scap-security-guide/SOURCES/scap-security-guide-0.1.55-OL7_DISA_STIG_v2r2_update-PR_6607.patch
2021-09-10 04:18:48 +00:00

138 lines
6.4 KiB
Diff

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
index 7da2e067a6..5d01170aab 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -33,6 +33,7 @@ references:
cis@sle12: 5.2.4
cis@sle15: 5.2.6
stigid@rhel7: RHEL-07-040710
+ stigid@ol7: OL07-00-040710
srg: SRG-OS-000480-GPOS-00227
disa: CCI-000366
nist: CM-6(b)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
index 87c3cb7f5a..5683676bfc 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
@@ -23,7 +23,6 @@ identifiers:
cce@sle12: CCE-83017-4
references:
- stigid@ol7: OL07-00-040710
cui: 3.1.13
disa: CCI-000366
nist: CM-6(a),AC-17(a),AC-17(2)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
index 50c7d689af..42cb32e30e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,rhel7,rhel8,wrlinux1019,wrlinux8
+prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019,wrlinux8
title: 'Use Only FIPS 140-2 Validated Ciphers'
@@ -51,7 +51,6 @@ identifiers:
cce@rhel8: CCE-81032-5
references:
- stigid@ol7: OL07-00-040110
cis: 5.2.10
cjis: 5.5.6
cui: 3.1.13,3.13.11,3.13.8
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
index 0751064179..73de17af35 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7
+prodtype: ol7,rhel7
title: 'Use Only FIPS 140-2 Validated Ciphers'
@@ -32,6 +32,7 @@ references:
disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
stigid@rhel7: RHEL-07-040110
+ stigid@ol7: OL07-00-040110
ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
index c490756daf..13997f9418 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ol7,rhel7,rhel8,sle12,wrlinux1019
+prodtype: ol7,ol8,rhel7,rhel8,sle12,wrlinux1019
title: 'Use Only FIPS 140-2 Validated MACs'
@@ -46,7 +46,6 @@ identifiers:
cce@sle12: CCE-83036-4
references:
- stigid@ol7: OL07-00-040400
cis: 5.2.12
cui: 3.1.13,3.13.11,3.13.8
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
index 88d2d77e14..bd597f0860 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhel7
+prodtype: ol7,rhel7
title: 'Use Only FIPS 140-2 Validated MACs'
@@ -25,6 +25,7 @@ references:
disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
stigid@rhel7: RHEL-07-040400
+ stigid@ol7: OL07-00-040400
ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
index 7267d2443a..b0fe065d86 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
@@ -26,6 +26,7 @@ identifiers:
references:
srg: SRG-OS-000480-GPOS-00227
stig@rhel7: RHEL-07-040711
+ stig@ol7: OL07-00-040711
disa: CCI-000366
nist: CM-6(b)
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 820a942220..dfcbbafd17 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -36,4 +36,4 @@ ocil_clause: 'the group ownership is incorrect'
ocil: |-
To verify the assigned home directory of all interactive users is group-
owned by that users primary GID, run the following command:
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
+ <pre># ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd)</pre>
diff --git a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
index 7d5778d4f6..37cb36cda3 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_ownership_home_directories/rule.yml
@@ -30,4 +30,4 @@ ocil_clause: 'the user ownership is incorrect'
ocil: |-
To verify the home directory ownership, run the following command:
- <pre>$ sudo ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)</pre>
+ <pre># ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd)</pre>