigid@rhel8: RHEL-08-020014 + + ocil_clause: 'unlock_time is less than the expected value' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +index 8519b72a6b..11040cfa87 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +@@ -46,6 +46,7 @@ references: + iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 + ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 ++ stigid@rhel8: RHEL-08-020130 + + ocil_clause: 'dcredit is not found or not equal to or less than the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +index fb64b61520..d659f480d2 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +@@ -47,6 +47,7 @@ references: + cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 + iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 ++ stigid@rhel8: RHEL-08-020170 + + ocil_clause: 'difok is not found or not equal to or greater than the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml +index 26fc519e3d..086354372f 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml +@@ -45,6 +45,7 @@ references: + iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 + ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 ++ stigid@rhel8: RHEL-08-020120 + + ocil_clause: 'lcredit is not found or not less than or equal to the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml +index d449c97950..5bac335e2d 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml 
+@@ -38,6 +38,7 @@ references: + cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 + iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 ++ stigid@rhel8: RHEL-08-020140 + + ocil_clause: 'that is not the case' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml +index cb2755b255..42d5584a9d 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml +@@ -40,6 +40,7 @@ references: + cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 + iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 ++ stigid@rhel8: RHEL-08-020150 + + ocil_clause: 'maxrepeat is not found or not greater than or equal to the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +index dfd34c893e..3e71d9094b 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +@@ -53,6 +53,7 @@ references: + iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 + ism: 
0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 ++ stigid@rhel8: RHEL-08-020160 + + ocil_clause: 'minclass is not found or not set equal to or greater than the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +index 0776e196f6..a79a03f374 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +@@ -44,6 +44,7 @@ references: + iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 + ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 ++ stigid@rhel8: RHEL-08-020230 + + ocil_clause: 'minlen is not found, or not equal to or greater than the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml +index b82667936b..dd05085fa3 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml +@@ -46,6 +46,7 @@ references: + iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 + ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 ++ stigid@rhel8: RHEL-08-020280 + + ocil_clause: 'ocredit is not 
found or not equal to or less than the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +index 6b1534adde..90f74b2d3c 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml +@@ -38,6 +38,7 @@ references: + cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 + iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,11,12,15,16,3,5,9 ++ stigid@rhel8: RHEL-08-020100 + + ocil_clause: 'it is not the required value' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml +index c2d8f3a1eb..5a656a42a0 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml +@@ -43,6 +43,7 @@ references: + iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 + ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 ++ stigid@rhel8: RHEL-08-020110 + + ocil_clause: 'ucredit is not found or not set less than or equal to the required value' + +diff --git 
a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml +index 96ffec0eaa..bbfcd7fc28 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml +@@ -42,6 +42,7 @@ references: + cis-csc: 1,12,15,16,5 + anssi: BP28(R32) + ism: 0418,1055,1402 ++ stigid@rhel8: RHEL-08-010110 + + ocil_clause: 'it does not' + +diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml +index a9e86f2ddd..7192666fc8 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml +@@ -37,6 +37,7 @@ references: + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 ++ stigid@rhel8: RHEL-08-040172 + + ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.' 
+ +diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml +index 5824f7b2ca..6066c9391b 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml +@@ -47,6 +47,7 @@ references: + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 ++ stigid@rhel8: RHEL-08-040170 + + ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed' + +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +index f9959f0720..2e902739ae 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +@@ -42,6 +42,7 @@ references: + iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,14,15,16,18,3,5 + ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 ++ stigid@rhel8: RHEL-08-010151 + + ocil_clause: 'the output is different' + +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +index b3afff50c5..8acaaa862c 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +@@ -44,6 +44,7 @@ references: + iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,14,15,16,18,3,5 + ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 ++ stigid@rhel8: RHEL-08-010151 + + ocil_clause: 'the output is different' + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml +index 21edfc9f0b..2582145a8c 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml +@@ -21,6 +21,7 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000031-GPOS-00012 ++ stigid@rhel8: RHEL-08-020041 + + ocil_clause: 'exec tmux is not present at the end of bashrc' + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml +index 7816ebc8f9..fe99051eb6 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml +@@ -22,6 +22,7 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000029-GPOS-00010 ++ stigid@rhel8: RHEL-08-020070 + + ocil_clause: 'lock-after-time is not set or set to zero' + +diff --git 
a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml +index bf1ea79df9..88ce99f41b 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/rule.yml +@@ -26,6 +26,7 @@ identifiers: + references: + disa: CCI-000056,CCI-000058 + nist: AC-11(a),AC-11(b),CM-6(a) ++ stigid@rhel8: RHEL-08-020040 + + vmmsrg: SRG-OS-000028-VMM-000090,SRG-OS-000030-VMM-000110 + srg: SRG-OS-000028-GPOS-00009 +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml +index 596126aafa..ecd9e8f147 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml +@@ -22,6 +22,7 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000324-GPOS-00125 ++ stigid@rhel8: RHEL-08-020042 + + ocil_clause: 'tmux is listed in /etc/shells' + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml +index c900612b1b..d57802a37e 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml
+@@ -40,6 +40,7 @@ references:
+ cobit5: DSS05.04,DSS05.10,DSS06.10
+ iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16
++ stigid@rhel8: RHEL-08-020040
+
+ ocil_clause: 'the package is not installed'
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+index b3210d6adc..29aa49483d 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,rhel7
++prodtype: fedora,ol7,rhel7,rhel8
+
+ title: 'Install Smart Card Packages For Multifactor Authentication'
+
+@@ -32,6 +32,7 @@ references:
+ nist: CM-6(a)
+ srg: SRG-OS-000105-GPOS-00052,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000377-GPOS-00162
+ stigid@rhel7: RHEL-07-041001
++ stigid@rhel8: RHEL-08-010390
+
+ ocil_clause: 'smartcard software is not installed'
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
+index 2770b637f0..74da38fa22 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml
+@@ -31,6 +31,7 @@ references:
+ srg: SRG-OS-000375-GPOS-00160
+ vmmsrg: SRG-OS-000376-VMM-001520
+ ism: 
1382,1384,1386
++ stigid@rhel8: RHEL-08-010410
+
+ ocil_clause: 'the package is not installed'
+
+diff --git a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
+index 0f22245e6f..1f712eed7e 100644
+--- a/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml
+@@ -32,6 +32,7 @@ references:
+ hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
+ ospp: FIA_UAU.1
+ srg: SRG-OS-000324-GPOS-00125
++ stigid@rhel8: RHEL-08-040180
+
+ ocil: '{{{ ocil_service_disabled(service="debug-shell") }}}'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+index add8ac0dbd..7e6b5d794e 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+@@ -47,6 +47,7 @@ references:
+ cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
+ iso27001-2013: A.12.4.1,A.12.4.3,A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,12,13,14,15,16,18,3,5,7,8
++ stigid@rhel8: RHEL-08-020260
+
+ ocil_clause: 'the value of INACTIVE is greater than the expected value'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml 
b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
+index b647776778..ced7a52a67 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
+@@ -44,6 +44,7 @@ references:
+ iso27001-2013: A.12.4.1,A.12.4.3,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,12,13,14,15,16,18,3,5,7,8
+ stigid@sle12: SLES-12-010360
++ stigid@rhel8: RHEL-08-020000
+
+ ocil_clause: 'any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+index d8ccd9e086..15ccf530c6 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+@@ -47,6 +47,7 @@ references:
+ iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
+ cis-csc: 1,12,15,16,5
+ ism: 0418,1055,1402
++ stigid@rhel8: RHEL-08-020200
+
+ ocil_clause: 'PASS_MAX_DAYS is not set equal to or greater than the required value'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+index 0b6f878378..36a611e3d2 100644
+--- 
a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+@@ -45,6 +45,7 @@ references:
+ cis-csc: 1,12,15,16,5
+ cis@rhel8: 5.5.1.2
+ ism: 0418,1055,1402
++ stigid@rhel8: RHEL-08-020190
+
+ ocil_clause: 'it is not equal to or greater than the required value'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+index 909b51faa8..f9884fd9b4 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
+@@ -42,6 +42,7 @@ references:
+ cis-csc: 1,12,15,16,5
+ srg: SRG-OS-000078-GPOS-00046
+ ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
++ stigid@rhel8: RHEL-08-020231
+
+ ocil_clause: 'it is not set to the required value'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
+index 6d91224cd9..0ef1fcfe8d 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
+@@ -31,6 +31,7 @@ references:
+ vmmsrg: SRG-OS-000076-VMM-000430
+ stigid@rhel7: RHEL-07-010260
+ stigid@sle12: SLES-12-010290
++ stigid@rhel8: RHEL-08-020210
+
+ ocil_clause: 'existing passwords are not 
configured correctly'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
+index 44da709702..cc073067fb 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
+@@ -31,6 +31,7 @@ references:
+ vmmsrg: SRG-OS-000075-VMM000420
+ stigid@rhel7: RHEL-07-010240
+ stigid@sle12: SLES-12-010260
++ stigid@rhel8: RHEL-08-020180
+
+ ocil_clause: 'existing passwords are not configured correctly'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+index 0e36afc8dc..df6da6b913 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+@@ -45,6 +45,7 @@ references:
+ cobit5: APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,12,13,14,15,16,18,3,5
++ stigid@rhel8: sshd_disable_empty_passwords
+
+ ocil_clause: 'NULL passwords can be used'
+
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml 
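Review bot: The value added for no_empty_passwords, `stigid@rhel8: sshd_disable_empty_passwords`, is a rule id rather than a STIG identifier; every other `stigid@rhel8` entry in this patch carries a `RHEL-08-` number, and a rule name here would be emitted as a bogus STIG id wherever the references are rendered or mapped. Replace it with the correct identifier for this rule (placeholder: `stigid@rhel8: RHEL-08-XXXXXX`) or drop the line until it is known. The outer hunk of the .patch file that carries these lines starts and ends outside this view.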
b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+index 7fd291caea..6b3c71fa80 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+@@ -42,6 +42,7 @@ references:
+ cobit5: APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,12,13,14,15,16,18,3,5
++ stigid@rhel8: RHEL-08-040200
+
+ ocil_clause: 'any account other than root has a UID of 0'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
+index fdd7c6f603..9e19b908c4 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
+@@ -29,6 +29,7 @@ references:
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020610
+ stigid@sle12: SLES-12-010720
++ stigid@rhel8: RHEL-08-010760
+
+ ocil_clause: 'the value of CREATE_HOME is not set to yes, is missing, or the line is commented out'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+index 84b38afc2c..e62e3cc62b 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
+@@ -30,6 +30,7 @@ references: 
+ cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
+ cis-csc: 11,3,9
++ stigid@rhel8: RHEL-08-020310
+
+ ocil_clause: 'the above command returns no output, or FAIL_DELAY is configured less than the expected value'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+index 32412aa482..5787380d65 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+@@ -37,6 +37,7 @@ references:
+ cobit5: DSS01.05,DSS05.02
+ iso27001-2013: A.13.1.1,A.13.1.3,A.13.2.1,A.14.1.2,A.14.1.3
+ cis-csc: 14,15,18,9
++ stigid@rhel8: RHEL-08-020024
+
+ ocil_clause: 'maxlogins is not equal to or less than the expected value'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+index 77f3a12148..b73743ebcb 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+@@ -28,6 +28,7 @@ references:
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020730
+ stigid@sle12: SLES-12-010780
++ stigid@rhel8: RHEL-08-010660
+
+ ocil_clause: 'files are executing world-writable programs'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+index 0154c1d73b..b70bfc171a 100644
+--- 
a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+@@ -32,6 +32,7 @@ references:
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020720
+ stigid@sle12: SLES-12-010770
++ stigid@rhel8: RHEL-08-010690
+
+ ocil_clause: 'paths contain more than local home directories'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+index 9ee21744b2..a0e6277ec6 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+@@ -24,6 +24,7 @@ references:
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020600
+ stigid@sle12: SLES-12-010710
++ stigid@rhel8: RHEL-08-010720
+
+ ocil_clause: 'users home directory is not defined'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+index a262abba7a..1c8fb04df7 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+@@ -31,6 +31,7 @@ references:
+ stigid@rhel7: RHEL-07-020620
+ cis@rhel8: 6.2.20
+ stigid@sle12: SLES-12-010730
++ stigid@rhel8: RHEL-08-010750
+
+ ocil_clause: 'users home directory does not exist'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml 
b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+index dfcbbafd17..6c70cc8abf 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+@@ -30,6 +30,7 @@ references:
+ stigid@rhel7: RHEL-07-020650
+ cis@rhel8: 6.2.8
+ stigid@sle12: SLES-12-010750
++ stigid@rhel8: RHEL-08-010740
+
+ ocil_clause: 'the group ownership is incorrect'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+index 4810c941d6..411a46dd00 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+@@ -26,6 +26,7 @@ references:
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020710
+ stigid@sle12: SLES-12-010760
++ stigid@rhel8: RHEL-08-010770
+
+ ocil_clause: 'they are not 0740 or more permissive'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+index 4898bfa6b6..62d603cfbb 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+@@ -26,6 +26,7 @@ references:
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020630
+ stigid@sle12: SLES-12-010740
++ stigid@rhel8: RHEL-08-010730
+
+ ocil_clause: 'they are more permissive'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml 
b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+index 8acc92b311..1c8219de70 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
+@@ -32,6 +32,7 @@ references:
+ iso27001-2013: A.14.1.1,A.14.2.1,A.14.2.5,A.6.1.5
+ cis-csc: '18'
+ srg: SRG-OS-000480-GPOS-00228
++ stigid@rhel8: RHEL-08-020353
+
+ ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+index 0f4eb59188..0c86e6e9f7 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+@@ -33,6 +33,7 @@ references:
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.1.1,A.14.2.1,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.5,A.6.1.5
+ cis-csc: 11,18,3,9
+ anssi: BP28(R35)
++ stigid@rhel8: RHEL-08-020351
+
+ ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
+index 6279928044..7629fcb3e4 100644
+--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml
+@@ -24,6 +24,7 @@ references:
+ disa: CCI-000366,CCI-001814
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-021040
++ stigid@rhel8: RHEL-08-020352
+
+ 
ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+index 54e820c309..1d8a6f72cb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+@@ -50,6 +50,7 @@ references:
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
+ cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
++ stigid@rhel8: RHEL-08-030600
+
+ ocil_clause: 'there is not output'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+index d264af9e2b..1f563ae0d0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/rule.yml
+@@ -42,4 +42,5 @@ references:
+ cobit5: APO01.06,APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ iso27001-2013: 
A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
++ stigid@rhel8: RHEL-08-030121
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+index f03069bae6..df14260d6d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+@@ -46,6 +46,7 @@ references:
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
++ stigid@rhel8: RHEL-08-030172
+
+ ocil_clause: 'there is not output'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+index e4b2b8dcb8..0af217801a 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+@@ -53,6 
+53,7 @@ references:
+ iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
+ stigid@sle12: SLES-12-020210
++ stigid@rhel8: RHEL-08-030170
+
+ ocil_clause: 'the system is not configured to audit account changes'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+index 0b5707f596..f4dce5557c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+@@ -53,6 +53,7 @@ references:
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
++ stigid@rhel8: RHEL-08-030160
+
+ ocil_clause: 'the system is not configured to audit account changes'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+index 41434f664a..240d4d8e2e 100644
+--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+@@ -54,6 +54,7 @@ references:
+ cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
+ srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
+ stigid@sle12: SLES-12-020230
++ stigid@rhel8: RHEL-08-030140
+
+ ocil_clause: 'the system is not configured to audit account changes'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+index bae0a29903..069916da1b 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+@@ -53,6 +53,7 @@ references:
+ iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
+ stigid@sle12: SLES-12-020200
++ stigid@rhel8: RHEL-08-030150
+
+ ocil_clause: 'the system is not configured to audit account changes'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+index f3d9cf9cd2..5c13ca58f6 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+@@ -54,6 +54,7 @@ references:
+ cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
+ stigid@sle12: SLES-12-020220
+ srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
++ stigid@rhel8: RHEL-08-030130
+
+ ocil_clause: 'the system is not configured to audit account changes'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+index 671eb1ff9f..09618d986d 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml
+@@ -25,6 +25,7 @@ references:
+ cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
++ stigid@rhel8: RHEL-08-030120
+
+ ocil_clause: 'any are more permissive'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+index 2bcfdca4b6..e495992ecb 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
+@@ -33,6 +33,7 @@ references:
+ cobit5: 
APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
++ stigid@rhel8: RHEL-08-030080
+
+ ocil: |-
+ {{{ describe_file_owner(file="/var/log/audit", owner="root") }}}
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+index 2ec44f4041..eae8a2dfd0 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
+@@ -36,6 +36,7 @@ references:
+ cobit5: APO01.06,APO11.04,APO12.06,BAI03.05,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,DSS06.02,MEA02.01
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8
++ stigid@rhel8: RHEL-08-030070
+
+ ocil_clause: 'any are more permissive'
+
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
+index 5cd6c55411..442b693951 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
++++ 
b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml
+@@ -33,6 +33,7 @@ references:
+ cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
+ iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1
+ cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
++ stigid@rhel8: RHEL-08-030040
+
+ ocil_clause: 'the system is not configured to switch to single-user mode for corrective action'
+
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
+index f3b477da69..01a5c5201d 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
+@@ -40,6 +40,7 @@ references:
+ srg@sle12: SRG-OS-000047-GPOS-00023
+ disa@sle12: CCI-000140
+ nist@sle12: AU-5(b),AU-5.1(iv)
++ stigid@rhel8: RHEL-08-030060
+
+ ocil_clause: 'the system is not configured to switch to single-user mode for corrective action'
+
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+index fd7b3ef1b3..8325306ac6 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+@@ -43,6 +43,7 @@ references:
+ srg@sle12: SRG-OS-000046-GPOS-00022
+ disa@sle12: CCI-000139
+ nist@sle12: AU-5(a),AU-5.1(ii)
++ stigid@rhel8: RHEL-08-030020
+
+ ocil_clause: 'auditd is not configured to 
send emails per identified actions'
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+index 9fa2ca6f46..6a32a85fe5 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml
+@@ -44,6 +44,7 @@ references:
+ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
+ cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
++ stigid@rhel8: RHEL-08-030050
+ 
+ ocil_clause: 'the system has not been properly configured to rotate audit logs'
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+index 6b9d2e5f83..2f37c5b0e4 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+@@ -42,6 +42,7 @@ references:
+ srg@sle12: SRG-OS-000343-GPOS-00134
+ disa@sle12: CCI-001855
+ nist@sle12: AU-5(1)
++ stigid@rhel8: RHEL-08-030730
+ 
+ ocil_clause: 'the system is not configured a specfic size in MB to notify administrators of an issue'
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+index 
bdc86cf35b..1009699e77 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml
+@@ -51,6 +51,8 @@ references:
+ isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
+ cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
++ stigid@rhel8: RHEL-08-030730
++ stigid@rhel8: RHEL-08-030730
+ 
+ ocil_clause: 'the system is not configured to send an email to the system administrator when disk space is starting to run low'
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
+index 8f20910163..5afb2c8f30 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_local_events/rule.yml
+@@ -21,6 +21,7 @@ identifiers:
+ references:
+ ospp: FAU_GEN.1.1.c
+ srg: SRG-OS-000062-GPOS-00031
++ stigid@rhel8: RHEL-08-030061
+ 
+ ocil_clause: local_events isn't set to yes
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
+index 250dff5e13..76d31a6ff5 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_log_format/rule.yml
+@@ -22,6 +22,7 @@ identifiers:
+ references:
+ ospp: FAU_GEN.1
+ srg: SRG-OS-000255-GPOS-00096
++ stigid@rhel8: RHEL-08-030063
+ 
+ ocil_clause: log_format isn't set to 
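Review bot: The `references` mapping of auditd_data_retention_space_left_action/rule.yml receives `stigid@rhel8: RHEL-08-030730` twice (the `@@ -51,6 +51,8 @@` hunk adds both lines), which is a duplicate key in a YAML mapping; YAML loaders either reject the document or silently keep only one of the entries, and a build-time reference check would likely flag it. Drop one of the two added lines so the hunk becomes `@@ -51,6 +51,7 @@` with a single `stigid@rhel8: RHEL-08-030730`. The same identifier is also added to auditd_data_retention_space_left in the preceding hunk; that looks intentional if one STIG item covers both the threshold and the action, but it is worth confirming against the STIG text.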
ENRICHED
+ 
+diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
+index fb6a49708c..a778d5faf2 100644
+--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
+@@ -25,6 +25,7 @@ references:
+ disa: CCI-001851
+ ospp: FAU_GEN.1
+ srg: SRG-OS-000039-GPOS-00017,SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
++ stigid@rhel8: RHEL-08-030062
+ 
+ ocil_clause: name_format isn't set to hostname
+ 
+diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+index 11020f93b3..d033770f57 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_argument/rule.yml
+@@ -45,6 +45,7 @@ references:
+ iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
+ cis-csc: 1,11,12,13,14,15,16,19,3,4,5,6,7,8
+ srg: SRG-OS-000254-GPOS-00095
++ stigid@rhel8: RHEL-08-030601
+ 
+ ocil_clause: 'auditing is not enabled at boot time'
+ 
+diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+index 750dd2001e..27e19e7c9a 100644
+--- a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
++++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/rule.yml
+@@ -27,6 +27,7 @@ references:
+ srg: SRG-OS-000254-GPOS-00095
+ nist: CM-6(a)
+ cis@rhel8: 4.1.1.4
++ stigid@rhel8: RHEL-08-030602
+ 
+ ocil_clause: 'audit backlog limit is not configured'
+ 
+diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml 
b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
+index 2fc431c1ae..577176ff00 100644
+--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml
++++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
+@@ -26,6 +26,7 @@ references:
+ srg@sle12: SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220
+ disa@sle12: CCI-000172,CCI-001814,CCI-001875,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914
+ nist@sle12: AU-7(a),AU-7(b),AU-8(b),AU-12.1(iv),AU-12(3),AU-12(c),CM-5(1)
++ stigid@rhel8: service_auditd_enabled
+ 
+ template:
+ name: package_installed
+diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+index e9b85f815b..073f29c9fe 100644
+--- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
++++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml
+@@ -37,6 +37,7 @@ references:
+ ospp: FAU_GEN.1.1.c
+ nist: AU-2(a)
+ srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220
++ stigid@rhel8: RHEL-08-030122
+ 
+ ocil_clause: 'the file does not exist or the content differs'
+ 
+diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+index 0696ce915a..d09446bde8 100644
+--- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
++++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
+@@ -52,6 +52,7 @@ references:
+ srg@sle12: 
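Review bot: The value added to package_audit_installed/rule.yml, `stigid@rhel8: service_auditd_enabled`, is a rule id rather than a STIG identifier; every other hunk in this patch uses the `RHEL-08-NNNNNN` form, so anything that maps `stigid@rhel8` values to STIG items (generated tables, the STIG profile) will not resolve this one. It reads as the rule name pasted in place of the id, so the line should become `stigid@rhel8: <RHEL-08 id for the audit package requirement>` with the real identifier substituted. If the STIG's auditd item covers package installation together with the service, the `RHEL-08-010560` that the service_auditd_enabled hunk adds two hunks later would be the natural candidate, but confirm that against the STIG text before reusing it.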
SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000392-GPOS-00172,SRG-OS-000480-GPOS-00227
+ disa@sle12: CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000366,CCI-001464,CCI-001487,CCI-001876,CCI-002884
+ nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a)
++ stigid@rhel8: RHEL-08-010560
+ 
+ ocil: '{{{ ocil_service_enabled(service="auditd") }}}'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+index a77ebf9041..e3b63d960d 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_pti_argument/rule.yml
+@@ -25,6 +25,7 @@ identifiers:
+ references:
+ srg: SRG-OS-000433-GPOS-00193
+ nist: SI-16
++ stigid@rhel8: RHEL-08-040004
+ 
+ ocil_clause: 'Kernel page-table isolation is not enabled'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+index ea0079db52..b090492046 100644
+--- a/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/grub2_vsyscall_argument/rule.yml
+@@ -24,6 +24,7 @@ identifiers:
+ references:
+ srg: SRG-OS-000480-GPOS-00227
+ nist: CM-7(a)
++ stigid@rhel8: RHEL-08-010422
+ 
+ ocil_clause: 'vsyscalls are enabled'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+index 4b04936ee2..0690cfbcda 100644
+--- 
a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml
+@@ -49,6 +49,7 @@ references:
+ iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,14,15,16,18,3,5
+ anssi: BP28(R17)
++ stigid@rhel8: RHEL-08-010150
+ 
+ ocil_clause: 'it does not'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+index b2338a5035..92129ab744 100644
+--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+@@ -63,6 +63,7 @@ references:
+ iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,14,15,16,18,3,5
+ anssi: BP28(R17)
++ stigid@rhel8: RHEL-08-010150
+ 
+ ocil_clause: 'it does not'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+index ea5c80f163..08e1da4369 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml
+@@ -56,6 +56,7 @@ references:
+ iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 11,12,14,15,16,18,3,5
+ anssi: BP28(R17)
++ stigid@rhel8: RHEL-08-010140
+ 
+ ocil_clause: 'it does not'
+ 
+diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+index a423564c23..decb94b92e 100644
+--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
++++ 
b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+@@ -67,6 +67,7 @@ references:
+ iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 11,12,14,15,16,18,3,5
+ anssi: BP28(R17)
++ stigid@rhel8: RHEL-08-010140
+ 
+ ocil_clause: 'it does not'
+ 
+diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+index c1f14c4d7e..5e8f08fd5c 100644
+--- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
++++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml
+@@ -36,6 +36,7 @@ references:
+ iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.15.2.1,A.15.2.2
+ cis-csc: 1,14,15,16,3,5,6
+ ism: 0988,1405
++ stigid@rhel8: RHEL-08-030010
+ 
+ ocil_clause: 'cron is not logging to rsyslog'
+ 
+diff --git a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
+index aae3d94903..4e969a3079 100644
+--- a/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
++++ b/linux_os/guide/system/logging/package_rsyslog-gnutls_installed/rule.yml
+@@ -18,6 +18,7 @@ identifiers:
+ references:
+ ospp: FTP_ITC_EXT.1.1
+ srg: SRG-OS-000480-GPOS-00227,SRG-OS-000120-GPOS-00061
++ stigid@rhel8: RHEL-08-030680
+ 
+ ocil_clause: 'the package is not installed'
+ 
+diff --git a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+index 3016a87700..7fb9ee408b 100644
+--- a/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
++++ b/linux_os/guide/system/logging/package_rsyslog_installed/rule.yml
+@@ -28,6 +28,7 @@ references:
+ cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
+ cis-csc: 
1,14,15,16,3,5,6
+ srg: SRG-OS-000479-GPOS-00224,SRG-OS-000051-GPOS-00024
++ stigid@rhel8: RHEL-08-030670
+ 
+ ocil_clause: 'the package is not installed'
+ 
+diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+index ba51a1506b..8d8be95f23 100644
+--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
++++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+@@ -58,6 +58,7 @@ references:
+ cobit5: APO11.04,APO13.01,BAI03.05,BAI04.04,DSS05.04,DSS05.07,MEA02.01
+ cis-csc: 1,13,14,15,16,2,3,5,6
+ ism: 0988,1405
++ stigid@rhel8: RHEL-08-030690
+ 
+ ocil_clause: 'none of these are present'
+ 
+diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+index 12ec48ad15..3ef70473de 100644
+--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
++++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml
+@@ -29,6 +29,7 @@ references:
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO13.01,BAI03.05,BAI04.04,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+ cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
+ cis@ubuntu2004: 4.2.1.2
++ stigid@rhel8: RHEL-08-010561
+ 
+ ocil: '{{{ ocil_service_enabled(service="rsyslog") }}}'
+ 
+diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+index 7aea04c670..e82f50f9a0 100644
+--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+@@ -20,6 +20,7 @@ references:
+ nist: CM-6(a)
+ srg: SRG-OS-000480-GPOS-00227,SRG-OS-000298-GPOS-00116
+ cis@rhel8: 3.4.1.1
++ stigid@rhel8: RHEL-08-040100
+ 
+ ocil_clause: 'the package is not installed'
+ 
+diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+index 2646a5219c..818edc3cba 100644
+--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+@@ -34,6 +34,7 @@ references:
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4
+ cis-csc: 11,3,9
+ cis@sle15: 3.5.1.4
++ stigid@rhel8: RHEL-08-040100
+ 
+ ocil: '{{{ ocil_service_enabled(service="firewalld") }}}'
+ 
+diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
+index 7d399274d5..04c7cebc2f 100644
+--- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
++++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/rule.yml
+@@ -53,6 +53,7 @@ references:
+ iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
+ cis-csc: 11,12,14,15,3,8,9
+ ism: "1416"
++ stigid@rhel8: RHEL-08-040030
+ 
+ ocil_clause: 'the default rules are not configured'
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+index 47c811290c..8e7eabc336 100644
+--- 
a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml
+@@ -27,6 +27,7 @@ references:
+ cis-csc: 11,14,3,9
+ srg: SRG-OS-000480-GPOS-00227
+ cis@sle15: 3.3.9
++ stigid@rhel8: RHEL-08-040261
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
+index 5b5bfc9633..04fa55f524 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml
+@@ -16,6 +16,7 @@ identifiers:
+ 
+ references:
+ anssi: BP28(R22)
++ stigid@rhel8: RHEL-08-040261
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_defrtr", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
+index d75989fca1..304c549b0b 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml
+@@ -16,6 +16,7 @@ identifiers:
+ 
+ references:
+ anssi: BP28(R22)
++ stigid@rhel8: RHEL-08-040261
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_pinfo", value="0") }}}
+ 
+diff --git 
a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
+index 09d263cf00..d3b8347573 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml
+@@ -16,6 +16,7 @@ identifiers:
+ 
+ references:
+ anssi: BP28(R22)
++ stigid@rhel8: RHEL-08-040261
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_rtr_pref", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+index 9253f7235a..ae67ab248d 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+@@ -28,6 +28,7 @@ references:
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
+ cis-csc: 11,14,3,9
+ srg: SRG-OS-000480-GPOS-00227
++ stigid@rhel8: RHEL-08-040280
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_redirects", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+index 8767a5226f..ac9218fe34 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
++++ 
b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+@@ -40,6 +40,7 @@ references:
+ cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,12,13,14,15,16,18,4,6,8,9
++ stigid@rhel8: RHEL-08-040240
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_source_route", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+index d9b2acdec3..dcf480ef63 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml
+@@ -27,6 +27,7 @@ references:
+ cis-csc: 11,14,3,9
+ srg: SRG-OS-000480-GPOS-00227
+ cis@sle15: 3.3.9
++ stigid@rhel8: RHEL-08-040262
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
+index 5cf98305c7..eca95f75b5 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml
+@@ -16,6 +16,7 @@ identifiers:
+ 
+ references:
+ anssi: BP28(R22)
++ 
stigid@rhel8: RHEL-08-040262
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_defrtr", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
+index d7dad19f3a..f030cd9221 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml
+@@ -16,6 +16,7 @@ identifiers:
+ 
+ references:
+ anssi: BP28(R22)
++ stigid@rhel8: RHEL-08-040262
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_pinfo", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
+index b6ee061057..43c901e3a4 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml
+@@ -16,6 +16,7 @@ identifiers:
+ 
+ references:
+ anssi: BP28(R22)
++ stigid@rhel8: RHEL-08-040262
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_rtr_pref", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+index 970db38b33..fdd8572cf5 100644
+--- 
a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+@@ -28,6 +28,7 @@ references:
+ iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
+ cis-csc: 11,14,3,9
+ srg: SRG-OS-000480-GPOS-00227
++ stigid@rhel8: RHEL-08-040210
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_redirects", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+index 361073e99c..ffbc45225d 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+@@ -41,6 +41,7 @@ references:
+ iso27001-2013: A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.9.1.2
+ cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
+ cis@sle15: 3.3.2
++ stigid@rhel8: RHEL-08-040280
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_redirects", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+index 7bc4e3b9b7..4bb38a2e5c 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
++++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+@@ -41,6 +41,7 @@ references:
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
+ cis@sle15: 3.3.1
++ stigid@rhel8: RHEL-08-040240
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_source_route", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+index 8d22d12b28..3d1dfb6eb7 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_rp_filter/rule.yml
+@@ -36,6 +36,7 @@ references:
+ srg: SRG-OS-000480-GPOS-00227
+ cis@sle15: 3.3.7
+ stigid@rhel7: RHEL-07-040611
++ stigid@rhel8: RHEL-08-040285
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.rp_filter", value="1") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+index ed4a024797..4486a92e11 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
++++ 
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+@@ -41,6 +41,7 @@ references:
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
+ cis@sle15: 3.3.3
++ stigid@rhel8: RHEL-08-040210
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.accept_redirects", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+index ef659ec1c2..f1c4947d34 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
+@@ -38,6 +38,7 @@ references:
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
+ cis@sle15: 3.3.5
++ stigid@rhel8: RHEL-08-040230
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.icmp_echo_ignore_broadcasts", value="1") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml 
b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+index f49353c25c..779b92682d 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+@@ -39,6 +39,7 @@ references:
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
+ cis@sle15: 3.2.2
++ stigid@rhel8: RHEL-08-040220
+ 
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.send_redirects", value="0") }}}
+ 
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+index d7d5bfe607..ade1338bae 100644
+--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+@@ -39,6 +39,7 @@ references:
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
+ cis@sle15: 3.2.2
++ stigid@rhel8: RHEL-08-040270
+ 
+ {{{ 
complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.send_redirects", value="0") }}} + +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +index b9f3d060d5..6274897a21 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +@@ -36,6 +36,7 @@ references: + iso27001-2013: A.12.1.2,A.12.1.3,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.17.2.1,A.9.1.2 + cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9 + cis@sle15: 3.2.1 ++ stigid@rhel8: RHEL-08-040260 + + ocil: |- + {{{ ocil_sysctl_option_value(sysctl="net.ipv4.ip_forward", value="0") }}} +diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml +index d34f1610f1..caff3aaa00 100644 +--- a/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_atm_disabled/rule.yml +@@ -24,6 +24,7 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040021 + + {{{ complete_ocil_entry_module_disable(module="atm") }}} + +diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml +index 16807a4e81..f25e86ab4d 100644 +--- a/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_can_disabled/rule.yml +@@ -24,6 +24,7 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + srg: 
SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040022 + + {{{ complete_ocil_entry_module_disable(module="can") }}} + +diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml +index aae80b232e..3c8564759c 100644 +--- a/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_firewire-core_disabled/rule.yml +@@ -23,6 +23,7 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040026 + + {{{ complete_ocil_entry_module_disable(module="firewire-core") }}} + +diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml +index 55602ac8be..8db0f11579 100644 +--- a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml +@@ -34,6 +34,7 @@ references: + iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 + cis-csc: 11,14,3,9 + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040023 + + {{{ complete_ocil_entry_module_disable(module="sctp") }}} + +diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml +index 425fa216e5..5953d5ca1d 100644 +--- a/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_tipc_disabled/rule.yml +@@ -37,6 +37,7 @@ references: + cis-csc: 11,14,3,9 + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040024 + + {{{ 
complete_ocil_entry_module_disable(module="tipc") }}} + +diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml +index 496480a0a8..a6c9b7ede4 100644 +--- a/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml +@@ -35,6 +35,7 @@ references: + iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2 + cis-csc: 11,12,14,15,3,8,9 + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040111 + + {{{ complete_ocil_entry_module_disable(module="bluetooth") }}} + +diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +index e76619cd2b..d683b2eda0 100644 +--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml ++++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml +@@ -45,6 +45,7 @@ references: + cis-csc: 11,12,14,15,3,8,9 + cis@sle15: 3.1.2 + ism: 1315,1319 ++ stigid@rhel8: RHEL-08-040110 + + ocil_clause: 'it is not' + +diff --git a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml +index 08049f76cb..a9c6550b47 100644 +--- a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml ++++ b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml +@@ -38,6 +38,7 @@ references: + cobit5: APO13.01,DSS05.02 + iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3 + cis-csc: 12,15,8 ++ 
stigid@rhel8: RHEL-08-010680 + + ocil_clause: 'it does not exist or is not properly configured or less than 2 ''nameserver'' entries exist' + +diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml +index 208d15234e..222063ae09 100644 +--- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml ++++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml +@@ -42,6 +42,7 @@ references: + cobit5: APO11.06,APO12.06,BAI03.10,BAI09.01,BAI09.02,BAI09.03,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.05,DSS04.05,DSS05.02,DSS05.05,DSS06.06 + iso27001-2013: A.11.1.2,A.11.2.4,A.11.2.5,A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.16.1.6,A.8.1.1,A.8.1.2,A.9.1.2 + cis-csc: 1,11,14,3,9 ++ stigid@rhel8: RHEL-08-040330 + + ocil_clause: 'any network device is in promiscuous mode' + +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml +index f479ed3d17..90011f5f92 100644 +--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml +@@ -24,6 +24,7 @@ identifiers: + + references: + anssi: BP28(R40) ++ stigid@rhel8: RHEL-08-010700 + + ocil_clause: 'there is output' + +diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +index 79594c701f..a9efbdda1e 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +@@ -42,6 +42,7 @@ references: + cis-csc: 1,11,12,13,14,15,16,18,3,5 + cis@sle15: 6.1.12 + stigid@sle12: SLES-12-010700 ++ stigid@rhel8: RHEL-08-010790 + + ocil_clause: 
'there is output' + +diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +index faab0b8822..6acae65b78 100644 +--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml ++++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +@@ -42,6 +42,7 @@ references: + cis-csc: 11,12,13,14,15,16,18,3,5,9 + cis@sle15: 6.1.11 + stigid@sle12: SLES-12-010690 ++ stigid@rhel8: RHEL-08-010780 + + ocil_clause: 'files exist that are not owned by a valid user' + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml +index cfa7ae4dc5..fa53de9041 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml +@@ -36,6 +36,7 @@ references: + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 ++ stigid@rhel8: RHEL-08-010310 + + ocil_clause: 'any system executables are found to not be owned by root' + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml +index 53e1a24c42..e40b5f47d8 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml ++++ 
b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml +@@ -37,6 +37,7 @@ references: + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 ++ stigid@rhel8: RHEL-08-010340 + + ocil_clause: 'any of these files are not owned by root' + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml +index c2bba15f83..3ec56361dc 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml +@@ -36,6 +36,7 @@ references: + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 ++ stigid@rhel8: RHEL-08-010300 + + ocil_clause: 'any system executables are found to be group or world writable' + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml +index c09024a224..83add611b9 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml ++++ 
b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml +@@ -37,6 +37,7 @@ references: + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 ++ stigid@rhel8: RHEL-08-010330 + + ocil_clause: 'any of these files are group-writable or world-writable' + +diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml +index 3b04abbf9b..0aefe8ae50 100644 +--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml ++++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml +@@ -22,6 +22,7 @@ references: + cis: 1.6.1 + nist: CM-6(a),AC-6(1) + srg: SRG-OS-000324-GPOS-00125 ++ stigid@rhel8: RHEL-08-010374 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.protected_hardlinks", value="1") }}} + +diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml +index aead2022ee..86a9f8e2d9 100644 +--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml ++++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml +@@ -24,6 +24,7 @@ references: + cis: 1.6.1 + nist: CM-6(a),AC-6(1) + srg: SRG-OS-000324-GPOS-00125 ++ stigid@rhel8: RHEL-08-010373 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="fs.protected_symlinks", value="1") }}} + +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml +index d2ba212350..302154b636 100644 +--- 
a/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_cramfs_disabled/rule.yml +@@ -39,6 +39,7 @@ references: + iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 + cis-csc: 11,14,3,9 + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040025 + + {{{ complete_ocil_entry_module_disable(module="cramfs") }}} + +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +index 24e77cc74e..d1d2bf97f7 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +@@ -41,6 +41,7 @@ references: + cis@rhel8: 1.1.23 + cis@sle15: 1.1.3 + stigid@sle12: SLES-12-010580 ++ stigid@rhel8: RHEL-08-040080 + + {{{ complete_ocil_entry_module_disable(module="usb-storage") }}} + +diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml +index 001b9466ae..00d1282a05 100644 +--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml +@@ -46,6 +46,7 @@ references: + iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.18.1.4,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 + cis@sle15: 1.1.23 ++ stigid@rhel8: RHEL-08-040070 + + ocil: '{{{ ocil_service_disabled(service="autofs") }}}' + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml +index 8410964438..a4da22f666 100644 +--- 
a/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_boot_nosuid/rule.yml +@@ -27,6 +27,7 @@ references: + nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + srg: SRG-OS-000368-GPOS-00154 + anssi: BP28(R12) ++ stigid@rhel8: RHEL-08-010571 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml +index 140a2eafc0..318117fcca 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml +@@ -36,6 +36,7 @@ references: + cis-csc: 11,13,14,3,8,9 + srg: SRG-OS-000368-GPOS-00154 + cis@sle15: 1.1.16 ++ stigid@rhel8: RHEL-08-040120 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml +index 2f740c31a6..f41387ab9f 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml +@@ -39,6 +39,7 @@ references: + cis-csc: 11,13,14,3,8,9 + srg: SRG-OS-000368-GPOS-00154 + cis@sle15: 1.1.17 ++ stigid@rhel8: RHEL-08-040122 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml +index be127be367..d844c9c3b3 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml +@@ -36,6 +36,7 @@ references: + cis-csc: 11,13,14,3,8,9 + srg: SRG-OS-000368-GPOS-00154 + cis@sle15: 1.1.18 ++ stigid@rhel8: RHEL-08-040121 + + 
platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml +index 3652cf9f2b..37e8f7fb99 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml +@@ -38,6 +38,7 @@ references: + anssi: BP28(R12) + srg: SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00227 + stigid@sle12: SLES-12-010790 ++ stigid@rhel8: RHEL-08-010570 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml +index c9f52b36d1..f40daec6c8 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml +@@ -42,5 +42,6 @@ references: + cis-csc: 11,14,3,9 + srg: SRG-OS-000368-GPOS-00154 + anssi: BP28(R12) ++ stigid@rhel8: RHEL-08-010580 + + platform: machine +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml +index 30c7065bcc..602ce2da35 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml +@@ -36,6 +36,7 @@ references: + iso27001-2013: A.11.2.6,A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.7.1.1,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2,A.9.2.1 + cis-csc: 11,12,13,14,16,3,8,9 + cis@sle15: 1.1.19 ++ stigid@rhel8: RHEL-08-010600 + + platform: machine + +diff --git 
a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml +index 47435d887a..4d2bd0eceb 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml +@@ -34,6 +34,7 @@ references: + iso27001-2013: A.11.2.6,A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.7.1.1,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2,A.9.2.1 + cis-csc: 11,12,13,14,16,3,8,9 + cis@sle15: 1.1.20 ++ stigid@rhel8: RHEL-08-010610 + + ocil_clause: 'removable media partitions are present' + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml +index 5f19864ded..9ed257aa22 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml +@@ -41,6 +41,7 @@ references: + cis-csc: 11,12,13,14,15,16,18,3,5,8,9 + cis@sle15: 1.1.21 + stigid@sle12: SLES-12-010800 ++ stigid@rhel8: RHEL-08-010620 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml +index bcd15e1596..ed27226855 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml +@@ -35,6 +35,7 @@ references: + anssi: BP28(R12) + srg: SRG-OS-000368-GPOS-00154 + cis@sle15: 1.1.4 ++ stigid@rhel8: RHEL-08-040123 + + platform: machine + +diff --git 
a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml +index 7c8bf290fe..77ae8a664f 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml +@@ -34,6 +34,7 @@ references: + cis-csc: 11,13,14,3,8,9 + anssi: BP28(R12) + srg: SRG-OS-000368-GPOS-00154 ++ stigid@rhel8: RHEL-08-040125 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml +index 0f4a028834..b7e171fb02 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml +@@ -35,6 +35,7 @@ references: + anssi: BP28(R12) + srg: SRG-OS-000368-GPOS-00154 + cis@sle15: 1.1.5 ++ stigid@rhel8: RHEL-08-040124 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml +index c2765b6c61..404386d777 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml +@@ -28,6 +28,7 @@ references: + nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 + nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + srg: SRG-OS-000368-GPOS-00154 ++ stigid@rhel8: RHEL-08-040129 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml +index 820c8385b3..93c63a75f7 100644 +--- 
a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml +@@ -26,6 +26,7 @@ references: + nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 + nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + srg: SRG-OS-000368-GPOS-00154 ++ stigid@rhel8: RHEL-08-040131 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml +index 344bafd252..7ee7213995 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml +@@ -27,6 +27,7 @@ references: + nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 + nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + srg: SRG-OS-000368-GPOS-00154 ++ stigid@rhel8: RHEL-08-040130 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml +index 4647f2e1c0..8959bd0bb5 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nodev/rule.yml +@@ -28,6 +28,7 @@ references: + nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7 + nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + srg: SRG-OS-000368-GPOS-00154 ++ stigid@rhel8: RHEL-08-040126 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml +index 0bced14721..baf1eea424 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml ++++ 
b/linux_os/guide/system/permissions/partitions/mount_option_var_log_noexec/rule.yml +@@ -27,6 +27,7 @@ references: + nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + srg: SRG-OS-000368-GPOS-00154 + anssi: BP28(R12) ++ stigid@rhel8: RHEL-08-040128 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml +index c4e3d32997..beee543cf2 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_log_nosuid/rule.yml +@@ -28,6 +28,7 @@ references: + nist-csf: PR.IP-1,PR.PT-2,PR.PT-3 + srg: SRG-OS-000368-GPOS-00154 + anssi: BP28(R12) ++ stigid@rhel8: RHEL-08-040127 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +index 233870fed8..4e76e61bb2 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +@@ -29,6 +29,7 @@ references: + anssi: BP28(R12) + srg: SRG-OS-000368-GPOS-00154 + cis@sle15: 1.1.9 ++ stigid@rhel8: RHEL-08-040132 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml +index 081b3a4b32..f2b108d58d 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml +@@ -29,6 +29,7 @@ references: + anssi: BP28(R12) + srg: SRG-OS-000368-GPOS-00154 + cis@sle15: 1.1.11 ++ stigid@rhel8: RHEL-08-040134 + + platform: machine + +diff --git 
a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml +index 97a8312536..11bfe2661d 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml +@@ -29,6 +29,7 @@ references: + anssi: BP28(R12) + srg: SRG-OS-000368-GPOS-00154 + cis@sle15: 1.1.10 ++ stigid@rhel8: RHEL-08-040133 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml +index 1bef2966d2..04b580e64e 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml +@@ -30,6 +30,7 @@ references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000480-GPOS-00227 + cis@rhel8: 1.6.1 ++ stigid@rhel8: RHEL-08-010675 + + ocil_clause: ProcessSizeMax is not set to zero + +diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml +index 953cd1598b..3225785a8f 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml +@@ -26,6 +26,7 @@ references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000480-GPOS-00227 + cis@rhel8: 1.6.1 ++ stigid@rhel8: RHEL-08-010674 + + ocil_clause: Storage is not set to none + +diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml +index 
833fa046d6..c50a366512 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml +@@ -30,6 +30,7 @@ references: + iso27001-2013: A.12.1.3,A.17.2.1 + cis-csc: 1,12,13,15,16,2,7,8 + srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel8: RHEL-08-010673 + + ocil_clause: 'it is not' + +diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml +index ff8cd4279f..fd12fbbb50 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml +@@ -25,6 +25,7 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel8: RHEL-08-010672 + + ocil_clause: unit systemd-coredump.socket is not masked or running + +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +index c4b9a0dc88..c9794729dd 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +@@ -22,6 +22,7 @@ references: + anssi: BP28(R23) + nist: SC-30,SC-30(2),SC-30(5),CM-6(a) + srg: SRG-OS-000132-GPOS-00067 ++ stigid@rhel8: RHEL-08-040283 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} + +diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml 
b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml +index d7d0736a94..950ae6b00b 100644 +--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml +@@ -29,6 +29,7 @@ references: + nist: SC-30,SC-30(2),CM-6(a) + srg: SRG-OS-000433-GPOS-00193,SRG-OS-000480-GPOS-00227 + anssi: BP28(R23) ++ stigid@rhel8: RHEL-08-010430 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.randomize_va_space", value="2") }}} + +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +index d5808b1861..48acc4d2fd 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_page_poison_argument/rule.yml +@@ -27,6 +27,7 @@ identifiers: + references: + srg: SRG-OS-000480-GPOS-00227 + nist: CM-6(a) ++ stigid@rhel8: RHEL-08-010421 + + ocil_clause: 'page allocator poisoning is not enabled' + +diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +index 477fa57011..516409b6c6 100644 +--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/rule.yml +@@ -27,6 +27,7 @@ identifiers: + references: + srg: SRG-OS-000433-GPOS-00192 + nist: CM-6(a) ++ stigid@rhel8: RHEL-08-010423 + + ocil_clause: 'SLUB/SLAB poisoning is not enabled' + +diff --git 
a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +index eaed28cab1..b82e0fcce3 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +@@ -20,6 +20,7 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel8: RHEL-08-010671 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.core_pattern", value="|/bin/false") }}} + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +index eeec4f1723..90fcd34f73 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +@@ -24,6 +24,7 @@ references: + nist: SI-11(a),SI-11(b) + anssi: BP28(R23) + srg: SRG-OS-000132-GPOS-00067 ++ stigid@rhel8: RHEL-08-010375 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}} + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml +index 7048a4baa7..83710b7c01 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml +@@ -19,6 +19,7 @@ identifiers: + + references: + srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel8: RHEL-08-010372 + + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kexec_load_disabled", value="1") }}} +diff --git 
a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml +index da90c26f2f..c9fe044a06 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_perf_event_paranoid/rule.yml +@@ -20,6 +20,7 @@ references: + anssi: BP28(R23) + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000132-GPOS-00067 ++ stigid@rhel8: RHEL-08-010376 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.perf_event_paranoid", value="2") }}} + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml +index 883a2fc830..200c2eba46 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml +@@ -20,6 +20,7 @@ identifiers: + references: + ospp: FMT_SMF_EXT.1 + srg: SRG-OS-000132-GPOS-00067 ++ stigid@rhel8: RHEL-08-040281 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.unprivileged_bpf_disabled", value="1") }}} + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +index 5332a2552d..68483432a3 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml +@@ -22,6 +22,7 @@ identifiers: + references: + anssi: BP28(R25) + srg: SRG-OS-000132-GPOS-00067 ++ stigid@rhel8: RHEL-08-040282 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.yama.ptrace_scope", value="1") }}} + +diff 
--git a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml +index e89e70d2e4..5e3929ec1a 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_user_max_user_namespaces/rule.yml +@@ -29,6 +29,7 @@ references: + ospp: FMT_SMF_EXT.1 + nist: SC-39,CM-6(a) + srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel8: RHEL-08-040284 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="user.max_user_namespaces", value="0") }}} + +diff --git a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml +index df9053bb9f..a107af62ea 100644 +--- a/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml ++++ b/linux_os/guide/system/selinux/package_policycoreutils_installed/rule.yml +@@ -30,6 +30,7 @@ identifiers: + + references: + srg: SRG-OS-000480-GPOS-00227 ++ stigid@rhel8: RHEL-08-010171 + + ocil_clause: 'the package is not installed' + +diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml +index ba2b9dc94f..f7d6ce6bf1 100644 +--- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml +@@ -49,6 +49,7 @@ references: + cobit5: APO01.06,APO11.04,APO13.01,BAI03.05,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.03,DSS06.06,MEA02.01 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9 ++ 
stigid@rhel8: RHEL-08-010450 + + ocil_clause: 'it does not' + +diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml +index 65cb503d39..0c4056dfe0 100644 +--- a/linux_os/guide/system/selinux/selinux_state/rule.yml ++++ b/linux_os/guide/system/selinux/selinux_state/rule.yml +@@ -40,6 +40,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9 + anssi: BP28(R4),BP28(R66) ++ stigid@rhel8: RHEL-08-010170 + + ocil_clause: 'SELINUX is not set to enforcing' + +diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +index fe370a4323..8d5b722c07 100644 +--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +@@ -64,6 +64,7 @@ references: + cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06 + cis-csc: 13,14 + stigid@sle12: SLES-12-010450 ++ stigid@rhel8: RHEL-08-010030 + + ocil_clause: 'partitions do not have a type of crypto_LUKS' + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml +index 0c3cc8908e..061eeae93c 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml +@@ -37,6 +37,7 @@ references: + iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3 + cis-csc: 12,15,8 + cis@sle15: 1.1.14 ++ stigid@rhel8: RHEL-08-010800 + + 
{{{ complete_ocil_entry_separate_partition(part="/home") }}} + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml +index 9fc2d4251a..a4db4948c6 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_tmp/rule.yml +@@ -34,6 +34,7 @@ references: + iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3 + cis-csc: 12,15,8 + cis@sle15: 1.1.2 ++ stigid@rhel8: RHEL-08-010543 + + {{{ complete_ocil_entry_separate_partition(part="/tmp") }}} + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml +index 4ef85ef818..8190a4a4ca 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml +@@ -37,6 +37,7 @@ references: + iso27001-2013: A.13.1.1,A.13.2.1,A.14.1.3 + cis-csc: 12,15,8 + cis@sle15: 1.1.7 ++ stigid@rhel8: RHEL-08-010540 + + {{{ complete_ocil_entry_separate_partition(part="/var") }}} + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml +index fa0c4ab95d..b90f93deee 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml +@@ -33,6 +33,8 @@ references: + cis-csc: 1,12,14,15,16,3,5,6,8 + srg: SRG-OS-000480-GPOS-00227 + cis@sle: 1.1.12 ++ stigid@rhel8: RHEL-08-010540 ++ stigid@rhel8: RHEL-08-010541 + + {{{ complete_ocil_entry_separate_partition(part="/var/log") }}} + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml 
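Review bot: The partition_for_var_log hunk emits the `stigid@rhel8` key twice inside the same `references:` mapping (`RHEL-08-010540` and `RHEL-08-010541`), and the partition_for_var_log_audit hunk that follows emits it three times; a YAML mapping cannot hold one key twice, so depending on the loader the file is either rejected or only the last value survives, silently dropping the earlier STIG IDs from the generated content. Elsewhere in this patch several references of one type are joined into a single value, e.g. `srg: SRG-OS-000433-GPOS-00193,SRG-OS-000480-GPOS-00227` in the sysctl_kernel_randomize_va_space hunk, so the same form belongs here: `stigid@rhel8: RHEL-08-010540,RHEL-08-010541` for /var/log and `stigid@rhel8: RHEL-08-010540,RHEL-08-010541,RHEL-08-010542` for /var/log/audit. Whether the content build's reference checks accept a comma-separated STIG ID list is not visible from this page and should be confirmed before merging.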
b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +index e1bc3ad113..73b5cd50ed 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +@@ -40,6 +40,9 @@ references: + cobit5: APO11.04,APO13.01,BAI03.05,BAI04.04,DSS05.02,DSS05.04,DSS05.07,MEA02.01 + cis-csc: 1,12,13,14,15,16,2,3,5,6,8 + cis@sle15: 1.1.13 ++ stigid@rhel8: RHEL-08-010540 ++ stigid@rhel8: RHEL-08-010541 ++ stigid@rhel8: RHEL-08-010542 + + {{{ complete_ocil_entry_separate_partition(part="/var/log/audit") }}} + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +index 340af24c82..fde3338f40 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +@@ -26,6 +26,7 @@ references: + cis@ubuntu1804: 1.1.6 + anssi: BP28(R12) + cis@sle15: 1.1.8 ++ stigid@rhel8: RHEL-08-010540 + + {{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}} + +diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml +index 85423650fa..0594702aa4 100644 +--- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml +@@ -39,6 +39,7 @@ references: + cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05 + iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 + cis-csc: 11,3,9 ++ stigid@rhel8: RHEL-08-010820 + + ocil_clause: 'GDM allows users to automatically login' + +diff --git 
a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +index bec17bc68b..cd33cd5b62 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +@@ -48,6 +48,7 @@ references: + cobit5: DSS05.04,DSS05.10,DSS06.10 + iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16 ++ stigid@rhel8: RHEL-08-020060 + + ocil_clause: 'idle-delay is not equal to or less than the expected value' + +diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +index b27b34dcf7..aa492e1c9c 100644 +--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +@@ -43,6 +43,7 @@ references: + cobit5: DSS05.04,DSS05.10,DSS06.10 + iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16 ++ stigid@rhel8: RHEL-08-020030 + + ocil_clause: 'screensaver locking is not enabled and/or has not been set or configured correctly' + +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml +index 31712897eb..fae18baff6 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml 
+@@ -44,6 +44,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel7: RHEL-07-020231 ++ stigid@rhel8: RHEL-08-040171 + + ocil_clause: 'GNOME3 is configured to reboot when Ctrl-Alt-Del is pressed' + +diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +index fba676f0b9..d9eb1b8a61 100644 +--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +@@ -48,6 +48,7 @@ references: + cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02 + iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3 + cis-csc: 18,20,4 ++ stigid@rhel8: RHEL-08-010000 + + ocil_clause: 'the installed operating system is not supported' + +diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +index e911216101..e054892daf 100644 +--- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml ++++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml +@@ -31,6 +31,7 @@ identifiers: + references: + ospp: FCS_SSHS_EXT.1 + srg: SRG-OS-000423-GPOS-00187 ++ stigid@rhel8: RHEL-08-040162 + + ocil_clause: 'it is commented out or is not set' + +diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +index 565dabb4b9..558dfc89dd 100644 +--- 
a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +@@ -39,6 +39,7 @@ references: + ospp: FCS_COP.1(1),FCS_COP.1(2),FCS_COP.1(3),FCS_COP.1(4),FCS_CKM.1,FCS_CKM.2,FCS_TLSC_EXT.1 + srg: SRG-OS-000478-GPOS-00223,SRG-OS-000396-GPOS-00176 + ism: "1446" ++ stigid@rhel8: RHEL-08-010020 + + ocil_clause: 'FIPS mode is not enabled' + +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +index 77c78d5705..5879bc2bdb 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +@@ -47,6 +47,7 @@ references: + cobit5: APO13.01,DSS01.04,DSS05.02,DSS05.03 + iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.6.2.1,A.6.2.2 + cis-csc: 12,15,8 ++ stigid@rhel8: RHEL-08-010020 + + ocil_clause: 'FIPS is not configured or enabled in grub' + +diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +index 59af9a96e7..0807f512fb 100644 +--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +@@ -28,6 +28,7 @@ references: + disa: CCI-000068,CCI-000803,CCI-002450 + nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12 + vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590 ++ stigid@rhel8: RHEL-08-010020 + + ocil_clause: 'crypto.fips_enabled is not 1' + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +index cc696141f6..80a0bce1cc 100644 
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +@@ -50,6 +50,7 @@ references: + stigid@sle12: SLES-12-010510 + srg@sle12: SRG-OS-000447-GPOS-00201 + disa@sle12: CCI-002702 ++ stigid@rhel8: RHEL-08-010360 + + ocil_clause: 'AIDE has not been configured or has not been configured to notify personnel of scan details' + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml +index 93bdb1715d..451ad97613 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml +@@ -36,6 +36,7 @@ references: + cobit5: APO01.06,BAI03.05,BAI06.01,DSS06.02 + iso27001-2013: A.11.2.4,A.12.2.1,A.12.5.1,A.14.1.2,A.14.1.3,A.14.2.4 + cis-csc: 2,3 ++ stigid@rhel8: RHEL-08-040310 + + ocil_clause: 'the acl option is missing or not added to the correct ruleset' + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +index 2e81a270c5..3be8209a71 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +@@ -36,6 +36,7 @@ references: + cobit5: APO01.06,BAI03.05,BAI06.01,DSS06.02 + iso27001-2013: A.11.2.4,A.12.2.1,A.12.5.1,A.14.1.2,A.14.1.3,A.14.2.4 + cis-csc: 2,3 ++ stigid@rhel8: RHEL-08-040300 + + ocil_clause: 'the xattrs option is missing or not added to the correct ruleset' + +diff --git 
a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +index abf13a274a..1667604386 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +@@ -33,6 +33,7 @@ references: + ism: 1034,1288,1341,1417 + stigid@sle12: SLES-12-010500 + disa@sle12: CCI-002699 ++ stigid@rhel8: RHEL-08-010360 + + ocil_clause: 'the package is not installed' + +diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml +index 435630d85c..51b839b55a 100644 +--- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml ++++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/rule.yml +@@ -25,6 +25,9 @@ rationale: |- + + severity: medium + ++references: ++ stigid@rhel8: RHEL-08-020320 ++ + ocil_clause: 'there are unauthorized local user accounts on the system' + + ocil: |- +diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml +index e704df8983..d01fa44615 100644 +--- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml +@@ -37,6 +37,7 @@ references: + cobit5: DSS05.04,DSS05.10,DSS06.03,DSS06.10 + iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 ++ stigid@rhel8: RHEL-08-010381 + + ocil_clause: "!authenticate is enabled in sudo" + +diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml 
b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml +index 8aee5edfa3..382c4b8851 100644 +--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml ++++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml +@@ -38,6 +38,7 @@ references: + cobit5: DSS05.04,DSS05.10,DSS06.03,DSS06.10 + iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16,5 ++ stigid@rhel8: RHEL-08-010380 + + ocil_clause: 'nopasswd is enabled in sudo' + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml +index ed2fc64d08..5482cdf3af 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml +@@ -19,6 +19,7 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-addon-ccpp") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml +index 8bbf9ea53d..3b12bfb5b0 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml +@@ -19,6 +19,7 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-addon-kerneloops") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml +index 9be8b08b0f..00b1a36714 100644 +--- 
a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml +@@ -19,6 +19,7 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-addon-python") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml +index 9aa7f11ada..0412e8b82b 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml +@@ -19,6 +19,7 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-cli") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml +index d970def693..9d10076523 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml +@@ -19,6 +19,7 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-plugin-logger") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml +index 7f7787a19a..addb652e92 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml +@@ -19,6 +19,7 @@ identifiers: + + 
references: + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-plugin-rhtsupport") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml +index 6107659d94..6647186cc7 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml +@@ -18,6 +18,7 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-plugin-sosreport") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml +index 3fea028d70..fa94959f68 100644 +--- a/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_gssproxy_removed/rule.yml +@@ -18,7 +18,8 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 +- ++ stigid@rhel8: RHEL-08-040370 ++ + {{{ complete_ocil_entry_package(package="gssproxy") }}} + + template: +diff --git a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml +index 2c0bdee8a6..9ec5c88c50 100644 +--- a/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_iprutils_removed/rule.yml +@@ -19,6 +19,7 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040380 + + {{{ complete_ocil_entry_package(package="iprutils") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml 
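Review bot: The package_gssproxy_removed hunk deletes the blank line after `srg:` and adds a new blank line back after the inserted reference, so the hunk carries a `-`/`+` pair that changes no content; the neighbouring package_*_removed hunks in this patch add only the one `+ stigid@rhel8: ...` line and leave the surrounding blank line untouched. Unless the removed line carried trailing whitespace that was meant to be cleaned up (not visible here), this hunk should be reduced to the single added line `+ stigid@rhel8: RHEL-08-040370` so it reads like its siblings and does not churn the file.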
b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml +index b7e1b4adff..9753c2c773 100644 +--- a/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_krb5-workstation_removed/rule.yml +@@ -22,6 +22,7 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049,SRG-OS-000120-GPOS-00061 ++ stigid@rhel8: RHEL-08-010162 + + {{{ complete_ocil_entry_package(package="krb5-workstation") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml +index 65c7a22e3e..f12bbc2093 100644 +--- a/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_tuned_removed/rule.yml +@@ -21,6 +21,7 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 ++ stigid@rhel8: RHEL-08-040390 + + {{{ complete_ocil_entry_package(package="tuned") }}} + +diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml +index f9defcfdc1..6239e950a1 100644 +--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml ++++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml +@@ -33,6 +33,7 @@ references: + cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02 + iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3 + cis-csc: 18,20,4 ++ stigid@rhel8: RHEL-08-010440 + + ocil_clause: 'clean_requirements_on_remove is not enabled or configured correctly' + +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +index 1f86aff1e9..7d031c93f1 100644 +--- 
a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +@@ -56,6 +56,7 @@ references: + cis-csc: 11,2,3,9 + anssi: BP28(R15) + stigid@sle12: SLES-12-010550 ++ stigid@rhel8: RHEL-08-010370 + + ocil_clause: 'GPG checking is not enabled' + +diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml +index 440f02b2a7..54a584cc9d 100644 +--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml ++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/rule.yml +@@ -40,6 +40,7 @@ references: + iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 + cis-csc: 11,3,9 + anssi: BP28(R15) ++ stigid@rhel8: RHEL-08-010371 + + ocil_clause: 'gpgcheck is not enabled or configured correctly to verify local packages' + +diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +index 25459f4abb..32f67fe0e3 100644 +--- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml ++++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +@@ -59,6 +59,7 @@ references: + iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3 + cis-csc: 18,20,4 + anssi: BP28(R08) ++ stigid@rhel8: RHEL-08-010010 + + + # SCAP 1.3 content should reference flat non compressed xml files +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index cda0239433..03ce772734 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -1,13 +1,13 @@ + documentation_complete: true + + metadata: +- version: V1R0.1-Draft ++ version: V1R1 + SMEs: + - carlosmmatos + + reference: 
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux + +-title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' ++title: 'DISA STIG for Red Hat Enterprise Linux 8' + + description: |- + This profile contains configuration checks that align to the +@@ -23,46 +23,286 @@ description: |- + - Red Hat Storage + - Red Hat Containers with a Red Hat Enterprise Linux 8 image + +-extends: ospp +- + selections: +- - login_banner_text=dod_banners +- - dconf_db_up_to_date ++ - var_rekey_limit_size=1G ++ - var_rekey_limit_time=1hour ++ - var_accounts_user_umask=077 ++ - var_password_pam_difok=4 ++ - var_password_pam_maxrepeat=3 ++ - var_password_pam_maxclassrepeat=4 ++ - var_accounts_max_concurrent_login_sessions=10 ++ - var_password_pam_unix_remember=5 ++ - var_selinux_state=enforcing ++ - var_selinux_policy_name=targeted ++ - var_system_crypto_policy=fips_ospp ++ - var_accounts_password_minlen_login_defs=15 ++ - var_password_pam_minlen=15 ++ - var_password_pam_ocredit=1 ++ - var_password_pam_dcredit=1 ++ - var_password_pam_ucredit=1 ++ - var_password_pam_lcredit=1 ++ - sshd_idle_timeout_value=10_minutes ++ - var_accounts_passwords_pam_faillock_deny=3 ++ - var_accounts_passwords_pam_faillock_fail_interval=900 ++ - var_accounts_passwords_pam_faillock_unlock_time=never ++ - var_ssh_client_rekey_limit_size=1G ++ - var_ssh_client_rekey_limit_time=1hour ++ - var_accounts_fail_delay=4 ++ ++ ++ - installed_OS_is_vendor_supported ++ - security_patches_up_to_date ++ - enable_fips_mode ++ - sysctl_crypto_fips_enabled ++ - encrypt_partitions ++ - sshd_enable_warning_banner + - dconf_gnome_banner_enabled + - dconf_gnome_login_banner_text + - banner_etc_issue ++ - set_password_hashing_algorithm_logindefs ++ - grub2_uefi_password ++ - grub2_uefi_admin_username ++ - grub2_password ++ - grub2_admin_username ++ - kerberos_disable_no_keytab ++ - package_krb5-workstation_removed ++ - selinux_state ++ - package_policycoreutils_installed ++ - 
sshd_set_idle_timeout ++ - sshd_set_keepalive ++ - sshd_use_strong_rng ++ - file_permissions_binary_dirs ++ - file_ownership_binary_dirs ++ - file_permissions_library_dirs ++ - file_ownership_library_dirs ++ - ensure_gpgcheck_globally_activated ++ - ensure_gpgcheck_local_packages ++ - sysctl_kernel_kexec_load_disabled ++ - sysctl_fs_protected_symlinks ++ - sysctl_fs_protected_hardlinks ++ - sysctl_kernel_dmesg_restrict ++ - sysctl_kernel_perf_event_paranoid ++ - sudo_remove_nopasswd ++ - sudo_remove_no_authenticate ++ - package_opensc_installed ++ - grub2_page_poison_argument ++ - grub2_vsyscall_argument ++ - grub2_slub_debug_argument ++ - sysctl_kernel_randomize_va_space ++ - clean_components_post_updating ++ - selinux_policytype ++ - no_host_based_files ++ - no_user_host_based_files ++ - service_rngd_enabled ++ - file_permissions_sshd_pub_key ++ - file_permissions_sshd_private_key ++ - sshd_enable_strictmodes ++ - sshd_disable_compression ++ - sshd_disable_user_known_hosts ++ - partition_for_var ++ - partition_for_var_log ++ - partition_for_var_log_audit ++ - partition_for_tmp ++ - sshd_disable_root_login ++ - service_auditd_enabled ++ - service_rsyslog_enabled ++ - mount_option_home_nosuid ++ - mount_option_boot_nosuid ++ - mount_option_nodev_nonroot_local_partitions ++ - mount_option_nodev_removable_partitions ++ - mount_option_noexec_removable_partitions ++ - mount_option_nosuid_removable_partitions ++ - mount_option_noexec_remote_filesystems ++ - mount_option_nodev_remote_filesystems ++ - mount_option_nosuid_remote_filesystems ++ - service_kdump_disabled ++ - sysctl_kernel_core_pattern ++ - service_systemd-coredump_disabled ++ - disable_users_coredumps ++ - coredump_disable_storage ++ - coredump_disable_backtraces ++ - accounts_user_home_paths_only ++ - accounts_user_interactive_home_directory_defined ++ - file_permissions_home_directories ++ - file_groupownership_home_directories ++ - accounts_user_interactive_home_directory_exists ++ - 
accounts_have_homedir_login_defs ++ - file_permission_user_init_files ++ - no_files_unowned_by_user ++ - file_permissions_ungroupowned ++ - partition_for_home ++ - gnome_gdm_disable_automatic_login ++ - sshd_do_not_permit_user_env ++ - account_temp_expire_date ++ - accounts_passwords_pam_faillock_deny ++ - accounts_passwords_pam_faillock_interval ++ - accounts_passwords_pam_faillock_unlock_time ++ - accounts_passwords_pam_faillock_deny_root ++ - accounts_max_concurrent_login_sessions ++ - dconf_gnome_screensaver_lock_enabled ++ - configure_bashrc_exec_tmux ++ - no_tmux_in_shells ++ - dconf_gnome_screensaver_idle_delay ++ - configure_tmux_lock_after_time ++ - accounts_password_pam_ucredit ++ - accounts_password_pam_lcredit ++ - accounts_password_pam_dcredit ++ - accounts_password_pam_maxclassrepeat ++ - accounts_password_pam_maxrepeat ++ - accounts_password_pam_minclass ++ - accounts_password_pam_difok + - accounts_password_set_min_life_existing ++ - accounts_minimum_age_login_defs ++ - accounts_maximum_age_login_defs + - accounts_password_set_max_life_existing ++ - accounts_password_pam_unix_remember ++ - accounts_password_pam_minlen ++ - accounts_password_minlen_login_defs + - account_disable_post_pw_expiration +- - account_temp_expire_date +- - audit_rules_usergroup_modification_passwd +- - sssd_enable_smartcards ++ - accounts_password_pam_ocredit + - sssd_offline_cred_expiration +- - smartcard_configure_cert_checking +- - encrypt_partitions +- - sysctl_net_ipv4_tcp_syncookies +- - clean_components_post_updating +- - package_audispd-plugins_installed +- - package_libcap-ng-utils_installed +- - auditd_audispd_syslog_plugin_activated +- - accounts_password_pam_enforce_local +- - accounts_password_pam_enforce_root +- +- # Configure TLS for remote logging ++ - accounts_logon_fail_delay ++ - display_login_attempts ++ - sshd_print_last_log ++ - accounts_umask_etc_login_defs ++ - accounts_umask_interactive_users ++ - accounts_umask_etc_bashrc ++ - rsyslog_cron_logging 
++ - auditd_data_retention_action_mail_acct ++ - postfix_client_configure_mail_alias ++ - auditd_data_disk_error_action ++ - auditd_data_retention_max_log_file_action ++ - auditd_data_disk_full_action ++ - auditd_local_events ++ - auditd_name_format ++ - auditd_log_format ++ - file_permissions_var_log_audit ++ - directory_permissions_var_log_audit ++ - audit_rules_immutable ++ - audit_immutable_login_uids ++ - audit_rules_usergroup_modification_shadow ++ - audit_rules_usergroup_modification_opasswd ++ - audit_rules_usergroup_modification_passwd ++ - audit_rules_usergroup_modification_gshadow ++ - audit_rules_usergroup_modification_group ++ - audit_rules_login_events_lastlog ++ - grub2_audit_argument ++ - grub2_audit_backlog_limit_argument ++ - configure_usbguard_auditbackend + - package_rsyslog_installed + - package_rsyslog-gnutls_installed +- - rsyslog_remote_tls +- - rsyslog_remote_tls_cacert +- +- # Unselect zIPL rules from OSPP +- - "!zipl_bls_entries_only" +- - "!zipl_bootmap_is_up_to_date" +- - "!zipl_audit_argument" +- - "!zipl_audit_backlog_limit_argument" +- - "!zipl_page_poison_argument" +- - "!zipl_slub_debug_argument" +- - "!zipl_vsyscall_argument" +- - "!zipl_vsyscall_argument.role=unscored" +- - "!zipl_vsyscall_argument.severity=info" +- +- - installed_OS_is_vendor_supported ++ - rsyslog_remote_loghost ++ - auditd_data_retention_space_left ++ - auditd_data_retention_space_left_action ++ - chronyd_or_ntpd_set_maxpoll ++ - chronyd_client_only ++ - chronyd_no_chronyc_network ++ - package_telnet-server_removed ++ - package_abrt_removed ++ - package_abrt-addon-ccpp_removed ++ - package_abrt-addon-kerneloops_removed ++ - package_abrt-addon-python_removed ++ - package_abrt-cli_removed ++ - package_abrt-plugin-logger_removed ++ - package_abrt-plugin-rhtsupport_removed ++ - package_abrt-plugin-sosreport_removed ++ - package_sendmail_removed ++ - package_gssproxy_removed ++ - grub2_pti_argument ++ - package_rsh-server_removed ++ - kernel_module_atm_disabled ++ 
- kernel_module_can_disabled ++ - kernel_module_sctp_disabled ++ - kernel_module_tipc_disabled ++ - kernel_module_cramfs_disabled ++ - kernel_module_firewire-core_disabled ++ - configure_firewalld_ports ++ - service_autofs_disabled ++ - kernel_module_usb-storage_disabled ++ - service_firewalld_enabled ++ - package_firewalld_installed ++ - wireless_disable_interfaces ++ - kernel_module_bluetooth_disabled ++ - mount_option_dev_shm_nodev ++ - mount_option_dev_shm_nosuid ++ - mount_option_dev_shm_noexec ++ - mount_option_tmp_nodev ++ - mount_option_tmp_nosuid ++ - mount_option_tmp_noexec ++ - mount_option_var_log_nodev ++ - mount_option_var_log_nosuid ++ - mount_option_var_log_noexec ++ - mount_option_var_log_audit_nodev ++ - mount_option_var_log_audit_nosuid ++ - mount_option_var_log_audit_noexec ++ - mount_option_var_tmp_nodev ++ - mount_option_var_tmp_nosuid ++ - mount_option_var_tmp_noexec ++ - package_openssh-server_installed ++ - service_sshd_enabled ++ - sshd_rekey_limit ++ - ssh_client_rekey_limit ++ - disable_ctrlaltdel_reboot ++ - dconf_gnome_disable_ctrlaltdel_reboot ++ - disable_ctrlaltdel_burstaction ++ - service_debug-shell_disabled ++ - package_tftp-server_removed ++ - accounts_no_uid_except_zero ++ - sysctl_net_ipv4_conf_default_accept_redirects ++ - sysctl_net_ipv6_conf_default_accept_redirects ++ - sysctl_net_ipv4_conf_all_send_redirects ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ - sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv6_conf_all_accept_source_route ++ - sysctl_net_ipv4_conf_default_accept_source_route ++ - sysctl_net_ipv6_conf_default_accept_source_route ++ - sysctl_net_ipv4_ip_forward ++ - sysctl_net_ipv6_conf_all_accept_ra ++ - sysctl_net_ipv6_conf_default_accept_ra ++ - sysctl_net_ipv4_conf_default_send_redirects ++ - sysctl_net_ipv4_conf_all_accept_redirects ++ - sysctl_net_ipv6_conf_all_accept_redirects ++ - sysctl_kernel_unprivileged_bpf_disabled ++ - sysctl_kernel_yama_ptrace_scope ++ - 
sysctl_kernel_kptr_restrict ++ - sysctl_user_max_user_namespaces ++ - sysctl_net_ipv4_conf_all_rp_filter ++ - postfix_prevent_unrestricted_relay ++ - aide_verify_ext_attributes ++ - aide_verify_acls ++ - package_xorg-x11-server-common_removed ++ - sshd_disable_x11_forwarding ++ - sshd_x11_use_localhost ++ - tftpd_uses_secure_mode ++ - package_vsftpd_removed ++ - package_gssproxy_removed ++ - package_iprutils_removed ++ - package_tuned_removed ++ - require_emergency_target_auth ++ - require_singleuser_auth ++ - set_password_hashing_algorithm_systemauth ++ - dir_perms_world_writable_sticky_bits ++ - package_aide_installed ++ - aide_scan_notification ++ - install_smartcard_packages ++ - sshd_disable_kerb_auth ++ - sshd_disable_gssapi_auth ++ - accounts_user_dot_no_world_writable_programs ++ - network_configure_name_resolution ++ - dir_perms_world_writable_root_owned ++ - package_tmux_installed ++ - configure_tmux_lock_command ++ - accounts_password_pam_retry ++ - sssd_enable_smartcards ++ - no_empty_passwords ++ - sshd_disable_empty_passwords ++ - file_ownership_var_log_audit ++ - audit_rules_sysadmin_actions ++ - package_audit_installed ++ - service_auditd_enabled ++ - sshd_allow_only_protocol2 ++ - package_fapolicyd_installed ++ - service_fapolicyd_enabled ++ - package_usbguard_installed ++ - service_usbguard_enabled ++ - network_sniffer_disabled + +From 22cac40b15eb5beb4144c2521021e093509c05ad Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 29 Jan 2021 11:34:57 +0100 +Subject: [PATCH 02/21] Add correct variables to RHEL8 STIG missing from OSPP. + +They have either a different value from OSPP or they are being +explicitly set even if they are default values. 
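Review bot: `service_auditd_enabled` and `package_gssproxy_removed` are each selected twice in the new rule list (once next to `sshd_disable_root_login` / `package_sendmail_removed`, again next to `package_audit_installed` / `package_vsftpd_removed`); the second occurrence of each should be dropped so the profile matches the deduplicated stability data. `var_system_crypto_policy=fips_ospp` is set at the top of the hunk, but with `extends: ospp` removed no `configure_crypto_policy` rule appears anywhere in the selections, so that variable looks unused unless the rule is pulled in elsewhere — confirm or drop the line. The hunk also keeps `package_rsyslog-gnutls_installed` while replacing the `rsyslog_remote_tls` / `rsyslog_remote_tls_cacert` selections with a plain `rsyslog_remote_loghost`, which leaves remote log forwarding with no TLS configuration check; either reinstate the TLS rules or add a comment above the rsyslog entries stating why the gnutls package rule remains without them.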
+--- + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 1 + + .../ntp/var_time_service_set_maxpoll.var | 1 + + .../r_services/no_host_based_files/rule.yml | 2 ++ + .../no_user_host_based_files/rule.yml | 1 + + .../sshd_x11_use_localhost/rule.yml | 1 + + .../install_smartcard_packages/rule.yml | 1 + + .../accounts_logon_fail_delay/rule.yml | 1 + + .../rule.yml | 1 + + .../accounts_user_home_paths_only/rule.yml | 1 + + .../rule.yml | 1 + + .../file_permission_user_init_files/rule.yml | 1 + + .../rule.yml | 1 + + .../accounts_umask_interactive_users/rule.yml | 1 + + .../rule.yml | 1 + + .../auditd_data_disk_error_action/rule.yml | 1 + + .../auditd_data_disk_full_action/rule.yml | 1 + + .../auditd_data_retention_space_left/rule.yml | 1 + + .../rule.yml | 1 + + .../rule.yml | 1 + + .../fips/sysctl_crypto_fips_enabled/rule.yml | 1 + + rhel8/profiles/stig.profile | 20 +++++++++++++++++-- + 25 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml +index 4bfcc16c7f..0a3d818831 100644 +--- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml ++++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml +@@ -18,6 +18,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-80512-7 ++ cce@rhel8: CCE-84054-6 + + references: + stigid@ol7: OL07-00-040680 +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml 
b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml +index 3349a7963a..9374bdc065 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml +@@ -14,6 +14,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-80239-7 ++ cce@rhel8: CCE-84052-0 + + references: + nist: CM-6(a),MP-2 +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml +index ee6b9aa54a..4a50d79600 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80436-9 + cce@sle12: CCE-83103-2 ++ cce@rhel8: CCE-84050-4 + + references: + stigid@ol7: OL07-00-021021 +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml +index 6b71f94c2b..695e1a1e6c 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml +@@ 
-15,6 +15,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80240-5 + cce@sle12: CCE-83102-4 ++ cce@rhel8: CCE-84053-8 + + references: + stigid@ol7: OL07-00-021020 +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +index 9a802b5d5d..8d12b741a9 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +@@ -27,6 +27,7 @@ identifiers: + cce@rhel7: CCE-80439-3 + cce@rhcos4: CCE-82684-2 + cce@sle12: CCE-83124-8 ++ cce@rhel8: CCE-84059-5 + + references: + stigid@ol7: OL07-00-040500 +diff --git a/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var b/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var +index 81a7debf25..6dd3ec434c 100644 +--- a/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var ++++ b/linux_os/guide/services/ntp/var_time_service_set_maxpoll.var +@@ -10,5 +10,6 @@ interactive: false + + options: + 36_hours: 17 ++ 18_hours: 16 + default: 10 + system_default: 10 +diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml +index 01eb9e5f99..4944530617 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml ++++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml +@@ -23,6 +23,8 @@ severity: high + identifiers: + cce@rhel7: CCE-80513-5 + cce@sle12: CCE-83022-4 ++ cce@rhel8: CCE-84055-3 ++ + references: + stigid@ol7: OL07-00-040550 + disa: CCI-000366 +diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml +index 48bff043a6..efb6386261 100644 +--- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml ++++ 
b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml +@@ -23,6 +23,7 @@ severity: high + identifiers: + cce@rhel7: CCE-80514-3 + cce@sle12: CCE-83021-6 ++ cce@rhel8: CCE-84056-1 + + references: + stigid@ol7: OL07-00-040540 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml +index bee39a3904..664db5e626 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml +@@ -22,6 +22,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-83404-4 ++ cce@rhel8: CCE-84058-7 + + references: + srg: SRG-OS-000480-GPOS-00227 +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +index 29aa49483d..4b8a9c29f5 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +@@ -25,6 +25,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-80519-2 ++ cce@rhel8: CCE-84029-8 + + references: + stigid@ol7: OL07-00-041001 +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml +index e62e3cc62b..d1da3b6963 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml +@@ -16,6 +16,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80352-8 + cce@sle12: CCE-83028-1 ++ cce@rhel8: CCE-84037-1 + + references: + stigid@ol7: 
OL07-00-010430 +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml +index b73743ebcb..d41cc0cca4 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml +@@ -21,6 +21,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80523-4 + cce@sle12: CCE-83099-2 ++ cce@rhel8: CCE-84039-7 + + references: + stigid@ol7: OL07-00-020730 +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml +index b70bfc171a..143920449b 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml +@@ -25,6 +25,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80524-2 + cce@sle12: CCE-83098-4 ++ cce@rhel8: CCE-84040-5 + + references: + stigid@ol7: OL07-00-020720 +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml +index a0e6277ec6..a4cf5c2b2d 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80528-3 + cce@sle12: CCE-83075-2 ++ cce@rhel8: CCE-84036-3 + + references: + stigid@ol7: OL07-00-020600 +diff --git 
a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml +index 411a46dd00..ef6280203f 100644 +--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80525-9 + cce@sle12: CCE-83097-6 ++ cce@rhel8: CCE-84043-9 + + references: + stigid@ol7: OL07-00-020710 +diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml +index 62d603cfbb..561f9f1394 100644 +--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml +@@ -19,6 +19,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80530-9 + cce@sle12: CCE-83076-0 ++ cce@rhel8: CCE-84038-9 + + references: + stigid@ol7: OL07-00-020630 +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml +index 7629fcb3e4..f3648011c5 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml +@@ -18,6 +18,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-80536-6 ++ cce@rhel8: CCE-84044-7 + + references: + stigid@ol7: OL07-00-021040 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml +index 09618d986d..b9ff8233bb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml +@@ -16,6 +16,7 @@ severity: unknown + + identifiers: + cce@rhcos4: CCE-82692-5 ++ cce@rhel8: CCE-84048-8 + + references: + nist: CM-6(a),AC-6(1),AU-9 +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml +index 442b693951..d3646de8ff 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml +@@ -24,6 +24,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80646-3 + cce@rhcos4: CCE-82679-2 ++ cce@rhel8: CCE-84046-2 + + references: + nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml +index 01a5c5201d..d92afe34e8 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml +@@ -27,6 +27,7 @@ severity: medium + identifiers: + cce@rhcos4: CCE-82676-8 + cce@sle12: CCE-83032-3 ++ cce@rhel8: CCE-84045-4 + + references: + nist: AU-5(b),AU-5(2),AU-5(1),AU-5(4),CM-6(a) +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml 
b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +index 2f37c5b0e4..f1a742a810 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +@@ -23,6 +23,7 @@ identifiers: + cce@rhel7: CCE-80537-4 + cce@rhcos4: CCE-82681-8 + cce@sle12: CCE-83026-5 ++ cce@rhel8: CCE-84047-0 + + references: + stigid@ol7: OL07-00-030330 +diff --git a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml +index a9c6550b47..8450e29bf7 100644 +--- a/linux_os/guide/system/network/network_configure_name_resolution/rule.yml ++++ b/linux_os/guide/system/network/network_configure_name_resolution/rule.yml +@@ -26,6 +26,7 @@ severity: low + + identifiers: + cce@rhel7: CCE-80438-5 ++ cce@rhel8: CCE-84049-6 + + references: + stigid@ol7: OL07-00-040600 +diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml +index fae18baff6..d89bc407c7 100644 +--- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml ++++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml +@@ -30,6 +30,7 @@ severity: high + + identifiers: + cce@rhel7: CCE-80124-1 ++ cce@rhel8: CCE-84028-0 + + references: + stigid@ol7: OL07-00-020231 +diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +index 0807f512fb..8753e4aeef 100644 +--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml 
++++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +@@ -23,6 +23,7 @@ platform: machine # The oscap sysctl probe doesn't support offline mode + + identifiers: + cce@rhel7: CCE-80658-8 ++ cce@rhel8: CCE-84027-2 + + references: + disa: CCI-000068,CCI-000803,CCI-002450 +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 03ce772734..66cc5007be 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -24,12 +24,16 @@ description: |- + - Red Hat Containers with a Red Hat Enterprise Linux 8 image + + selections: ++ # variables + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour + - var_accounts_user_umask=077 +- - var_password_pam_difok=4 ++ - var_password_pam_difok=8 + - var_password_pam_maxrepeat=3 ++ - var_sshd_disable_compression=no + - var_password_pam_maxclassrepeat=4 ++ - var_password_pam_minclass=4 ++ - var_accounts_minimum_age_login_defs=1 + - var_accounts_max_concurrent_login_sessions=10 + - var_password_pam_unix_remember=5 + - var_selinux_state=enforcing +@@ -41,6 +45,8 @@ selections: + - var_password_pam_dcredit=1 + - var_password_pam_ucredit=1 + - var_password_pam_lcredit=1 ++ - var_password_pam_retry=3 ++ - var_password_pam_minlen=15 + - sshd_idle_timeout_value=10_minutes + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 +@@ -48,8 +54,18 @@ selections: + - var_ssh_client_rekey_limit_size=1G + - var_ssh_client_rekey_limit_time=1hour + - var_accounts_fail_delay=4 ++ - var_account_disable_post_pw_expiration=35 ++ - var_auditd_action_mail_acct=root ++ - var_time_service_set_maxpoll=18_hours ++ - var_password_hashing_algorithm=SHA512 ++ - var_accounts_maximum_age_login_defs=60 ++ - var_auditd_space_left=250MB ++ - var_auditd_space_left_action=email ++ - var_auditd_disk_error_action=halt ++ - var_auditd_max_log_file_action=syslog ++ - var_auditd_disk_full_action=halt + +- ++ # rules + - 
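Review bot: In the `@@ -41,6 +45,8 @@` hunk of rhel8/profiles/stig.profile the added `- var_password_pam_minlen=15` duplicates a selection that already exists a few lines earlier in the same variables block (just before `var_password_pam_ocredit=1`, outside this hunk's context), so the variable is now set twice with the same value; keep only the added `- var_password_pam_retry=3` and drop the second `var_password_pam_minlen` line. The new `# variables` / `# rules` comments are helpful, but the selections block continues beyond this hunk, so the duplicate is only visible when the whole block is read together.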
installed_OS_is_vendor_supported + - security_patches_up_to_date + - enable_fips_mode + +From e9d4aa6be77d6da201a748652effcf150cfaf18e Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 29 Jan 2021 13:52:43 +0100 +Subject: [PATCH 03/21] Update RHEL8 STIG profile stability data. + +--- + .../data/profile_stability/rhel8/stig.profile | 207 +++++++++++------- + 1 file changed, 122 insertions(+), 85 deletions(-) + +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 6676ca497c..9089f7ef4f 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -25,92 +25,110 @@ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-s + selections: + - account_disable_post_pw_expiration + - account_temp_expire_date ++- accounts_have_homedir_login_defs ++- accounts_logon_fail_delay + - accounts_max_concurrent_login_sessions ++- accounts_maximum_age_login_defs ++- accounts_minimum_age_login_defs ++- accounts_no_uid_except_zero + - accounts_password_minlen_login_defs + - accounts_password_pam_dcredit + - accounts_password_pam_difok +-- accounts_password_pam_enforce_local +-- accounts_password_pam_enforce_root + - accounts_password_pam_lcredit + - accounts_password_pam_maxclassrepeat + - accounts_password_pam_maxrepeat ++- accounts_password_pam_minclass + - accounts_password_pam_minlen + - accounts_password_pam_ocredit ++- accounts_password_pam_retry + - accounts_password_pam_ucredit + - accounts_password_pam_unix_remember + - accounts_password_set_max_life_existing + - accounts_password_set_min_life_existing + - accounts_passwords_pam_faillock_deny ++- accounts_passwords_pam_faillock_deny_root + - accounts_passwords_pam_faillock_interval + - accounts_passwords_pam_faillock_unlock_time + - accounts_umask_etc_bashrc +-- accounts_umask_etc_csh_cshrc +-- accounts_umask_etc_profile +-- audit_access_failed +-- audit_access_success +-- 
audit_basic_configuration +-- audit_create_failed +-- audit_create_success +-- audit_delete_failed +-- audit_delete_success ++- accounts_umask_etc_login_defs ++- accounts_umask_interactive_users ++- accounts_user_dot_no_world_writable_programs ++- accounts_user_home_paths_only ++- accounts_user_interactive_home_directory_defined ++- accounts_user_interactive_home_directory_exists ++- aide_scan_notification ++- aide_verify_acls ++- aide_verify_ext_attributes + - audit_immutable_login_uids +-- audit_modify_failed +-- audit_modify_success +-- audit_module_load +-- audit_ospp_general +-- audit_owner_change_failed +-- audit_owner_change_success +-- audit_perm_change_failed +-- audit_perm_change_success ++- audit_rules_immutable ++- audit_rules_login_events_lastlog ++- audit_rules_sysadmin_actions ++- audit_rules_usergroup_modification_group ++- audit_rules_usergroup_modification_gshadow ++- audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd +-- auditd_audispd_syslog_plugin_activated +-- auditd_data_retention_flush +-- auditd_freq ++- audit_rules_usergroup_modification_shadow ++- auditd_data_disk_error_action ++- auditd_data_disk_full_action ++- auditd_data_retention_action_mail_acct ++- auditd_data_retention_max_log_file_action ++- auditd_data_retention_space_left ++- auditd_data_retention_space_left_action + - auditd_local_events + - auditd_log_format + - auditd_name_format +-- auditd_write_logs + - banner_etc_issue + - chronyd_client_only + - chronyd_no_chronyc_network ++- chronyd_or_ntpd_set_maxpoll + - clean_components_post_updating + - configure_bashrc_exec_tmux +-- configure_bind_crypto_policy +-- configure_crypto_policy +-- configure_kerberos_crypto_policy +-- configure_libreswan_crypto_policy +-- configure_openssl_crypto_policy +-- configure_ssh_crypto_policy ++- configure_firewalld_ports + - configure_tmux_lock_after_time + - configure_tmux_lock_command + - configure_usbguard_auditbackend + - coredump_disable_backtraces + - 
coredump_disable_storage +-- dconf_db_up_to_date + - dconf_gnome_banner_enabled ++- dconf_gnome_disable_ctrlaltdel_reboot + - dconf_gnome_login_banner_text ++- dconf_gnome_screensaver_idle_delay ++- dconf_gnome_screensaver_lock_enabled ++- dir_perms_world_writable_root_owned ++- dir_perms_world_writable_sticky_bits ++- directory_permissions_var_log_audit + - disable_ctrlaltdel_burstaction + - disable_ctrlaltdel_reboot +-- disable_host_auth + - disable_users_coredumps +-- dnf-automatic_apply_updates +-- dnf-automatic_security_updates_only +-- enable_dracut_fips_module ++- display_login_attempts + - enable_fips_mode + - encrypt_partitions + - ensure_gpgcheck_globally_activated + - ensure_gpgcheck_local_packages +-- ensure_gpgcheck_never_disabled +-- ensure_redhat_gpgkey_installed ++- file_groupownership_home_directories ++- file_ownership_binary_dirs ++- file_ownership_library_dirs ++- file_ownership_var_log_audit ++- file_permission_user_init_files ++- file_permissions_binary_dirs ++- file_permissions_home_directories ++- file_permissions_library_dirs ++- file_permissions_sshd_private_key ++- file_permissions_sshd_pub_key ++- file_permissions_ungroupowned ++- file_permissions_var_log_audit ++- gnome_gdm_disable_automatic_login ++- grub2_admin_username + - grub2_audit_argument + - grub2_audit_backlog_limit_argument +-- grub2_disable_interactive_boot +-- grub2_kernel_trust_cpu_rng + - grub2_page_poison_argument ++- grub2_password + - grub2_pti_argument + - grub2_slub_debug_argument ++- grub2_uefi_admin_username + - grub2_uefi_password + - grub2_vsyscall_argument ++- install_smartcard_packages + - installed_OS_is_vendor_supported + - kerberos_disable_no_keytab + - kernel_module_atm_disabled +@@ -120,14 +138,19 @@ selections: + - kernel_module_firewire-core_disabled + - kernel_module_sctp_disabled + - kernel_module_tipc_disabled +-- mount_option_boot_nodev ++- kernel_module_usb-storage_disabled + - mount_option_boot_nosuid + - mount_option_dev_shm_nodev + - 
mount_option_dev_shm_noexec + - mount_option_dev_shm_nosuid +-- mount_option_home_nodev + - mount_option_home_nosuid + - mount_option_nodev_nonroot_local_partitions ++- mount_option_nodev_remote_filesystems ++- mount_option_nodev_removable_partitions ++- mount_option_noexec_remote_filesystems ++- mount_option_noexec_removable_partitions ++- mount_option_nosuid_remote_filesystems ++- mount_option_nosuid_removable_partitions + - mount_option_tmp_nodev + - mount_option_tmp_noexec + - mount_option_tmp_nosuid +@@ -137,13 +160,16 @@ selections: + - mount_option_var_log_nodev + - mount_option_var_log_noexec + - mount_option_var_log_nosuid +-- mount_option_var_nodev + - mount_option_var_tmp_nodev + - mount_option_var_tmp_noexec + - mount_option_var_tmp_nosuid ++- network_configure_name_resolution ++- network_sniffer_disabled + - no_empty_passwords ++- no_files_unowned_by_user ++- no_host_based_files + - no_tmux_in_shells +-- openssl_use_strong_entropy ++- no_user_host_based_files + - package_abrt-addon-ccpp_removed + - package_abrt-addon-kerneloops_removed + - package_abrt-addon-python_removed +@@ -153,66 +179,76 @@ selections: + - package_abrt-plugin-sosreport_removed + - package_abrt_removed + - package_aide_installed +-- package_audispd-plugins_installed + - package_audit_installed +-- package_chrony_installed +-- package_crypto-policies_installed +-- package_dnf-automatic_installed +-- package_dnf-plugin-subscription-manager_installed + - package_fapolicyd_installed + - package_firewalld_installed +-- package_gnutls-utils_installed + - package_gssproxy_removed + - package_iprutils_removed + - package_krb5-workstation_removed +-- package_libcap-ng-utils_installed +-- package_nfs-utils_removed +-- package_openscap-scanner_installed +-- package_openssh-clients_installed ++- package_opensc_installed + - package_openssh-server_installed +-- package_policycoreutils-python-utils_installed + - package_policycoreutils_installed ++- package_rsh-server_removed + - 
package_rsyslog-gnutls_installed + - package_rsyslog_installed +-- package_scap-security-guide_installed + - package_sendmail_removed +-- package_subscription-manager_installed +-- package_sudo_installed ++- package_telnet-server_removed ++- package_tftp-server_removed + - package_tmux_installed ++- package_tuned_removed + - package_usbguard_installed ++- package_vsftpd_removed ++- package_xorg-x11-server-common_removed + - partition_for_home ++- partition_for_tmp + - partition_for_var + - partition_for_var_log + - partition_for_var_log_audit ++- postfix_client_configure_mail_alias ++- postfix_prevent_unrestricted_relay ++- require_emergency_target_auth + - require_singleuser_auth +-- rsyslog_remote_tls +-- rsyslog_remote_tls_cacert +-- securetty_root_login_console_only ++- rsyslog_cron_logging ++- rsyslog_remote_loghost ++- security_patches_up_to_date + - selinux_policytype + - selinux_state + - service_auditd_enabled ++- service_autofs_disabled + - service_debug-shell_disabled + - service_fapolicyd_enabled + - service_firewalld_enabled + - service_kdump_disabled ++- service_rngd_enabled ++- service_rsyslog_enabled ++- service_sshd_enabled + - service_systemd-coredump_disabled + - service_usbguard_enabled +-- smartcard_configure_cert_checking ++- set_password_hashing_algorithm_logindefs ++- set_password_hashing_algorithm_systemauth + - ssh_client_rekey_limit +-- ssh_client_use_strong_rng_csh +-- ssh_client_use_strong_rng_sh ++- sshd_allow_only_protocol2 ++- sshd_disable_compression + - sshd_disable_empty_passwords + - sshd_disable_gssapi_auth + - sshd_disable_kerb_auth + - sshd_disable_root_login ++- sshd_disable_user_known_hosts ++- sshd_disable_x11_forwarding ++- sshd_do_not_permit_user_env + - sshd_enable_strictmodes + - sshd_enable_warning_banner ++- sshd_print_last_log + - sshd_rekey_limit + - sshd_set_idle_timeout + - sshd_set_keepalive + - sshd_use_strong_rng ++- sshd_x11_use_localhost + - sssd_enable_smartcards + - sssd_offline_cred_expiration ++- 
sudo_remove_no_authenticate ++- sudo_remove_nopasswd ++- sysctl_crypto_fips_enabled + - sysctl_fs_protected_hardlinks + - sysctl_fs_protected_symlinks + - sysctl_kernel_core_pattern +@@ -220,25 +256,18 @@ selections: + - sysctl_kernel_kexec_load_disabled + - sysctl_kernel_kptr_restrict + - sysctl_kernel_perf_event_paranoid ++- sysctl_kernel_randomize_va_space + - sysctl_kernel_unprivileged_bpf_disabled + - sysctl_kernel_yama_ptrace_scope +-- sysctl_net_core_bpf_jit_harden + - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_accept_source_route +-- sysctl_net_ipv4_conf_all_log_martians + - sysctl_net_ipv4_conf_all_rp_filter +-- sysctl_net_ipv4_conf_all_secure_redirects + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv4_conf_default_accept_source_route +-- sysctl_net_ipv4_conf_default_log_martians +-- sysctl_net_ipv4_conf_default_rp_filter +-- sysctl_net_ipv4_conf_default_secure_redirects + - sysctl_net_ipv4_conf_default_send_redirects + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts +-- sysctl_net_ipv4_icmp_ignore_bogus_error_responses + - sysctl_net_ipv4_ip_forward +-- sysctl_net_ipv4_tcp_syncookies + - sysctl_net_ipv6_conf_all_accept_ra + - sysctl_net_ipv6_conf_all_accept_redirects + - sysctl_net_ipv6_conf_all_accept_source_route +@@ -246,36 +275,44 @@ selections: + - sysctl_net_ipv6_conf_default_accept_redirects + - sysctl_net_ipv6_conf_default_accept_source_route + - sysctl_user_max_user_namespaces +-- timer_dnf-automatic_enabled +-- usbguard_allow_hid_and_hub +-- use_pam_wheel_for_su ++- tftpd_uses_secure_mode ++- wireless_disable_interfaces + - var_rekey_limit_size=1G + - var_rekey_limit_time=1hour +-- var_accounts_user_umask=027 +-- var_password_pam_difok=4 ++- var_accounts_user_umask=077 ++- var_password_pam_difok=8 + - var_password_pam_maxrepeat=3 ++- var_sshd_disable_compression=no + - var_password_pam_maxclassrepeat=4 +-- var_auditd_flush=incremental_async ++- 
var_password_pam_minclass=4 ++- var_accounts_minimum_age_login_defs=1 + - var_accounts_max_concurrent_login_sessions=10 + - var_password_pam_unix_remember=5 + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted + - var_system_crypto_policy=fips_ospp +-- var_accounts_password_minlen_login_defs=12 +-- var_password_pam_minlen=12 ++- var_accounts_password_minlen_login_defs=15 ++- var_password_pam_minlen=15 + - var_password_pam_ocredit=1 + - var_password_pam_dcredit=1 + - var_password_pam_ucredit=1 + - var_password_pam_lcredit=1 +-- sshd_idle_timeout_value=14_minutes ++- var_password_pam_retry=3 ++- sshd_idle_timeout_value=10_minutes + - var_accounts_passwords_pam_faillock_deny=3 + - var_accounts_passwords_pam_faillock_fail_interval=900 + - var_accounts_passwords_pam_faillock_unlock_time=never + - var_ssh_client_rekey_limit_size=1G + - var_ssh_client_rekey_limit_time=1hour +-- login_banner_text=dod_banners +-- grub2_vsyscall_argument.role=unscored +-- grub2_vsyscall_argument.severity=info +-- sysctl_user_max_user_namespaces.role=unscored +-- sysctl_user_max_user_namespaces.severity=info +-title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux 8' ++- var_accounts_fail_delay=4 ++- var_account_disable_post_pw_expiration=35 ++- var_auditd_action_mail_acct=root ++- var_time_service_set_maxpoll=18_hours ++- var_password_hashing_algorithm=SHA512 ++- var_accounts_maximum_age_login_defs=60 ++- var_auditd_space_left=250MB ++- var_auditd_space_left_action=email ++- var_auditd_disk_error_action=halt ++- var_auditd_max_log_file_action=syslog ++- var_auditd_disk_full_action=halt ++title: DISA STIG for Red Hat Enterprise Linux 8 + +From 443d09de1487b35d4fc8bbc146ddd74a4412f7f4 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 2 Feb 2021 13:42:40 +0100 +Subject: [PATCH 04/21] Set openssl-pkcs11 as default package for + install_smartcard_packages. 
+ +--- + .../install_smartcard_packages/rule.yml | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +index 4b8a9c29f5..d64240dce2 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml +@@ -7,7 +7,11 @@ title: 'Install Smart Card Packages For Multifactor Authentication' + description: |- + Configure the operating system to implement multifactor authentication by + installing the required package with the following command: ++ {{%- if product in ["rhel7", "ol7"] %}} + {{{ describe_package_install(package="pam_pkcs11") }}} ++ {{%- else %}} ++ {{{ describe_package_install(package="openssl-pkcs11") }}} ++ {{%- endif %}} + + rationale: |- + Using an authentication device, such as a CAC or token that is separate from +@@ -37,9 +41,15 @@ references: + + ocil_clause: 'smartcard software is not installed' + ++{{%- if product in ["rhel7", "ol7"] %}} + ocil: '{{{ ocil_package(package="pam_pkcs11") }}}' ++{{%- else %}} ++ocil: '{{{ ocil_package(package="openssl-pkcs11") }}}' ++{{%- endif %}} + + template: + name: package_installed + vars: +- pkgname: pam_pkcs11 ++ pkgname: openssl-pkcs11 ++ pkgname@rhel7: pam_pkcs11 ++ pkgname@ol7: pam_pkcs11 + +From 628065d65e0ab363dcdbb513f17a28ae839cefb5 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 4 Feb 2021 19:09:44 +0100 +Subject: [PATCH 05/21] Remove conflicting rules from RHEL8 STIG profile. 
+ +--- + rhel8/profiles/stig.profile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 66cc5007be..24eb0f9e21 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -223,7 +223,7 @@ selections: + - package_abrt-plugin-rhtsupport_removed + - package_abrt-plugin-sosreport_removed + - package_sendmail_removed +- - package_gssproxy_removed ++ # - package_gssproxy_removed + - grub2_pti_argument + - package_rsh-server_removed + - kernel_module_atm_disabled +@@ -286,7 +286,7 @@ selections: + - postfix_prevent_unrestricted_relay + - aide_verify_ext_attributes + - aide_verify_acls +- - package_xorg-x11-server-common_removed ++ # - package_xorg-x11-server-common_removed + - sshd_disable_x11_forwarding + - sshd_x11_use_localhost + - tftpd_uses_secure_mode + +From 917744300baa99686955239f6e73b193a7c1e2b9 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 8 Feb 2021 15:47:09 +0100 +Subject: [PATCH 06/21] Remove duplicate rule gssproxy package removed from + STIG. 
+ +--- + rhel8/profiles/stig.profile | 1 - + tests/data/profile_stability/rhel8/stig.profile | 2 -- + 2 files changed, 3 deletions(-) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 24eb0f9e21..34f9f79461 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -291,7 +291,6 @@ selections: + - sshd_x11_use_localhost + - tftpd_uses_secure_mode + - package_vsftpd_removed +- - package_gssproxy_removed + - package_iprutils_removed + - package_tuned_removed + - require_emergency_target_auth +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 9089f7ef4f..bc5153fa99 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -182,7 +182,6 @@ selections: + - package_audit_installed + - package_fapolicyd_installed + - package_firewalld_installed +-- package_gssproxy_removed + - package_iprutils_removed + - package_krb5-workstation_removed + - package_opensc_installed +@@ -198,7 +197,6 @@ selections: + - package_tuned_removed + - package_usbguard_installed + - package_vsftpd_removed +-- package_xorg-x11-server-common_removed + - partition_for_home + - partition_for_tmp + - partition_for_var + +From 9455a5059b09de9bb9d4f5faeca7896246bc2e0e Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 8 Feb 2021 17:54:07 +0100 +Subject: [PATCH 07/21] Remove one file based audit rule from RHEL8 STIG + profile. 
+ +--- + rhel8/profiles/stig.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 34f9f79461..a5f8f54de1 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -195,7 +195,7 @@ selections: + - file_permissions_var_log_audit + - directory_permissions_var_log_audit + - audit_rules_immutable +- - audit_immutable_login_uids ++ # - audit_immutable_login_uids + - audit_rules_usergroup_modification_shadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + +From 987b198504bd45e40a3c4e090ebf36e69f18d43c Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Mon, 8 Feb 2021 17:54:26 +0100 +Subject: [PATCH 08/21] Increase size of /var partition in RHEL8 STIG + kickstart. + +Set mount options nosuid, nodev and noexec to /boot partition. +--- + rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg +index 28f7ff0927..3e8be668bd 100644 +--- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg +@@ -100,7 +100,7 @@ zerombr + clearpart --linux --initlabel + + # Create primary system partitions (required for installs) +-part /boot --fstype=xfs --size=512 ++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" + part pv.01 --grow --size=1 + + # Create a Logical Volume Management (LVM) group (optional) + +From 446e9b79aa6cc40ab42c95292914835fa18d0b69 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 9 Feb 2021 14:33:30 +0100 +Subject: [PATCH 09/21] Add package_rng-tools_installed because it is + dependency of rngd service. 
+ +--- + rhel8/profiles/stig.profile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index a5f8f54de1..91ce77b4de 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -110,6 +110,7 @@ selections: + - no_host_based_files + - no_user_host_based_files + - service_rngd_enabled ++ - package_rng-tools_installed + - file_permissions_sshd_pub_key + - file_permissions_sshd_private_key + - sshd_enable_strictmodes + +From d61652ed418bb4d6b07a88f1bee1bda15196e23e Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Tue, 9 Feb 2021 14:35:53 +0100 +Subject: [PATCH 10/21] Remove draft verbiage from description in RHEL8 STIG + profile. + +--- + rhel8/profiles/stig.profile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 91ce77b4de..017e72ee2d 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' + + description: |- + This profile contains configuration checks that align to the +- [DRAFT] DISA STIG for Red Hat Enterprise Linux 8. ++ DISA STIG for Red Hat Enterprise Linux 8. + + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this + configuration baseline as applicable to the operating system tier of + +From 9fa00acb2c1b551c26418ce2ff606a579e7fe192 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 10 Feb 2021 12:24:05 +0100 +Subject: [PATCH 11/21] Update RHEL8 STIG profile stability data. 
+ +--- + tests/data/profile_stability/rhel8/stig.profile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index bc5153fa99..668c258306 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -1,6 +1,6 @@ + description: 'This profile contains configuration checks that align to the + +- [DRAFT] DISA STIG for Red Hat Enterprise Linux 8. ++ DISA STIG for Red Hat Enterprise Linux 8. + + + In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes +@@ -59,7 +59,6 @@ selections: + - aide_scan_notification + - aide_verify_acls + - aide_verify_ext_attributes +-- audit_immutable_login_uids + - audit_rules_immutable + - audit_rules_login_events_lastlog + - audit_rules_sysadmin_actions +@@ -187,6 +186,7 @@ selections: + - package_opensc_installed + - package_openssh-server_installed + - package_policycoreutils_installed ++- package_rng-tools_installed + - package_rsh-server_removed + - package_rsyslog-gnutls_installed + - package_rsyslog_installed + +From 91a77ac9fce7ba96ba80d2d33efa0b82c5329807 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Wed, 10 Feb 2021 12:47:45 +0100 +Subject: [PATCH 12/21] Fix duplicated CCE. 
+ +--- + .../auditd_data_retention_space_left/rule.yml | 2 +- + shared/references/cce-redhat-avail.txt | 1 - + 2 files changed, 1 insertion(+), 2 deletions(-) + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +index f1a742a810..7d84595498 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +@@ -23,7 +23,7 @@ identifiers: + cce@rhel7: CCE-80537-4 + cce@rhcos4: CCE-82681-8 + cce@sle12: CCE-83026-5 +- cce@rhel8: CCE-84047-0 ++ cce@rhel8: CCE-83619-7 + + references: + stigid@ol7: OL07-00-030330 +diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt +index 15bf569a4a..9a5b9703af 100644 +--- a/shared/references/cce-redhat-avail.txt ++++ b/shared/references/cce-redhat-avail.txt +@@ -124,7 +124,6 @@ CCE-83615-5 + CCE-83616-3 + CCE-83617-1 + CCE-83618-9 +-CCE-83619-7 + CCE-83620-5 + CCE-83621-3 + CCE-83622-1 + +From ba53084a041ae151d50f237c58efd136be89012c Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 11 Feb 2021 12:47:56 +0100 +Subject: [PATCH 13/21] Add bootloader password to RHEL8 STIG kickstart + example. + +--- + rhel8/kickstart/ssg-rhel8-stig-ks.cfg | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg +index 3e8be668bd..0ec942bb8b 100644 +--- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg +@@ -83,10 +83,11 @@ selinux --enforcing + timezone --utc America/New_York + + # Specify how the bootloader should be installed (required) ++# Plaintext password is: password + # Refer to e.g. 
+ # https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw + # to see how to create encrypted password form for different plaintext password +-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" ++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0 + + # Initialize (format) all disks (optional) + zerombr + +From 8c7bea0728745c6a25502d26fbb30053b7888261 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 11 Feb 2021 12:49:02 +0100 +Subject: [PATCH 14/21] Update RHEL8 STIG profile with FIPS rules. + +--- + rhel8/profiles/stig.profile | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 017e72ee2d..201a5c6ca6 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -38,7 +38,6 @@ selections: + - var_password_pam_unix_remember=5 + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +- - var_system_crypto_policy=fips_ospp + - var_accounts_password_minlen_login_defs=15 + - var_password_pam_minlen=15 + - var_password_pam_ocredit=1 +@@ -65,10 +64,21 @@ selections: + - var_auditd_max_log_file_action=syslog + - var_auditd_disk_full_action=halt + ++ ### Enable / Configure FIPS ++ - enable_fips_mode ++ - var_system_crypto_policy=fips ++ - configure_crypto_policy ++ - configure_ssh_crypto_policy ++ - configure_bind_crypto_policy ++ - configure_openssl_crypto_policy ++ - configure_libreswan_crypto_policy ++ - configure_kerberos_crypto_policy ++ - enable_dracut_fips_module ++ + # rules + - installed_OS_is_vendor_supported + - security_patches_up_to_date +- - enable_fips_mode ++ + - sysctl_crypto_fips_enabled + - encrypt_partitions + - sshd_enable_warning_banner +@@ -211,6 +221,7 @@ selections: 
+ - rsyslog_remote_loghost + - auditd_data_retention_space_left + - auditd_data_retention_space_left_action ++ # remediation fails because default configuration file contains pool instead of server keyword + - chronyd_or_ntpd_set_maxpoll + - chronyd_client_only + - chronyd_no_chronyc_network +@@ -284,6 +295,7 @@ selections: + - sysctl_kernel_kptr_restrict + - sysctl_user_max_user_namespaces + - sysctl_net_ipv4_conf_all_rp_filter ++ # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation + - postfix_prevent_unrestricted_relay + - aide_verify_ext_attributes + - aide_verify_acls + +From 6735cc0b910e75a1909d774efbf033781c6ad424 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 11 Feb 2021 13:29:33 +0100 +Subject: [PATCH 15/21] Update RHEL8 STIG profile stability test data. + +--- + tests/data/profile_stability/rhel8/stig.profile | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 668c258306..f120201c91 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -82,7 +82,13 @@ selections: + - chronyd_or_ntpd_set_maxpoll + - clean_components_post_updating + - configure_bashrc_exec_tmux ++- configure_bind_crypto_policy ++- configure_crypto_policy + - configure_firewalld_ports ++- configure_kerberos_crypto_policy ++- configure_libreswan_crypto_policy ++- configure_openssl_crypto_policy ++- configure_ssh_crypto_policy + - configure_tmux_lock_after_time + - configure_tmux_lock_command + - configure_usbguard_auditbackend +@@ -100,6 +106,7 @@ selections: + - disable_ctrlaltdel_reboot + - disable_users_coredumps + - display_login_attempts ++- enable_dracut_fips_module + - enable_fips_mode + - encrypt_partitions + - ensure_gpgcheck_globally_activated +@@ -288,7 +295,6 @@ selections: + - var_password_pam_unix_remember=5 + - 
var_selinux_state=enforcing + - var_selinux_policy_name=targeted +-- var_system_crypto_policy=fips_ospp + - var_accounts_password_minlen_login_defs=15 + - var_password_pam_minlen=15 + - var_password_pam_ocredit=1 +@@ -313,4 +319,5 @@ selections: + - var_auditd_disk_error_action=halt + - var_auditd_max_log_file_action=syslog + - var_auditd_disk_full_action=halt ++- var_system_crypto_policy=fips + title: DISA STIG for Red Hat Enterprise Linux 8 + +From b8068d4c2edfb90b4ec75f9d1bb83af78dbb468e Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 11 Feb 2021 17:40:40 +0100 +Subject: [PATCH 16/21] Remove postfix_prevent_unrestricted_relay from RHEL8 + STIG profile. + +The check doesn't consider if the package postfix is installed or not, +which in this case is a hard requirement. +--- + rhel8/profiles/stig.profile | 3 ++- + tests/data/profile_stability/rhel8/stig.profile | 1 - + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 201a5c6ca6..7aea226c95 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -296,7 +296,8 @@ selections: + - sysctl_user_max_user_namespaces + - sysctl_net_ipv4_conf_all_rp_filter + # /etc/postfix/main.cf does not exist on default installation resulting in error during remediation +- - postfix_prevent_unrestricted_relay ++ # there needs to be a new platform check to identify when postfix is installed or not ++ # - postfix_prevent_unrestricted_relay + - aide_verify_ext_attributes + - aide_verify_acls + # - package_xorg-x11-server-common_removed +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index f120201c91..2c574382a8 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -210,7 +210,6 @@ selections: + - partition_for_var_log + - partition_for_var_log_audit + - postfix_client_configure_mail_alias +-- 
postfix_prevent_unrestricted_relay + - require_emergency_target_auth + - require_singleuser_auth + - rsyslog_cron_logging + +From ee253e573e7b571e593666dfe12a5ac0fb240bf5 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Thu, 11 Feb 2021 17:58:43 +0100 +Subject: [PATCH 17/21] Disable audit rules from RHEL8 STIG profile + temporarily. + +Audit rules should be evaluated first implemented using new approach. +--- + rhel8/profiles/stig.profile | 16 ++++++++-------- + tests/data/profile_stability/rhel8/stig.profile | 7 ------- + 2 files changed, 8 insertions(+), 15 deletions(-) + +diff --git a/rhel8/profiles/stig.profile b/rhel8/profiles/stig.profile +index 7aea226c95..0aa6f28986 100644 +--- a/rhel8/profiles/stig.profile ++++ b/rhel8/profiles/stig.profile +@@ -205,14 +205,14 @@ selections: + - auditd_log_format + - file_permissions_var_log_audit + - directory_permissions_var_log_audit +- - audit_rules_immutable ++ # - audit_rules_immutable + # - audit_immutable_login_uids +- - audit_rules_usergroup_modification_shadow +- - audit_rules_usergroup_modification_opasswd +- - audit_rules_usergroup_modification_passwd +- - audit_rules_usergroup_modification_gshadow +- - audit_rules_usergroup_modification_group +- - audit_rules_login_events_lastlog ++ # - audit_rules_usergroup_modification_shadow ++ # - audit_rules_usergroup_modification_opasswd ++ # - audit_rules_usergroup_modification_passwd ++ # - audit_rules_usergroup_modification_gshadow ++ # - audit_rules_usergroup_modification_group ++ # - audit_rules_login_events_lastlog + - grub2_audit_argument + - grub2_audit_backlog_limit_argument + - configure_usbguard_auditbackend +@@ -326,7 +326,7 @@ selections: + - no_empty_passwords + - sshd_disable_empty_passwords + - file_ownership_var_log_audit +- - audit_rules_sysadmin_actions ++ # - audit_rules_sysadmin_actions + - package_audit_installed + - service_auditd_enabled + - sshd_allow_only_protocol2 +diff --git a/tests/data/profile_stability/rhel8/stig.profile 
b/tests/data/profile_stability/rhel8/stig.profile +index 2c574382a8..58fc365707 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -60,13 +60,6 @@ selections: + - aide_verify_acls + - aide_verify_ext_attributes + - audit_rules_immutable +-- audit_rules_login_events_lastlog +-- audit_rules_sysadmin_actions +-- audit_rules_usergroup_modification_group +-- audit_rules_usergroup_modification_gshadow +-- audit_rules_usergroup_modification_opasswd +-- audit_rules_usergroup_modification_passwd +-- audit_rules_usergroup_modification_shadow + - auditd_data_disk_error_action + - auditd_data_disk_full_action + - auditd_data_retention_action_mail_acct + +From 99cf1438cf9ac71af398b34247aec389b3163d7c Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 12 Feb 2021 09:57:35 +0100 +Subject: [PATCH 18/21] Add missing SRG mapping for RHEL8 STIG profile rules. + +--- + .../postfix_client_configure_mail_alias/rule.yml | 1 + + .../mount_option_nodev_remote_filesystems/rule.yml | 1 + + .../directory_permissions_var_log_audit/rule.yml | 1 + + .../auditd_data_disk_error_action/rule.yml | 1 + + .../auditd_data_disk_full_action/rule.yml | 1 + + .../auditd_data_retention_max_log_file_action/rule.yml | 1 + + .../guide/system/logging/service_rsyslog_enabled/rule.yml | 1 + + .../files/dir_perms_world_writable_root_owned/rule.yml | 1 + + .../files/dir_perms_world_writable_sticky_bits/rule.yml | 4 +++- + .../file_ownership_binary_dirs/rule.yml | 1 + + .../file_ownership_library_dirs/rule.yml | 1 + + .../file_permissions_binary_dirs/rule.yml | 1 + + .../file_permissions_library_dirs/rule.yml | 1 + + .../mount_option_nodev_removable_partitions/rule.yml | 1 + + .../mount_option_noexec_removable_partitions/rule.yml | 1 + + .../integrity/fips/sysctl_crypto_fips_enabled/rule.yml | 1 + + 16 files changed, 18 insertions(+), 1 deletion(-) + +diff --git 
a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +index 96601ebb87..ea30438a5f 100644 +--- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml ++++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +@@ -32,6 +32,7 @@ references: + nist@sle12: AU-5(a),AU-5.1(ii) + anssi: BP28(R49) + stigid@rhel8: RHEL-08-030030 ++ srg: SRG-OS-000046-GPOS-00022 + + ocil_clause: 'it is not' + +diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml +index 9374bdc065..66f4558923 100644 +--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml ++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml +@@ -25,6 +25,7 @@ references: + iso27001-2013: A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.2 + cis-csc: 11,13,14,3,8,9 + stigid@rhel8: RHEL-08-010640 ++ srg: SRG-OS-000480-GPOS-00227 + + ocil_clause: 'the setting does not show' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml +index b9ff8233bb..64c7927021 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml +@@ -27,6 +27,7 @@ references: + 
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,13,14,15,16,18,19,3,4,5,6,7,8 + stigid@rhel8: RHEL-08-030120 ++ srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029 + + ocil_clause: 'any are more permissive' + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml +index d3646de8ff..8e6836ae2f 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml +@@ -35,6 +35,7 @@ references: + iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 + cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 + stigid@rhel8: RHEL-08-030040 ++ srg: SRG-OS-000047-GPOS-00023 + + ocil_clause: 'the system is not configured to switch to single-user mode for corrective action' + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml +index d92afe34e8..6b7dddb0ee 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml +@@ -42,6 +42,7 @@ references: + disa@sle12: CCI-000140 + nist@sle12: AU-5(b),AU-5.1(iv) + stigid@rhel8: RHEL-08-030060 ++ srg: SRG-OS-000047-GPOS-00023 + + ocil_clause: 'the system is not configured to switch 
to single-user mode for corrective action' + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml +index 6a32a85fe5..07c21ca5ab 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml +@@ -45,6 +45,7 @@ references: + cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 + cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 + stigid@rhel8: RHEL-08-030050 ++ srg: SRG-OS-000047-GPOS-00023 + + ocil_clause: 'the system has not been properly configured to rotate audit logs' + +diff --git a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml +index 3ef70473de..a87d19fc10 100644 +--- a/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml ++++ b/linux_os/guide/system/logging/service_rsyslog_enabled/rule.yml +@@ -30,6 +30,7 @@ references: + cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9 + cis@ubuntu2004: 4.2.1.2 + stigid@rhel8: RHEL-08-010561 ++ srg: SRG-OS-000480-GPOS-00227 + + ocil: '{{{ ocil_service_enabled(service="rsyslog") }}}' + +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml +index 90011f5f92..02e9ce0100 100644 +--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_root_owned/rule.yml +@@ -25,6 +25,7 @@ identifiers: + references: + anssi: BP28(R40) + stigid@rhel8: RHEL-08-010700 ++ srg: 
SRG-OS-000480-GPOS-00227 + + ocil_clause: 'there is output' + +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml +index 5bb3cf3713..3c9e31b97e 100644 +--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml +@@ -47,7 +47,9 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + cis@sle15: 1.1.22 +- stigid@sle12: SLES-12-010460 ++ stigid@sle12: SLES-12-010460 ++ stigid@rhel8: RHEL-08-010190 ++ srg: SRG-OS-000138-GPOS-00069 + + ocil_clause: 'any world-writable directories are missing the sticky bit' + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml +index fa53de9041..36943519fa 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml +@@ -37,6 +37,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-010310 ++ srg: SRG-OS-000259-GPOS-00100 + + ocil_clause: 'any system executables are found to not be owned by root' + +diff --git 
a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml +index e40b5f47d8..c39997169b 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml +@@ -38,6 +38,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-010340 ++ srg: SRG-OS-000259-GPOS-00100 + + ocil_clause: 'any of these files are not owned by root' + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml +index 3ec56361dc..efe4a723d7 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml +@@ -37,6 +37,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-010300 ++ srg: SRG-OS-000259-GPOS-00100 + + ocil_clause: 'any system executables are found to be group or world writable' + +diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml 
b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml +index 83add611b9..e3a067e0b8 100644 +--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml ++++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml +@@ -38,6 +38,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + stigid@rhel8: RHEL-08-010330 ++ srg: SRG-OS-000259-GPOS-00100 + + ocil_clause: 'any of these files are group-writable or world-writable' + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml +index 602ce2da35..5912fb9d8c 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_removable_partitions/rule.yml +@@ -37,6 +37,7 @@ references: + cis-csc: 11,12,13,14,16,3,8,9 + cis@sle15: 1.1.19 + stigid@rhel8: RHEL-08-010600 ++ srg: SRG-OS-000480-GPOS-00227 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml +index 4d2bd0eceb..6e17c9f514 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml +@@ -35,6 +35,7 @@ references: + cis-csc: 11,12,13,14,16,3,8,9 + cis@sle15: 1.1.20 + stigid@rhel8: RHEL-08-010610 ++ srg: 
SRG-OS-000480-GPOS-00227 + + ocil_clause: 'removable media partitions are present' + +diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +index 8753e4aeef..129df45d54 100644 +--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +@@ -30,6 +30,7 @@ references: + nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12 + vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590 + stigid@rhel8: RHEL-08-010020 ++ srg: SRG-OS-000033-GPOS-00014,SRG-OS-000125-GPOS-00065,SRG-OS-000396-GPOS-00176,SRG-OS-000423-GPOS-00187,SRG-OS-000478-GPOS-00223 + + ocil_clause: 'crypto.fips_enabled is not 1' + + +From 76f5b95600228ff64a8730155256e045124d0f58 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 12 Feb 2021 13:58:12 +0100 +Subject: [PATCH 19/21] Update RHEL8 STIG profile stability test data. + +--- + tests/data/profile_stability/rhel8/stig.profile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile +index 58fc365707..55b645b67b 100644 +--- a/tests/data/profile_stability/rhel8/stig.profile ++++ b/tests/data/profile_stability/rhel8/stig.profile +@@ -59,7 +59,6 @@ selections: + - aide_scan_notification + - aide_verify_acls + - aide_verify_ext_attributes +-- audit_rules_immutable + - auditd_data_disk_error_action + - auditd_data_disk_full_action + - auditd_data_retention_action_mail_acct + +From e0765fb6c96510ac015388b94e82938370792e12 Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 12 Feb 2021 14:22:48 +0100 +Subject: [PATCH 20/21] Fix RHEL8 STIG ID references. 
+ +--- + apple_os/auditing/service_auditd_enabled/rule.yml | 1 - + .../services/fapolicyd/package_fapolicyd_installed/rule.yml | 1 - + .../services/ssh/package_openssh-server_installed/rule.yml | 1 - + .../services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml | 1 - + .../guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml | 1 - + .../guide/services/usbguard/package_usbguard_installed/rule.yml | 1 - + .../gui_login_banner/dconf_gnome_banner_enabled/rule.yml | 1 - + .../accounts_passwords_pam_faillock_deny_root/rule.yml | 1 - + .../accounts-physical/require_emergency_target_auth/rule.yml | 1 - + .../console_screen_locking/package_tmux_installed/rule.yml | 1 - + .../auditd_data_retention_space_left_action/rule.yml | 2 -- + linux_os/guide/system/auditing/package_audit_installed/rule.yml | 1 - + .../bootloader-grub2/non-uefi/grub2_admin_username/rule.yml | 1 - + .../bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml | 1 - + .../firewalld_activation/package_firewalld_installed/rule.yml | 1 - + .../sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml | 1 - + .../sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml | 1 - + .../sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml | 1 - + .../sysctl_net_ipv6_conf_all_accept_redirects/rule.yml | 1 - + .../sysctl_net_ipv6_conf_all_accept_source_route/rule.yml | 1 - + .../sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml | 1 - + .../sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml | 1 - + .../sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml | 1 - + .../sysctl_net_ipv6_conf_default_accept_redirects/rule.yml | 1 - + .../software/disk_partitioning/partition_for_var_log/rule.yml | 1 - + .../disk_partitioning/partition_for_var_log_audit/rule.yml | 2 -- + .../software/disk_partitioning/partition_for_var_tmp/rule.yml | 1 - + .../certified-vendor/installed_OS_is_vendor_supported/rule.yml | 1 - + .../software/integrity/fips/grub2_enable_fips_mode/rule.yml | 1 - + 
.../software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml | 1 - + .../software-integrity/aide/package_aide_installed/rule.yml | 1 - + .../system-tools/package_abrt-addon-ccpp_removed/rule.yml | 1 - + .../system-tools/package_abrt-addon-kerneloops_removed/rule.yml | 1 - + .../system-tools/package_abrt-addon-python_removed/rule.yml | 1 - + .../software/system-tools/package_abrt-cli_removed/rule.yml | 1 - + .../system-tools/package_abrt-plugin-logger_removed/rule.yml | 1 - + .../package_abrt-plugin-rhtsupport_removed/rule.yml | 1 - + .../system-tools/package_abrt-plugin-sosreport_removed/rule.yml | 1 - + 38 files changed, 40 deletions(-) + +diff --git a/apple_os/auditing/service_auditd_enabled/rule.yml b/apple_os/auditing/service_auditd_enabled/rule.yml +index 0c34cae438..bbb5132b5f 100644 +--- a/apple_os/auditing/service_auditd_enabled/rule.yml ++++ b/apple_os/auditing/service_auditd_enabled/rule.yml +@@ -35,7 +35,6 @@ references: + nist: AU-3,AU-3(1),AU-8(a),AU-8(b),AU-12(3),AU-14(1) + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00020,SRG-OS-000042-GPOS-00021,SRG-OS-000055-GPOS-00026,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000303-GPOS-00120,SRG-OS-000337-GPOS-00129,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146 + stigid: AOSX-14-001013 +- stigid@rhel8: RHEL-08-010560 + + ocil_clause: 'auditing is not enabled or running' + +diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml +index a35cb48f83..5869cac7ab 100644 +--- a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml ++++ b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml +@@ -20,7 +20,6 @@ identifiers: + references: + nist: CM-6(a),SI-4(22) + srg: SRG-OS-000370-GPOS-00155 +- stigid@rhel8: RHEL-08-040135 + + ocil_clause: 'the package is not 
installed' + +diff --git a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +index 4fda79df25..84882d52b3 100644 +--- a/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml ++++ b/linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml +@@ -31,7 +31,6 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 13,14 + ospp: FIA_UAU.5,FTP_ITC_EXT.1 +- stigid@rhel8: RHEL-08-040160 + + ocil_clause: 'the package is not installed' + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml +index 50eb7a28cb..1f1380127c 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml +@@ -37,7 +37,6 @@ references: + iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4 + cis-csc: 11,3,9 + ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 +- stigid@rhel8: RHEL-08-010521 + + ocil_clause: 'it is commented out or is not disabled' + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +index 8987c9b9ed..c43fce001a 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +@@ -47,7 +47,6 @@ references: + cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03,DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10 + iso27001-2013: 
A.12.4.1,A.12.4.3,A.14.1.1,A.14.2.1,A.14.2.5,A.18.1.4,A.6.1.2,A.6.1.5,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,12,13,14,15,16,18,3,5,7,8 +- stigid@rhel8: RHEL-08-010200 + + requires: + - sshd_set_idle_timeout +diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml +index 6806e0861d..f23176d83e 100644 +--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml ++++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml +@@ -22,7 +22,6 @@ identifiers: + references: + srg: SRG-OS-000378-GPOS-00163 + ism: "1418" +- stigid@rhel8: RHEL-08-040140 + + ocil_clause: 'the package is not installed' + +diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +index c364bdb9e1..47c4edad90 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +@@ -49,7 +49,6 @@ references: + cobit5: DSS05.04,DSS05.10,DSS06.10 + iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16 +- stigid@rhel8: RHEL-08-010050 + + ocil_clause: 'it is not' + +diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +index 4b7ee01946..fb7a2d37ae 100644 +--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml ++++ 
b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml +@@ -44,7 +44,6 @@ references: + iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16 + ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 +- stigid@rhel8: RHEL-08-020010 + stigid@rhel8: RHEL-08-020022 + + ocil_clause: 'that is not the case' +diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +index 2e902739ae..f9959f0720 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml +@@ -42,7 +42,6 @@ references: + iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,14,15,16,18,3,5 + ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561 +- stigid@rhel8: RHEL-08-010151 + + ocil_clause: 'the output is different' + +diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml +index d57802a37e..c900612b1b 100644 +--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml +@@ -40,7 +40,6 @@ references: + cobit5: DSS05.04,DSS05.10,DSS06.10 + iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3 + cis-csc: 1,12,15,16 +- stigid@rhel8: RHEL-08-020040 + + ocil_clause: 'the package is not installed' + +diff --git 
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml +index 1009699e77..bdc86cf35b 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/rule.yml +@@ -51,8 +51,6 @@ references: + isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 + cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 +- stigid@rhel8: RHEL-08-030730 +- stigid@rhel8: RHEL-08-030730 + + ocil_clause: 'the system is not configured to send an email to the system administrator when disk space is starting to run low' + +diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml +index 577176ff00..2fc431c1ae 100644 +--- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml ++++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml +@@ -26,7 +26,6 @@ references: + srg@sle12: SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220 + disa@sle12: CCI-000172,CCI-001814,CCI-001875,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914 + nist@sle12: AU-7(a),AU-7(b),AU-8(b),AU-12.1(iv),AU-12(3),AU-12(c),CM-5(1) +- stigid@rhel8: service_auditd_enabled + + template: + name: 
package_installed +diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +index 0690cfbcda..4b04936ee2 100644 +--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml +@@ -49,7 +49,6 @@ references: + iso27001-2013: A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,14,15,16,18,3,5 + anssi: BP28(R17) +- stigid@rhel8: RHEL-08-010150 + + ocil_clause: 'it does not' + +diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +index 08e1da4369..ea5c80f163 100644 +--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml ++++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml +@@ -56,7 +56,6 @@ references: + iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 11,12,14,15,16,18,3,5 + anssi: BP28(R17) +- stigid@rhel8: RHEL-08-010140 + + ocil_clause: 'it does not' + +diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml +index e82f50f9a0..7aea04c670 100644 +--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml ++++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml +@@ -20,7 +20,6 @@ references: + nist: CM-6(a) + srg: SRG-OS-000480-GPOS-00227,SRG-OS-000298-GPOS-00116 + cis@rhel8: 3.4.1.1 +- stigid@rhel8: RHEL-08-040100 + + ocil_clause: 'the package is not installed' + 
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml +index 04fa55f524..5b5bfc9633 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_defrtr/rule.yml +@@ -16,7 +16,6 @@ identifiers: + + references: + anssi: BP28(R22) +- stigid@rhel8: RHEL-08-040261 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_defrtr", value="0") }}} + +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml +index 304c549b0b..d75989fca1 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_pinfo/rule.yml +@@ -16,7 +16,6 @@ identifiers: + + references: + anssi: BP28(R22) +- stigid@rhel8: RHEL-08-040261 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_pinfo", value="0") }}} + +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml +index d3b8347573..09d263cf00 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra_rtr_pref/rule.yml +@@ -16,7 +16,6 @@ identifiers: + + 
references: + anssi: BP28(R22) +- stigid@rhel8: RHEL-08-040261 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ra_rtr_pref", value="0") }}} + +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml +index ae67ab248d..9253f7235a 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml +@@ -28,7 +28,6 @@ references: + iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 + cis-csc: 11,14,3,9 + srg: SRG-OS-000480-GPOS-00227 +- stigid@rhel8: RHEL-08-040280 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_redirects", value="0") }}} + +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml +index ac9218fe34..8767a5226f 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml +@@ -40,7 +40,6 @@ references: + cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02 + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 1,12,13,14,15,16,18,4,6,8,9 +- stigid@rhel8: RHEL-08-040240 + + {{{ 
complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_source_route", value="0") }}} + +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml +index eca95f75b5..5cf98305c7 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_defrtr/rule.yml +@@ -16,7 +16,6 @@ identifiers: + + references: + anssi: BP28(R22) +- stigid@rhel8: RHEL-08-040262 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_defrtr", value="0") }}} + +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml +index f030cd9221..d7dad19f3a 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_pinfo/rule.yml +@@ -16,7 +16,6 @@ identifiers: + + references: + anssi: BP28(R22) +- stigid@rhel8: RHEL-08-040262 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_pinfo", value="0") }}} + +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml +index 43c901e3a4..b6ee061057 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml ++++ 
b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra_rtr_pref/rule.yml +@@ -16,7 +16,6 @@ identifiers: + + references: + anssi: BP28(R22) +- stigid@rhel8: RHEL-08-040262 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_ra_rtr_pref", value="0") }}} + +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml +index fdd8572cf5..970db38b33 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml +@@ -28,7 +28,6 @@ references: + iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2 + cis-csc: 11,14,3,9 + srg: SRG-OS-000480-GPOS-00227 +- stigid@rhel8: RHEL-08-040210 + + {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_redirects", value="0") }}} + +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml +index b90f93deee..77ea8196c1 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log/rule.yml +@@ -33,7 +33,6 @@ references: + cis-csc: 1,12,14,15,16,3,5,6,8 + srg: SRG-OS-000480-GPOS-00227 + cis@sle: 1.1.12 +- stigid@rhel8: RHEL-08-010540 + stigid@rhel8: RHEL-08-010541 + + {{{ complete_ocil_entry_separate_partition(part="/var/log") }}} +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +index 
73b5cd50ed..3ff8be67b5 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +@@ -40,8 +40,6 @@ references: + cobit5: APO11.04,APO13.01,BAI03.05,BAI04.04,DSS05.02,DSS05.04,DSS05.07,MEA02.01 + cis-csc: 1,12,13,14,15,16,2,3,5,6,8 + cis@sle15: 1.1.13 +- stigid@rhel8: RHEL-08-010540 +- stigid@rhel8: RHEL-08-010541 + stigid@rhel8: RHEL-08-010542 + + {{{ complete_ocil_entry_separate_partition(part="/var/log/audit") }}} +diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +index fde3338f40..340af24c82 100644 +--- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_tmp/rule.yml +@@ -26,7 +26,6 @@ references: + cis@ubuntu1804: 1.1.6 + anssi: BP28(R12) + cis@sle15: 1.1.8 +- stigid@rhel8: RHEL-08-010540 + + {{{ complete_ocil_entry_separate_partition(part="/var/tmp") }}} + +diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +index d9eb1b8a61..fba676f0b9 100644 +--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml ++++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +@@ -48,7 +48,6 @@ references: + cobit5: APO12.01,APO12.02,APO12.03,APO12.04,BAI03.10,DSS05.01,DSS05.02 + iso27001-2013: A.12.6.1,A.14.2.3,A.16.1.3,A.18.2.2,A.18.2.3 + cis-csc: 18,20,4 +- stigid@rhel8: RHEL-08-010000 + + ocil_clause: 'the installed operating system is not supported' + +diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml 
b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +index 5879bc2bdb..77c78d5705 100644 +--- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +@@ -47,7 +47,6 @@ references: + cobit5: APO13.01,DSS01.04,DSS05.02,DSS05.03 + iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.14.1.3,A.6.2.1,A.6.2.2 + cis-csc: 12,15,8 +- stigid@rhel8: RHEL-08-010020 + + ocil_clause: 'FIPS is not configured or enabled in grub' + +diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +index 129df45d54..b439a0305f 100644 +--- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml ++++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +@@ -29,7 +29,6 @@ references: + disa: CCI-000068,CCI-000803,CCI-002450 + nist: SC-12(2),SC-12(3),IA-7,SC-13,CM-6(a),SC-12 + vmmsrg: SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590 +- stigid@rhel8: RHEL-08-010020 + srg: SRG-OS-000033-GPOS-00014,SRG-OS-000125-GPOS-00065,SRG-OS-000396-GPOS-00176,SRG-OS-000423-GPOS-00187,SRG-OS-000478-GPOS-00223 + + ocil_clause: 'crypto.fips_enabled is not 1' +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +index 1667604386..abf13a274a 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +@@ -33,7 +33,6 @@ references: + ism: 1034,1288,1341,1417 + stigid@sle12: SLES-12-010500 + disa@sle12: CCI-002699 +- stigid@rhel8: RHEL-08-010360 + + ocil_clause: 'the package is not 
installed' + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml +index 5482cdf3af..ed2fc64d08 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-ccpp_removed/rule.yml +@@ -19,7 +19,6 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 +- stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-addon-ccpp") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml +index 3b12bfb5b0..8bbf9ea53d 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-kerneloops_removed/rule.yml +@@ -19,7 +19,6 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 +- stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-addon-kerneloops") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml +index 00b1a36714..9be8b08b0f 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-addon-python_removed/rule.yml +@@ -19,7 +19,6 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 +- stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-addon-python") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml +index 
0412e8b82b..9aa7f11ada 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-cli_removed/rule.yml +@@ -19,7 +19,6 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 +- stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-cli") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml +index 9d10076523..d970def693 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-logger_removed/rule.yml +@@ -19,7 +19,6 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 +- stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-plugin-logger") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml +index addb652e92..7f7787a19a 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml ++++ b/linux_os/guide/system/software/system-tools/package_abrt-plugin-rhtsupport_removed/rule.yml +@@ -19,7 +19,6 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 +- stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-plugin-rhtsupport") }}} + +diff --git a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml +index 6647186cc7..6107659d94 100644 +--- a/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml ++++ 
b/linux_os/guide/system/software/system-tools/package_abrt-plugin-sosreport_removed/rule.yml +@@ -18,7 +18,6 @@ identifiers: + + references: + srg: SRG-OS-000095-GPOS-00049 +- stigid@rhel8: RHEL-08-040001 + + {{{ complete_ocil_entry_package(package="abrt-plugin-sosreport") }}} + + +From 7724efd079c177adaa3ab70056b57f57b9424e9f Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 12 Feb 2021 16:26:49 +0100 +Subject: [PATCH 21/21] Add severity according RHEL8 STIG for rules that had + unknown severity. + +--- + linux_os/guide/services/ntp/chronyd_client_only/rule.yml | 2 +- + linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml | 2 +- + .../account_expiration/account_temp_expire_date/rule.yml | 2 +- + .../user_umask/accounts_umask_etc_bashrc/rule.yml | 2 +- + .../directory_permissions_var_log_audit/rule.yml | 2 +- + .../sysctl_net_ipv6_conf_all_accept_ra/rule.yml | 2 +- + .../sysctl_net_ipv6_conf_default_accept_ra/rule.yml | 2 +- + .../permissions/files/sysctl_fs_protected_hardlinks/rule.yml | 2 +- + .../permissions/files/sysctl_fs_protected_symlinks/rule.yml | 2 +- + .../mount_option_nodev_nonroot_local_partitions/rule.yml | 2 +- + .../mount_option_noexec_removable_partitions/rule.yml | 2 +- + .../permissions/partitions/mount_option_tmp_nodev/rule.yml | 2 +- + .../permissions/partitions/mount_option_tmp_noexec/rule.yml | 2 +- + .../permissions/partitions/mount_option_tmp_nosuid/rule.yml | 2 +- + .../permissions/partitions/mount_option_var_tmp_nodev/rule.yml | 2 +- + .../permissions/partitions/mount_option_var_tmp_noexec/rule.yml | 2 +- + .../permissions/partitions/mount_option_var_tmp_nosuid/rule.yml | 2 +- + .../restrictions/coredumps/coredump_disable_backtraces/rule.yml | 2 +- + .../restrictions/coredumps/coredump_disable_storage/rule.yml | 2 +- + .../restrictions/coredumps/disable_users_coredumps/rule.yml | 2 +- + .../coredumps/service_systemd-coredump_disabled/rule.yml | 2 +- + .../restrictions/sysctl_kernel_core_pattern/rule.yml | 2 +- + 22 
files changed, 22 insertions(+), 22 deletions(-) + +diff --git a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml +index 071934387c..83d1ba0df1 100644 +--- a/linux_os/guide/services/ntp/chronyd_client_only/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_client_only/rule.yml +@@ -13,7 +13,7 @@ rationale: |- + Minimizing the exposure of the server functionality of the chrony + daemon diminishes the attack surface. + +-severity: unknown ++severity: low + + platform: machine # The check uses service_... extended definition, which doesnt support offline mode + +diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml +index cbc9cc670c..d6d776a9a3 100644 +--- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml +@@ -13,7 +13,7 @@ rationale: |- + Not exposing the management interface of the chrony daemon on + the network diminishes the attack space. + +-severity: unknown ++severity: low + + platform: machine # The check uses service_... extended definition, which doesnt support offline mode + +diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml +index ced7a52a67..c3a2a13bed 100644 +--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml +@@ -25,7 +25,7 @@ rationale: |- + must be set upon account creation. +
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-81000-2 +diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +index 1c8219de70..e06ae36196 100644 +--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +@@ -15,7 +15,7 @@ rationale: |- + A misconfigured umask value could result in files with excessive permissions that can be read or + written to by unauthorized users. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-80202-5 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml +index 64c7927021..65dc7861ce 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/rule.yml +@@ -12,7 +12,7 @@ description: |- + + rationale: 'If users can write to audit logs, audit trails can be modified or destroyed.' 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhcos4: CCE-82692-5 +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml +index 8e7eabc336..0b38e2f414 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_ra/rule.yml +@@ -8,7 +8,7 @@ description: '{{{ describe_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_ + + rationale: 'An illicit router advertisement message could result in a man-in-the-middle attack.' + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-80180-3 +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml +index dcf480ef63..167fb59f48 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_ra/rule.yml +@@ -8,7 +8,7 @@ description: '{{{ describe_sysctl_option_value(sysctl="net.ipv6.conf.default.acc + + rationale: 'An illicit router advertisement message could result in a man-in-the-middle attack.' 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-80181-1 +diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml +index 0aefe8ae50..9874bb19dc 100644 +--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml ++++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_hardlinks/rule.yml +@@ -10,7 +10,7 @@ rationale: |- + based on insecure file system accessed by privileged programs, avoiding an + exploitation vector exploiting unsafe use of open() or creat(). + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-81026-7 +diff --git a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml +index 86a9f8e2d9..655283997a 100644 +--- a/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml ++++ b/linux_os/guide/system/permissions/files/sysctl_fs_protected_symlinks/rule.yml +@@ -12,7 +12,7 @@ rationale: |- + accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of + open() or creat(). 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-81029-1 +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml +index f40daec6c8..f7c3502b00 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/rule.yml +@@ -25,7 +25,7 @@ ocil: | + + ocil_clause: "some mounts appear among output lines" + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-80145-6 +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml +index 6e17c9f514..d329ad2962 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_noexec_removable_partitions/rule.yml +@@ -15,7 +15,7 @@ rationale: |- + Allowing users to execute binaries from removable media such as USB keys exposes + the system to potential compromise. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-80147-2 +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml +index ed27226855..35173f9e61 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nodev/rule.yml +@@ -16,7 +16,7 @@ rationale: |- + + {{{ complete_ocil_entry_mount_option("/tmp", "nodev") }}} + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-80149-8 +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml +index 77ae8a664f..4f831bdacb 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_noexec/rule.yml +@@ -16,7 +16,7 @@ rationale: |- + + {{{ complete_ocil_entry_mount_option("/tmp", "noexec") }}} + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-80150-6 +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml +index b7e171fb02..5bcbebdfda 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_tmp_nosuid/rule.yml +@@ -16,7 +16,7 @@ rationale: |- + + {{{ complete_ocil_entry_mount_option("/tmp", "nosuid") }}} + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-80151-4 +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +index 4e76e61bb2..136ba137a2 100644 +--- 
a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nodev/rule.yml +@@ -16,7 +16,7 @@ rationale: |- + + {{{ complete_ocil_entry_mount_option("/var/tmp", "nodev") }}} + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-81052-3 +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml +index f2b108d58d..8eb0eafc72 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_noexec/rule.yml +@@ -16,7 +16,7 @@ rationale: |- + + {{{ complete_ocil_entry_mount_option("/var/tmp", "noexec") }}} + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-82150-4 +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml +index 11bfe2661d..90c578791c 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_nosuid/rule.yml +@@ -16,7 +16,7 @@ rationale: |- + + {{{ complete_ocil_entry_mount_option("/var/tmp", "nosuid") }}} + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-82153-8 +diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml +index 04b580e64e..79af205224 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml +@@ -20,7 +20,7 @@ rationale: |- + debuging. 
Permitting temporary enablement of core dumps during such situations + should be reviewed through local needs and policy. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel8: CCE-82251-0 +diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml +index 3225785a8f..9fdb4d8fd1 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml +@@ -16,7 +16,7 @@ rationale: |- + debuging. Permitting temporary enablement of core dumps during such situations + should be reviewed through local needs and policy. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel8: CCE-82252-8 +diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml +index c50a366512..991c92dd0a 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/rule.yml +@@ -15,7 +15,7 @@ rationale: |- + terminates an application. The memory image could contain sensitive data and is generally useful + only for developers trying to debug problems. 
+ +-severity: unknown ++severity: medium + + identifiers: + cce@rhel7: CCE-80169-6 +diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml +index fd12fbbb50..125e764b3a 100644 +--- a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml +@@ -14,7 +14,7 @@ rationale: |- + terminates an application. The memory image could contain sensitive data + and is generally useful only for developers trying to debug problems. + +-severity: unknown ++severity: medium + + platform: machine + +diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +index b82e0fcce3..60e5048462 100644 +--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml ++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern/rule.yml +@@ -11,7 +11,7 @@ rationale: |- + terminates an application. The memory image could contain sensitive data and is generally useful + only for developers trying to debug problems. + +-severity: unknown ++severity: medium + + identifiers: + cce@rhel8: CCE-82215-5 diff --git a/SOURCES/scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch b/SOURCES/scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch new file mode 100644 index 0000000..890333b --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch 
@@ -0,0 +1,843 @@ +From c5f46d9166d0629740deb3cc5c45d3925345df09 Mon Sep 17 00:00:00 2001 +From: Guang Yee +Date: Mon, 11 Jan 2021 12:55:43 -0800 +Subject: [PATCH] Enable checks and remediations for the following SLES-12 + STIGs: + + - SLES-12-010030 'banner_etc_issue' + - SLES-12-010120 'accounts_max_concurrent_login_sessions' + - SLES-12-010450 'encrypt_partitions' + - SLES-12-010460 'dir_perms_world_writable_sticky_bits' + - SLES-12-010500 'package_aide_installed' + - SLES-12-010550 'ensure_gpgcheck_globally_activated' + - SLES-12-010580 'kernel_module_usb-storage_disabled' + - SLES-12-010599 'package_MFEhiplsm_installed' + - SLES-12-010690 'no_files_unowned_by_user' + - SLES-12-030000 'package_telnet-server_removed' + - SLES-12-030010 'ftp_present_banner' + - SLES-12-030050 'sshd_enable_warning_banner' + - SLES-12-030110 'sshd_set_loglevel_verbose' + - SLES-12-030130 'sshd_print_last_log' + - SLES-12-030210 'file_permissions_sshd_pub_key' + - SLES-12-030220 'file_permissions_sshd_private_key' + - SLES-12-030230 'sshd_enable_strictmodes' + - SLES-12-030240 'sshd_use_priv_separation' + - SLES-12-030250 'sshd_disable_compression' + - SLES-12-030340 'auditd_audispd_encrypt_sent_records' + - SLES-12-030360 'sysctl_net_ipv4_conf_all_accept_source_route' + - SLES-12-030361 'sysctl_net_ipv6_conf_all_accept_source_route' + - SLES-12-030370 'sysctl_net_ipv4_conf_default_accept_source_route' + - SLES-12-030420 'sysctl_net_ipv4_conf_default_send_redirects' +--- + .../ftp_present_banner/rule.yml | 1 + + .../package_telnet-server_removed/rule.yml | 1 + + .../rule.yml | 1 + + .../file_permissions_sshd_pub_key/rule.yml | 1 + + .../ansible/shared.yml | 2 +- + .../sshd_disable_compression/rule.yml | 1 + + .../sshd_enable_strictmodes/rule.yml | 1 + + .../sshd_enable_warning_banner/rule.yml | 1 + + .../ssh_server/sshd_print_last_log/rule.yml | 1 + + .../sshd_set_loglevel_verbose/rule.yml | 1 + + .../sshd_use_priv_separation/rule.yml | 1 + + .../banner_etc_issue/ansible/shared.yml 
| 2 +- + .../banner_etc_issue/rule.yml | 4 ++- + .../ansible/shared.yml | 2 +- + .../rule.yml | 2 ++ + .../ansible/shared.yml | 2 +- + .../rule.yml | 4 ++- + .../rule.yml | 4 ++- + .../rule.yml | 4 ++- + .../rule.yml | 4 ++- + .../rule.yml | 4 ++- + .../bash/shared.sh | 2 +- + .../rule.yml | 2 ++ + .../files/no_files_unowned_by_user/rule.yml | 4 ++- + .../rule.yml | 4 ++- + .../encrypt_partitions/rule.yml | 8 +++++- + .../package_MFEhiplsm_installed/rule.yml | 2 ++ + .../aide/package_aide_installed/rule.yml | 3 +++ + .../ansible/sle12.yml | 13 ++++++++++ + .../rule.yml | 8 +++++- + shared/applicability/general.yml | 4 +++ + .../oval/installed_env_has_zypper_package.xml | 25 +++++++++++++++++++ + .../kernel_module_disabled/ansible.template | 12 +++++++-- + .../kernel_module_disabled/bash.template | 9 ++++++- + .../kernel_module_disabled/oval.template | 5 ++++ + sle12/product.yml | 1 + + sle12/profiles/stig.profile | 25 +++++++++++++++++++ + 37 files changed, 153 insertions(+), 18 deletions(-) + create mode 100644 linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml + create mode 100644 shared/checks/oval/installed_env_has_zypper_package.xml + +diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml +index 35ba09b0d0..3590a085b6 100644 +--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml ++++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml +@@ -19,6 +19,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-80248-8 ++ cce@sle12: CCE-83059-6 + + references: + stigid@sle12: SLES-12-030010 +diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +index 317eecdc3d..619b3f0b7d 100644 +--- 
a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml ++++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +@@ -27,6 +27,7 @@ severity: high + identifiers: + cce@rhel7: CCE-27165-0 + cce@rhel8: CCE-82182-7 ++ cce@sle12: CCE-83084-4 + + references: + stigid@ol7: OL07-00-021710 +diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +index 2e52219ece..d460411667 100644 +--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml ++++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27485-2 + cce@rhel8: CCE-82424-3 ++ cce@sle12: CCE-83058-8 + + references: + stigid@ol7: OL07-00-040420 +diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +index e59ddc0770..b9e07d71af 100644 +--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml ++++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +@@ -13,6 +13,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27311-0 + cce@rhel8: CCE-82428-4 ++ cce@sle12: CCE-83057-0 + + references: + stigid@ol7: OL07-00-040410 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml +index e07e436d60..f8d422c6c4 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle + # 
reboot = false + # strategy = restrict + # complexity = low +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +index fe7e67c1c2..f8eec6a074 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +@@ -21,6 +21,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80224-9 + cce@rhel8: CCE-80895-6 ++ cce@sle12: CCE-83062-0 + + references: + stigid@ol7: OL07-00-040470 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml +index 22b98c71a2..601f6a0ca2 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80222-3 + cce@rhel8: CCE-80904-6 ++ cce@sle12: CCE-83060-4 + + references: + stigid@ol7: OL07-00-040450 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +index 2199d61ca9..c93ef6340f 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +@@ -20,6 +20,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27314-4 + cce@rhel8: CCE-80905-3 ++ cce@sle12: CCE-83066-1 + + references: + stigid@ol7: OL07-00-040170 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml +index a0b8ed38ae..0ce5da30b2 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml +@@ 
-17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80225-6 + cce@rhel8: CCE-82281-7 ++ cce@sle12: CCE-83083-6 + + references: + stigid@ol7: OL07-00-040360 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +index 28ce48de8e..2180398855 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +@@ -22,6 +22,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-82419-3 + cce@rhel8: CCE-82420-1 ++ cce@sle12: CCE-83077-8 + + references: + srg: SRG-OS-000032-GPOS-00013 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml +index 14d1acfd22..d65ddb6cd1 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml +@@ -18,6 +18,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80223-1 + cce@rhel8: CCE-80908-7 ++ cce@sle12: CCE-83061-2 + + references: + stigid@ol7: OL07-00-040460 +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +index f3a0c85ea5..ff6b6eab42 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle + # reboot = false + # strategy = unknown + # complexity = low +diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml 
b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml +index a86ede70f8..637d8ee528 100644 +--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 + + title: 'Modify the System Login Banner' + +@@ -52,6 +52,7 @@ identifiers: + cce@rhel7: CCE-27303-7 + cce@rhel8: CCE-80763-6 + cce@rhcos4: CCE-82555-4 ++ cce@sle12: CCE-83054-7 + + references: + stigid@ol7: OL07-00-010050 +@@ -64,6 +65,7 @@ references: + srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007 + vmmsrg: SRG-OS-000023-VMM-000060,SRG-OS-000024-VMM-000070 + stigid@rhel7: RHEL-07-010050 ++ stigid@sle12: SLES-12-010030 + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9' + isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 + cobit5: DSS05.04,DSS05.10,DSS06.10 +diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml +index 9d50a9d20c..536ac29569 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel ++# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle + # reboot = false + # strategy = restrict + # complexity = low +diff --git 
a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml +index e598f4e8cb..32412aa482 100644 +--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml ++++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml +@@ -20,6 +20,7 @@ severity: low + identifiers: + cce@rhel7: CCE-82041-5 + cce@rhel8: CCE-80955-8 ++ cce@sle12: CCE-83065-3 + + references: + stigid@ol7: OL07-00-040000 +@@ -30,6 +31,7 @@ references: + srg: SRG-OS-000027-GPOS-00008 + vmmsrg: SRG-OS-000027-VMM-000080 + stigid@rhel7: RHEL-07-040000 ++ stigid@sle12: SLES-12-010120 + isa-62443-2013: 'SR 3.1,SR 3.8' + isa-62443-2009: 4.3.3.4 + cobit5: DSS01.05,DSS05.02 +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml +index 23bcdf8641..007b23ba24 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4 ++# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_sle + # reboot = false + # complexity = low + # disruption = low +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml +index 4c27eb11fd..1943a00fb2 100644 +--- 
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 + + title: 'Encrypt Audit Records Sent With audispd Plugin' + +@@ -26,6 +26,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80540-8 + cce@rhel8: CCE-80926-9 ++ cce@sle12: CCE-83063-8 + + references: + stigid@ol7: OL07-00-030310 +@@ -33,6 +34,7 @@ references: + nist: AU-9(3),CM-6(a) + srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 + stigid@rhel7: RHEL-07-030310 ++ stigid@sle12: SLES-12-030340 + ospp: FAU_GEN.1.1.c + + ocil_clause: 'audispd is not encrypting audit records when sent over the network' +diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml +index a3f78cb910..8767a5226f 100644 +--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml ++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 + + title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces' + +@@ -22,6 +22,7 @@ identifiers: + cce@rhel7: CCE-80179-5 + cce@rhel8: CCE-81013-5 + cce@rhcos4: CCE-82480-5 ++ cce@sle12: CCE-83078-6 + + references: + stigid@ol7: OL07-00-040830 +@@ -33,6 +34,7 @@ references: + nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4 + srg: 
SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040830 ++ stigid@sle12: SLES-12-030361 + isa-62443-2013: 'SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.4,4.3.3.4,4.4.3.3 + cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02 +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +index 0cd3dbc143..7bc4e3b9b7 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 + + title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces' + +@@ -22,6 +22,7 @@ identifiers: + cce@rhel7: CCE-27434-0 + cce@rhel8: CCE-81011-9 + cce@rhcos4: CCE-82478-9 ++ cce@sle12: CCE-83064-6 + + references: + stigid@ol7: OL07-00-040610 +@@ -33,6 +34,7 @@ references: + nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040610 ++ stigid@sle12: SLES-12-030360 + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' + isa-62443-2009: 
4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 + cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml +index c48ec8de3d..f7ee2e9818 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 + + title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default' + +@@ -22,6 +22,7 @@ identifiers: + cce@rhel7: CCE-80162-1 + cce@rhel8: CCE-80920-2 + cce@rhcos4: CCE-82479-7 ++ cce@sle12: CCE-83079-4 + + references: + stigid@ol7: OL07-00-040620 +@@ -34,6 +35,7 @@ references: + nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040620 ++ stigid@sle12: SLES-12-030370 + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' + isa-62443-2009: 
4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 + cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml +index ddf6b07758..861c3485f3 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 + + title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default' + +@@ -19,6 +19,7 @@ identifiers: + cce@rhel7: CCE-80999-6 + cce@rhel8: CCE-80921-0 + cce@rhcos4: CCE-82485-4 ++ cce@sle12: CCE-83086-9 + + references: + stigid@ol7: OL07-00-040650 +@@ -31,6 +32,7 @@ references: + nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040650 ++ stigid@sle12: SLES-12-030420 + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' + isa-62443-2009: 
4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 + cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh +index 0a829df187..e49942d1cc 100644 +--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh +@@ -1,4 +1,4 @@ +-# platform = Red Hat Virtualization 4,multi_platform_rhel ++# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle + df --local -P | awk '{if (NR!=1) print $6}' \ + | xargs -I '{}' find '{}' -xdev -type d \ + \( -perm -0002 -a ! 
-perm -1000 \) 2>/dev/null \ +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml +index d04df8df86..5bb3cf3713 100644 +--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml +@@ -34,6 +34,7 @@ identifiers: + cce@rhel7: CCE-80130-8 + cce@rhel8: CCE-80783-4 + cce@rhcos4: CCE-82753-5 ++ cce@sle12: CCE-83047-1 + + references: + cis@rhe8: 1.1.21 +@@ -46,6 +47,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 12,13,14,15,16,18,3,5 + cis@sle15: 1.1.22 ++ stigid@sle12: SLES-12-010460 + + ocil_clause: 'any world-writable directories are missing the sticky bit' + +diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +index e664cf9215..faab0b8822 100644 +--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml ++++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 + + title: 'Ensure All Files Are Owned by a User' + +@@ -24,6 +24,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80134-0 + cce@rhel8: CCE-83499-4 ++ cce@sle12: CCE-83072-9 + + references: + stigid@ol7: OL07-00-020320 +@@ -40,6 +41,7 @@ references: + iso27001-2013: 
A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 11,12,13,14,15,16,18,3,5,9 + cis@sle15: 6.1.11 ++ stigid@sle12: SLES-12-010690 + + ocil_clause: 'files exist that are not owned by a valid user' + +diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +index c78b570efb..24e77cc74e 100644 +--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml ++++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 + + title: 'Disable Modprobe Loading of USB Storage Driver' + +@@ -22,6 +22,7 @@ identifiers: + cce@rhel7: CCE-27277-3 + cce@rhel8: CCE-80835-2 + cce@rhcos4: CCE-82719-6 ++ cce@sle12: CCE-83069-5 + + references: + stigid@ol7: OL07-00-020100 +@@ -39,6 +40,7 @@ references: + cis-csc: 1,12,15,16,5 + cis@rhel8: 1.1.23 + cis@sle15: 1.1.3 ++ stigid@sle12: SLES-12-010580 + + {{{ complete_ocil_entry_module_disable(module="usb-storage") }}} + +diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +index 80d1856778..fe370a4323 100644 +--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml ++++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4 ++prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4,sle12 + + title: 
'Encrypt Partitions' + +@@ -14,6 +14,7 @@ description: |- + option is selected the system will prompt for a passphrase to use in + decrypting the partition. The passphrase will subsequently need to be entered manually + every time the system boots. ++ {{% if product != "sle12" %}} +

+ For automated/unattended installations, it is possible to use Kickstart by adding
+ the --encrypted and --passphrase= options to the definition of each partition to be
+@@ -26,11 +27,14 @@ description: |-
+

+ By default, the Anaconda installer uses aes-xts-plain64 cipher
+ with a minimum 512 bit key size which should be compatible with FIPS enabled.
++ {{% endif %}}
+

+ Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
+ the {{{ full_name }}} Documentation web site:
+ {{% if product in ["ol7", "ol8"] %}}
+ {{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54670/html/ol7-encrypt-sec.html") }}}.
++ {{% elif product == "sle12" %}}
++ {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
+ {{% else %}}
+ {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
+ {{% endif %}}
+@@ -45,6 +49,7 @@ severity: high
+ identifiers:
+ cce@rhel7: CCE-27128-8
+ cce@rhel8: CCE-80789-1
++ cce@sle12: CCE-83046-3
+
+ references:
+ cui: 3.13.16
+@@ -58,6 +63,7 @@ references:
+ isa-62443-2013: 'SR 3.4,SR 4.1,SR 5.2'
+ cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06
+ cis-csc: 13,14
++ stigid@sle12: SLES-12-010450
+
+ ocil_clause: 'partitions do not have a type of crypto_LUKS'
+
+diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
+index f96cfc925b..c0bf1ee908 100644
+--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
++++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
+@@ -18,6 +18,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-80368-4
++ cce@sle12: CCE-83071-1
+
+ references:
+ disa: CCI-000366,CCI-001263
+@@ -31,6 +32,7 @@ references:
+ iso27001-2013:
'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.3,A.12.5.1,A.12.6.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.7,A.14.2.8,A.15.2.1,A.16.1.1,A.16.1.2,A.16.1.3,A.16.1.4,A.16.1.5,A.16.1.6,A.16.1.7,A.18.1.4,A.18.2.2,A.18.2.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,Clause 16.1.2,Clause 7.4'
+ cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
+ stigid@rhel7: RHEL-07-020019
++ stigid@sle12: SLES-12-010599
+
+ ocil_clause: 'the HBSS HIPS module is not installed'
+
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+index 699992b48c..23e939bbec 100644
+--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+@@ -14,6 +14,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27096-7
+ cce@rhel8: CCE-80844-4
++ cce@sle12: CCE-83048-9
+
+ references:
+ cis@rhel8: 1.4.1
+@@ -30,6 +31,8 @@ references:
+ srg: SRG-OS-000363-GPOS-00150
+ cis@sle15: 1.4.1
+ ism: 1034,1288,1341,1417
++ stigid@sle12: SLES-12-010500
++ disa@sle12: CCI-002699
+
+ ocil_clause: 'the package is not installed'
+
+diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
+new file mode 100644
+index 0000000000..6fca48166a
+--- /dev/null
++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
+@@ -0,0 +1,13 @@
++# platform = multi_platform_sle
++# reboot = false
++# strategy = unknown
++# complexity = low
++# disruption = medium
++- name: Ensure GPG check is globally activated (zypper)
++ ini_file:
++ dest: /etc/zypp/zypp.conf
++ section: main
++ option: gpgcheck
++ value: 1
++ no_extra_spaces: yes
++ create: False
+diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+index 24cef5499c..1f86aff1e9 100644
+--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
++++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
+
+ title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'
+
+@@ -33,6 +33,7 @@ severity: high
+ identifiers:
+ cce@rhel7: CCE-26989-4
+ cce@rhel8: CCE-80790-9
++ cce@sle12: CCE-83068-7
+
+ references:
+ stigid@ol7: OL07-00-020050
+@@ -54,6 +55,7 @@ references:
+ iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
+ cis-csc: 11,2,3,9
+ anssi: BP28(R15)
++ stigid@sle12: SLES-12-010550
+
+ ocil_clause: 'GPG checking is not enabled'
+
+@@ -66,4 +68,8 @@ ocil: |-
+ gpgcheck line or a setting of 0 indicates that it is
+ disabled.
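Review bot: The new ansible/sle12.yml task hard-codes `dest: /etc/zypp/zypp.conf` while the sle12/product.yml hunk in this same patch introduces `pkg_manager_config_file: "/etc/zypp/zypp.conf"`; by analogy with the `{{{ pkg_manager }}}` macro already used in the rule title, `dest: {{{ pkg_manager_config_file }}}` would keep the two paths from drifting, assuming product.yml keys are exposed to remediation templates that way. Separately, with `no_extra_spaces: yes` the task writes `gpgcheck=1`, whereas the zypp.conf shipped with libzypp documents this option as `gpgcheck = on`; I believe libzypp's boolean parser also accepts `1`, but the rule's OVAL check for sle12 is not in this hunk, so confirm it accepts the value written here or remediation and scan will disagree. A short comment on the `value:` line recording the accepted forms would save the next reader the same check.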
+
++{{% if product == 'sle12' %}}
++platform: zypper
++{{% else %}}
+ platform: yum
++{{% endif %}}
+diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
+index a6581fd713..7382b7dd30 100644
+--- a/shared/applicability/general.yml
++++ b/shared/applicability/general.yml
+@@ -74,3 +74,7 @@ cpes:
+ title: "Package yum is installed"
+ check_id: installed_env_has_yum_package
+
++ - zypper:
++ name: "cpe:/a:zypper"
++ title: "Package zypper is installed"
++ check_id: installed_env_has_zypper_package
+diff --git a/shared/checks/oval/installed_env_has_zypper_package.xml b/shared/checks/oval/installed_env_has_zypper_package.xml
+new file mode 100644
+index 0000000000..cf14e6af3c
+--- /dev/null
++++ b/shared/checks/oval/installed_env_has_zypper_package.xml
+@@ -0,0 +1,25 @@
++
++
++
++ Package zypper is installed
++
++ multi_platform_sle
++
++ Checks if package zypper is installed.
++
++
++
++
++
++
++
++
++
++
++
++ zypper
++
++
+diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
+index 47deee6e54..c4a83ad325 100644
+--- a/shared/templates/kernel_module_disabled/ansible.template
++++ b/shared/templates/kernel_module_disabled/ansible.template
+@@ -1,12 +1,20 @@
+-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+ # reboot = true
+ # strategy = disable
+ # complexity = low
+ # disruption = medium
++{{% if product == "sle12" %}}
++- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
++ lineinfile:
++ create: yes
++ dest: "/etc/modprobe.d/50-blacklist.conf"
++ regexp: '^blacklist {{{ KERNMODULE }}}$'
++ line: "blacklist {{{ KERNMODULE }}}"
++{{% else %}}
+ - name: Ensure kernel module '{{{ KERNMODULE
}}}' is disabled
+ lineinfile:
+ create: yes
+ dest: "/etc/modprobe.d/{{{ KERNMODULE }}}.conf"
+ regexp: '{{{ KERNMODULE }}}'
+ line: "install {{{ KERNMODULE }}} /bin/true"
+-
++{{% endif %}}
+diff --git a/shared/templates/kernel_module_disabled/bash.template b/shared/templates/kernel_module_disabled/bash.template
+index 42c0830b5f..f70a9925cd 100644
+--- a/shared/templates/kernel_module_disabled/bash.template
++++ b/shared/templates/kernel_module_disabled/bash.template
+@@ -1,11 +1,18 @@
+-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+ # reboot = true
+ # strategy = disable
+ # complexity = low
+ # disruption = medium
++{{% if product == "sle12" %}}
++if ! LC_ALL=C grep -q -m 1 "^blacklist {{{ KERNMODULE }}}$" /etc/modprobe.d/50-blacklist.conf ; then
++ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/50-blacklist.conf
++ echo "blacklist {{{ KERNMODULE }}}" >> /etc/modprobe.d/50-blacklist.conf
++fi
++{{% else %}}
+ if LC_ALL=C grep -q -m 1 "^install {{{ KERNMODULE }}}" /etc/modprobe.d/{{{ KERNMODULE }}}.conf ; then
+ sed -i 's/^install {{{ KERNMODULE }}}.*/install {{{ KERNMODULE }}} /bin/true/g' /etc/modprobe.d/{{{ KERNMODULE }}}.conf
+ else
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
+ echo "install {{{ KERNMODULE }}} /bin/true" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
+ fi
++{{% endif %}}
+diff --git a/shared/templates/kernel_module_disabled/oval.template b/shared/templates/kernel_module_disabled/oval.template
+index e5a7aaa8b4..737ae3c796 100644
+--- a/shared/templates/kernel_module_disabled/oval.template
++++ b/shared/templates/kernel_module_disabled/oval.template
+@@ -54,9 +54,14 @@
+
+
++ {{% if product == "sle12" %}}
++ /etc/modprobe.d/50-blacklist.conf
++ ^blacklist\s+{{{ KERNMODULE }}}$
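Review bot: The sle12 branch added at the top of the ansible.template hunk writes only `blacklist {{{ KERNMODULE }}}` to /etc/modprobe.d/50-blacklist.conf, which is a weaker control than the `install {{{ KERNMODULE }}} /bin/true` line the other branch writes: a modprobe.d blacklist entry only stops the module from being loaded through its internal aliases, so an explicit load by module name or a dependency pull still succeeds. The bash.template and oval.template hunks that follow make the same choice, and the sle12 OVAL branch only matches `^blacklist\s+{{{ KERNMODULE }}}$`, so a host with the module loaded by name would still pass the scan. If the SLES 12 STIG wording is what requires the blacklist entry, consider having the sle12 branch write both lines, `blacklist {{{ KERNMODULE }}}` and `install {{{ KERNMODULE }}} /bin/true`, with the OVAL check requiring the install line; otherwise at least record the weaker guarantee in the template, e.g. `# sle12 STIG asks for a blacklist entry; this does not prevent an explicit modprobe of the module`.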
++ {{% else %}}
+ /etc/modprobe.d
+ ^.*\.conf$
+ ^\s*install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true)$
++ {{% endif %}}
+ 1
+
+
+diff --git a/sle12/product.yml b/sle12/product.yml
+index e465a6d687..d83ad88c21 100644
+--- a/sle12/product.yml
++++ b/sle12/product.yml
+@@ -9,6 +9,7 @@ profiles_root: "./profiles"
+ init_system: "systemd"
+
+ pkg_manager: "zypper"
++pkg_manager_config_file: "/etc/zypp/zypp.conf"
+ oval_feed_url: "https://support.novell.com/security/oval/suse.linux.enterprise.12.xml"
+
+ cpes_root: "../shared/applicability"
+diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
+index 6cf3339569..15c4f70336 100644
+--- a/sle12/profiles/stig.profile
++++ b/sle12/profiles/stig.profile
+@@ -12,34 +12,59 @@ selections:
+ - account_temp_expire_date
+ - accounts_have_homedir_login_defs
+ - accounts_logon_fail_delay
++ - accounts_max_concurrent_login_sessions
+ - accounts_maximum_age_login_defs
++ - accounts_minimum_age_login_defs
+ - accounts_no_uid_except_zero
+ - accounts_password_set_max_life_existing
+ - accounts_password_set_min_life_existing
+ - accounts_umask_etc_login_defs
++ - auditd_audispd_encrypt_sent_records
+ - auditd_data_disk_full_action
+ - auditd_data_retention_action_mail_acct
+ - auditd_data_retention_space_left
++ - banner_etc_issue
+ - banner_etc_motd
++ - dir_perms_world_writable_sticky_bits
+ - disable_ctrlaltdel_reboot
++ - encrypt_partitions
++ - ensure_gpgcheck_globally_activated
++ - file_permissions_sshd_private_key
++ - file_permissions_sshd_pub_key
++ - ftp_present_banner
+ - gnome_gdm_disable_automatic_login
+ - grub2_password
+ - grub2_uefi_password
+ - installed_OS_is_vendor_supported
++ - kernel_module_usb-storage_disabled
+ - no_empty_passwords
++ - no_files_unowned_by_user
+ - no_host_based_files
+ - no_user_host_based_files
++ - package_MFEhiplsm_installed
++ - package_aide_installed
+ - package_audit-audispd-plugins_installed
+ - package_audit_installed
++ - package_telnet-server_removed
+ -
postfix_client_configure_mail_alias
+ - security_patches_up_to_date
+ - service_auditd_enabled
+ - set_password_hashing_algorithm_logindefs
++ - sshd_disable_compression
+ - sshd_disable_empty_passwords
+ - sshd_disable_user_known_hosts
+ - sshd_do_not_permit_user_env
++ - sshd_enable_strictmodes
++ - sshd_enable_warning_banner
+ - sshd_enable_x11_forwarding
++ - sshd_print_last_log
+ - sshd_set_idle_timeout
+ - sshd_set_keepalive
++ - sshd_set_loglevel_verbose
++ - sshd_use_priv_separation
+ - sudo_remove_no_authenticate
+ - sudo_remove_nopasswd
++ - sysctl_net_ipv4_conf_all_accept_source_route
++ - sysctl_net_ipv4_conf_default_accept_source_route
++ - sysctl_net_ipv4_conf_default_send_redirects
++ - sysctl_net_ipv6_conf_all_accept_source_route
diff --git a/SOURCES/scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch b/SOURCES/scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
new file mode 100644
index 0000000..d117cdf
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
@@ -0,0 +1,1313 @@ +From 0e28027e3094a219956bbd8d9f6ead1375b901fe Mon Sep 17 00:00:00 2001 +From: Guang Yee +Date: Fri, 22 Jan 2021 12:20:03 -0800 +Subject: [PATCH] Enable checks and remediations for the following SLES-12 + STIGs: + + - SLES-12-010510 'aide_scan_notification' + - SLES-12-010700 'file_permissions_ungroupowned' + - SLES-12-010710 'accounts_user_interactive_home_directory_defined' + - SLES-12-010730 'accounts_user_interactive_home_directory_exists' + - SLES-12-010740 'file_permissions_home_directories' + - SLES-12-010750 'file_groupownership_home_directories' + - SLES-12-010760 'file_permission_user_init_files' + - SLES-12-010770 'accounts_user_home_paths_only' + - SLES-12-010780 'accounts_user_dot_no_world_writable_programs' + - SLES-12-010790 'mount_option_home_nosuid' + - SLES-12-010800 'mount_option_nosuid_removable_partitions' + - SLES-12-010810 'mount_option_nosuid_remote_filesystems' + - SLES-12-010820 'mount_option_noexec_remote_filesystems' + - SLES-12-010830 'dir_perms_world_writable_system_owned_group' + - SLES-12-010840 'service_kdump_disabled' + - SLES-12-010880 'run_chkstat' + - SLES-12-020500 'audit_rules_unsuccessful_file_modification_truncate' + - SLES-12-020510 'audit_rules_unsuccessful_file_modification_ftruncate' + - SLES-12-020520 'audit_rules_unsuccessful_file_modification_creat' + - SLES-12-020530 'audit_rules_unsuccessful_file_modification_openat' + - SLES-12-020540 'audit_rules_unsuccessful_file_modification_open_by_handle_at' + - SLES-12-020590 'audit_rules_usergroup_modification_gshadow' + - SLES-12-020600 'audit_rules_dac_modification_chmod' + - SLES-12-020650 'audit_rules_login_events_tallylog' + - SLES-12-020660 'audit_rules_login_events_lastlog' + - SLES-12-020680 'audit_rules_privileged_commands_unix_chkpwd' + - SLES-12-020690 'audit_rules_privileged_commands_chage' + - SLES-12-030030 'kernel_module_dccp_disabled' + - SLES-12-030140 'sshd_disable_root_login' + - SLES-12-030180 'sshd_use_approved_macs' + - SLES-12-030380 
'sysctl_net_ipv4_icmp_echo_ignore_broadcasts' + - SLES-12-030390 'sysctl_net_ipv4_conf_all_accept_redirects' + - SLES-12-030400 'sysctl_net_ipv4_conf_default_accept_redirects' + - SLES-12-030401 'sysctl_net_ipv6_conf_default_accept_source_route' + - SLES-12-030420 'sysctl_net_ipv4_conf_all_send_redirects' + - SLES-12-030430 'sysctl_net_ipv4_ip_forward' + +Corrections: + + - Rule 'sysctl_net_ipv4_conf_default_send_redirects' was originally submitted + with an incorrect SLES12 STIG ID. The correct SLES12 STIG ID should + be 'SLES-12-030410'. +--- + .../base/service_kdump_disabled/rule.yml | 1 + + .../rule.yml | 4 +- + .../rule.yml | 4 +- + .../sshd_disable_root_login/rule.yml | 1 + + .../sshd_use_approved_macs/ansible/shared.yml | 2 +- + .../sshd_use_approved_macs/rule.yml | 1 + + .../rule.yml | 6 ++- + .../accounts_user_home_paths_only/rule.yml | 4 +- + .../rule.yml | 4 +- + .../rule.yml | 4 +- + .../rule.yml | 4 +- + .../file_permission_user_init_files/rule.yml | 4 +- + .../rule.yml | 4 +- + .../rule.yml | 2 + + .../rule.yml | 2 + + .../rule.yml | 2 + + .../rule.yml | 2 + + .../rule.yml | 2 + + .../rule.yml | 2 + + .../audit_rules_login_events_lastlog/rule.yml | 2 + + .../rule.yml | 2 + + .../rule.yml | 4 +- + .../rule.yml | 4 +- + .../rule.yml | 4 +- + .../rule.yml | 4 +- + .../rule.yml | 4 +- + .../rule.yml | 5 +- + .../rule.yml | 4 +- + .../rule.yml | 4 +- + .../rule.yml | 2 +- + .../sysctl_net_ipv4_ip_forward/rule.yml | 4 +- + .../kernel_module_dccp_disabled/rule.yml | 4 +- + .../rule.yml | 9 ++-- + .../file_permissions_ungroupowned/rule.yml | 4 +- + .../mount_option_home_nosuid/rule.yml | 4 +- + .../rule.yml | 4 +- + .../permissions/permissions_local/group.yml | 12 +++++ + .../permissions_local/run_chkstat/rule.yml | 50 +++++++++++++++++++ + .../aide_scan_notification/bash/shared.sh | 13 ++++- + .../aide_scan_notification/oval/shared.xml | 12 +++-- + .../aide/aide_scan_notification/rule.yml | 8 ++- + .../aide/package_aide_installed/rule.yml | 2 +- + 
.../ansible.template | 2 +-
+ .../audit_rules_login_events/ansible.template | 2 +-
+ .../ansible.template | 2 +-
+ .../ansible.template | 2 +-
+ .../ansible.template | 2 +-
+ sle12/profiles/stig.profile | 39 +++++++++++++++
+ 48 files changed, 229 insertions(+), 40 deletions(-)
+ create mode 100644 linux_os/guide/system/permissions/permissions_local/group.yml
+ create mode 100644 linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml
+
+diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
+index 3737b264ce..ff9d439b4f 100644
+--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
++++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80258-7
+ cce@rhel8: CCE-80878-2
++ cce@sle12: CCE-83105-7
+
+ references:
+ stigid@ol7: OL07-00-021300
+diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
+index a4a8160aa9..d9c17fb416 100644
+--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'Mount Remote Filesystems with noexec'
+
+@@ -16,6 +16,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-80436-9
++ cce@sle12: CCE-83103-2
+
+ references:
+ stigid@ol7: OL07-00-021021
+@@ -29,6 +30,7 @@ references:
+ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 12,13,14,15,16,18,3,5
++ stigid@sle12: SLES-12-010820
+
+ ocil_clause: 'the setting does not show'
+
+diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
+index 7a40ea2b27..c14b0aeefb 100644
+--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
++++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'Mount Remote Filesystems with nosuid'
+
+@@ -14,6 +14,7 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-80240-5
++ cce@sle12: CCE-83102-4
+
+ references:
+ stigid@ol7: OL07-00-021020
+@@ -27,6 +28,7 @@ references:
+ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 12,13,14,15,16,18,3,5
++ stigid@sle12: SLES-12-010810
+
+ ocil_clause: 'the setting does not show'
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
+index 74002ded9a..287954db61 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
++++
b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27445-6
+ cce@rhel8: CCE-80901-2
++ cce@sle12: CCE-83035-6
+
+ references:
+ stigid@ol7: OL07-00-040370
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
+index 1a9b6990e9..2c5cf7e1c7 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
+@@ -1,4 +1,4 @@
+-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
++# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle
+ # reboot = false
+ # strategy = restrict
+ # complexity = low
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+index 394c733f51..a0bc4578a6 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+@@ -43,6 +43,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-27455-5
+ cce@rhel8: CCE-82198-3
++ cce@sle12: CCE-83036-4
+
+ references:
+ stigid@ol7: OL07-00-040400
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+index ad337e982c..77f3a12148 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype:
ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'User Initialization Files Must Not Run World-Writable Programs'
+
+@@ -20,17 +20,19 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-80523-4
++ cce@sle12: CCE-83099-2
+
+ references:
+ stigid@ol7: OL07-00-020730
+ disa: CCI-000366
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020730
++ stigid@sle12: SLES-12-010780
+
+ ocil_clause: 'files are executing world-writable programs'
+
+ ocil: |-
+ To verify that local initialization files do not execute world-writable programs,
+ execute the following command:
+-
$ sudo find /home -perm -002 -type f -exec ls -ld {} -name ".[^.]*" \;
++
$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
+ There should be no output.
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+index 9c9dd92fb0..0154c1d73b 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'Ensure that Users Path Contains Only Local Directories'
+
+@@ -24,12 +24,14 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-80524-2
++ cce@sle12: CCE-83098-4
+
+ references:
+ stigid@ol7: OL07-00-020720
+ disa: CCI-000366
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020720
++ stigid@sle12: SLES-12-010770
+
+ ocil_clause: 'paths contain more than local home directories'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+index 6d6c28eb85..9ee21744b2 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'All Interactive Users Must Have A Home Directory Defined'
+
+@@ -16,12 +16,14 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-80528-3
++ cce@sle12: CCE-83075-2
+
+ references:
+ stigid@ol7: OL07-00-020600
+ disa: CCI-000366
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020600
++ stigid@sle12: SLES-12-010710
+
+ ocil_clause:
'users home directory is not defined'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+index 42dfdeabed..a262abba7a 100644
+--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'All Interactive Users Home Directories Must Exist'
+
+@@ -22,6 +22,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80529-1
+ cce@rhel8: CCE-83424-2
++ cce@sle12: CCE-83074-5
+
+ references:
+ stigid@ol7: OL07-00-020620
+@@ -29,6 +30,7 @@ references:
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020620
+ cis@rhel8: 6.2.20
++ stigid@sle12: SLES-12-010730
+
+ ocil_clause: 'users home directory does not exist'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+index 0efb03da74..820a942220 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary User'
+
+@@ -21,6 +21,7 @@ severity: medium
+ identifiers:
+ cce@rhel7: CCE-80532-5
+ cce@rhel8: CCE-83434-1
++ cce@sle12: CCE-83096-8
+
+ references:
+ stigid@ol7: OL07-00-020650
+@@ -28,6 +29,7
@@ references:
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020650
+ cis@rhel8: 6.2.8
++ stigid@sle12: SLES-12-010750
+
+ ocil_clause: 'the group ownership is incorrect'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+index 6d719039a3..4810c941d6 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'Ensure All User Initialization Files Have Mode 0740 Or Less Permissive'
+
+@@ -18,12 +18,14 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-80525-9
++ cce@sle12: CCE-83097-6
+
+ references:
+ stigid@ol7: OL07-00-020710
+ disa: CCI-000366
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020710
++ stigid@sle12: SLES-12-010760
+
+ ocil_clause: 'they are not 0740 or more permissive'
+
+diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+index edb1b821d3..4898bfa6b6 100644
+--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
++++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'All Interactive User Home Directories Must Have mode 0750 Or Less Permissive'
+
+@@ -18,12 +18,14 @@ severity: medium
+
+ identifiers:
+ cce@rhel7: CCE-80530-9
++ cce@sle12: CCE-83076-0
+
+ references:
+ stigid@ol7: OL07-00-020630
+
disa: CCI-000366
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-020630
++ stigid@sle12: SLES-12-010740
+
+ ocil_clause: 'they are more permissive'
+
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+index 5dc589b5fc..22031b6517 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+@@ -30,6 +30,7 @@ identifiers:
+ cce@rhel7: CCE-27339-1
+ cce@rhel8: CCE-80685-1
+ cce@rhcos4: CCE-82556-2
++ cce@sle12: CCE-83106-5
+
+ references:
+ stigid@ol7: OL07-00-030410
+@@ -45,6 +46,7 @@ references:
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
+ vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
+ stigid@rhel7: RHEL-07-030410
++ stigid@sle12: SLES-12-020600
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+index cd550e7c0a..b5abef23d9 100644
+---
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+@@ -36,6 +36,7 @@ identifiers:
+ cce@rhel7: CCE-80385-8
+ cce@rhel8: CCE-80751-1
+ cce@rhcos4: CCE-82621-4
++ cce@sle12: CCE-83092-7
+
+ references:
+ stigid@ol7: OL07-00-030500
+@@ -50,6 +51,7 @@ references:
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
+ vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830
+ stigid@rhel7: RHEL-07-030500
++ stigid@sle12: SLES-12-020520
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+index 9696633f7e..9ed6b36699 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+@@ -39,6 +39,7 @@ identifiers:
+ cce@rhel7: CCE-80390-8
+ cce@rhel8: CCE-80752-9
+ cce@rhcos4: CCE-82629-7
++
cce@sle12: CCE-83091-9
+
+ references:
+ stigid@ol7: OL07-00-030550
+@@ -53,6 +54,7 @@ references:
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
+ vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830
+ stigid@rhel7: RHEL-07-030550
++ stigid@sle12: SLES-12-020510
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+index 08cd7a656c..28076744c3 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+@@ -36,6 +36,7 @@ identifiers:
+ cce@rhel7: CCE-80388-2
+ cce@rhel8: CCE-80755-2
+ cce@rhcos4: CCE-82640-4
++ cce@sle12: CCE-83094-3
+
+ references:
+ stigid@ol7: OL07-00-030530
+@@ -50,6 +51,7 @@ references:
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
+ vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830
+ stigid@rhel7: RHEL-07-030530
++ stigid@sle12: SLES-12-020540
+ isa-62443-2013: 'SR 1.13,SR
2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+index 32501fd295..f1699ab14e 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+@@ -39,6 +39,7 @@ identifiers:
+ cce@rhel7: CCE-80387-4
+ cce@rhel8: CCE-80754-5
+ cce@rhcos4: CCE-82634-7
++ cce@sle12: CCE-83093-5
+
+ references:
+ stigid@ol7: OL07-00-030520
+@@ -53,6 +54,7 @@ references:
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
+ vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830
+ stigid@rhel7: RHEL-07-030520
++ stigid@sle12: SLES-12-020530
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5:
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+index 037812a685..60d98c5803 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+@@ -39,6 +39,7 @@ identifiers:
+ cce@rhel7: CCE-80389-0
+ cce@rhel8: CCE-80756-0
+ cce@rhcos4: CCE-82651-1
++ cce@sle12: CCE-83085-1
+
+ references:
+ stigid@ol7: OL07-00-030540
+@@ -53,6 +54,7 @@ references:
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
+ vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830
+ stigid@rhel7: RHEL-07-030540
++ stigid@sle12: SLES-12-020500
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+index 7590cb2353..54e820c309 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+@@ -28,6 +28,7 @@ identifiers:
+ cce@rhel7: CCE-80384-1
+ cce@rhel8: CCE-80719-8
+ cce@rhcos4: CCE-82584-4
++ cce@sle12: CCE-83108-1
+
+ references:
+ cis@rhel7: 4.1.8
+@@ -43,6 +44,7 @@ references:
+ srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218
+ vmmsrg: SRG-OS-000473-VMM-001930,SRG-OS-000470-VMM-001900
+ stigid@rhel7: RHEL-07-030620
++ stigid@sle12: SLES-12-020660
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+index 267cafb758..730b7d7201 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+@@ -28,6 +28,7 @@ identifiers:
+ cce@rhel7: CCE-80994-7
+ cce@rhel8: CCE-80720-6
+ cce@rhcos4: CCE-82585-1
++ cce@sle12:
CCE-83107-3
+
+ references:
+ cis: 5.2.8
+@@ -41,6 +42,7 @@ references:
+ srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218
+ vmmsrg: SRG-OS-000473-VMM-001930,SRG-OS-000470-VMM-001900
+ stigid@rhel7: RHEL-07-030600
++ stigid@sle12: SLES-12-020650
+ isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+index 9503765c88..0fcf3fb9f6 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'Ensure auditd Collects Information on the Use of Privileged Commands - chage'
+
+@@ -34,6 +34,7 @@ identifiers:
+ cce@rhel7: CCE-80398-1
+ cce@rhel8: CCE-80725-5
+ cce@rhcos4: CCE-82591-9
++ cce@sle12: CCE-83110-7
+
+ references:
+ stigid@ol7: OL07-00-030660
+@@ -45,6 +46,7 @@ references:
+ srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ vmmsrg: SRG-OS-000471-VMM-001910
+
stigid@rhel7: RHEL-07-030660
++ stigid@sle12: SLES-12-020690
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+index 0171bd3758..b458ed6d8c 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd'
+
+@@ -34,6 +34,7 @@ identifiers:
+ cce@rhel7: CCE-80396-5
+ cce@rhel8: CCE-80740-4
+ cce@rhcos4: CCE-82609-9
++ cce@sle12: CCE-83109-9
+
+ references:
+ stigid@ol7: OL07-00-030640
+@@ -46,6 +47,7 @@ references:
+ srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ vmmsrg: SRG-OS-000471-VMM-001910
+ stigid@rhel7: RHEL-07-030640
++ stigid@sle12: SLES-12-020680
+ isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
+ isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+diff --git
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+index 9ee6de4b51..0b5707f596 100644
+--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
+
+ title: 'Record Events that Modify User/Group Information - /etc/gshadow'
+
+@@ -31,6 +31,7 @@ identifiers:
+ cce@rhel7: CCE-80432-8
+ cce@rhel8: CCE-80759-4
+ cce@rhcos4: CCE-82655-2
++ cce@sle12: CCE-83095-0
+
+ references:
+ stigid@ol7: OL07-00-030872
+@@ -46,6 +47,7 @@ references:
+ srg: SRG-OS-000004-GPOS-00004
+ vmmsrg: SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960
+ stigid@rhel7: RHEL-07-030872
++ stigid@sle12: SLES-12-020590
+ isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
+ isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
+ cobit5:
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
+diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+index 76aed7c565..af6be9505a 100644
+--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
++++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+@@ -1,6 +1,6 @@
+ documentation_complete: true
+
+-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4
++prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12
+
+ title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default'
+
+@@ -22,6 +22,7 @@ identifiers:
+ cce@rhel7: CCE-80355-1
+ cce@rhel8: CCE-81015-0
+ cce@rhcos4: CCE-82481-3
++ cce@sle12: CCE-83087-7
+
+ references:
+ anssi: BP28(R22)
+@@ -35,6 +36,7 @@ references:
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 1,12,13,14,15,16,18,4,6,8,9
+ srg: SRG-OS-000480-GPOS-00227
++ stigid@sle12: SLES-12-030401
+ cis@rhel8: 3.2.1
+
+ {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_source_route", value="0") }}}
+diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +index 5a529710db..361073e99c 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 + + title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces' + +@@ -21,6 +21,7 @@ identifiers: + cce@rhel7: CCE-80158-9 + cce@rhel8: CCE-80917-8 + cce@rhcos4: CCE-82469-8 ++ cce@sle12: CCE-83090-1 + + references: + stigid@ol7: OL07-00-040641 +@@ -33,6 +34,7 @@ references: + nist-csf: DE.CM-1,PR.DS-4,PR.IP-1,PR.PT-3 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040641 ++ stigid@sle12: SLES-12-030390 + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 6.2,SR 7.1,SR 7.2,SR 7.6' + isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 + cobit5: APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07,DSS06.06 +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml +index d3336d246f..ed4a024797 100644 +--- 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,sle12 + + title: 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces' + +@@ -20,6 +20,7 @@ identifiers: + cce@rhel7: CCE-80163-9 + cce@rhel8: CCE-80919-4 + cce@rhcos4: CCE-82470-6 ++ cce@sle12: CCE-83081-0 + + references: + stigid@ol7: OL07-00-040640 +@@ -32,6 +33,8 @@ references: + nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040640 ++ stigid@sle12: SLES-12-030400 ++ + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' + isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 + cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 +diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml +index a7f24853f6..ef659ec1c2 100644 +--- 
a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 + + title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces' + +@@ -19,6 +19,7 @@ identifiers: + cce@rhel7: CCE-80165-4 + cce@rhel8: CCE-80922-8 + cce@rhcos4: CCE-82491-2 ++ cce@sle12: CCE-83080-2 + + references: + stigid@ol7: OL07-00-040630 +@@ -30,6 +31,7 @@ references: + nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040630 ++ stigid@sle12: SLES-12-030380 + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' + isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 + cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml +index d610f022fe..f49353c25c 100644 +--- 
a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 + + title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces' + +@@ -19,6 +19,7 @@ identifiers: + cce@rhel7: CCE-80156-3 + cce@rhel8: CCE-80918-6 + cce@rhcos4: CCE-82484-7 ++ cce@sle12: CCE-83089-3 + + references: + stigid@ol7: OL07-00-040660 +@@ -31,6 +32,7 @@ references: + nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040660 ++ stigid@sle12: SLES-12-030420 + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' + isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 + cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml +index 861c3485f3..d7d5bfe607 100644 +--- 
a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml +@@ -32,7 +32,7 @@ references: + nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040650 +- stigid@sle12: SLES-12-030420 ++ stigid@sle12: SLES-12-030410 + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' + isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 + cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 +diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +index 12d84a2604..b9f3d060d5 100644 +--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml ++++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,rhcos4 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,rhcos4,sle12 + + title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces' + +@@ -17,6 +17,7 @@ severity: medium + identifiers: + cce@rhel7: 
CCE-80157-1 + cce@rhel8: CCE-81024-2 ++ cce@sle12: CCE-83088-5 + + references: + stigid@ol7: OL07-00-040740 +@@ -28,6 +29,7 @@ references: + nist-csf: DE.CM-1,PR.DS-4,PR.IP-1,PR.PT-3,PR.PT-4 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-040740 ++ stigid@sle12: SLES-12-030430 + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' + isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 + cobit5: APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07,DSS06.06 +diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml +index ee7140be4b..d9db321b70 100644 +--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml ++++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 + + title: 'Disable DCCP Support' + +@@ -19,10 +19,12 @@ severity: medium + identifiers: + cce@rhel7: CCE-82024-1 + cce@rhel8: CCE-80833-7 ++ cce@sle12: CCE-83055-4 + + references: + stigid@ol7: OL07-00-020101 + stigid@rhel7: RHEL-07-020101 ++ stigid@sle12: SLES-12-030030 + cis@rhel8: 3.3.1 + cjis: 5.10.1 + cui: 3.4.6 +diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml 
b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml +index 1e3c60b7e3..8578172a99 100644 +--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml ++++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 + + title: 'Ensure All World-Writable Directories Are Group Owned by a System Account' + +@@ -22,14 +22,17 @@ severity: medium + + identifiers: + cce@rhel7: CCE-83923-3 ++ cce@sle12: CCE-83104-0 + + references: + stigid@ol7: OL07-00-021030 + disa: CCI-000366 + nist: CM-6(a),AC-6(1) ++ nist@sle12: CM-6(b) + nist-csf: PR.AC-4,PR.DS-5 + srg: SRG-OS-000480-GPOS-00227 + stigid@rhel7: RHEL-07-021030 ++ stigid@sle12: SLES-12-010830 + isa-62443-2013: 'SR 2.1,SR 5.2' + isa-62443-2009: 4.3.3.7.3 + cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 +@@ -41,5 +44,5 @@ ocil_clause: 'there is output' + ocil: |- + The following command will discover and print world-writable directories that + are not group owned by a system account, given the assumption that only system +- accounts have a gid lower than 500. Run it once for each local partition PART: +-
$ sudo find PART -xdev -type d -perm -0002 -gid +499 -print
++ accounts have a gid lower than {{{ auid }}}. Run it once for each local partition PART: ++
$ sudo find PART -xdev -type d -perm -0002 -gid +{{{ auid - 1 }}} -print
+diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +index 68fd6821b8..79594c701f 100644 +--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml ++++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 + + title: 'Ensure All Files Are Owned by a Group' + +@@ -24,6 +24,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80135-7 + cce@rhel8: CCE-83497-8 ++ cce@sle12: CCE-83073-7 + + references: + stigid@ol7: OL07-00-020330 +@@ -40,6 +41,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,13,14,15,16,18,3,5 + cis@sle15: 6.1.12 ++ stigid@sle12: SLES-12-010700 + + ocil_clause: 'there is output' + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml +index dadd3fa3e9..3652cf9f2b 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,rhcos4 ++prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,rhcos4,sle12 + + title: 'Add nosuid Option to /home' + +@@ -21,6 +21,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-81153-9 + cce@rhel8: CCE-81050-7 ++ cce@sle12: CCE-83100-8 + + references: + stigid@ol7: OL07-00-021000 +@@ -36,6 
+37,7 @@ references: + cis-csc: 11,13,14,3,8,9 + anssi: BP28(R12) + srg: SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00227 ++ stigid@sle12: SLES-12-010790 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml +index e507bb4465..5f19864ded 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,rhcos4,ubuntu1804 ++prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019,rhcos4,ubuntu1804 + + title: 'Add nosuid Option to Removable Media Partitions' + +@@ -23,6 +23,7 @@ identifiers: + cce@rhel7: CCE-80148-0 + cce@rhel8: CCE-82744-4 + cce@rhcos4: CCE-82745-1 ++ cce@sle12: CCE-83101-6 + + references: + cis@rhel8: 1.1.19 +@@ -39,6 +40,7 @@ references: + iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.11.2.6,A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 + cis-csc: 11,12,13,14,15,16,18,3,5,8,9 + cis@sle15: 1.1.21 ++ stigid@sle12: SLES-12-010800 + + platform: machine + +diff --git a/linux_os/guide/system/permissions/permissions_local/group.yml b/linux_os/guide/system/permissions/permissions_local/group.yml +new file mode 100644 +index 0000000000..6e13c74f51 +--- /dev/null ++++ b/linux_os/guide/system/permissions/permissions_local/group.yml +@@ -0,0 +1,12 @@ ++documentation_complete: true ++ ++title: |- ++ Verify Permissions on Important Files and ++ Directories Are Configured in /etc/permissions.local ++ 
++description: |- ++ Permissions for many files on a system must be set ++ restrictively to ensure sensitive information is properly protected. ++ This section discusses the /etc/permissions.local file, where ++ expected permissions can be configured to be checked and fixed through ++ usage of the chkstat command. +diff --git a/linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml b/linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml +new file mode 100644 +index 0000000000..8c28313067 +--- /dev/null ++++ b/linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml +@@ -0,0 +1,50 @@ ++documentation_complete: true ++ ++prodtype: sle12 ++ ++title: 'OS commands and libraries must have the proper permissions to protect from unauthorized access' ++ ++description: |- ++ Verify that the SUSE operating system prevents unauthorized users from ++ accessing system command and library files. ++ ++ Check that all of the audit information files and folders have the correct ++ permissions with the following command: ++
# sudo chkstat --warn --system
++ ++ Set the correct permissions with the following command: ++ ++
# sudo chkstat --set --system
++ ++rationale: |- ++ If the SUSE operating system were to allow any user to make changes to ++ software libraries, those changes might be implemented without undergoing ++ the appropriate testing and approvals that are part of a robust change ++ management process. ++ ++ This requirement applies to SUSE operating systems with software libraries ++ that are accessible and configurable, as in the case of interpreted ++ languages. Software libraries also include privileged programs that execute ++ with escalated privileges. Only qualified and authorized individuals must ++ be allowed to obtain access to information system components to initiate ++ changes, including upgrades and modifications. ++ ++severity: medium ++ ++identifiers: ++ cce@sle12: CCE-83111-5 ++ ++references: ++ disa@sle12: CCI-001499 ++ nist@sle12: CM-5(6) ++ srg@sle12: SRG-OS-000259-GPOS-00100 ++ stigid@sle12: SLES-12-010880 ++ ++ocil: |- ++ Check that all of the audit information files and folders have the correct ++ permissions with the following command: ++
# sudo chkstat --warn --system
++ ++ If you get any warnings, set the correct permissions with the following command: ++ ++
# sudo chkstat --set --system
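Review bot: The description and ocil of the new run_chkstat rule both say "Check that all of the audit information files and folders have the correct permissions", which does not match the rule's own title (OS commands and libraries) or what `chkstat --warn --system` verifies; the sentence looks carried over from an audit rule. Suggest `Check that system commands and libraries have the permissions expected by the system permissions profile with the following command:` in both places. The rule also provides `ocil:` without an `ocil_clause:`, unlike the sibling rules in this patch (e.g. dir_perms_world_writable_system_owned_group); if the build requires the clause whenever an OCIL check is given, something like `ocil_clause: 'chkstat reports any warnings'` is needed.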
+diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh +index 9b2e235311..fbe9ddbb3e 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh +@@ -1,15 +1,24 @@ +-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol ++# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol,multi_platform_sle + + {{{ bash_package_install("aide") }}} + + CRONTAB=/etc/crontab + CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly' + ++# NOTE: on some platforms, /etc/crontab may not exist ++if [ -f /etc/crontab ]; then ++ CRONTAB_EXIST=/etc/crontab ++fi ++ + if [ -f /var/spool/cron/root ]; then + VARSPOOL=/var/spool/cron/root + fi + +-if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then ++if ! 
grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then ++{{% if product == "sle12" %}} ++ echo '0 5 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB ++{{% else %}} + echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB ++{{% endif %}} + fi + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml +index d6d9f2542e..7f557bd6a3 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml +@@ -1,3 +1,9 @@ ++{{% if product in ["sle12", "sle15"] %}} ++{{% set aide_bin_path = "/usr/bin/aide" %}} ++{{% else %}} ++{{% set aide_bin_path = "/usr/sbin/aide" %}} ++{{% endif %}} ++ + + + {{{ oval_metadata("AIDE should notify appropriate personnel of the details +@@ -17,7 +23,7 @@ + + + /etc/crontab +- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ ++ ^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ + 1 + + +@@ -26,7 +32,7 @@ + + + /var/spool/cron/root +- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ ++ ^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ + 1 + + +@@ -36,7 +42,7 @@ + + ^/etc/cron.(d|daily|weekly|monthly)$ + ^.*$ +- ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ ++ ^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ + 1 + + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml 
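Review bot: The grep at the top of this hunk still hard-codes `/usr/sbin/aide`, while the sle12 branch added just below writes a cron entry with `/usr/bin/aide`, so on sle12 the check never matches the line the remediation itself creates and every run appends another cron entry. The bash branch is also keyed on `product == "sle12"`, whereas the oval/shared.xml hunks in the same file set select aide_bin_path with `product in ["sle12", "sle15"]`; since the platform line now covers multi_platform_sle, a sle15 remediation writes a path the OVAL does not look for. Resolving the binary path once and using it in both the grep and the echo keeps check and fix aligned; the package install and the CRONTAB/CRONDIRS/CRONTAB_EXIST/VARSPOOL setup stay as they are.
```shell
# … unchanged: platform line, bash_package_install, CRONTAB/CRONDIRS/CRONTAB_EXIST/VARSPOOL setup …
{{% if product in ["sle12", "sle15"] %}}
{{% set aide_bin = "/usr/bin/aide" %}}
{{% else %}}
{{% set aide_bin = "/usr/sbin/aide" %}}
{{% endif %}}

if ! grep -qR '^.*{{{ aide_bin }}}\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
    echo '0 5 * * * root {{{ aide_bin }}} --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
fi
```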
b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +index 3ed6a7bb37..cc696141f6 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 + + title: 'Configure Notification of Post-AIDE Scan Details' + +@@ -30,6 +30,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-80374-2 + cce@rhel8: CCE-82891-3 ++ cce@sle12: CCE-83048-9 + + references: + stigid@ol7: OL07-00-020040 +@@ -44,6 +45,11 @@ references: + cobit5: BAI01.06,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07 + iso27001-2013: A.12.1.2,A.12.4.1,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1 + cis-csc: 1,11,12,13,15,16,2,3,5,7,8,9 ++ disa@sle12: CCI-002702 ++ nist@sle12: SI-6d ++ stigid@sle12: SLES-12-010510 ++ srg@sle12: SRG-OS-000447-GPOS-00201 ++ disa@sle12: CCI-002702 + + ocil_clause: 'AIDE has not been configured or has not been configured to notify personnel of scan details' + +diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +index 23e939bbec..abf13a274a 100644 +--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml ++++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +@@ -14,7 +14,7 @@ severity: medium + identifiers: + cce@rhel7: CCE-27096-7 + cce@rhel8: CCE-80844-4 +- cce@sle12: CCE-83048-9 ++ cce@sle12: CCE-83067-9 + + references: + cis@rhel8: 1.4.1 +diff --git a/shared/templates/audit_rules_dac_modification/ansible.template 
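Review bot: The `@@ -44,6 +45,11 @@` hunk of aide_scan_notification/rule.yml adds `disa@sle12: CCI-002702` twice, which leaves the references mapping with a duplicate key; depending on the YAML loader this is either silently collapsed to one value or rejected outright. Drop the second `disa@sle12: CCI-002702` line and keep the first one next to `nist@sle12: SI-6d`.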
b/shared/templates/audit_rules_dac_modification/ansible.template +index 49e4258cd2..70101ca777 100644 +--- a/shared/templates/audit_rules_dac_modification/ansible.template ++++ b/shared/templates/audit_rules_dac_modification/ansible.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle + # reboot = true + # strategy = restrict + # complexity = low +diff --git a/shared/templates/audit_rules_login_events/ansible.template b/shared/templates/audit_rules_login_events/ansible.template +index e36d4b3371..4b32771c3f 100644 +--- a/shared/templates/audit_rules_login_events/ansible.template ++++ b/shared/templates/audit_rules_login_events/ansible.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle + # reboot = true + # strategy = restrict + # complexity = low +diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template +index a992b47960..1c5a8b6b2a 100644 +--- a/shared/templates/audit_rules_privileged_commands/ansible.template ++++ b/shared/templates/audit_rules_privileged_commands/ansible.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle + # reboot = false + # strategy = restrict + # complexity = low +diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +index 3737145add..8e8e003a5b 100644 +--- 
a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template ++++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle + # reboot = true + # strategy = restrict + # complexity = low +diff --git a/shared/templates/audit_rules_usergroup_modification/ansible.template b/shared/templates/audit_rules_usergroup_modification/ansible.template +index 2fab63ae44..ea9738ecb2 100644 +--- a/shared/templates/audit_rules_usergroup_modification/ansible.template ++++ b/shared/templates/audit_rules_usergroup_modification/ansible.template +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle + # reboot = true + # strategy = restrict + # complexity = low +diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile +index 15c4f70336..4c8b361226 100644 +--- a/sle12/profiles/stig.profile ++++ b/sle12/profiles/stig.profile +@@ -7,7 +7,9 @@ description: |- + DISA STIG for SUSE Linux Enterprise 12 V1R2. 
+ + selections: ++ - sshd_approved_macs=stig + - var_accounts_fail_delay=4 ++ - var_removable_partition=dev_cdrom + - account_disable_post_pw_expiration + - account_temp_expire_date + - accounts_have_homedir_login_defs +@@ -19,6 +21,22 @@ selections: + - accounts_password_set_max_life_existing + - accounts_password_set_min_life_existing + - accounts_umask_etc_login_defs ++ - accounts_user_dot_no_world_writable_programs ++ - accounts_user_home_paths_only ++ - accounts_user_interactive_home_directory_defined ++ - accounts_user_interactive_home_directory_exists ++ - aide_scan_notification ++ - audit_rules_dac_modification_chmod ++ - audit_rules_login_events_lastlog ++ - audit_rules_login_events_tallylog ++ - audit_rules_privileged_commands_chage ++ - audit_rules_privileged_commands_unix_chkpwd ++ - audit_rules_unsuccessful_file_modification_creat ++ - audit_rules_unsuccessful_file_modification_ftruncate ++ - audit_rules_unsuccessful_file_modification_open_by_handle_at ++ - audit_rules_unsuccessful_file_modification_openat ++ - audit_rules_unsuccessful_file_modification_truncate ++ - audit_rules_usergroup_modification_gshadow + - auditd_audispd_encrypt_sent_records + - auditd_data_disk_full_action + - auditd_data_retention_action_mail_acct +@@ -26,17 +44,27 @@ selections: + - banner_etc_issue + - banner_etc_motd + - dir_perms_world_writable_sticky_bits ++ - dir_perms_world_writable_system_owned_group + - disable_ctrlaltdel_reboot + - encrypt_partitions + - ensure_gpgcheck_globally_activated ++ - file_groupownership_home_directories ++ - file_permission_user_init_files ++ - file_permissions_home_directories + - file_permissions_sshd_private_key + - file_permissions_sshd_pub_key ++ - file_permissions_ungroupowned + - ftp_present_banner + - gnome_gdm_disable_automatic_login + - grub2_password + - grub2_uefi_password + - installed_OS_is_vendor_supported ++ - kernel_module_dccp_disabled + - kernel_module_usb-storage_disabled ++ - mount_option_home_nosuid ++ - 
mount_option_noexec_remote_filesystems ++ - mount_option_nosuid_remote_filesystems ++ - mount_option_nosuid_removable_partitions + - no_empty_passwords + - no_files_unowned_by_user + - no_host_based_files +@@ -47,11 +75,14 @@ selections: + - package_audit_installed + - package_telnet-server_removed + - postfix_client_configure_mail_alias ++ - run_chkstat + - security_patches_up_to_date + - service_auditd_enabled ++ - service_kdump_disabled + - set_password_hashing_algorithm_logindefs + - sshd_disable_compression + - sshd_disable_empty_passwords ++ - sshd_disable_root_login + - sshd_disable_user_known_hosts + - sshd_do_not_permit_user_env + - sshd_enable_strictmodes +@@ -61,10 +92,18 @@ selections: + - sshd_set_idle_timeout + - sshd_set_keepalive + - sshd_set_loglevel_verbose ++ - sshd_use_approved_macs + - sshd_use_priv_separation + - sudo_remove_no_authenticate + - sudo_remove_nopasswd ++ - sysctl_net_ipv4_conf_all_accept_redirects + - sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv4_conf_all_send_redirects ++ - sysctl_net_ipv4_conf_default_accept_redirects + - sysctl_net_ipv4_conf_default_accept_source_route + - sysctl_net_ipv4_conf_default_send_redirects ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ - sysctl_net_ipv4_ip_forward + - sysctl_net_ipv6_conf_all_accept_source_route ++ - sysctl_net_ipv6_conf_default_accept_source_route ++ diff --git a/SOURCES/scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch b/SOURCES/scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch new file mode 100644 index 0000000..c29f9ff --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch 
@@ -0,0 +1,259 @@ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +index abcebf60c7..50c7d689af 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +@@ -61,7 +61,6 @@ references: + nist-csf: PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-1,PR.PT-1,PR.PT-3,PR.PT-4 + srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 + vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590 +- stigid@rhel7: RHEL-07-040110 + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6' + isa-62443-2009: 4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO11.04,APO13.01,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10,MEA02.01 +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml +new file mode 100644 +index 0000000000..4796a2eab1 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml +@@ -0,0 +1,13 @@ ++# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 
++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: "Configure sshd to use approved ciphers" ++ lineinfile: ++ path: /etc/ssh/sshd_config ++ line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr' ++ state: present ++ regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$' ++ create: True +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh +new file mode 100644 +index 0000000000..8f751ed516 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7 ++ ++if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then ++ sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config ++else ++ echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml +new file mode 100644 +index 0000000000..53ff0a2a9e +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml +@@ -0,0 +1,38 @@ ++ ++ ++ {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml 
b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml +new file mode 100644 +index 0000000000..0751064179 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml +@@ -0,0 +1,64 @@ ++documentation_complete: true ++ ++prodtype: rhel7 ++ ++title: 'Use Only FIPS 140-2 Validated Ciphers' ++ ++description: |- ++ Limit the ciphers to those algorithms which are FIPS-approved. ++ The following line in /etc/ssh/sshd_config ++ demonstrates use of FIPS-approved ciphers: ++
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
++ This rule ensures that there are configured ciphers mentioned ++ above (or their subset), keeping the given order of algorithms. ++ ++rationale: |- ++ Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore ++ cannot be relied upon to provide confidentiality or integrity, and system data may be compromised. ++
++ Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to ++ cryptographic modules. ++
++ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules ++ utilize authentication that meets industry and government requirements. For government systems, this allows ++ Security Levels 1, 2, 3, or 4 for use on {{{ full_name }}}. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-83398-8 ++ ++references: ++ disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123 ++ srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 ++ stigid@rhel7: RHEL-07-040110 ++ ++ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved' ++ ++ocil: |- ++ Only FIPS ciphers should be used. To verify that only FIPS-approved ++ ciphers are in use, run the following command: ++
$ sudo grep Ciphers /etc/ssh/sshd_config
++ The output should contain only following ciphers (or a subset) in the exact order: ++
aes256-ctr,aes192-ctr,aes128-ctr
++ ++warnings: ++ - general: |- ++ The system needs to be rebooted for these changes to take effect. ++ - regulatory: |- ++ System Crypto Modules must be provided by a vendor that undergoes ++ FIPS-140 certifications. ++ FIPS-140 is applicable to all Federal agencies that use ++ cryptographic-based security systems to protect sensitive information ++ in computer and telecommunication systems (including voice systems) as ++ defined in Section 5131 of the Information Technology Management Reform ++ Act of 1996, Public Law 104-106. This standard shall be used in ++ designing and implementing cryptographic modules that Federal ++ departments and agencies operate or are operated for them under ++ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} ++ To meet this, the system has to have cryptographic software provided by ++ a vendor that has undergone this certification. This means providing ++ documentation, test results, design information, and independent third ++ party review by an accredited lab. While open source software is ++ capable of meeting this, it does not meet FIPS-140 unless the vendor ++ submits to this process. 
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh +new file mode 100644 +index 0000000000..daff7d7c53 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/# ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config ++else ++ echo "# ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh +new file mode 100644 +index 0000000000..b9d22262af +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config ++else ++ echo "Ciphers aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh +new file mode 100644 +index 0000000000..b99d3832cd +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config ++else ++ echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config 
++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..6dfd54631c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config ++else ++ echo 'ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh +new file mode 100644 +index 0000000000..7b38914a1a +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh +new file mode 100644 +index 0000000000..6fdb47093d +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/Ciphers /" /etc/ssh/sshd_config ++else ++ echo 'Ciphers ' >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh +new 
file mode 100644 +index 0000000000..24fdf0f30d +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^Ciphers" /etc/ssh/sshd_config; then ++ sed -i "s/^Ciphers.*/ Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config ++else ++ echo " Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config ++fi +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index 6c06a8ede6..adf86894e1 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -239,8 +239,7 @@ selections: + - install_antivirus + - accounts_max_concurrent_login_sessions + - configure_firewalld_ports +- - sshd_approved_ciphers=stig +- - sshd_use_approved_ciphers ++ - sshd_use_approved_ciphers_ordered_stig + - accounts_tmout + - sshd_enable_warning_banner + - sssd_ldap_start_tls diff --git a/SOURCES/scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch b/SOURCES/scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch new file mode 100644 index 0000000..f321ef8 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch 
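Review bot: The OVAL pattern in sshd_use_approved_ciphers_ordered_stig/oval/shared.xml rejects a compliant line that carries a trailing comment unless the list ends in aes128-ctr, because the lookaheads `(?=[\w,]+|$)` after aes256-ctr and aes192-ctr accept no whitespace; `Ciphers aes256-ctr,aes192-ctr # FIPS` therefore fails even though the pattern ends in `(?:#.*)?$` to tolerate exactly that. If trailing comments are meant to be tolerated, `(?=[,\s]|$)` in place of each `(?=[\w,]+|$)` keeps the ordering and subset semantics and additionally stops a name that merely starts with `aes256-ctr` from being accepted. The ansible regexp has a separate slip: inside a character class `[\w,-@]` is the range `,`–`@` (it also admits `. / : ; < = > ?`), so `[\w,@-]` is what was meant, and aligning it with the OVAL class would make check and remediation agree on which lines count. None of the tests/ cases puts a comment after a compliant list, so a `correct_value_comment.pass.sh` case would pin whichever behaviour is intended.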
@@ -0,0 +1,386 @@ +From 5f8f98024f8955a0327b67f873923757a51d082c Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 19 Jan 2021 12:32:07 +0100 +Subject: [PATCH 1/7] add rule and remediations + +--- + .../ansible/shared.yml | 13 +++++ + .../bash/shared.sh | 7 +++ + .../oval/shared.xml | 38 +++++++++++++ + .../rule.yml | 57 +++++++++++++++++++ + shared/references/cce-redhat-avail.txt | 1 - + 5 files changed, 115 insertions(+), 1 deletion(-) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml +new file mode 100644 +index 0000000000..cefba7db05 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml +@@ -0,0 +1,13 @@ ++# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: "Configure sshd to use approved MACs" ++ lineinfile: ++ path: /etc/ssh/sshd_config ++ line: 'MACs hmac-sha2-512,hmac-sha2-256' ++ state: present ++ regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$' ++ create: True +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh +new file mode 100644 +index 0000000000..c76190fb96 +--- /dev/null ++++ 
b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh +@@ -0,0 +1,7 @@ ++# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7 ++ ++if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then ++ sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config ++else ++ echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml +new file mode 100644 +index 0000000000..d7fbd9f0ed +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml +@@ -0,0 +1,38 @@ ++ ++ ++ {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}} ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/ssh/sshd_config ++ ^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml +new file mode 100644 +index 0000000000..dc9f7dca7c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml +@@ -0,0 +1,57 @@ ++documentation_complete: true ++ ++prodtype: rhel7 ++ ++title: 'Use Only FIPS 140-2 Validated MACs' ++ ++description: |- ++ Limit the MACs to those hash algorithms which are FIPS-approved. ++ The following line in /etc/ssh/sshd_config ++ demonstrates use of FIPS-approved MACs: ++
MACs hmac-sha2-512,hmac-sha2-256
++ This rule ensures that there are configured MACs mentioned ++ above (or their subset), keeping the given order of algorithms. ++ ++rationale: |- ++ DoD Information Systems are required to use FIPS-approved cryptographic hash ++ functions. The only SSHv2 hash algorithms meeting this requirement is SHA2. ++ ++severity: medium ++ ++identifiers: ++ cce@rhel7: CCE-83398-8 ++ ++references: ++ disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123 ++ srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174 ++ stigid@rhel7: RHEL-07-040400 ++ ++ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms' ++ ++ocil: |- ++ Only FIPS-approved MACs should be used. To verify that only FIPS-approved ++ MACs are in use, run the following command: ++
$ sudo grep -i macs /etc/ssh/sshd_config
++ The output should contain only following MACs (or a subset) in the exact order: ++
hmac-sha2-512,hmac-sha2-256
++ ++warnings: ++ - general: |- ++ The system needs to be rebooted for these changes to take effect. ++ - regulatory: |- ++ System Crypto Modules must be provided by a vendor that undergoes ++ FIPS-140 certifications. ++ FIPS-140 is applicable to all Federal agencies that use ++ cryptographic-based security systems to protect sensitive information ++ in computer and telecommunication systems (including voice systems) as ++ defined in Section 5131 of the Information Technology Management Reform ++ Act of 1996, Public Law 104-106. This standard shall be used in ++ designing and implementing cryptographic modules that Federal ++ departments and agencies operate or are operated for them under ++ contract. See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} ++ To meet this, the system has to have cryptographic software provided by ++ a vendor that has undergone this certification. This means providing ++ documentation, test results, design information, and independent third ++ party review by an accredited lab. While open source software is ++ capable of meeting this, it does not meet FIPS-140 unless the vendor ++ submits to this process. 
+From 18ea3b8671e15c06a5c1c864d9d1d67f4262189e Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 19 Jan 2021 12:32:25 +0100 +Subject: [PATCH 2/7] add tests + +--- + .../tests/comment.fail.sh | 7 +++++++ + .../tests/correct_reduced_list.pass.sh | 7 +++++++ + .../tests/correct_scrambled.fail.sh | 7 +++++++ + .../tests/correct_value.pass.sh | 7 +++++++ + .../tests/line_not_there.fail.sh | 3 +++ + .../tests/no_parameters.fail.sh | 7 +++++++ + .../tests/wrong_value.fail.sh | 7 +++++++ + 7 files changed, 45 insertions(+) + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh + create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh +new file mode 100644 +index 0000000000..26bf18234c +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^MACs" /etc/ssh/sshd_config; then ++ sed -i "s/^MACs.*/# MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config ++else ++ echo "# ciphers MACs 
hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh +new file mode 100644 +index 0000000000..0d922cdee9 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^MACs" /etc/ssh/sshd_config; then ++ sed -i "s/^MACs.*/MACs hmac-sha2-512/" /etc/ssh/sshd_config ++else ++ echo "MACs hmac-sha2-512" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh +new file mode 100644 +index 0000000000..ce3f459352 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^MACs" /etc/ssh/sshd_config; then ++ sed -i "s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/" /etc/ssh/sshd_config ++else ++ echo "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh +new file mode 100644 +index 0000000000..19da7102a7 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^MACs" /etc/ssh/sshd_config; then ++ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config ++else ++ echo 'MACs hmac-sha2-512,hmac-sha2-256' >> /etc/ssh/sshd_config ++fi +diff --git 
a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh +new file mode 100644 +index 0000000000..fd1f19347a +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh +@@ -0,0 +1,3 @@ ++#!/bin/bash ++ ++sed -i "/^MACs.*/d" /etc/ssh/sshd_config +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh +new file mode 100644 +index 0000000000..44c07c6de0 +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^MACs" /etc/ssh/sshd_config; then ++ sed -i "s/^MACs.*/MACs /" /etc/ssh/sshd_config ++else ++ echo 'MACs ' >> /etc/ssh/sshd_config ++fi +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh +new file mode 100644 +index 0000000000..cf56cd228f +--- /dev/null ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh +@@ -0,0 +1,7 @@ ++#!/bin/bash ++ ++if grep -q "^MACs" /etc/ssh/sshd_config; then ++ sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256,blahblah/" /etc/ssh/sshd_config ++else ++ echo "MACs hmac-sha2-512,hmac-sha2-256,blahblah" >> /etc/ssh/sshd_config ++fi + +From a334b4b434adf92c94b8bd6bb888751782e70ad3 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 19 Jan 2021 12:32:58 +0100 +Subject: [PATCH 3/7] modify rhel7 stig profile + +--- + rhel7/profiles/stig.profile | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git 
a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index 6c06a8ede6..17c781d3eb 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -28,7 +28,6 @@ selections: + - inactivity_timeout_value=15_minutes + - var_screensaver_lock_delay=5_seconds + - sshd_idle_timeout_value=10_minutes +- - sshd_approved_macs=stig + - var_accounts_fail_delay=4 + - var_selinux_state=enforcing + - var_selinux_policy_name=targeted +@@ -259,7 +258,7 @@ selections: + - sshd_print_last_log + - sshd_disable_root_login + - sshd_allow_only_protocol2 +- - sshd_use_approved_macs ++ - sshd_use_approved_macs_ordered_stig + - file_permissions_sshd_pub_key + - file_permissions_sshd_private_key + - sshd_disable_gssapi_auth + +From df71fc735efa8754a73fab5d355d422c6e0ffa53 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Tue, 19 Jan 2021 12:33:10 +0100 +Subject: [PATCH 4/7] remove rhel7 stigid from sshd_use_approved_macs + +--- + .../services/ssh/ssh_server/sshd_use_approved_macs/rule.yml | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +index 394c733f51..d47eb443f5 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +@@ -54,7 +54,6 @@ references: + nist-csf: PR.AC-1,PR.AC-3,PR.DS-5,PR.PT-4 + srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174 + vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000480-VMM-002000,SRG-OS-000396-VMM-001590 +- stigid@rhel7: RHEL-07-040400 + stigid@sle12: SLES-12-030180 + isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.6,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6' + isa-62443-2009: 4.3.3.5.1,4.3.3.6.6 + +From 9c24aaaba67f0123a82335672fd25aacd913caa4 
Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 Jan 2021 11:43:16 +0100 +Subject: [PATCH 5/7] simplify regex + +--- + .../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml +index d7fbd9f0ed..5973488661 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml +@@ -31,7 +31,7 @@ + + + /etc/ssh/sshd_config +- ^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$ ++ ^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$ + 1 + + + +From e3973f4c2988308a2d1a18e67a730a059f791336 Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 Jan 2021 11:55:19 +0100 +Subject: [PATCH 6/7] make bash remediation more readable + +--- + .../sshd_use_approved_macs_ordered_stig/bash/shared.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh +index c76190fb96..f8f6f39bee 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh +@@ -1,6 +1,6 @@ + # platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7 + +-if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then ++if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then + sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' 
/etc/ssh/sshd_config + else + echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config + +From e5c379ac8cbd7bd42b116d3a5473a78406a662fd Mon Sep 17 00:00:00 2001 +From: Vojtech Polasek +Date: Thu, 21 Jan 2021 13:05:18 +0100 +Subject: [PATCH 7/7] one more small fix to oval regex + +--- + .../sshd_use_approved_macs_ordered_stig/oval/shared.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml +index 5973488661..b5443b07c4 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml +@@ -31,7 +31,7 @@ + + + /etc/ssh/sshd_config +- ^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$ ++ ^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$ + 1 + + diff --git a/SOURCES/scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch b/SOURCES/scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch new file mode 100644 index 0000000..63b4d45 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch 
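Review bot: The bash remediation in sshd_use_approved_macs_ordered_stig/bash/shared.sh matches the keyword case-sensitively (`grep -q -P '^\s*MACs\s+'`, `sed -i 's/^\s*MACs.*/…/'`) while the OVAL pattern uses `(?i)MACs`, and sshd itself treats keywords case-insensitively and uses the first value it reads for a keyword. A file that already holds, say, `macs hmac-sha1` is therefore not rewritten; a second `MACs hmac-sha2-512,hmac-sha2-256` line is appended, sshd keeps the weak list, and as far as the visible pattern and instance `1` show the OVAL check passes on the appended line. `grep -q -i -P '^\s*MACs\s+'` and `sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/I'` (GNU sed's case-insensitive flag) close this, and the ansible `regexp` would need a leading `(?i)` for the same reason. Separately, rule.yml reuses `cce@rhel7: CCE-83398-8`, the identifier the ciphers rule in the preceding patch file already claims; the diffstat says a CCE was taken from shared/references/cce-redhat-avail.txt for this rule, so the pasted number looks like a leftover from copying the ciphers rule and should be the freshly allocated one. The else branch of tests/comment.fail.sh also still reads `# ciphers MACs …`, harmless but misleading copy-paste.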
@@ -0,0 +1,30 @@
+From e5399b7bf17d5bdb995851b3d2a27f3ab2e6066a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Mon, 18 Jan 2021 15:21:51 +0100
+Subject: [PATCH] Supress Ansible lint error 503
+
+It says that Tasks that run when changed should likely be handlers.
+However, we don't use handlers, and developer guide says that handlers
+aren't supported. I assume handlers would cause problems for SCAP
+scanners. Unless we start to support handlers this error isn't fixable
+for us therefore we can suppress it globally.
+
+Addressing problems in scap-security-guide-lint-check Jenkins job:
+30/48 Test #260: ansible-playbook-ansible-lint-check-rhel8 .........***Failed 630.77 sec
+all/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+anssi_bp28_enhanced/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+anssi_bp28_high/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+anssi_bp28_intermediary/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+---
+ tests/ansible-lint_config.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/ansible-lint_config.yml b/tests/ansible-lint_config.yml
+index d5107476a9..e4b4443f8c 100644
+--- a/tests/ansible-lint_config.yml
++++ b/tests/ansible-lint_config.yml
+@@ -3,3 +3,4 @@ skip_list:
+ - '301' # Commands should not change things if nothing needs doing
+ - '303' # Using command rather than module
+ - '403' # Package installs should not use latest
++ - '503' # Tasks that run when changed should likely be handlers
diff --git a/SOURCES/scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch b/SOURCES/scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
new file mode 100644
index 0000000..6e545d7
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
@@ -0,0 +1,73 @@ +From 35eb6ba272c4ca0b7bae1c10af182e59e3e52c6a Mon Sep 17 00:00:00 2001 +From: Gabriel Becker +Date: Fri, 15 Jan 2021 16:28:07 +0100 +Subject: [PATCH] RHEL-07-040710 now configures X11Forwarding to disable. + +--- + .../sshd_disable_x11_forwarding/rule.yml | 19 ++++++++++--------- + .../sshd_enable_x11_forwarding/rule.yml | 1 - + rhel7/profiles/stig.profile | 2 +- + 3 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +index 1779129f87..7da2e067a6 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +@@ -19,22 +19,23 @@ rationale: |- + other users on the X11 server. Note that even if X11 forwarding is disabled, + users can always install their own forwarders. + +-severity: low ++severity: medium + +-ocil_clause: "that the X11Forwarding option exists and is enabled" +- +-ocil: |- +- {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}} ++{{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}} + + identifiers: + cce@rhel7: CCE-83359-0 + cce@rhel8: CCE-83360-8 + + references: +- cis@rhel7: 5.2.4 +- cis@rhel8: 5.2.6 +- cis@sle12: 5.2.4 +- cis@sle15: 5.2.6 ++ cis@rhel7: 5.2.4 ++ cis@rhel8: 5.2.6 ++ cis@sle12: 5.2.4 ++ cis@sle15: 5.2.6 ++ stigid@rhel7: RHEL-07-040710 ++ srg: SRG-OS-000480-GPOS-00227 ++ disa: CCI-000366 ++ nist: CM-6(b) + + template: + name: sshd_lineinfile +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml +index 803e581a0f..87c3cb7f5a 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml ++++ 
b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml +@@ -29,7 +29,6 @@ references: + nist: CM-6(a),AC-17(a),AC-17(2) + nist-csf: DE.AE-1,PR.DS-7,PR.IP-1 + srg: SRG-OS-000480-GPOS-00227 +- stigid@rhel7: RHEL-07-040710 + stigid@sle12: SLES-12-030260 + isa-62443-2013: 'SR 7.6' + isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3 +diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile +index 817e0982e5..6c06a8ede6 100644 +--- a/rhel7/profiles/stig.profile ++++ b/rhel7/profiles/stig.profile +@@ -285,7 +285,7 @@ selections: + - postfix_prevent_unrestricted_relay + - package_vsftpd_removed + - package_tftp-server_removed +- - sshd_enable_x11_forwarding ++ - sshd_disable_x11_forwarding + - sshd_x11_use_localhost + - tftpd_uses_secure_mode + - package_xorg-x11-server-common_removed diff --git a/SOURCES/scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch b/SOURCES/scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch new file mode 100644 index 0000000..9903603 --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch 
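Review bot: In `sshd_disable_x11_forwarding/rule.yml` the OCIL macro argument flips from `default="no"` (removed `ocil_sshd_option` line) to `default="yes"` in the added `complete_ocil_entry_sshd_option(...)` call, which changes what the manual check tells an assessor to conclude when the `X11Forwarding` directive is absent from `sshd_config`. Whether the automated check treats a missing directive as a pass is decided by the `sshd_lineinfile` template vars, which sit below the hunk and are not visible here; the two must agree, otherwise the OVAL result and the OCIL answer diverge on a host that simply omits the directive. The "yes" default presumably reflects the vendor-shipped `sshd_config` rather than the OpenSSH compiled-in default — worth confirming, and worth stating in the `rationale` text so the next editor does not "correct" it back. The rule definition continues outside the hunk.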
@@ -0,0 +1,688 @@ +From e3dd773f905114c1d16ac3283611218a685f1722 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Feb 2021 09:17:15 +0100 +Subject: [PATCH 1/5] Remove extends key from ANSSI intermediary profile + +This is not necessary as the ANSSI controls file handles this. +--- + rhel8/profiles/anssi_bp28_intermediary.profile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile +index 64a9b542a0..4d0029af1d 100644 +--- a/rhel8/profiles/anssi_bp28_intermediary.profile ++++ b/rhel8/profiles/anssi_bp28_intermediary.profile +@@ -7,7 +7,6 @@ description: + Agence nationale de la sécurité des systèmes d''information. Based on + https://www.ssi.gouv.fr/. + +-extends: anssi_bp28_minimal + + selections: + - anssi:all:intermediary + +From 48845dbde69e69a043fc90622f21dc73d6a72018 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Feb 2021 09:21:47 +0100 +Subject: [PATCH 2/5] Update title and descriptions of ANSSI profiles + +--- + controls/anssi.yml | 2 +- + rhel7/profiles/anssi_nt28_enhanced.profile | 12 +++++++++--- + rhel7/profiles/anssi_nt28_high.profile | 12 +++++++++--- + rhel7/profiles/anssi_nt28_intermediary.profile | 14 ++++++++++---- + rhel7/profiles/anssi_nt28_minimal.profile | 14 ++++++++++---- + rhel8/profiles/anssi_bp28_enhanced.profile | 12 ++++++++---- + rhel8/profiles/anssi_bp28_high.profile | 14 +++++++++----- + rhel8/profiles/anssi_bp28_intermediary.profile | 11 +++++++---- + rhel8/profiles/anssi_bp28_minimal.profile | 12 ++++++++---- + 9 files changed, 71 insertions(+), 32 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index 2173d23f9d..54c05245b7 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -1,5 +1,5 @@ + policy: 'ANSSI-BP-028' +-title: 'ANSSI-BP-028' ++title: 'Configuration Recommendations of a GNU/Linux System' + id: anssi + version: '1.2' + source: 
https://www.ssi.gouv.fr/uploads/2019/03/linux_configuration-en-v1.2.pdf +diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile +index 5893d12dbd..49fa8593fe 100644 +--- a/rhel7/profiles/anssi_nt28_enhanced.profile ++++ b/rhel7/profiles/anssi_nt28_enhanced.profile +@@ -1,9 +1,15 @@ + documentation_complete: true + +-title: 'DRAFT - ANSSI DAT-BP28 (enhanced)' ++title: 'ANSSI BP-028 (enhanced)' + +-description: 'Draft profile for ANSSI compliance at the enhanced level. ANSSI stands for Agence nationale de la sécurité des +- systèmes d''information. Based on https://www.ssi.gouv.fr/.' ++description: |- ++ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level. ++ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ++ A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: + - anssi:all:enhanced +diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile +index 52ae1dd6d2..2853f20607 100644 +--- a/rhel7/profiles/anssi_nt28_high.profile ++++ b/rhel7/profiles/anssi_nt28_high.profile +@@ -1,9 +1,15 @@ + documentation_complete: true + +-title: 'DRAFT - ANSSI DAT-BP28 (high)' ++title: 'DRAFT - ANSSI BP-028 (high)' + +-description: 'Draft profile for ANSSI compliance at the high level. ANSSI stands for Agence nationale de la sécurité des systèmes +- d''information. Based on https://www.ssi.gouv.fr/.' ++description: |- ++ This profile contains configurations that align to ANSSI BP-28 at the high hardening level. ++ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. 
++ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ++ A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: + - anssi:all:high +diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile +index e18225247b..55f985a7a9 100644 +--- a/rhel7/profiles/anssi_nt28_intermediary.profile ++++ b/rhel7/profiles/anssi_nt28_intermediary.profile +@@ -1,10 +1,16 @@ + # Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true + documentation_complete: true + +-title: 'DRAFT - ANSSI DAT-BP28 (intermediary)' ++title: 'ANSSI BP-028 (intermediary)' + +-description: 'Draft profile for ANSSI compliance at the intermediary level. ANSSI stands for Agence nationale de la sécurité +- des systèmes d''information. Based on https://www.ssi.gouv.fr/.' ++description: |- ++ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level. ++ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ++ A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: +- - anssi:all:intermediary ++ - anssi:all:intermediary +diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile +index 214f37d14b..7786a26b45 100644 +--- a/rhel7/profiles/anssi_nt28_minimal.profile ++++ b/rhel7/profiles/anssi_nt28_minimal.profile +@@ -1,9 +1,15 @@ + documentation_complete: true + +-title: 'DRAFT - ANSSI DAT-BP28 (minimal)' ++title: 'ANSSI BP-028 (minimal)' + +-description: 'Draft profile for ANSSI compliance at the minimal level. 
ANSSI stands for Agence nationale de la sécurité des +- systèmes d''information. Based on https://www.ssi.gouv.fr/.' ++description: |- ++ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level. ++ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ++ A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: +- - anssi:all:minimal ++ - anssi:all:minimal +diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile +index 4c39852b65..49fa8593fe 100644 +--- a/rhel8/profiles/anssi_bp28_enhanced.profile ++++ b/rhel8/profiles/anssi_bp28_enhanced.profile +@@ -2,10 +2,14 @@ documentation_complete: true + + title: 'ANSSI BP-028 (enhanced)' + +-description: +- ANSSI BP-028 compliance at the enhanced level. ANSSI stands for +- Agence nationale de la sécurité des systèmes d'information. Based on +- https://www.ssi.gouv.fr/. ++description: |- ++ This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level. ++ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. 
++ ++ A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: + - anssi:all:enhanced +diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile +index 6b0489e0f1..2853f20607 100644 +--- a/rhel8/profiles/anssi_bp28_high.profile ++++ b/rhel8/profiles/anssi_bp28_high.profile +@@ -1,11 +1,15 @@ + documentation_complete: false + +-title: 'ANSSI BP-028 (high)' ++title: 'DRAFT - ANSSI BP-028 (high)' + +-description: +- ANSSI BP-028 compliance at the high level. ANSSI stands for +- Agence nationale de la sécurité des systèmes d'information. Based on +- https://www.ssi.gouv.fr/. ++description: |- ++ This profile contains configurations that align to ANSSI BP-28 at the high hardening level. ++ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ++ A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: + - anssi:all:high +diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile +index 4d0029af1d..50ab1ba0b8 100644 +--- a/rhel8/profiles/anssi_bp28_intermediary.profile ++++ b/rhel8/profiles/anssi_bp28_intermediary.profile +@@ -2,11 +2,14 @@ documentation_complete: true + + title: 'ANSSI BP-028 (intermediary)' + +-description: +- ANSSI BP-028 compliance at the intermediary level. ANSSI stands for +- Agence nationale de la sécurité des systèmes d''information. Based on +- https://www.ssi.gouv.fr/. ++description: |- ++ This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level. 
+ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ++ A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: + - anssi:all:intermediary +diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile +index d8f076c3e7..d477d34787 100644 +--- a/rhel8/profiles/anssi_bp28_minimal.profile ++++ b/rhel8/profiles/anssi_bp28_minimal.profile +@@ -2,10 +2,14 @@ documentation_complete: true + + title: 'ANSSI BP-028 (minimal)' + +-description: +- ANSSI BP-028 compliance at the minimal level. ANSSI stands for +- Agence nationale de la sécurité des systèmes d'information. Based on +- https://www.ssi.gouv.fr/. ++description: |- ++ This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level. ++ ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. 
++ ++ A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: + - anssi:all:minimal + +From 5ea9fe70c78df6c4278aec71b9ab000a9884cea7 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 3 Feb 2021 12:23:14 +0100 +Subject: [PATCH 3/5] Add missing hyphen in ANSSI profiles descriptions + +--- + rhel7/profiles/anssi_nt28_enhanced.profile | 8 ++++---- + rhel7/profiles/anssi_nt28_high.profile | 8 ++++---- + rhel7/profiles/anssi_nt28_intermediary.profile | 8 ++++---- + rhel7/profiles/anssi_nt28_minimal.profile | 8 ++++---- + rhel8/profiles/anssi_bp28_enhanced.profile | 8 ++++---- + rhel8/profiles/anssi_bp28_high.profile | 8 ++++---- + rhel8/profiles/anssi_bp28_intermediary.profile | 8 ++++---- + rhel8/profiles/anssi_bp28_minimal.profile | 8 ++++---- + 8 files changed, 32 insertions(+), 32 deletions(-) + +diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile +index 49fa8593fe..411f0c03aa 100644 +--- a/rhel7/profiles/anssi_nt28_enhanced.profile ++++ b/rhel7/profiles/anssi_nt28_enhanced.profile +@@ -1,14 +1,14 @@ + documentation_complete: true + +-title: 'ANSSI BP-028 (enhanced)' ++title: 'ANSSI-BP-028 (enhanced)' + + description: |- +- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level. ++ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. +- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
+ +- A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: +diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile +index 2853f20607..d9147b2dd0 100644 +--- a/rhel7/profiles/anssi_nt28_high.profile ++++ b/rhel7/profiles/anssi_nt28_high.profile +@@ -1,14 +1,14 @@ + documentation_complete: true + +-title: 'DRAFT - ANSSI BP-028 (high)' ++title: 'DRAFT - ANSSI-BP-028 (high)' + + description: |- +- This profile contains configurations that align to ANSSI BP-28 at the high hardening level. ++ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. +- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + +- A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: +diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile +index 55f985a7a9..6e39a978e5 100644 +--- a/rhel7/profiles/anssi_nt28_intermediary.profile ++++ b/rhel7/profiles/anssi_nt28_intermediary.profile +@@ -1,15 +1,15 @@ + # Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true + documentation_complete: true + +-title: 'ANSSI BP-028 (intermediary)' ++title: 'ANSSI-BP-028 (intermediary)' + + description: |- +- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level. 
++ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. +- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + +- A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: +diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile +index 7786a26b45..f0a77bccd7 100644 +--- a/rhel7/profiles/anssi_nt28_minimal.profile ++++ b/rhel7/profiles/anssi_nt28_minimal.profile +@@ -1,14 +1,14 @@ + documentation_complete: true + +-title: 'ANSSI BP-028 (minimal)' ++title: 'ANSSI-BP-028 (minimal)' + + description: |- +- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level. ++ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. +- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
+ +- A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: +diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile +index 49fa8593fe..411f0c03aa 100644 +--- a/rhel8/profiles/anssi_bp28_enhanced.profile ++++ b/rhel8/profiles/anssi_bp28_enhanced.profile +@@ -1,14 +1,14 @@ + documentation_complete: true + +-title: 'ANSSI BP-028 (enhanced)' ++title: 'ANSSI-BP-028 (enhanced)' + + description: |- +- This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level. ++ This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. +- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + +- A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: +diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile +index 2853f20607..d9147b2dd0 100644 +--- a/rhel8/profiles/anssi_bp28_high.profile ++++ b/rhel8/profiles/anssi_bp28_high.profile +@@ -1,14 +1,14 @@ + documentation_complete: false + +-title: 'DRAFT - ANSSI BP-028 (high)' ++title: 'DRAFT - ANSSI-BP-028 (high)' + + description: |- +- This profile contains configurations that align to ANSSI BP-28 at the high hardening level. ++ This profile contains configurations that align to ANSSI-BP-28 at the high hardening level. 
+ + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. +- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + +- A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: +diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile +index 50ab1ba0b8..6dcd2b8ef2 100644 +--- a/rhel8/profiles/anssi_bp28_intermediary.profile ++++ b/rhel8/profiles/anssi_bp28_intermediary.profile +@@ -1,14 +1,14 @@ + documentation_complete: true + +-title: 'ANSSI BP-028 (intermediary)' ++title: 'ANSSI-BP-028 (intermediary)' + + description: |- +- This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level. ++ This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. +- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
+ +- A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: +diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile +index d477d34787..54e8cbd5a6 100644 +--- a/rhel8/profiles/anssi_bp28_minimal.profile ++++ b/rhel8/profiles/anssi_bp28_minimal.profile +@@ -1,14 +1,14 @@ + documentation_complete: true + +-title: 'ANSSI BP-028 (minimal)' ++title: 'ANSSI-BP-028 (minimal)' + + description: |- +- This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level. ++ This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. +- ANSSI BP-028 is a configuration recommendation for GNU/Linux systems. ++ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
+ +- A copy of the ANSSI BP-028 can be found at the ANSSI website: ++ A copy of the ANSSI-BP-028 can be found at the ANSSI website: + https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ + + selections: + +From c111061d6f1b9c134cc4cff1b712c44f271bcf42 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 Feb 2021 11:11:57 +0100 +Subject: [PATCH 4/5] Fix ANSSI document number for consistency + +--- + rhel7/profiles/anssi_nt28_enhanced.profile | 2 +- + rhel7/profiles/anssi_nt28_high.profile | 2 +- + rhel7/profiles/anssi_nt28_intermediary.profile | 2 +- + rhel7/profiles/anssi_nt28_minimal.profile | 2 +- + rhel8/profiles/anssi_bp28_enhanced.profile | 2 +- + rhel8/profiles/anssi_bp28_high.profile | 2 +- + rhel8/profiles/anssi_bp28_intermediary.profile | 2 +- + rhel8/profiles/anssi_bp28_minimal.profile | 2 +- + 8 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile +index 411f0c03aa..846ace9002 100644 +--- a/rhel7/profiles/anssi_nt28_enhanced.profile ++++ b/rhel7/profiles/anssi_nt28_enhanced.profile +@@ -3,7 +3,7 @@ documentation_complete: true + title: 'ANSSI-BP-028 (enhanced)' + + description: |- +- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level. ++ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
+diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile +index d9147b2dd0..e4db830291 100644 +--- a/rhel7/profiles/anssi_nt28_high.profile ++++ b/rhel7/profiles/anssi_nt28_high.profile +@@ -3,7 +3,7 @@ documentation_complete: true + title: 'DRAFT - ANSSI-BP-028 (high)' + + description: |- +- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level. ++ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. +diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile +index 6e39a978e5..4454976862 100644 +--- a/rhel7/profiles/anssi_nt28_intermediary.profile ++++ b/rhel7/profiles/anssi_nt28_intermediary.profile +@@ -4,7 +4,7 @@ documentation_complete: true + title: 'ANSSI-BP-028 (intermediary)' + + description: |- +- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level. ++ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. +diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile +index f0a77bccd7..cc2cbd8359 100644 +--- a/rhel7/profiles/anssi_nt28_minimal.profile ++++ b/rhel7/profiles/anssi_nt28_minimal.profile +@@ -3,7 +3,7 @@ documentation_complete: true + title: 'ANSSI-BP-028 (minimal)' + + description: |- +- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level. 
++ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. +diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile +index 411f0c03aa..846ace9002 100644 +--- a/rhel8/profiles/anssi_bp28_enhanced.profile ++++ b/rhel8/profiles/anssi_bp28_enhanced.profile +@@ -3,7 +3,7 @@ documentation_complete: true + title: 'ANSSI-BP-028 (enhanced)' + + description: |- +- This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level. ++ This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. +diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile +index d9147b2dd0..e4db830291 100644 +--- a/rhel8/profiles/anssi_bp28_high.profile ++++ b/rhel8/profiles/anssi_bp28_high.profile +@@ -3,7 +3,7 @@ documentation_complete: false + title: 'DRAFT - ANSSI-BP-028 (high)' + + description: |- +- This profile contains configurations that align to ANSSI-BP-28 at the high hardening level. ++ This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
+diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile +index 6dcd2b8ef2..a9e0442257 100644 +--- a/rhel8/profiles/anssi_bp28_intermediary.profile ++++ b/rhel8/profiles/anssi_bp28_intermediary.profile +@@ -3,7 +3,7 @@ documentation_complete: true + title: 'ANSSI-BP-028 (intermediary)' + + description: |- +- This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level. ++ This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. +diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile +index 54e8cbd5a6..090b571bb6 100644 +--- a/rhel8/profiles/anssi_bp28_minimal.profile ++++ b/rhel8/profiles/anssi_bp28_minimal.profile +@@ -3,7 +3,7 @@ documentation_complete: true + title: 'ANSSI-BP-028 (minimal)' + + description: |- +- This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level. ++ This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level. + + ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + +From c4b11df5dabe389129f3cbc8a5bd9444fce09850 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Fri, 5 Feb 2021 16:05:07 +0100 +Subject: [PATCH 5/5] Fix single quote in ANSSI name + +Previously the description was enclosed in single quotes, requiring a +single quote to be escaped. +Now the description is not enclosed in single quotes and there is no +need to escape it. 
+--- + rhel7/profiles/anssi_nt28_enhanced.profile | 2 +- + rhel7/profiles/anssi_nt28_high.profile | 2 +- + rhel7/profiles/anssi_nt28_intermediary.profile | 2 +- + rhel7/profiles/anssi_nt28_minimal.profile | 2 +- + rhel8/profiles/anssi_bp28_enhanced.profile | 2 +- + rhel8/profiles/anssi_bp28_high.profile | 2 +- + rhel8/profiles/anssi_bp28_intermediary.profile | 2 +- + rhel8/profiles/anssi_bp28_minimal.profile | 2 +- + 8 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile +index 846ace9002..bbc11353f3 100644 +--- a/rhel7/profiles/anssi_nt28_enhanced.profile ++++ b/rhel7/profiles/anssi_nt28_enhanced.profile +@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)' + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level. + +- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: +diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile +index e4db830291..22efad9c09 100644 +--- a/rhel7/profiles/anssi_nt28_high.profile ++++ b/rhel7/profiles/anssi_nt28_high.profile +@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)' + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. + +- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. 
+ ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: +diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile +index 4454976862..0c43ab8d73 100644 +--- a/rhel7/profiles/anssi_nt28_intermediary.profile ++++ b/rhel7/profiles/anssi_nt28_intermediary.profile +@@ -6,7 +6,7 @@ title: 'ANSSI-BP-028 (intermediary)' + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level. + +- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: +diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile +index cc2cbd8359..480333747c 100644 +--- a/rhel7/profiles/anssi_nt28_minimal.profile ++++ b/rhel7/profiles/anssi_nt28_minimal.profile +@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)' + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level. + +- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
+ + A copy of the ANSSI-BP-028 can be found at the ANSSI website: +diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile +index 846ace9002..bbc11353f3 100644 +--- a/rhel8/profiles/anssi_bp28_enhanced.profile ++++ b/rhel8/profiles/anssi_bp28_enhanced.profile +@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)' + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level. + +- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: +diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile +index e4db830291..22efad9c09 100644 +--- a/rhel8/profiles/anssi_bp28_high.profile ++++ b/rhel8/profiles/anssi_bp28_high.profile +@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)' + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the high hardening level. + +- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. 
+ + A copy of the ANSSI-BP-028 can be found at the ANSSI website: +diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile +index a9e0442257..a592031673 100644 +--- a/rhel8/profiles/anssi_bp28_intermediary.profile ++++ b/rhel8/profiles/anssi_bp28_intermediary.profile +@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (intermediary)' + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level. + +- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: +diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile +index 090b571bb6..cef8394114 100644 +--- a/rhel8/profiles/anssi_bp28_minimal.profile ++++ b/rhel8/profiles/anssi_bp28_minimal.profile +@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)' + description: |- + This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level. + +- ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information. ++ ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information. + ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems. + + A copy of the ANSSI-BP-028 can be found at the ANSSI website: diff --git a/SOURCES/scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch b/SOURCES/scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch new file mode 100644 index 0000000..d3eb75f --- /dev/null 
+++ b/SOURCES/scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch 
@@ -0,0 +1,89 @@ +From ce6a307518c55b333897f5c130f5372dee9eeae8 Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Mon, 18 Jan 2021 11:18:43 +0100 +Subject: [PATCH] Update metadata for a few miminal and intermediary + requirements + +--- + controls/anssi.yml | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/controls/anssi.yml b/controls/anssi.yml +index dec9d68c99..9288ac1663 100644 +--- a/controls/anssi.yml ++++ b/controls/anssi.yml +@@ -506,7 +506,10 @@ controls: + - id: R27 + title: Disabling service accounts + level: intermediary +- # rules: TBD ++ notes: >- ++ It is difficult to generally identify the system's service accounts. ++ Assisting rules could list users which are not disabled for manual review. ++ automated: no + + - id: R28 + level: enhanced +@@ -530,7 +533,10 @@ controls: + - id: R30 + level: minimal + title: Applications using PAM +- # rules: TBD ++ notes: >- ++ Manual review is necessary to decide if the list of applications using PAM is minimal. ++ Asssising rules could be created to list all applications using PAM for manual review. ++ automated: no + + - id: R31 + title: Securing PAM Authentication Network Services +@@ -580,6 +586,7 @@ controls: + - id: R36 + title: Rights to access sensitive content files + level: intermediary ++ automated: yes + rules: + - file_owner_etc_shadow + - file_permissions_etc_shadow +@@ -637,7 +644,10 @@ controls: + - id: R42 + level: minimal + title: In memory services and daemons +- # rules: TBD ++ notes: >- ++ Manual review is necessary to decide if the list of resident daemons is minimal. ++ Asssising rules could be created to list sevices listening on the network for manual review. 
++ automated: no + + - id: R43 + title: Hardening and configuring the syslog +@@ -709,6 +719,7 @@ controls: + - id: R48 + level: intermediary + title: Configuring the local messaging service ++ automated: yes + rules: + - postfix_network_listening_disabled + +@@ -825,6 +836,7 @@ controls: + level: intermediary + title: Privileges of target sudo users + description: The targeted users of a rule should be, as much as possible, non privileged users. ++ automated: yes + rules: + - sudoers_no_root_target + +@@ -840,12 +852,14 @@ controls: + level: intermediary + title: Good use of negation in a sudoers file + description: The sudoers configuration rules should not involve negation. ++ automated: yes + rules: + - sudoers_no_command_negation + + - id: R63 + level: intermediary + title: Explicit arguments in sudo specifications ++ automated: yes + rules: + - sudoers_explicit_command_args + diff --git a/SOURCES/scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch b/SOURCES/scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch new file mode 100644 index 0000000..7ca1ead --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch 
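Review bot: The new `notes` blocks for R30 and R42 carry spelling errors that will be carried into the generated control documentation: `Asssising rules could be created` should read `Assisting rules could be created` (R27's note already uses that spelling), and `list sevices listening on the network` should read `list services listening on the network`. The patch subject `Update metadata for a few miminal and intermediary requirements` has the same kind of typo (`minimal`). The `automated: no` / `automated: yes` markers themselves look consistent with whether each control lists `rules`.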
@@ -0,0 +1,352 @@ +From cbede36c7a4e35cb882c35892cff72f9f190cbf9 Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Mon, 8 Feb 2021 15:57:43 +0100 +Subject: [PATCH 1/5] Add nodev,nosuid,noexec options to /boot in ANSSI + kickstart + +--- + rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg | 2 +- + rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg | 2 +- + rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 2 +- + rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg | 2 +- + rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 2 +- + rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 2 +- + 6 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg +index 1d35bedb91..c381512476 100644 +--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg ++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg +@@ -99,7 +99,7 @@ zerombr + clearpart --linux --initlabel + + # Create primary system partitions (required for installs) +-part /boot --fstype=xfs --size=512 ++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" + part pv.01 --grow --size=1 + + # Create a Logical Volume Management (LVM) group (optional) +diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg +index 73225c2fab..a672b38b83 100644 +--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg ++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg +@@ -103,7 +103,7 @@ zerombr + clearpart --linux --initlabel + + # Create primary system partitions (required for installs) +-part /boot --fstype=xfs --size=512 ++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" + part pv.01 --grow --size=1 + + # Create a Logical Volume Management (LVM) group (optional) +diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg +index 
20c4c59a78..88a7cee8ab 100644 +--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg ++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg +@@ -99,7 +99,7 @@ zerombr + clearpart --linux --initlabel + + # Create primary system partitions (required for installs) +-part /boot --fstype=xfs --size=512 ++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" + part pv.01 --grow --size=1 + + # Create a Logical Volume Management (LVM) group (optional) +diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg +index 728946ecb7..6f66a3774b 100644 +--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg +@@ -90,7 +90,7 @@ zerombr + clearpart --linux --initlabel + + # Create primary system partitions (required for installs) +-part /boot --fstype=xfs --size=512 ++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" + part pv.01 --grow --size=1 + + # Create a Logical Volume Management (LVM) group (optional) +diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg +index cd0eff2625..b5c09253a5 100644 +--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg +@@ -94,7 +94,7 @@ zerombr + clearpart --linux --initlabel + + # Create primary system partitions (required for installs) +-part /boot --fstype=xfs --size=512 ++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" + part pv.01 --grow --size=1 + + # Create a Logical Volume Management (LVM) group (optional) +diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg +index 3a241b06f4..fb785e0c11 100644 +--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg ++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg +@@ -90,7 +90,7 @@ zerombr + 
clearpart --linux --initlabel + + # Create primary system partitions (required for installs) +-part /boot --fstype=xfs --size=512 ++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec" + part pv.01 --grow --size=1 + + # Create a Logical Volume Management (LVM) group (optional) + +From 15be64cc2d6c21b0351bb8d3d1b55b1924be99ca Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Tue, 9 Feb 2021 12:45:34 +0100 +Subject: [PATCH 2/5] Add mount_option_nodev_nonroot_local_partitions bash + remediation + +--- + .../bash/shared.sh | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh +new file mode 100644 +index 0000000000..7e2b3bd76b +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh +@@ -0,0 +1,18 @@ ++# platform = multi_platform_all ++. 
/usr/share/scap-security-guide/remediation_functions ++ ++include_mount_options_functions ++ ++MOUNT_OPTION="nodev" ++# Create array of local non-root partitions ++readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep "\s/dev/\w") ++ ++for partition_record in "${partitions_records[@]}"; do ++ # Get all important information for fstab ++ mount_point="$(echo ${partition_record} | cut -d " " -f1)" ++ device="$(echo ${partition_record} | cut -d " " -f2)" ++ device_type="$(echo ${partition_record} | cut -d " " -f3)" ++ # device and device_type will be used only in case when the device doesn't have fstab record ++ ensure_mount_option_in_fstab "$mount_point" "$MOUNT_OPTION" "$device" "$device_type" ++ ensure_partition_is_mounted "$mount_point" ++done + +From 36958b72896a69cb580f00a986673c8ae99cb011 Mon Sep 17 00:00:00 2001 +From: Milan Lysonek +Date: Tue, 9 Feb 2021 12:45:54 +0100 +Subject: [PATCH 3/5] Add mount_option_nodev_nonroot_local_partitions test + scenarios + +--- + .../tests/correct.pass.sh | 23 +++++++++++++++++ + .../local_mounted_during_runtime.fail.sh | 19 ++++++++++++++ + .../tests/missing_multiple_nodev.fail.sh | 23 +++++++++++++++++ + .../tests/missing_one_nodev.fail.sh | 23 +++++++++++++++++ + .../tests/remote_without_nodev.pass.sh | 25 +++++++++++++++++++ + 5 files changed, 113 insertions(+) + create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh + create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh + create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh + create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh + create mode 100644 
linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh +new file mode 100644 +index 0000000000..8bfac4b80f +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh +@@ -0,0 +1,23 @@ ++#!/bin/bash ++ ++. $SHARED/partition.sh ++ ++# Add nodev option to all records in fstab to ensure that test will ++# run on environment where everything is set correctly for rule check. ++cp /etc/fstab /etc/fstab.backup ++sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup ++awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab ++# Remount all partitions. (--all option can't be used because it doesn't ++# mount e.g. 
/boot partition ++declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") ) ++for partition in ${partitions[@]}; do ++ mount -o remount "$partition" ++done ++ ++PARTITION="/dev/new_partition1"; create_partition ++make_fstab_given_partition_line "/tmp/partition1" ext2 nodev ++mount_partition "/tmp/partition1" ++ ++PARTITION="/dev/new_partition2"; create_partition ++make_fstab_given_partition_line "/tmp/partition2" ext2 nodev ++mount_partition "/tmp/partition2" +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh +new file mode 100644 +index 0000000000..84cadd6f73 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh +@@ -0,0 +1,19 @@ ++#!/bin/bash ++ ++. $SHARED/partition.sh ++ ++# Add nodev option to all records in fstab to ensure that test will ++# run on environment where everything is set correctly for rule check. ++cp /etc/fstab /etc/fstab.backup ++sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup ++awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab ++# Remount all partitions. (--all option can't be used because it doesn't ++# mount e.g. 
/boot partition ++declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") ) ++for partition in ${partitions[@]}; do ++ mount -o remount "$partition" ++done ++ ++PARTITION="/dev/new_partition1"; create_partition ++mkdir /tmp/test_dir ++mount $PARTITION /tmp/test_dir +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh +new file mode 100644 +index 0000000000..7a09093f46 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh +@@ -0,0 +1,23 @@ ++#!/bin/bash ++ ++. $SHARED/partition.sh ++ ++# Add nodev option to all records in fstab to ensure that test will ++# run on environment where everything is set correctly for rule check. ++cp /etc/fstab /etc/fstab.backup ++sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup ++awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab ++# Remount all partitions. (--all option can't be used because it doesn't ++# mount e.g. 
/boot partition ++declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") ) ++for partition in ${partitions[@]}; do ++ mount -o remount "$partition" ++done ++ ++PARTITION="/dev/new_partition1"; create_partition ++make_fstab_given_partition_line "/tmp/partition1" ext2 ++mount_partition "/tmp/partition1" ++ ++PARTITION="/dev/new_partition2"; create_partition ++make_fstab_given_partition_line "/tmp/partition2" ext2 ++mount_partition "/tmp/partition2" +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh +new file mode 100644 +index 0000000000..c20a98bdcc +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh +@@ -0,0 +1,23 @@ ++#!/bin/bash ++ ++. $SHARED/partition.sh ++ ++# Add nodev option to all records in fstab to ensure that test will ++# run on environment where everything is set correctly for rule check. ++cp /etc/fstab /etc/fstab.backup ++sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup ++awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab ++# Remount all partitions. (--all option can't be used because it doesn't ++# mount e.g. 
/boot partition ++declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") ) ++for partition in ${partitions[@]}; do ++ mount -o remount "$partition" ++done ++ ++PARTITION="/dev/new_partition1"; create_partition ++make_fstab_given_partition_line "/tmp/partition1" ext2 nodev ++mount_partition "/tmp/partition1" ++ ++PARTITION="/dev/new_partition2"; create_partition ++make_fstab_given_partition_line "/tmp/partition2" ext2 ++mount_partition "/tmp/partition2" +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh +new file mode 100644 +index 0000000000..a95410526f +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh +@@ -0,0 +1,25 @@ ++#!/bin/bash ++# packages = nfs-utils ++ ++. $SHARED/partition.sh ++ ++# Add nodev option to all records in fstab to ensure that test will ++# run on environment where everything is set correctly for rule check. ++cp /etc/fstab /etc/fstab.backup ++sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup ++awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab ++# Remount all partitions. (--all option can't be used because it doesn't ++# mount e.g. 
/boot partition ++declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") ) ++for partition in ${partitions[@]}; do ++ mount -o remount "$partition" ++done ++ ++mkdir /tmp/testdir ++mkdir /tmp/testmount ++chown 2 /tmp/testdir ++chmod 777 /tmp/testdir ++ ++echo '/tmp/testdir localhost(rw)' > /etc/exports ++systemctl restart nfs-server ++mount.nfs localhost:/tmp/testdir /tmp/testmount + +From b7bec83d7a3ad186413777f70fe2b5d20e01e56b Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Feb 2021 18:32:26 +0100 +Subject: [PATCH 4/5] Add Ansible for + mount_option_nodev_nonroot_local_partitions + +The remediation metadata were inspired by the template mount_options +--- + .../ansible/shared.yml | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml +new file mode 100644 +index 0000000000..8530604308 +--- /dev/null ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml +@@ -0,0 +1,18 @@ ++# platform = multi_platform_all ++# reboot = false ++# strategy = configure ++# complexity = low ++# disruption = high ++ ++- name: Ensure non-root local partitions are mounted with nodev option ++ mount: ++ path: "{{ item.mount }}" ++ src: "{{ item.device}}" ++ opts: "{{ item.options }},nodev" ++ state: "mounted" ++ fstype: "{{ item.fstype }}" ++ when: ++ - "item.mount is match('/\\w')" ++ - "item.options is not search('nodev')" ++ with_items: ++ - "{{ ansible_facts.mounts }}" + +From dab22894ca0798dde27c77704a7fd34d62d77f8f Mon Sep 17 00:00:00 2001 +From: Watson Sato +Date: Wed, 10 Feb 2021 20:29:32 +0100 +Subject: [PATCH 5/5] Add space before and 
after variable + +--- + .../ansible/shared.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml +index 8530604308..2aa9a53e4d 100644 +--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml ++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml +@@ -7,7 +7,7 @@ + - name: Ensure non-root local partitions are mounted with nodev option + mount: + path: "{{ item.mount }}" +- src: "{{ item.device}}" ++ src: "{{ item.device }}" + opts: "{{ item.options }},nodev" + state: "mounted" + fstype: "{{ item.fstype }}" diff --git a/SOURCES/scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch b/SOURCES/scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch new file mode 100644 index 0000000..37d24fd --- /dev/null +++ b/SOURCES/scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch 
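Review bot: The Ansible remediation added in PATCH 4/5 applies `nodev` to every `ansible_facts.mounts` entry whose `item.mount` matches `/\w`, with no condition on the device, whereas the Bash remediation in PATCH 2/5 only selects `findmnt` records whose source matches `\s/dev/\w`, and the `remote_without_nodev.pass.sh` scenario treats an NFS mount without `nodev` as compliant. The two remediations therefore disagree on scope, and the Ansible variant would rewrite fstab for remote mounts (and, depending on what the facts module reports, possibly pseudo filesystems) that the check itself leaves alone. Adding a device condition next to the existing two, `- "item.device is match('/dev/\\w')"`, brings it in line with the Bash logic and the tests. Separately, the `sed -e 's/\bnodev\b/,/g' ... /etc/fstab.backup` line repeated in each test scenario writes to stdout only and is immediately superseded by the `awk` rewrite of `/etc/fstab`, so it appears to have no effect and should either be dropped or redirected into the file the `awk` step consumes.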
@@ -0,0 +1,1711 @@ +From a050df59825379e7793b5f31c40fc1936585a4a6 Mon Sep 17 00:00:00 2001 +From: Guang Yee +Date: Wed, 3 Feb 2021 16:17:14 -0800 +Subject: [PATCH] Enable checks and remediations for the following SLES-12 + STIGs: + + - SLES-12-010890 'file_permissions_var_log_messages' + - SLES-12-010910 'pam_disable_automatic_configuration' + - SLES-12-020020 'auditd_audispd_configure_sufficiently_large_partition' + - SLES-12-020100 'auditd_audispd_network_failure_action' + - SLES-12-020110 'auditd_audispd_disk_full_action' + - SLES-12-020120 'permissions_local_var_log_audit' + - SLES-12-020130 'permissions_local_audit_binaries' + - SLES-12-020199 'audit_rules_enable_syscall_auditing' + - SLES-12-020200 'audit_rules_usergroup_modification_passwd' + - SLES-12-020210 'audit_rules_usergroup_modification_group' + - SLES-12-020220 'audit_rules_usergroup_modification_shadow' + - SLES-12-020230 'audit_rules_usergroup_modification_opasswd' + - SLES-12-020250 'audit_rules_privileged_commands_su' + - SLES-12-020260 'audit_rules_privileged_commands_sudo' + - SLES-12-020290 'audit_rules_privileged_commands_mount' + - SLES-12-020300 'audit_rules_privileged_commands_umount' + - SLES-12-020370 'audit_rules_dac_modification_setxattr' + - SLES-12-020380 'audit_rules_dac_modification_fsetxattr' + - SLES-12-020390 'audit_rules_dac_modification_removexattr' + - SLES-12-020400 'audit_rules_dac_modification_lremovexattr' + - SLES-12-020410 'audit_rules_dac_modification_fremovexattr' + - SLES-12-020430 'audit_rules_dac_modification_fchown' + - SLES-12-020440 'audit_rules_dac_modification_lchown' + - SLES-12-020450 'audit_rules_dac_modification_fchownat' + - SLES-12-020460 'audit_rules_dac_modification_chown' + - SLES-12-020470 'audit_rules_dac_modification_fchmod' + - SLES-12-020480 'audit_rules_dac_modification_fchmodat' + - SLES-12-020490 'audit_rules_unsuccessful_file_modification_open' + - SLES-12-020710 'audit_rules_privileged_commands_crontab' + - SLES-12-020720 
'audit_rules_privileged_commands_pam_timestamp_check' + - SLES-12-020730 'audit_rules_kernel_module_loading_delete' + - SLES-12-020740 'audit_rules_kernel_module_loading_finit' + - SLES-12-020750 'audit_rules_kernel_module_loading_init' + - SLES-12-030300 'chronyd_or_ntpd_set_maxpoll' + +Corrections: + + - The STIG ID for audit_rules_dac_modification_chmod was incorrect. + It should've been SLES-12-020460 instead of SLES-12-020600. + - The STIG ID for sshd_do_not_permit_user_env was incorrect. + It should've been SLES-12-030151 instead of SLES-12-030150. +--- + .../ansible/shared.yml | 49 +++++++++++++ + .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 5 +- + .../sshd_do_not_permit_user_env/rule.yml | 2 +- + .../ansible/shared.yml | 19 +++++ + .../bash/shared.sh | 6 ++ + .../oval/shared.xml | 29 ++++++++ + .../rule.yml | 37 ++++++++++ + .../rule.yml | 2 +- + .../rule.yml | 3 + + .../rule.yml | 2 + + .../rule.yml | 2 + + .../rule.yml | 3 + + .../rule.yml | 3 + + .../rule.yml | 3 + + .../rule.yml | 3 + + .../rule.yml | 3 + + .../rule.yml | 3 + + .../rule.yml | 3 + + .../rule.yml | 3 + + .../rule.yml | 2 + + .../ansible/shared.yml | 2 +- + .../rule.yml | 2 + + .../ansible/shared.yml | 2 +- + .../rule.yml | 2 + + .../ansible/shared.yml | 2 +- + .../rule.yml | 3 +- + .../rule.yml | 4 +- + .../rule.yml | 5 +- + .../rule.yml | 4 +- + .../rule.yml | 4 +- + .../rule.yml | 4 +- + .../rule.yml | 5 +- + .../ansible/shared.yml | 53 ++++++++++++++ + .../bash/shared.sh | 19 +++++ + .../oval/shared.xml | 46 ++++++++++++ + .../rule.yml | 35 +++++++++ + .../rule.yml | 4 +- + .../rule.yml | 5 +- + .../rule.yml | 4 +- + .../rule.yml | 5 +- + .../oval/shared.xml | 34 +++++++++ + .../rule.yml | 69 ++++++++++++++++++ + .../auditd_audispd_disk_full_action/rule.yml | 5 +- + .../rule.yml | 4 +- + .../ansible/shared.yml | 12 ++++ + .../oval/shared.xml | 45 ++++++++++++ + .../rule.yml | 53 ++++++++++++++ + .../permissions_local_audit_binaries/rule.yml | 72 +++++++++++++++++++ + 
.../permissions_local_var_log_audit/rule.yml | 57 +++++++++++++++ + shared/templates/extra_ovals.yml | 6 ++ + sle12/profiles/stig.profile | 37 +++++++++- + 51 files changed, 766 insertions(+), 20 deletions(-) + create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh + create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml + create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml + create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml + create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml + create mode 100644 linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml + create mode 100644 linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml + create mode 100644 linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml + create mode 100644 
linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml + create mode 100644 linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml + +diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml +new file mode 100644 +index 0000000000..3c83850a05 +--- /dev/null ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml +@@ -0,0 +1,49 @@ ++# platform = multi_platform_sle ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++{{{ ansible_instantiate_variables('var_time_service_set_maxpoll') }}} ++ ++- name: Check that /etc/ntp.conf exist ++ stat: ++ path: /etc/ntp.conf ++ register: ntp_conf_exist_result ++ ++- name: Check that /etc/chrony.conf exist ++ stat: ++ path: /etc/chrony.conf ++ register: chrony_conf_exist_result ++ ++- name: Update the maxpoll values in /etc/ntp.conf ++ lineinfile: ++ path: /etc/ntp.conf ++ regex: '^(server.*maxpoll) [0-9]+(\s+.*)$' ++ line: '\1 {{ var_time_service_set_maxpoll }}\2' ++ backrefs: yes ++ when: ntp_conf_exist_result.stat.exists ++ ++- name: Update the maxpoll values in /etc/chrony.conf ++ lineinfile: ++ path: /etc/chrony.conf ++ regex: '^(server.*maxpoll) [0-9]+(\s+.*)$' ++ line: '\1 {{ var_time_service_set_maxpoll }}\2' ++ backrefs: yes ++ when: chrony_conf_exist_result.stat.exists ++ ++- name: Set the maxpoll values in /etc/ntp.conf ++ lineinfile: ++ path: /etc/ntp.conf ++ regex: '(^server\s+((?!maxpoll).)*)$' ++ line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n' ++ backrefs: yes ++ when: ntp_conf_exist_result.stat.exists ++ ++- name: Set the maxpoll values in /etc/chrony.conf ++ lineinfile: ++ path: /etc/chrony.conf ++ regex: '(^server\s+((?!maxpoll).)*)$' ++ line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n' ++ backrefs: yes ++ when: chrony_conf_exist_result.stat.exists +diff 
--git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +index d5f8b9125e..4e4be3002f 100644 +--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml ++++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 + + title: 'Configure Time Service Maxpoll Interval' + +@@ -26,6 +26,7 @@ platform: machine # The check uses service_... extended definition, which doesn + identifiers: + cce@rhel7: CCE-80439-3 + cce@rhcos4: CCE-82684-2 ++ cce@sle12: CCE-83124-8 + + references: + stigid@ol7: OL07-00-040500 +@@ -39,6 +40,8 @@ references: + cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01 + iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1 + cis-csc: 1,14,15,16,3,5,6 ++ stigid@sle12: SLES-12-030300 ++ nist@sle12: AU-8(1)(a),AU-8(1)(b) + + ocil_clause: 'it does not exist or maxpoll has not been set to the expected value' + +diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +index 0c17411fad..e5d54261d3 100644 +--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml ++++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +@@ -33,7 +33,7 @@ references: + srg: SRG-OS-000480-GPOS-00229 + vmmsrg: SRG-OS-000480-VMM-002000 + stigid@rhel7: RHEL-07-010460 +- stigid@sle12: SLES-12-030150 ++ stigid@sle12: SLES-12-030151 + isa-62443-2013: 'SR 7.6' + isa-62443-2009: 4.3.4.3.2,4.3.4.3.3 + cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05 +diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml 
b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml +new file mode 100644 +index 0000000000..04e889199f +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml +@@ -0,0 +1,19 @@ ++# platform = multi_platform_sle ++# reboot = false ++# strategy = restrict ++# complexity = low ++# disruption = low ++ ++- name: Find soft links /etc/pam.d/ ++ find: ++ paths: /etc/pam.d ++ file_type: link ++ patterns: common-.* ++ use_regex: yes ++ register: find_pam_soft_links_result ++ ++- name: Remove soft links in /etc/pam.d/ ++ shell: | ++ target=$(readlink -f "{{ item.path }}") ++ cp -p --remove-destination "$target" "{{ item.path }}" ++ with_items: "{{ find_pam_soft_links_result.files }}" +diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh +new file mode 100644 +index 0000000000..ef195d3ac2 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh +@@ -0,0 +1,6 @@ ++# platform = multi_platform_sle ++ ++for link in $(find /etc/pam.d/ -type l -iname "common-*") ; do ++ target=$(readlink -f "$link") ++ cp -p --remove-destination "$target" "$link" ++done +diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml +new file mode 100644 +index 0000000000..0a8f356e7a +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml +@@ -0,0 +1,29 @@ ++ ++ ++ ++ The PAM configuration should not be changed automatically ++ ++ multi_platform_sle ++ ++ Verify the SUSE operating system is configured to not overwrite Pluggable ++ Authentication Modules (PAM) configuration on 
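Review bot: `for link in $(find /etc/pam.d/ -type l -iname "common-*")` word-splits find's output, and `-iname` matches case-insensitively while the OVAL test for this rule uses the case-sensitive pattern `^common-.*$`, so the remediation and the check do not agree on exactly which links are in scope. Iterating with `find /etc/pam.d/ -type l -name "common-*" -print0 | while IFS= read -r -d '' link; do` keeps the two aligned and is safe for any path. The same `-iname` form is repeated in the `ocil` text of the new rule.yml in this commit, and the Ansible variant uses the case-sensitive regex `common-.*`, so the three artifacts should settle on one matching rule.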
package changes. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /etc/pam.d ++ ^common-.*$ ++ ++ ++ ++ regular ++ ++ +diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml +new file mode 100644 +index 0000000000..fe02158220 +--- /dev/null ++++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml +@@ -0,0 +1,37 @@ ++documentation_complete: true ++ ++prodtype: sle12 ++ ++title: 'The PAM configuration should not be changed automatically' ++ ++description: |- ++ Verify the SUSE operating system is configured to not overwrite Pluggable ++ Authentication Modules (PAM) configuration on package changes. ++ ++ ++rationale: |- ++ pam-config is a command line utility that automatically generates ++ a system PAM configuration as packages are installed, updated or removed ++ from the system. pam-config removes configurations for PAM modules ++ and parameters that it does not know about. It may render ineffective PAM ++ configuration by the system administrator and thus impact system security. ++ ++severity: medium ++ ++identifiers: ++ cce@sle12: CCE-83113-1 ++ ++references: ++ stigid@sle12: SLES-12-010910 ++ disa@sle12: CCI-000366 ++ srg@sle12: SRG-OS-000480-GPOS-00227 ++ nist@sle12: CM-6(b),CM-6.1(iv) ++ ++ocil_clause: 'that is not the case' ++ ++ocil: |- ++ Check that soft links between PAM configuration files are removed with the following command: ++ ++
# find /etc/pam.d/ -type l -iname "common-*"
++ ++ If any results are returned, this is a finding. +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml +index 22031b6517..b1d9dfbc4c 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml +@@ -46,7 +46,7 @@ references: + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030410 +- stigid@sle12: SLES-12-020600 ++ stigid@sle12: SLES-12-020460 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml +index 8c8ccf405f..27e9d98617 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml +@@ -30,6 +30,7 @@ identifiers: + cce@rhel7: CCE-27364-9 + cce@rhel8: 
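Review bot: The rule text does not tell the administrator what the remediation changes on the system: once the `common-*` symlinks are replaced by regular copies, `pam-config` presumably stops managing those files, so PAM adjustments delivered by later package updates would have to be applied by hand. I would add a `warnings:` entry with a `general:` item to rule.yml stating that the fixed files are no longer regenerated and must be reviewed after PAM-related updates, so it appears in the generated guide next to the remediation. The `rationale` already explains why automatic regeneration is undesirable; the missing piece is the operational consequence of the fix.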
CCE-80686-9 + cce@rhcos4: CCE-82557-0 ++ cce@sle12: CCE-83137-0 + + references: + stigid@ol7: OL07-00-030370 +@@ -43,8 +44,10 @@ references: + ospp: FAU_GEN.1.1.c + pcidss: Req-10.5.5 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 ++ srg@sle12: SRG-OS-000037-GPOS-00015 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030370 ++ stigid@sle12: SLES-12-020420 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml +index 7b66511acc..6d55b59af4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml +@@ -30,6 +30,7 @@ identifiers: + cce@rhel7: CCE-27393-8 + cce@rhel8: CCE-80687-7 + cce@rhcos4: CCE-82558-8 ++ cce@sle12: CCE-83133-9 + + references: + stigid@ol7: OL07-00-030420 +@@ -45,6 +46,7 @@ references: + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030420 ++ stigid@sle12: SLES-12-020470 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 
2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml +index 3882d0db26..d5b87320a7 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml +@@ -30,6 +30,7 @@ identifiers: + cce@rhel7: CCE-27388-8 + cce@rhel8: CCE-80688-5 + cce@rhcos4: CCE-82559-6 ++ cce@sle12: CCE-83132-1 + + references: + stigid@ol7: OL07-00-030430 +@@ -45,6 +46,7 @@ references: + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030430 ++ stigid@sle12: SLES-12-020480 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml +index 7950e714f6..d75447dab4 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml +@@ -33,6 +33,7 @@ identifiers: + cce@rhel7: CCE-27356-5 + cce@rhel8: CCE-80689-3 + cce@rhcos4: CCE-82560-4 ++ cce@sle12: CCE-83136-2 + + references: + stigid@ol7: OL07-00-030380 +@@ -46,8 +47,10 @@ references: + ospp: FAU_GEN.1.1.c + pcidss: Req-10.5.5 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 ++ srg@sle12: SRG-OS-000037-GPOS-00015 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030380 ++ stigid@sle12: SLES-12-020430 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml +index b35b2d7298..214f7e95c0 100644 +--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml +@@ -30,6 +30,7 @@ identifiers: + cce@rhel7: CCE-27387-0 + cce@rhel8: CCE-80690-1 + cce@rhcos4: CCE-82561-2 ++ cce@sle12: CCE-83134-7 + + references: + stigid@ol7: OL07-00-030400 +@@ -43,8 +44,10 @@ references: + ospp: FAU_GEN.1.1.c + pcidss: Req-10.5.5 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 ++ srg@sle12: SRG-OS-000037-GPOS-00015 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030400 ++ stigid@sle12: SLES-12-020450 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +index fb936a04b6..af1eea1a36 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +@@ -35,6 +35,7 @@ identifiers: + cce@rhel7: CCE-27353-2 + cce@rhel8: CCE-80691-9 + cce@rhcos4: CCE-82562-0 ++ cce@sle12: 
CCE-83138-8 + + references: + stigid@ol7: OL07-00-030480 +@@ -48,8 +49,10 @@ references: + ospp: FAU_GEN.1.1.c + pcidss: Req-10.5.5 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 ++ srg@sle12: SRG-OS-000037-GPOS-00015 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030480 ++ stigid@sle12: SLES-12-020410 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +index 6d6216122d..33de1d53eb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +@@ -30,6 +30,7 @@ identifiers: + cce@rhel7: CCE-27389-6 + cce@rhel8: CCE-80692-7 + cce@rhcos4: CCE-82563-8 ++ cce@sle12: CCE-83141-2 + + references: + stigid@ol7: OL07-00-030450 +@@ -43,8 +44,10 @@ references: + ospp: FAU_GEN.1.1.c + pcidss: Req-10.5.5 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 ++ srg@sle12: SRG-OS-000037-GPOS-00015 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030450 ++ stigid@sle12: SLES-12-020380 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 
2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml +index 53d680a29c..04e8ae5d99 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml +@@ -30,6 +30,7 @@ identifiers: + cce@rhel7: CCE-27083-5 + cce@rhel8: CCE-80693-5 + cce@rhcos4: CCE-82564-6 ++ cce@sle12: CCE-83135-4 + + references: + stigid@ol7: OL07-00-030390 +@@ -43,8 +44,10 @@ references: + ospp: FAU_GEN.1.1.c + pcidss: Req-10.5.5 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 ++ srg@sle12: SRG-OS-000037-GPOS-00015 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030390 ++ stigid@sle12: SLES-12-020440 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: 
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +index bbce29648d..55bc1502d6 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +@@ -35,6 +35,7 @@ identifiers: + cce@rhel7: CCE-27410-0 + cce@rhel8: CCE-80694-3 + cce@rhcos4: CCE-82565-3 ++ cce@sle12: CCE-83139-6 + + references: + stigid@ol7: OL07-00-030490 +@@ -48,8 +49,10 @@ references: + ospp: FAU_GEN.1.1.c + pcidss: Req-10.5.5 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 ++ srg@sle12: SRG-OS-000037-GPOS-00015 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030490 ++ stigid@sle12: SLES-12-020400 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +index f8890cea0d..abbe9269fe 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +@@ -34,6 +34,7 @@ identifiers: + cce@rhel7: CCE-27367-2 + cce@rhel8: CCE-80696-8 + cce@rhcos4: CCE-82567-9 ++ cce@sle12: CCE-83140-4 + + references: + stigid@ol7: OL07-00-030470 +@@ -47,8 +48,10 @@ references: + ospp: FAU_GEN.1.1.c + pcidss: Req-10.5.5 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 ++ srg@sle12: SRG-OS-000037-GPOS-00015 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030470 ++ stigid@sle12: SLES-12-020390 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +index 4bcbaf54b4..a74756bfbd 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +@@ -30,6 +30,7 @@ identifiers: + cce@rhel7: CCE-27213-8 + cce@rhel8: CCE-80697-6 + cce@rhcos4: CCE-82568-7 ++ cce@sle12: CCE-83142-0 + + references: + stigid@ol7: OL07-00-030440 +@@ -43,8 +44,10 @@ references: + ospp: FAU_GEN.1.1.c + pcidss: Req-10.5.5 + srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 ++ srg@sle12: SRG-OS-000037-GPOS-00015 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 + stigid@rhel7: RHEL-07-030440 ++ stigid@sle12: SLES-12-020370 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +index ebccc4dbbf..97aa771056 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +@@ -39,6 +39,7 @@ identifiers: + cce@rhel7: CCE-80386-6 + cce@rhel8: CCE-80753-7 + cce@rhcos4: CCE-82633-9 ++ cce@sle12: CCE-83131-3 + + references: + stigid@ol7: OL07-00-030510 +@@ -53,6 +54,7 @@ references: + srg: 
SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 + vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 + stigid@rhel7: RHEL-07-030510 ++ stigid@sle12: SLES-12-020490 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +index 4759760bc1..c7b605ec31 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle + # reboot = false + # complexity = low + # disruption = low +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml +index d53927fcab..0997c1c6a5 100644 +--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml +@@ -27,6 +27,7 @@ identifiers: + cce@rhel7: CCE-80415-3 + cce@rhel8: CCE-80711-5 + cce@rhcos4: CCE-82580-2 ++ cce@sle12: CCE-83128-9 + + references: + stigid@ol7: OL07-00-030830 +@@ -41,6 +42,7 @@ references: + srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222 + vmmsrg: SRG-OS-000477-VMM-001970 + stigid@rhel7: RHEL-07-030830 ++ stigid@sle12: SLES-12-020730 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +index 62220a2294..3f3c3e3d94 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle + # 
reboot = false + # complexity = low + # disruption = low +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +index a6c457485c..f54035bfcb 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +@@ -27,6 +27,7 @@ identifiers: + cce@rhel7: CCE-80547-3 + cce@rhel8: CCE-80712-3 + cce@rhcos4: CCE-82581-0 ++ cce@sle12: CCE-83129-7 + + references: + stigid@ol7: OL07-00-030821 +@@ -41,6 +42,7 @@ references: + srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222 + vmmsrg: SRG-OS-000477-VMM-001970 + stigid@rhel7: RHEL-07-030821 ++ stigid@sle12: SLES-12-020740 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +index ee6aa0ba59..d804bbd09e 100644 +--- 
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +@@ -1,4 +1,4 @@ +-# platform = multi_platform_rhel,multi_platform_rhv ++# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle + # reboot = false + # complexity = low + # disruption = low +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml +index b81ca09151..829f3b2c8a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml +@@ -27,7 +27,7 @@ identifiers: + cce@rhel7: CCE-80414-6 + cce@rhel8: CCE-80713-1 + cce@rhcos4: CCE-82582-8 +- ++ cce@sle12: CCE-83130-5 + references: + stigid@ol7: OL07-00-030820 + cis: 5.2.17 +@@ -41,6 +41,7 @@ references: + srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222 + vmmsrg: SRG-OS-000477-VMM-001970 + stigid@rhel7: RHEL-07-030820 ++ stigid@sle12: SLES-12-020750 + isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' + isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: 
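Review bot: In the `@@ -27,7 +27,7 @@` hunk of audit_rules_kernel_module_loading_init/rule.yml the added `cce@sle12` line replaces the blank line that separated `identifiers:` from `references:`, unlike the sibling `_delete` and `_finit` rule files in this commit, which keep the separator. Add the identifier as a pure insertion instead, `+ cce@sle12: CCE-83130-5` followed by the original empty line before `references:`, so the three files stay formatted alike.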
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml +index 53be8f4928..0cd92027b1 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019 + + title: 'Ensure auditd Collects Information on the Use of Privileged Commands - crontab' + +@@ -34,6 +34,7 @@ identifiers: + cce@rhel7: CCE-80410-4 + cce@rhel8: CCE-80727-1 + cce@rhcos4: CCE-82593-5 ++ cce@sle12: CCE-83126-3 + + references: + stigid@ol7: OL07-00-030800 +@@ -45,6 +46,7 @@ references: + srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 + vmmsrg: SRG-OS-000471-VMM-001910 + stigid@rhel7: RHEL-07-030800 ++ stigid@sle12: SLES-12-020710 + isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' + isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml +index 471a920ed4..4941b38aac 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,sle12 + + title: 'Ensure auditd Collects Information on the Use of Privileged Commands - mount' + +@@ -34,6 +34,7 @@ identifiers: + cce@rhel7: CCE-81064-8 + cce@rhel8: CCE-80989-7 + cce@rhcos4: CCE-82595-0 ++ cce@sle12: CCE-83145-3 + + references: + disa: CCI-000135,CCI-000172,CCI-002884 +@@ -41,8 +42,10 @@ references: + ospp: FAU_GEN.1.1.c + vmmsrg: SRG-OS-000471-VMM-001910 + srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172 ++ srg@sle12: SRG-OS-000037-GPOS-00015 + stigid@rhel7: RHEL-07-030740 + stigid@ol7: OL07-00-030740 ++ stigid@sle12: SLES-12-020290 + + ocil_clause: 'it is not the case' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +index 824e7470ec..d6780b0156 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019 + + title: 'Ensure 
auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check' + +@@ -34,6 +34,7 @@ identifiers: + cce@rhel7: CCE-80411-2 + cce@rhel8: CCE-80730-5 + cce@rhcos4: CCE-82599-2 ++ cce@sle12: CCE-83127-1 + + references: + stigid@ol7: OL07-00-030810 +@@ -45,6 +46,7 @@ references: + srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 + vmmsrg: SRG-OS-000471-VMM-001910 + stigid@rhel7: RHEL-07-030810 ++ stigid@sle12: SLES-12-020720 + isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' + isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml +index 4de737ddf1..86c423dd28 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019 + + title: 'Ensure auditd Collects Information on the Use of Privileged Commands - su' + +@@ -34,6 +34,7 @@ identifiers: + cce@rhel7: CCE-80400-5 + cce@rhel8: CCE-80736-2 + cce@rhcos4: CCE-82605-7 ++ cce@sle12: CCE-83143-8 + + references: + stigid@ol7: OL07-00-030680 +@@ -46,6 +47,7 @@ references: + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + vmmsrg: 
SRG-OS-000471-VMM-001910 + stigid@rhel7: RHEL-07-030680 ++ stigid@sle12: SLES-12-020250 + isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' + isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml +index 382c66cc88..9e9e892789 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019 + + title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sudo' + +@@ -34,6 +34,7 @@ identifiers: + cce@rhel7: CCE-80401-3 + cce@rhel8: CCE-80737-0 + cce@rhcos4: CCE-82606-5 ++ cce@sle12: CCE-83144-6 + + references: + stigid@ol7: OL07-00-030690 +@@ -46,6 +47,7 @@ references: + srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 + vmmsrg: SRG-OS-000471-VMM-001910 + stigid@rhel7: RHEL-07-030690 ++ stigid@sle12: SLES-12-020260 + isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' + isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: 
APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml +index e8a7ef5f9d..2ce9d62aaf 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019 + + title: 'Ensure auditd Collects Information on the Use of Privileged Commands - umount' + +@@ -34,6 +34,7 @@ identifiers: + cce@rhel7: CCE-80405-4 + cce@rhel8: CCE-80739-6 + cce@rhcos4: CCE-82608-1 ++ cce@sle12: CCE-83158-6 + + references: + stigid@ol7: OL07-00-030750 +@@ -43,8 +44,10 @@ references: + nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a) + nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 + srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 ++ srg@sle12: SRG-OS-000037-GPOS-00015 + vmmsrg: SRG-OS-000471-VMM-001910 + stigid@rhel7: RHEL-07-030750 ++ stigid@sle12: SLES-12-020300 + isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' + isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml
+new file mode 100644
+index 0000000000..8286d51cf2
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml
+@@ -0,0 +1,53 @@
++# platform = multi_platform_sle
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++- name: Service facts
++ service_facts:
++
++- name: Check the rules script being used
++ command:
++ grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
++ register: check_rules_scripts_result
++
++- name: Find audit rules in /etc/audit/rules.d
++ find:
++ paths: /etc/audit/rules.d
++ file_type: file
++ follow: yes
++ register: find_audit_rules_result
++ when:
++ - '"auditd.service" in ansible_facts.services'
++ - '"augenrules" in check_rules_scripts_result.stdout'
++
++- name: Enable syscall auditing (augenrules)
++ lineinfile:
++ path: "{{ item.path }}"
++ regex: ^(?i)(\s*-a\s+task,never)\s*$
++ line: '#-a task,never'
++ with_items: "{{ find_audit_rules_result.files }}"
++ when:
++ - '"auditd.service" in ansible_facts.services'
++ - '"augenrules" in check_rules_scripts_result.stdout'
++ register: augenrules_syscall_auditing_rule_update_result
++
++- name: Enable syscall auditing (auditctl)
++ lineinfile:
++ path: /etc/audit/audit.rules
++ regex: ^(?i)(\s*-a\s+task,never)\s*$
++ line: '#-a task,never'
++ when:
++ - '"auditd.service" in ansible_facts.services'
++ - '"auditctl" in check_rules_scripts_result.stdout'
++ register: auditctl_syscall_auditing_rule_update_result
++
++- name: Restart auditd.service
++ systemd:
++ name: auditd.service
++ state: restarted
++ when:
++ - ansible_facts.services["auditd.service"].state == "running"
++ - (augenrules_syscall_auditing_rule_update_result.changed or
++ auditctl_syscall_auditing_rule_update_result.changed)
+diff --git 
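Review bot: The `command: grep '^ExecStartPost' ...` task has no `failed_when`, so on a host whose unit file is missing or has no ExecStartPost line grep exits 1 and the whole play aborts before the rule is applied; without `changed_when: false` it also reports a change on every run. Both `lineinfile` regexes place the `(?i)` flag after `^`, which Python's `re` rejects as "global flags not at the start of the expression" from 3.11 on (a DeprecationWarning earlier), so the remediation errors out on current controllers — move the flag to the front or drop it. The restart task indexes `ansible_facts.services["auditd.service"]` without the membership guard the earlier tasks use and raises on hosts without the unit. The `find` task also takes every regular file under `/etc/audit/rules.d` while the bash variant limits itself to `*.rules`; adding `patterns: '*.rules'` keeps the two in step.
```yaml
- name: Check the rules script being used
  command:
    grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
  register: check_rules_scripts_result
  changed_when: false
  failed_when: false

- name: Find audit rules in /etc/audit/rules.d
  find:
    paths: /etc/audit/rules.d
    patterns: '*.rules'
    file_type: file
    follow: yes
  # … unchanged: register, when …

- name: Enable syscall auditing (augenrules)
  lineinfile:
    path: "{{ item.path }}"
    regex: '(?i)^(\s*-a\s+task,never)\s*$'
    line: '#-a task,never'
  # … unchanged: with_items, when, register …

# … unchanged: auditctl task, with the same regex fix …

- name: Restart auditd.service
  systemd:
    name: auditd.service
    state: restarted
  when:
    - '"auditd.service" in ansible_facts.services'
    - ansible_facts.services["auditd.service"].state == "running"
    - (augenrules_syscall_auditing_rule_update_result.changed or
       auditctl_syscall_auditing_rule_update_result.changed)
```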
a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh
+new file mode 100644
+index 0000000000..501095bb85
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh
+@@ -0,0 +1,19 @@
++# platform = multi_platform_sle
++
++if [ -f "/usr/lib/systemd/system/auditd.service" ] ; then
++ EXECSTARTPOST_SCRIPT=$(grep '^ExecStartPost=' /usr/lib/systemd/system/auditd.service | sed 's/ExecStartPost=//')
++
++ if [[ "$EXECSTARTPOST_SCRIPT" == *"augenrules"* ]] ; then
++ for f in /etc/audit/rules.d/*.rules ; do
++ sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' "$f"
++ done
++ else
++ # auditctl is used
++ sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' /etc/audit/audit.rules
++ fi
++
++ systemctl is-active --quiet auditd.service
++ if [ $? -ne 0 ] ; then
++ systemctl restart auditd.service
++ fi
++fi
+diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml
+new file mode 100644
+index 0000000000..f871e0195c
+--- /dev/null
++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml
+@@ -0,0 +1,46 @@
++
++
++
++ Enable Syscall Auditing
++
++ multi_platform_all
++
++ Syscall auditing should not be disabled. 
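Review bot: The reload condition at the end of the script is inverted: `systemctl is-active --quiet` exits 0 when auditd is running, so `[ $? -ne 0 ]` restarts the service only when it is not running, and on a live system the now-commented `-a task,never` rule stays loaded in the kernel until the next boot. Write it as `if systemctl is-active --quiet auditd.service ; then systemctl restart auditd.service ; fi`, or better reload the rules in place (`augenrules --load` in the augenrules branch, `auditctl -R /etc/audit/audit.rules` otherwise), which also avoids the restart being refused if the SLE unit sets `RefuseManualStop=yes` as auditd units commonly do. The `for f in /etc/audit/rules.d/*.rules` loop runs without nullglob, so with no matching file sed is handed the literal glob and fails; add `[ -e "$f" ] || continue` as the first statement of the loop body.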
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ^/etc/audit/rules\.d/.*\.rules$ ++ ^[\s]*-a[\s]+task,never[\s]*$ ++ 1 ++ ++ ++ ++ ++ ++ ++ /etc/audit/audit.rules ++ ^[\s]*-a[\s]+task,never[\s]*$ ++ 1 ++ ++ ++ +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml +new file mode 100644 +index 0000000000..9c23291d62 +--- /dev/null ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml +@@ -0,0 +1,35 @@ ++documentation_complete: true ++ ++prodtype: sle12 ++ ++title: 'Remove Default Configuration to Disable Syscall Auditing' ++ ++description: |- ++ By default, {{{ full_name }}} ships an audit rule to disable syscall ++ auditing for performance reasons. ++ ++ To make sure that syscall auditing works, this line must be removed from ++ /etc/audit/rules.d/audit.rules and /etc/audit/audit.rules: ++ ++
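Review bot: Both patterns `^[\s]*-a[\s]+task,never[\s]*$` recognise only the exact `-a task,never` spelling, but auditctl accepts the list and action in either order (`-a never,task`) and `-A` as well as `-a`, so a rule written either of those ways still disables syscall auditing yet passes this check; the bash and Ansible remediations use the same narrow pattern and would leave it in place. Suggest `^[\s]*-[aA][\s]+(task,never|never,task)[\s]*$` here and the matching form in both remediations. The XML tags of this hunk were lost in extraction, so the criteria joining the rules.d and audit.rules tests could not be reviewed.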
-a task,never
++ ++rationale: |- ++ Audit rules for syscalls do not take effect unless this line is removed. ++ ++severity: medium ++ ++identifiers: ++ cce@sle12: CCE-83119-8 ++ ++references: ++ stigid@sle12: SLES-12-020199 ++ srg@sle12: SRG-OS-000480-GPOS-00227 ++ disa@sle12: CCI-000366 ++ ++ocil_clause: 'syscall auditing is still disabled' ++ ++ocil: |- ++ To check for the offending line, run the following command: ++
$ grep task,never /etc/audit/{rules.d,.}/audit.rules
++ There must not be any output, or else these lines must be removed from ++ the matching files. +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml +index 750fba65bb..e4b2b8dcb8 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 + + title: 'Record Events that Modify User/Group Information - /etc/group' + +@@ -31,6 +31,7 @@ identifiers: + cce@rhel7: CCE-80433-6 + cce@rhel8: CCE-80758-6 + cce@rhcos4: CCE-82654-5 ++ cce@sle12: CCE-83121-4 + + references: + stigid@ol7: OL07-00-030871 +@@ -51,6 +52,7 @@ references: + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 ++ stigid@sle12: SLES-12-020210 + + ocil_clause: 'the system is not configured to audit account changes' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml +index 
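Review bot: The OCIL command `grep task,never /etc/audit/{rules.d,.}/audit.rules` also matches the commented `#-a task,never` line that the bash and Ansible remediations write, so a freshly remediated host fails the manual check ("There must not be any output"); it also looks only at `rules.d/audit.rules`, whereas the OVAL scans every `rules.d/*.rules` file. Use an anchored pattern over the same file set, `$ grep -E '^\s*-a\s+task,never' /etc/audit/audit.rules /etc/audit/rules.d/*.rules`, and say the line must be removed or commented out. The description should also note that the change only takes effect once the rule set is reloaded (`augenrules --load` or an auditd restart), since the loaded rules are what the rationale is about.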
adf9f616b8..41434f664a 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 + + title: 'Record Events that Modify User/Group Information - /etc/security/opasswd' + +@@ -31,6 +31,7 @@ identifiers: + cce@rhel7: CCE-80430-2 + cce@rhel8: CCE-80760-2 + cce@rhcos4: CCE-82656-0 ++ cce@sle12: CCE-83123-0 + + references: + stigid@ol7: OL07-00-030874 +@@ -51,6 +52,8 @@ references: + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 ++ srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221 ++ stigid@sle12: SLES-12-020230 + + ocil_clause: 'the system is not configured to audit account changes' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml +index c0e3b4b23a..bae0a29903 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml ++++ 
b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 + + title: 'Record Events that Modify User/Group Information - /etc/passwd' + +@@ -31,6 +31,7 @@ identifiers: + cce@rhel7: CCE-80435-1 + cce@rhel8: CCE-80761-0 + cce@rhcos4: CCE-82657-8 ++ cce@sle12: CCE-83120-6 + + references: + stigid@ol7: OL07-00-030870 +@@ -51,6 +52,7 @@ references: + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 ++ stigid@sle12: SLES-12-020200 + + ocil_clause: 'the system is not configured to audit account changes' + +diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml +index 6545282c8a..f3d9cf9cd2 100644 +--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml ++++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 + + title: 'Record Events that Modify User/Group 
Information - /etc/shadow' + +@@ -31,6 +31,7 @@ identifiers: + cce@rhel7: CCE-80431-0 + cce@rhel8: CCE-80762-8 + cce@rhcos4: CCE-82658-6 ++ cce@sle12: CCE-83122-2 + + references: + stigid@ol7: OL07-00-030873 +@@ -51,6 +52,8 @@ references: + cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 + iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 + cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 ++ stigid@sle12: SLES-12-020220 ++ srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221 + + ocil_clause: 'the system is not configured to audit account changes' + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml +new file mode 100644 +index 0000000000..8aa7b04f7c +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml +@@ -0,0 +1,34 @@ ++{{% if target_oval_version >= [5, 11.2] %}} ++ ++ ++ {{{ oval_metadata("Configure a sufficiently large partition for audit logs.") }}} ++ ++ ++ ++ ++ ++ ++ ++ /var/log/audit ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ var_aacsflp_audit_partition_size ++ ++ ++ ++ ++ ++ ++ ++ 10000000000 ++ ++ ++ ++{{% endif %}} +diff --git 
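Review bot: The test object hard-codes `/var/log/audit` while the rule text tells the reader to derive the partition from `log_file` in `/etc/audit/auditd.conf`, so a site that points the log elsewhere is measured against the wrong mount. Both `var_aacsflp_audit_partition_size` and the literal `10000000000` appear in the hunk; if the literal is the variable's fallback that is fine, but if the state compares against the literal the XCCDF value is dead — the XML markup was stripped in extraction so this could not be confirmed. The whole check sits inside `{{% if target_oval_version >= [5, 11.2] %}}`, so builds targeting an older OVAL presumably ship the rule with no check at all; a comment stating that trade-off next to the guard would help the next maintainer.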
a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml +new file mode 100644 +index 0000000000..421b410446 +--- /dev/null ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml +@@ -0,0 +1,69 @@ ++documentation_complete: true ++ ++prodtype: sle12 ++ ++title: 'Configure a Sufficiently Large Partition for Audit Logs' ++ ++description: |- ++ The SUSE operating system must allocate audit record storage capacity to ++ store at least one weeks worth of audit records when audit records are not ++ immediately sent to a central audit record storage facility. ++ ++ The partition size needed to capture a week's worth of audit records is ++ based on the activity level of the system and the total storage capacity ++ available. In normal circumstances, 10.0 GB of storage space for audit ++ records will be sufficient. ++ ++ Determine which partition the audit records are being written to with the ++ following command: ++ ++
# grep log_file /etc/audit/auditd.conf
++    log_file = /var/log/audit/audit.log
++ ++ Check the size of the partition that audit records are written to with the ++ following command: ++ ++
# df -h /var/log/audit/
++    /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
++ ++rationale: |- ++ Information stored in one location is vulnerable to accidental or incidental ++ deletion or alteration.Off-loading is a common process in information ++ systems with limited audit storage capacity. ++ ++severity: medium ++ ++identifiers: ++ cce@sle12: CCE-83114-9 ++ ++references: ++ disa@sle12: CCI-001849 ++ srg@sle12: SRG-OS-000342-GPOS-00133 ++ stigid@sle12: SLES-12-020020 ++ ++ocil_clause: 'audispd is not sending logs to a remote system and the local partition has inadequate' ++ ++ocil: |- ++ To verify whether audispd plugin off-loads audit records onto a different ++ system or media from the system being audited, run the following command: ++ ++
# grep -i remote_server /etc/audisp/audisp-remote.conf
++ ++ The output should return something similar to where REMOTE_SYSTEM ++ is an IP address or hostname: ++
remote_server = REMOTE_SYSTEM
++ ++ Determine which partition the audit records are being written to with the ++ following command: ++ ++
# grep log_file /etc/audit/auditd.conf
++    log_file = /var/log/audit/audit.log
++ ++ Check the size of the partition that audit records are written to with the ++ following command and verify whether it is sufficiently large: ++ ++
# df -h /var/log/audit/
++    /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
++ ++ ++platform: machine +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml +index 5b9baa2858..d3bf2845ef 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 + + title: 'Configure audispd''s Plugin disk_full_action When Disk Is Full' + +@@ -23,6 +23,7 @@ severity: medium + + identifiers: + cce@rhel7: CCE-80539-0 ++ cce@sle12: CCE-83116-4 + + references: + stigid@ol7: OL07-00-030320 +@@ -30,6 +31,8 @@ references: + disa: CCI-001851 + srg: SRG-OS-000342-GPOS-00133 + stigid@rhel7: RHEL-07-030320 ++ srg@sle12: SRG-OS-000479-GPOS-00224 ++ stigid@sle12: SLES-12-020110 + + ocil_clause: 'the system is not configured to switch to single user mode for corrective action' + +diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml +index 9e677d225c..f756e47969 100644 +--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml ++++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml +@@ -1,6 +1,6 @@ + documentation_complete: true + +-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 ++prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 + + title: 'Configure audispd''s Plugin network_failure_action On Network Failure' + +@@ -24,6 +24,7 @@ severity: medium + + 
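Review bot: `ocil_clause: 'audispd is not sending logs to a remote system and the local partition has inadequate'` is cut off mid-sentence and is rendered verbatim in the guide; finish it, e.g. `'audispd is not off-loading logs to a remote system and the local audit partition is smaller than required'`. The OCIL accepts a configured `remote_server` as an alternative to a large local partition, but the accompanying OVAL, as far as its stripped markup shows, only measures the partition, so a host that off-loads audit records can fail the automated check while passing the manual one — either state in the description that the automated check is partition-only or extend the check. Minor wording: "one weeks worth" → "one week's worth", and a space is missing in "alteration.Off-loading".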
identifiers:
+ cce@rhel7: CCE-80538-2
++ cce@sle12: CCE-83115-6
+
+ references:
+ stigid@ol7: OL07-00-030321
+@@ -31,6 +32,7 @@ references:
+ disa: CCI-001851
+ srg: SRG-OS-000342-GPOS-00133
+ stigid@rhel7: RHEL-07-030321
++ stigid@sle12: SLES-12-020100
+
+ ocil_clause: 'the system is not configured to switch to single user mode for corrective action'
+
+diff --git a/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml
+new file mode 100644
+index 0000000000..7ee0817b30
+--- /dev/null
++++ b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml
+@@ -0,0 +1,12 @@
++# platform = multi_platform_sle
++# reboot = false
++# complexity = low
++# strategy = configure
++# disruption = low
++
++{{{ ansible_lineinfile(msg='Configure permission for /var/log/messages', path='/etc/permissions.local', regex='^\/var\/log\/messages\s+root.*', new_line='/var/log/messages root:root 640', create='yes', state='present', register='update_permissions_local_result') }}}
++
++- name: "Correct file permissions after update /etc/permissions.local"
++ shell: >
++ chkstat --set --system
++ when: update_permissions_local_result.changed
+diff --git a/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml
+new file mode 100644
+index 0000000000..c0af07f781
+--- /dev/null
++++ b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml
+@@ -0,0 +1,45 @@
++
++
++
++ Verify that /var/log/messages is readable only by root
++
++ multi_platform_sle
++
++
++ Checks that /var/log/messages is only readable by root. 
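Review bot: The `regex='^\/var\/log\/messages\s+root.*'` in the lineinfile call only matches an existing entry that is already owned by root, so a `/var/log/messages` line with another owner or mode is left in place and a second entry is appended, leaving it to chkstat which of the two wins; match on the path alone, `regex='^/var/log/messages\s+'`, so the entry is replaced whatever it currently says. `shell: >` is unnecessary for a fixed argv command and invites shell interpretation for no benefit — `command: chkstat --set --system` is the idiomatic form. Note also that `chkstat --set --system` presumably re-applies every configured permissions profile, not just this entry, which is worth a comment given the `disruption = low` header.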
++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ /var/log/messages ++ ++ ++ ++ 0 ++ 0 ++ ++ ++ ++ false ++ false ++ false ++ false ++ false ++ false ++ false ++ false ++ false ++ ++ ++ +diff --git a/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml +new file mode 100644 +index 0000000000..e0569758a9 +--- /dev/null ++++ b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml +@@ -0,0 +1,53 @@ ++documentation_complete: true ++ ++prodtype: sle12 ++ ++title: 'Verify that local /var/log/messages is not world-readable' ++ ++description: |- ++ Files containing sensitive informations should be protected by restrictive ++ permissions. Most of the time, there is no need that these files need to be read by any non-root user ++ {{{ describe_file_permissions(file="/var/log/messages", perms="0640") }}} ++ ++ Check that "permissions.local" file contains the correct permissions rules with the following command: ++ ++
# grep -i messages /etc/permissions.local
++
++    /var/log/messages root:root 640
++ ++rationale: |- ++ The /var/log/messages file contains system error messages. Only ++ authorized personnel should be aware of errors and the details of the ++ errors. Error messages are an indicator of an organization's operational ++ state or can identify the SUSE operating system or platform. Additionally, ++ Personally Identifiable Information (PII) and operational information must ++ not be revealed through error messages to unauthorized personnel or their ++ designated representatives. ++ ++severity: medium ++ ++identifiers: ++ cce@sle12: CCE-83112-3 ++ ++references: ++ disa@sle12: CCI-001314 ++ nist@sle12: SI-11(c) ++ stigid@sle12: SLES-12-010890 ++ srg@sle12: SRG-OS-000206-GPOS-00084 ++ ++ocil_clause: 'Make sure /var/log/messages is not world-readable' ++ ++ocil: |- ++ {{{ ocil_file_permissions(file="/var/log/messages", perms="-rw-r-----") }}} ++ ++ Check that permissions.local file contains the correct permissions rules with the following command: ++ ++
# grep -i messages /etc/permissions.local
++
++    /var/log/messages root:root 640
++ ++ If the command does not return any or different output, this is a finding. ++ ++ Run the following command to correct the permissions after adding the missing entry: ++ ++
# sudo chkstat --set --system
+diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml +new file mode 100644 +index 0000000000..b66a44452f +--- /dev/null ++++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml +@@ -0,0 +1,72 @@ ++documentation_complete: true ++ ++prodtype: sle12 ++ ++title: 'Verify Permissions of Local Logs of audit Tools' ++ ++description: |- ++ The SUSE operating system audit tools must have the proper permissions ++ configured to protect against unauthorized access. ++ ++ Check that "permissions.local" file contains the correct permissions rules ++ with the following command: ++ ++
grep "^/usr/sbin/au" /etc/permissions.local
++
++    /usr/sbin/audispd root:root 0750
++    /usr/sbin/auditctl root:root 0750
++    /usr/sbin/auditd root:root 0750
++    /usr/sbin/ausearch root:root 0755
++    /usr/sbin/aureport root:root 0755
++    /usr/sbin/autrace root:root 0750
++    /usr/sbin/augenrules root:root 0750
++    
++
++ Audit tools include but are not limited to vendor-provided and open-source
++ audit tools needed to successfully view and manipulate audit information
++ system activity and records. Audit tools include custom queries and report
++ generators.
++
++rationale: |-
++ Protecting audit information also includes identifying and protecting the
++ tools used to view and manipulate log data. Therefore, protecting audit
++ tools is necessary to prevent unauthorized operation on audit information.
++
++ SUSE operating systems providing tools to interface with audit information
++ will leverage user permissions and roles identifying the user accessing the
++ tools and the corresponding rights the user enjoys to make access decisions
++ regarding the access to audit tools.
++
++severity: medium
++
++identifiers:
++ cce@sle12: CCE-83118-0
++
++references:
++ disa@sle12: CCI-001493,CCI-001494,CCI-001495
++ nisti@sle12: AU-9
++ srg@sle12: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
++ stigid@sle12: SLES-12-020130
++
++ocil: |-
++ Check that permissions.local file contains the correct permissions
++ rules with the following command:
++
++
grep "^/usr/sbin/au" /etc/permissions.local
++
++    /usr/sbin/audispd root:root 0750
++    /usr/sbin/auditctl root:root 0750
++    /usr/sbin/auditd root:root 0750
++    /usr/sbin/ausearch root:root 0755
++    /usr/sbin/aureport root:root 0755
++    /usr/sbin/autrace root:root 0750
++    /usr/sbin/augenrules root:root 0750
++    
++
++ If the command does not return all the above lines, the missing ones need
++ to be added.
++
++ Run the following command to correct the permissions after adding missing
++ entries:
++
++
# sudo chkstat --set --system
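Review bot: The `nisti@sle12: AU-9` line under `references:` in this new rule.yml is a typo for the `nist@sle12` key that the sibling rule above uses (`nist@sle12: SI-11(c)`), so the NIST mapping will most likely be ignored or rejected by the content build instead of being emitted as a reference; it should read `nist@sle12: AU-9`. The title 'Verify Permissions of Local Logs of audit Tools' also does not describe what the rule checks, which is the owner and mode of the audit tool binaries under /usr/sbin, so something like `title: 'Verify Permissions of audit Tools'` would be more accurate. These lines are part of a patch carried in SOURCES, so the correction belongs in that patch file (or upstream) rather than in the spec.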
+diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml
+new file mode 100644
+index 0000000000..0eb6bfc893
+--- /dev/null
++++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml
+@@ -0,0 +1,57 @@
++documentation_complete: true
++
++prodtype: sle12
++
++title: 'Verify that Local Logs of the audit Daemon are not World-Readable'
++
++description: |-
++ Files containing sensitive informations should be protected by restrictive
++ permissions. Most of the time, there is no need that these files need to bei
++ read by any non-root user.
++
++ Check that "permissions.local" file contains the correct permissions rules with the following command:
++
++
# grep -i audit /etc/permissions.local
++
++    /var/log/audit/ root:root 600
++    /var/log/audit/audit.log root:root 600
++    /etc/audit/audit.rules root:root 640
++    /etc/audit/rules.d/audit.rules root:root 640
++
++rationale: |-
++ Without the capability to restrict which roles and individuals can select
++ which events are audited, unauthorized personnel may be able to prevent the
++ auditing of critical events. Misconfigured audits may degrade the system's
++ performance by overwhelming the audit log. Misconfigured audits may also
++ make it more difficult to establish, correlate, and investigate the events
++ relating to an incident or identify those responsible for one.
++
++severity: medium
++
++identifiers:
++ cce@sle12: CCE-83117-2
++
++references:
++ disa@sle12: CCI-000164
++ nist: AU-9
++ srg@sle12: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
++ stigid@sle12: SLES-12-020120
++
++ocil: |-
++ Check that permissions.local file contains the correct permissionsi
++ rules with the following command:
++
++
# grep -i audit /etc/permissions.local
++
++    /var/log/audit/ root:root 600
++    /var/log/audit/audit.log root:root 600
++    /etc/audit/audit.rules root:root 640
++    /etc/audit/rules.d/audit.rules root:root 640
++
++ If the command does not return all the above lines, the missing ones need
++ to be added.
++
++ Run the following command to correct the permissions after adding missing
++ entries:
++
++
# sudo chkstat --set --system
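Review bot: `nist: AU-9` under `references:` in this new rule.yml lacks the `@sle12` product qualifier that every other key in the block and in the sibling rules carries (`disa@sle12`, `srg@sle12`, `stigid@sle12`); for consistency it should read `nist@sle12: AU-9`. The description and ocil text contain three typos that will be reproduced verbatim in the generated guide: "sensitive informations", "need to bei read" and "correct permissionsi rules". Separately, `/var/log/audit/ root:root 600` applies a mode without the search bit to a directory; if 600 is really what the SLES-12-020120 check expects, a short remark in the description would stop the next reader from "correcting" it to 700, and if it is not, the directory line should be reviewed against that STIG item.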
+diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml
+index 2d305f56d4..89dbe31beb 100644
+--- a/shared/templates/extra_ovals.yml
++++ b/shared/templates/extra_ovals.yml
+@@ -43,3 +43,9 @@ service_sssd_disabled:
+ vars:
+ servicename: sssd
+ packagename: sssd-common
++
++service_syslog_disabled:
++ name: service_disabled
++ vars:
++ servicename: syslog
++ packagename: rsyslog
+diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
+index 4c8b361226..095be4febe 100644
+--- a/sle12/profiles/stig.profile
++++ b/sle12/profiles/stig.profile
+@@ -8,8 +8,10 @@ description: |-
+
+ selections:
+ - sshd_approved_macs=stig
++ - var_account_disable_post_pw_expiration=35
+ - var_accounts_fail_delay=4
+ - var_removable_partition=dev_cdrom
++ - var_time_service_set_maxpoll=system_default
+ - account_disable_post_pw_expiration
+ - account_temp_expire_date
+ - accounts_have_homedir_login_defs
+@@ -27,22 +29,52 @@ selections:
+ - accounts_user_interactive_home_directory_exists
+ - aide_scan_notification
+ - audit_rules_dac_modification_chmod
++ - audit_rules_dac_modification_chown
++ - audit_rules_dac_modification_fchmod
++ - audit_rules_dac_modification_fchmodat
++ - audit_rules_dac_modification_fchown
++ - audit_rules_dac_modification_fchownat
++ - audit_rules_dac_modification_fremovexattr
++ - audit_rules_dac_modification_fsetxattr
++ - audit_rules_dac_modification_lchown
++ - audit_rules_dac_modification_lremovexattr
++ - audit_rules_dac_modification_removexattr
++ - audit_rules_dac_modification_setxattr
++ - audit_rules_enable_syscall_auditing
++ - audit_rules_kernel_module_loading_delete
++ - audit_rules_kernel_module_loading_finit
++ - audit_rules_kernel_module_loading_init
+ - audit_rules_login_events_lastlog
+ - audit_rules_login_events_tallylog
+ - audit_rules_privileged_commands_chage
++ - audit_rules_privileged_commands_crontab
++ - audit_rules_privileged_commands_mount
++ - audit_rules_privileged_commands_pam_timestamp_check
++ - audit_rules_privileged_commands_su
++ - audit_rules_privileged_commands_sudo
++ - audit_rules_privileged_commands_umount
+ - audit_rules_privileged_commands_unix_chkpwd
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
++ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
++ - audit_rules_usergroup_modification_group
+ - audit_rules_usergroup_modification_gshadow
++ - audit_rules_usergroup_modification_opasswd
++ - audit_rules_usergroup_modification_passwd
++ - audit_rules_usergroup_modification_shadow
++ - auditd_audispd_configure_sufficiently_large_partition
++ - auditd_audispd_disk_full_action
+ - auditd_audispd_encrypt_sent_records
++ - auditd_audispd_network_failure_action
+ - auditd_data_disk_full_action
+ - auditd_data_retention_action_mail_acct
+ - auditd_data_retention_space_left
+ - banner_etc_issue
+ - banner_etc_motd
++ - chronyd_or_ntpd_set_maxpoll
+ - dir_perms_world_writable_sticky_bits
+ - dir_perms_world_writable_system_owned_group
+ - disable_ctrlaltdel_reboot
+@@ -54,6 +86,7 @@ selections:
+ - file_permissions_sshd_private_key
+ - file_permissions_sshd_pub_key
+ - file_permissions_ungroupowned
++ - file_permissions_var_log_messages
+ - ftp_present_banner
+ - gnome_gdm_disable_automatic_login
+ - grub2_password
+@@ -74,6 +107,9 @@ selections:
+ - package_audit-audispd-plugins_installed
+ - package_audit_installed
+ - package_telnet-server_removed
++ - pam_disable_automatic_configuration
++ - permissions_local_audit_binaries
++ - permissions_local_var_log_audit
+ - postfix_client_configure_mail_alias
+ - run_chkstat
+ - security_patches_up_to_date
+@@ -106,4 +142,3 @@ selections:
+ - sysctl_net_ipv4_ip_forward
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ - sysctl_net_ipv6_conf_default_accept_source_route
+-
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 7ebce74..fe7f9b4 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -1,26 +1,48 @@
+# Base name of static rhel6 content tarball
+%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
+
Name: scap-security-guide
-Version: 0.1.50
-Release: 6%{?dist}
+Version: 0.1.54
+Release: 5%{?dist}
Summary: Security guidance and baselines in SCAP formats
Group: Applications/System
License: BSD
URL: https://github.com/ComplianceAsCode/content/
Source0: https://github.com/ComplianceAsCode/content/releases/download/v%{version}/scap-security-guide-%{version}.tar.bz2
+# Include tarball with last released rhel6 content
+Source1: %{_static_rhel6_content}.tar.bz2
# Patch allows only OSPP, PCI-DSS, E8 and STIG profiles in RHEL8 datastream
Patch0: disable-not-in-good-shape-profiles.patch
-Patch1: scap-security-guide-0.1.51-update_rhel8_cis_PR_5771.patch
-Patch2: scap-security-guide-0.1.51-cis_hipaa_ansible_fixes_PR_5777.patch
-Patch3: scap-security-guide-0.1.51-add_missing_cis_cces_PR_5781.patch
-Patch4: scap-security-guide-0.1.51-add_hipaa_kickstarts_PR_5783.patch
-Patch5: scap-security-guide-0.1.51-add_ansible_sshd_set_max_sessions_PR_5757.patch
-# Patch6 already contains typo fix
-Patch6: scap-security-guide-0.1.51-add_cis_attributions_PR_5779.patch
-Patch7: scap-security-guide-0.1.51-add_ansible_ensure_logrotate_activated_PR_5753.patch
-Patch8: scap-security-guide-0.1.51-fix_ansible_template_mount_options_PR_5765.patch
-Patch9: scap-security-guide-0.1.51-fix_rpm_verify_permissions_conflict_PR_5770.patch
-Patch10: scap-security-guide-0.1.51-add_ansible_system_shutdown_PR_5761.patch
-Patch11: scap-security-guide-0.1.51-create_macro_selinux_remediation_PR_5785.patch
-Patch12: scap-security-guide-0.1.51-fix_rsyslog_rules_PR_5763.patch
+Patch1: scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff
+Patch2: scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch
+Patch3: scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch
+Patch4: scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch
+Patch5: scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch
+Patch6: scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch
+Patch7: scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch
+Patch8: scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch
+Patch9: scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch
+Patch10: scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch
+Patch11: scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
+Patch12: scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
+Patch13: scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch
+Patch14: scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch
+Patch15: scap-security-guide-0.1.55-sles12_stigs-PR_6524.patch
+Patch16: scap-security-guide-0.1.55-remove_pam_rule_from_rhel8_stig-PR_6528.patch
+Patch17: scap-security-guide-0.1.55-sles12_stigs_2-PR_6561.patch
+Patch18: scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
+Patch19: scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.patch
+Patch20: scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch
+Patch21: scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch
+Patch22: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r1_update-PR_6538.patch
+Patch23: scap-security-guide-0.1.55-OL7_DISA_STIG_v2r2_update-PR_6607.patch
+Patch24: scap-security-guide-0.1.55-upstream_sles12_stigs_3-PR_6599.patch
+Patch25: scap-security-guide-0.1.55-rhel8_stig_v1r1-PR_6579.patch
+Patch26: scap-security-guide-0.1.55-drop_kernel_module_vfat_disabled-PR_6613.patch
+Patch27: scap-security-guide-0.1.55-remove_auditd_data_retention_space_left_from_RHEL8_STIG-PR_6615.patch
+# Untill ANSSI High profile is shipped we drop the ks too
+Patch28: remove-ANSSI-high-ks.patch
+
BuildArch: noarch
# To get python3 inside the buildroot require its path explicitly in BuildRequires
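Review bot: The comment `# Untill ANSSI High profile is shipped we drop the ks too` on the new Patch28 line has a typo and does not say what "the ks" is; `# Until the ANSSI High profile is shipped, drop its kickstart too` would read correctly. Patch1 is the only entry with a `.diff` suffix while Patch2 through Patch28 all end in `.patch`, so renaming it keeps the SOURCES listing uniform and easier to grep. The `# Include tarball with last released rhel6 content` comment on Source1 would also benefit from stating that this tarball is pre-built output copied into the buildroot later in the spec rather than content rebuilt from Source0, since that distinction matters to anyone auditing what this package actually compiles.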
@@ -53,7 +75,7 @@ hardening guidances that have been generated from XCCDF benchmarks
present in %{name} package.
%prep
-%setup -q
+%setup -q -b 1
%patch0 -p1
%patch1 -p1
%patch2 -p1
@@ -67,13 +89,28 @@ present in %{name} package.
%patch10 -p1
%patch11 -p1
%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch25 -p1
+%patch26 -p1
+%patch27 -p1
+%patch28 -p1
mkdir build
%build
cd build
%cmake \ -DSSG_PRODUCT_DEFAULT:BOOLEAN=FALSE \ --DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE \ -DSSG_PRODUCT_RHEL7:BOOLEAN=TRUE \ -DSSG_PRODUCT_RHEL8:BOOLEAN=TRUE \ -DSSG_PRODUCT_FIREFOX:BOOLEAN=TRUE \
@@ -86,6 +123,11 @@ cd build
cd build
%make_install
+# Manually install pre-built rhel6 content
+cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
+cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}
+cp -r %{_builddir}/%{_static_rhel6_content}/guides %{buildroot}%{_docdir}/%{name}
+
%files
%{_datadir}/xml/scap/ssg/content
%{_datadir}/%{name}/kickstart
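Review bot: The three `cp -r` lines in the `@@ -86,6 +123,11 @@` hunk copy pre-built rhel6 content over the `%make_install` output with no guard, and nothing next to them says that the cmake build no longer produces rhel6 files; the removal of `-DSSG_PRODUCT_RHEL6:BOOLEAN=TRUE` in the `@@ -67,13 +89,28 @@` hunk is the only hint. A one-line comment such as `# rhel6 is no longer built from Source0 (product flag dropped above); install the frozen Source1 content instead` would tie the two hunks together so that a later edit does not re-enable the product and have its output silently overwritten by these copies. The `-b 1` added to `%setup` in the `@@ -53,7 +75,7 @@` hunk is what unpacks that tarball, so it deserves the same cross-reference. The copied `tables` and `guides` directories also depend on `%files` entries outside this hunk; only `%doc %{_docdir}/%{name}/tables/*.html` is visible in the next hunk, so the `guides` entry is worth double-checking.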
@@ -101,6 +143,70 @@ cd build
%doc %{_docdir}/%{name}/tables/*.html
%changelog
+* Wed Feb 17 2021 Watson Sato - 0.1.54-5
+- Remove Kickstart for not shipped profile (RHBZ#1778188)
+
+* Tue Feb 16 2021 Gabriel Becker - 0.1.54-4
+- Remove auditd_data_retention_space_left from RHEL8 STIG profile (RHBZ#1918742)
+
+* Tue Feb 16 2021 Vojtech Polasek - 0.1.54-3
+- drop kernel_module_vfat_disabled from CIS profiles (RHBZ#1927019)
+
+* Fri Feb 12 2021 Gabriel Becker - 0.1.54-2
+- Add initial RHEL8 STIG V1R1 profile (RHBZ#1918742)
+
+* Thu Feb 04 2021 Watson Sato - 0.1.54-1
+- Update to the latest upstream release (RHBZ#1889344)
+- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1778188)
+
+* Fri Jan 08 2021 Gabriel Becker - 0.1.53-4
+- Fix description of rule installed_OS_is_vendor_supported (RHBZ#1914193)
+- Fix RHEL6 CPE dictionary (RHBZ#1899059)
+- Fix SRG mapping references for ssh_client_rekey_limit and use_pam_wheel_for_su (RHBZ#1914853)
+
+* Tue Dec 15 2020 Gabriel Becker - 0.1.53-3
+- Enforce pam_wheel for "su" in the OSPP profile (RHBZ#1884062)
+- Fix case insensitive checking in rsyslog_remote_tls (RHBZ#1899032)
+- Exclude kernel_trust_cpu_rng related rules on s390x (RHBZ#1899041)
+- Create a SSH_USE_STRONG_RNG rule for SSH client and select it in OSPP profile (RHBZ#1884067)
+- Disable usbguard rules on s390x architecture (RHBZ#1899059)
+
+* Thu Dec 03 2020 Watson Sato - 0.1.53-2
+- Update list of profiles built (RHBZ#1889344)
+
+* Wed Nov 25 2020 Vojtech Polasek - 0.1.53-1
+- Update to the latest upstream release (RHBZ#1889344)
+
+* Wed Sep 02 2020 Matěj Týč - 0.1.50-14
+- Added a kickstart for the RHEL-8 CUI Profile (RHBZ#1762962)
+
+* Tue Aug 25 2020 Watson Sato - 0.1.50-13
+- Enable build of RHEL-8 CUI Profile (RHBZ#1762962)
+
+* Fri Aug 21 2020 Matěj Týč - 0.1.50-12
+- remove rationale from rules that contain defective links (rhbz#1854854)
+
+* Thu Aug 20 2020 Matěj Týč - 0.1.50-11
+- fixed link in a grub2 rule description (rhbz#1854854)
+- fixed 
selinux_all_devicefiles_labeled rule (rhbz#1852367)
+- fixed no_shelllogin_for_systemaccounts on ubi8 (rhbz#1836873)
+
+* Mon Aug 17 2020 Matěj Týč - 0.1.50-10
+- Update the scapval invocation (RHBZ#1815007)
+- Re-added the SSH Crypto Policy rule to OSPP, and added an SRG to the rule (RHBZ#1815007)
+- Change the spec file macro invocation from patch to Patch
+- Fix the rekey limit in ssh/sshd rules (RHBZ#1813066)
+
+* Wed Aug 05 2020 Vojtech Polasek - 0.1.50-9
+- fix description of HIPAA profile (RHBZ#1867559)
+
+* Fri Jul 17 2020 Watson Sato - 0.1.50-8
+- Add rule to harden OpenSSL crypto-policy (RHBZ#1852928)
+ - Remove CCM from TLS Ciphersuites
+
+* Mon Jun 29 2020 Matěj Týč - 0.1.50-7
+- Fix the OpenSSL Crypto Policy rule (RHBZ#1850543)
+
* Mon Jun 22 2020 Gabriel Becker - 0.1.50-6 - Fix rsyslog permissions/ownership rules (RHBZ#1781606)