From 2ed874d54b70c486cbe675be8c0eff8dde11eeeb Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 13 Mar 2020 09:49:38 +0100 Subject: [PATCH 001/403] update list of contributors --- Contributors.md | 6 +++++- Contributors.xml | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/Contributors.md b/Contributors.md index 8f14f977aa7a..0051d7077b1d 100644 --- a/Contributors.md +++ b/Contributors.md @@ -1,5 +1,5 @@ The following people have contributed to the SCAP Security Guide project @@ -82,6 +82,7 @@ The following people have contributed to the SCAP Security Guide project * Šimon Lukašík * Milan Lysonek * Fredrik Lysén +* Caitlin Macleod * Matus Marhefka * Jamie Lorwey Martin * Robert McAllister @@ -111,6 +112,7 @@ The following people have contributed to the SCAP Security Guide project * Frank Lin PIAT * Stefan Pietsch * Vojtech Polasek +* Orion Poplawski * Martin Preisler * Wesley Ceraso Prudencio * Raphael Sanchez Prudencio @@ -122,6 +124,8 @@ The following people have contributed to the SCAP Security Guide project * rhayes * Pat Riehecky * rlucente-se-jboss +* Juan Antonio Osorio Robles +* Matt Rogers * Jesse Roland * Joshua Roys * rrenshaw diff --git a/Contributors.xml b/Contributors.xml index b139f3c1d37b..98839048a321 100644 --- a/Contributors.xml +++ b/Contributors.xml @@ -1,5 +1,5 @@ @@ -80,6 +80,7 @@ Last Modified: 2020-01-15 16:49 Šimon Lukašík <slukasik@redhat.com> Milan Lysonek <mlysonek@redhat.com> Fredrik Lysén <fredrik@pipemore.se> +Caitlin Macleod <caitelatte@gmail.com> Matus Marhefka <mmarhefk@redhat.com> Jamie Lorwey Martin <jlmartin@redhat.com> Robert McAllister <rmcallis@redhat.com> @@ -109,6 +110,7 @@ Last Modified: 2020-01-15 16:49 Frank Lin PIAT <fpiat@klabs.be> Stefan Pietsch <mail.ipv4v6+gh@gmail.com> Vojtech Polasek <vpolasek@redhat.com> +Orion Poplawski <orion@nwra.com> Martin Preisler <mpreisle@redhat.com> Wesley Ceraso Prudencio <wcerasop@redhat.com> Raphael Sanchez Prudencio <rsprudencio@redhat.com> 
@@ -120,6 +122,8 @@ Last Modified: 2020-01-15 16:49 rhayes <rhayes@rivierautilities.com> Pat Riehecky <riehecky@fnal.gov> rlucente-se-jboss <rlucente@redhat.com> +Juan Antonio Osorio Robles <jaosorior@redhat.com> +Matt Rogers <mrogers@redhat.com> Jesse Roland <j.roland277@gmail.com> Joshua Roys <roysjosh@gmail.com> rrenshaw <bofh69@yahoo.com> From 2db65dcb0b853ab2b34b327c64accc5961c32161 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Mon, 11 May 2020 10:49:27 +0200 Subject: [PATCH 002/403] Merge pull request #5747 from jan-cerny/i5730 Fix incomplete temporary file (cherry picked from commit 9972e3ab5055e9a3dd3cc72af7e8ce3efed7d62b) --- tests/test_suite.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/test_suite.py b/tests/test_suite.py index ba54b850fa58..7babe1a5dcb4 100755 --- a/tests/test_suite.py +++ b/tests/test_suite.py @@ -275,6 +275,7 @@ def datastream_in_stash(current_location): tfile = tempfile.NamedTemporaryFile(prefix="ssgts-ds-") tfile.write(open(current_location, "rb").read()) + tfile.flush() yield tfile.name From b596b449ef2d5823c095fd341a5b11a8e9f766b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 11 May 2020 19:44:37 +0200 Subject: [PATCH 003/403] Merge pull request #5726 from ggbecker/fix-lint-issues Fix Ansible linting issues [E206] (cherry picked from commit 176ac7f48a32cf88a30885a776ec5096714cfbf0) --- shared/macros-ansible.jinja | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index 7b64341fb785..56a3f5f3ec45 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja 
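Review bot: The source file opened on the context line just above the added flush is never closed — `tfile.write(open(current_location, "rb").read())` hands the handle to the garbage collector, and on CPython that only works by accident of refcounting. Since this copy is already being touched, I would close the source explicitly and stream it instead of slurping the whole datastream into memory: `with open(current_location, "rb") as src:` / `shutil.copyfileobj(src, tfile)` / `tfile.flush()`. The flush itself is the right fix for the incomplete-file symptom, because `yield tfile.name` hands out the path while the NamedTemporaryFile object is still open and its buffered tail would otherwise be invisible to whatever reads that path. datastream_in_stash begins outside the hunk, so I cannot see whether `shutil` is already imported by this module.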
@@ -383,7 +383,7 @@ See official documentation: https://jinja.palletsprojects.com/en/2.11.x/template loop: "{{ syscalls }}" - name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/rules.d/ - set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}" + set_fact: audit_syscalls_matched_{{{ arch }}}_rules_d="{{ audit_syscalls_found_{{{ arch }}}_rules_d.results|sum(attribute='matched')|int }}" - name: Search /etc/audit/rules.d for other rules with the key {{{ key }}} find: @@ -409,7 +409,7 @@ See official documentation: https://jinja.palletsprojects.com/en/2.11.x/template - name: "Construct rule: add rule list, action and arch" set_fact: tmpline="-a always,exit -F arch={{{ arch }}}" - name: "Construct rule: add syscalls" - set_fact: tmpline="{{tmpline + ' -S ' + item.item }}" + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" loop: "{{ audit_syscalls_found_{{{ arch }}}_rules_d.results }}" when: item.matched is defined and item.matched == 0 - name: "Construct rule: add fields and key" 
@@ -459,14 +459,14 @@ See official documentation: https://jinja.palletsprojects.com/en/2.11.x/template loop: "{{ syscalls }}" - name: Get number of matched syscalls for architecture {{{ arch }}} in /etc/audit/audit.rules - set_fact: audit_syscalls_matched_{{{ arch }}}_audit_rules="{{audit_syscalls_found_{{{ arch }}}_audit_rules.results|sum(attribute='matched')|int }}" + set_fact: audit_syscalls_matched_{{{ arch }}}_audit_rules="{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results|sum(attribute='matched')|int }}" - name: Insert the syscall rule in /etc/audit/audit.rules block: - name: "Construct rule: add rule list, action and arch" set_fact: tmpline="-a always,exit -F arch={{{ arch }}}" - name: "Construct rule: add syscalls" - set_fact: tmpline="{{tmpline + ' -S ' + item.item }}" + set_fact: tmpline="{{ tmpline + ' -S ' + item.item }}" loop: "{{ audit_syscalls_found_{{{ arch }}}_audit_rules.results }}" when: item.matched is defined and item.matched == 0 - name: "Construct rule: add fields and key" From 790c7b4b94fc93c2d8104bff2a6b510944fa8082 Mon Sep 17 00:00:00 2001 From: Watson Yuuma Sato Date: Mon, 11 May 2020 15:18:55 +0200 Subject: [PATCH 004/403] Merge pull request #5740 from vojtapolasek/fix_release_documentation Fix release documentation and fix generation of release notes (cherry picked from commit 400262c787ab42462349582f42374a8623b1bc10) --- release_tools/README.adoc | 19 +++++++++++-------- release_tools/content_gh.py | 4 +++- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/release_tools/README.adoc b/release_tools/README.adoc index 2e4618fed8da..71cc16f677a0 100644 --- a/release_tools/README.adoc +++ b/release_tools/README.adoc @@ -1,6 +1,6 @@ = How to perform a semi-automatic release = -The scripts in this folder automates some processes of the release. +The scripts in this folder automate some processes of the release. === Dependencies === 
@@ -22,23 +22,26 @@ authentication tokens for these services. check your *profile page* in Jenkins. * A Jenkins token - generate a token on *Configure page* in Jenkins -* Create `.env` file in `release_tools` directory, to hold your tokens: +* Create `.env.yml` file in `release_tools` directory, to hold your tokens: + - GITHUB_TOKEN='' - JENKINS_USER='' - JENKINS_TOKEN='' + github_token: '' + jenkins_user: '' + jenkins_token: '' + +Your Jenkins user needs to have a special permission to perform the build successfully. This permission is not granted automatically to all users. If you want to perform build and you don't have this permission, please contact one of link:https://github.com/orgs/ComplianceAsCode/teams/trusted-developers[trusted developers]. [NOTE] ==== You can also use your own fork of the project to test and debug the release tools, define in `.env` file the owner and name of the repo to use. - OWNER="--owner " # your github user name - REPO="--repo " # your clone's repo name + owner: "--owner " # your github user name + repo: "--repo " # your clone's repo name ==== === Before the release === +* Make sure that the `build` directory is empty * Make sure the version in `CMakeLists.txt` is correct, i.e.: the version corresponds to an unreleased version number. * Run `PYTHONPATH=. utils/generate_contributors.py` to update the contributors list. + 
@@ -60,7 +63,7 @@ The script will verify the status of a few Jenkins jobs: * link:https://jenkins.complianceascode.io/job/scap-security-guide-scapval-scap-1.2/[SCAPVal 1.2] * link:https://jenkins.complianceascode.io/job/scap-security-guide-scapval-scap-1.3/[SCAPVal 1.3] * link:https://jenkins.complianceascode.io/job/scap-security-guide-nightly-zip/[Nightly zip] -* https://jenkins.complianceascode.io/job/scap-security-guide-nightly-oval510-zip/[Nightly OVAl 5.10 zip] +* link:https://jenkins.complianceascode.io/job/scap-security-guide-nightly-oval510-zip/[Nightly OVAl 5.10 zip] Although these jobs probably have run against `master`, they are a good indicator of problems in the project. diff --git a/release_tools/content_gh.py b/release_tools/content_gh.py index 4d7f3132dcb2..4f1f327e6c2e 100755 --- a/release_tools/content_gh.py +++ b/release_tools/content_gh.py @@ -101,7 +101,9 @@ def generate_release_notes(repo, args): for changed_file in changed_files: changed_filename = changed_file.filename - if ".profile" in changed_filename: + # do not include files from profile_stability folder + # they are part of testing mechanisms + if ".profile" in changed_filename and "profile_stability" not in changed_filename: # Track changes to product:profile profile_match = re.match(r"(\w+)/profiles/([\w-]+).profile", changed_filename) product, profile = profile_match.groups() From dc878781348cce5be3489b6b0c01f87215634555 Mon Sep 17 00:00:00 2001 
From: vojtapolasek Date: Tue, 12 May 2020 14:45:20 +0200 Subject: [PATCH 005/403] Merge pull request #5752 from yuumasato/ansible_noexec_option Ansible template mount options: avoid duplicating options and extend system default when appropriate (cherry picked from commit b6945650fa15d5633c589bb86482cb2ecf9dae84) --- docs/manual/developer_guide.adoc | 2 +- .../tests/entry_in_fstab.fail.sh | 3 +++ .../tests/multiple_entries_in_mtab.fail.sh | 1 - .../tests/no_entry_in_fstab.fail.sh | 4 ++++ shared/templates/template_ANSIBLE_mount_option | 14 +++++++++++--- 5 files changed, 19 insertions(+), 5 deletions(-) create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc index 9d73e870f936..74fc869c519f 100644 --- a/docs/manual/developer_guide.adoc +++ b/docs/manual/developer_guide.adoc 
@@ -1574,7 +1574,7 @@ mount_option:: ** *mountoption* - mount option, eg. `nosuid` ** *filesystem* - filesystem in `/etc/fstab`, eg. `tmpfs`. Used only in Bash remediation. ** *type* - filesystem type. Used only in Bash remediation. -** *mount_has_to_exist* - Used only in Bash remediation. Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`. +** *mount_has_to_exist* - Specifies if the *mountpoint* entry has to exist in `/etc/fstab` before the remediation is executed. If set to `yes` and the *mountpoint* entry is not present in `/etc/fstab` the Bash remediation terminates. If set to `no` the *mountpoint* entry will be created in `/etc/fstab`. * Languages: Anaconda, Ansible, Bash, OVAL mount_option_remote_filesystems:: diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh new file mode 100644 index 000000000000..515d690e1fe4 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/entry_in_fstab.fail.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +echo "tmpfs /dev/shm tmpfs rw,seclabel,nodev,nosuid 0 0" >> /etc/fstab diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh index dd56f9bb6c15..d7721b791dbb 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/multiple_entries_in_mtab.fail.sh 
@@ -1,5 +1,4 @@ #!/bin/bash -# profiles = xccdf_org.ssgproject.content_profile_ospp cat /etc/mtab > /etc/mtab.old # destroy symlink diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh new file mode 100644 index 000000000000..f484a3614c87 --- /dev/null +++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/tests/no_entry_in_fstab.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +# make sure there is no entry for /dev/shm +sed -i '/\/dev\/shm/d' /etc/fstab diff --git a/shared/templates/template_ANSIBLE_mount_option b/shared/templates/template_ANSIBLE_mount_option index cfb55859acda..95bede25f9a6 100644 --- a/shared/templates/template_ANSIBLE_mount_option +++ b/shared/templates/template_ANSIBLE_mount_option @@ -3,13 +3,20 @@ # strategy = configure # complexity = low # disruption = high -- name: get back mount information associated to mountpoint - command: findmnt --fstab '{{{ MOUNTPOINT }}}' + +{{% if MOUNT_HAS_TO_EXIST == "no" %}} + {{% set TABFILE="" %}} +{{% else %}} + {{% set TABFILE="--fstab" %}} +{{% endif %}} + +- name: Check information associated to mountpoint + command: findmnt {{{ TABFILE }}} '{{{ MOUNTPOINT }}}' register: device_name failed_when: device_name.rc > 1 changed_when: False -- name: create mount_info dictionary variable +- name: Create mount_info dictionary variable set_fact: mount_info: "{{ mount_info|default({})|combine({item.0: item.1}) }}" with_together: @@ -27,5 +34,6 @@ state: "mounted" fstype: "{{ mount_info.fstype }}" when: + - mount_info is defined and "{{{ MOUNTOPTION }}}" not in mount_info.options - device_name.stdout is defined - (device_name.stdout | length > 0) From 96235393065dba4b454de089aae9931db061bc1b Mon Sep 17 00:00:00 2001 
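Review bot: The added `when:` condition `"{{{ MOUNTOPTION }}}" not in mount_info.options` compares against the raw findmnt OPTIONS string, so it is a substring test rather than an option test — with options `rw,noexec,nosuid` an option such as `exec` or `suid` would be reported as already present and the mount task skipped; for the `no*` options this template is probably used with it happens to be harmless, but splitting on commas makes it exact: `- '"{{{ MOUNTOPTION }}}" not in mount_info.options.split(",")'` (keeping the `mount_info is defined` guard in front of it). Separately, when MOUNT_HAS_TO_EXIST is `no` the first task now queries the live mount table without `--fstab`, so a mountpoint that is neither mounted nor listed in fstab produces empty stdout and the mount task is skipped by `device_name.stdout | length > 0`; the remediation then reports nothing changed while the system stays non-compliant, and the developer guide's promise that the entry "will be created" does not hold for Ansible. That limitation deserves a comment next to the `TABFILE` selection, e.g. `# without --fstab an unmounted, unlisted mountpoint yields no output and is left untouched`. The mount task itself starts before this hunk.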
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= Date: Wed, 13 May 2020 10:30:41 +0200 Subject: [PATCH 006/403] Merge pull request #5755 from yuumasato/rpm_verify_permissions_warning Warn about findings from rpm_verify_permissions and rpm_verify_ownership (cherry picked from commit 23af201d829c26d8fde1fc01adbeaf6adf483c70) --- .../rpm_verification/rpm_verify_ownership/rule.yml | 7 ++++++- .../rpm_verification/rpm_verify_permissions/rule.yml | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml index 7ae3f61919c7..e353ecef4c48 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml @@ -58,8 +58,13 @@ ocil: |- is expected by the RPM database:
$ rpm -Va | rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
-{{% if product == "rhel6" %}} warnings: + - general: |- + Profiles may require that specific files be owned by root while the default owner defined + by the vendor is different. + Such files will be reported as a finding and need to be evaluated according to your policy + and deployment environment. +{{% if product == "rhel6" %}} - general: |- Note: Due to a bug in the gdm package, the RPM verify command may continue to fail even after file permissions have diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml index 863e2d05a35d..677a239f3a37 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml @@ -67,8 +67,13 @@ ocil: |- is expected by the RPM database:
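Review bot: The OCIL command kept as context in this hunk, `$ rpm -Va | rpm -Va --nofiledigest | awk ...`, runs a full `rpm -Va` whose output is piped into a second `rpm -Va` that never reads stdin, so the slow digest-checking pass is wasted and the assessor waits roughly twice as long for the same list. Unless the leading `rpm -Va |` is an extraction artefact of this page, the line should read `$ rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'`, matching the single-pass form used in the sibling rpm_verify_permissions rule. Worth fixing while the warnings block of this rule is being edited.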
$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
-{{% if product == "rhel6" %}} warnings: + - general: |- + Profiles may require that specific files have stricter file permissions than defined by the + vendor. + Such files will be reported as a finding and need to be evaluated according to your policy + and deployment environment. +{{% if product == "rhel6" %}} - general: |- Note: Due to a bug in the gdm package, the RPM verify command may continue to fail even after file permissions have From 9ade722c5c1993f869e2e2f99963501891c763a7 Mon Sep 17 00:00:00 2001 From: Watson Yuuma Sato Date: Thu, 14 May 2020 14:54:09 +0200 Subject: [PATCH 007/403] Merge pull request #5756 from vojtapolasek/fix_ansible_grub2_template fix grub2_bootloader_argument template (cherry picked from commit 3e1fae95831bb30a06de468ee8c0dcbd9ac1a8f6) --- .../tests/double_value_rhel7.fail.sh | 14 ++++++++++++++ .../tests/double_value_rhel8.fail.sh | 13 +++++++++++++ .../tests/correct_grubby.pass.sh | 13 +++++++++++++ .../tests/correct_grubenv.pass.sh | 4 ++++ .../tests/wrong_value_etcdefaultgrub.fail.sh | 11 +++++++++++ .../tests/wrong_value_rhel8.fail.sh | 12 ++++++++++++ .../template_ANSIBLE_grub2_bootloader_argument | 3 ++- .../template_BASH_grub2_bootloader_argument | 4 +++- .../template_OVAL_grub2_bootloader_argument | 2 +- 9 files changed, 73 insertions(+), 3 deletions(-) create mode 100644 linux_os/guide/system/auditing/grub2_audit_argument/tests/double_value_rhel7.fail.sh create mode 100644 linux_os/guide/system/auditing/grub2_audit_argument/tests/double_value_rhel8.fail.sh create mode 100644 linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubby.pass.sh create mode 100644 linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubenv.pass.sh create mode 100644 linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_etcdefaultgrub.fail.sh create mode 100644 linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_rhel8.fail.sh 
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/tests/double_value_rhel7.fail.sh b/linux_os/guide/system/auditing/grub2_audit_argument/tests/double_value_rhel7.fail.sh
new file mode 100644
index 000000000000..f110dcadd1fc
--- /dev/null
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/tests/double_value_rhel7.fail.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# platform = Red Hat Enterprise Linux 7
+
+# Break the audit argument in kernel command line in /boot/grub2/grub.cfg
+file="/boot/grub2/grub.cfg"
+if grep -q '^.*audit=.*' "$file" ; then
+ # modify the GRUB command-line if an audit= arg already exists
+ sed -i 's/\(^.*\)audit=[^[:space:]]*\(.*\)/\1 audit=11 \2/' "$file"
+else
+ # no audit=arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 audit=11/' "$file"
+fi
+
diff --git a/linux_os/guide/system/auditing/grub2_audit_argument/tests/double_value_rhel8.fail.sh b/linux_os/guide/system/auditing/grub2_audit_argument/tests/double_value_rhel8.fail.sh
new file mode 100644
index 000000000000..a265a281e5f4
--- /dev/null
+++ b/linux_os/guide/system/auditing/grub2_audit_argument/tests/double_value_rhel8.fail.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+# platform = Red Hat Enterprise Linux 8
+
+# Break the audit argument in kernel command line in /boot/grub2/grubenv
+file="/boot/grub2/grubenv"
+if grep -q '^.*audit=.*' "$file" ; then
+ # modify the GRUB command-line if an audit= arg already exists
+ sed -i 's/\(^.*\)audit=[^[:space:]]*\(.*\)/\1 audit=11 \2/' "$file"
+else
+ # no audit=arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 audit=11/' "$file"
+fi
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubby.pass.sh b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubby.pass.sh
new file mode 100644
index 000000000000..9d14460692a1
--- /dev/null
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubby.pass.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+# Correct the form of default kernel command line in GRUB /etc/default/grub and applies value through Grubby
+if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an audit_backlog_limit= arg already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit_backlog_limit=[^[:space:]]*\(.*"\)/\1 audit_backlog_limit=8192 \2/' '/etc/default/grub'
+else
+ # no audit_backlog_limit=arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit_backlog_limit=8192"/' '/etc/default/grub'
+fi
+
+grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubenv.pass.sh b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubenv.pass.sh
new file mode 100644
index 000000000000..3648f21559e9
--- /dev/null
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/correct_grubenv.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit_backlog_limit=8192"
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_etcdefaultgrub.fail.sh b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_etcdefaultgrub.fail.sh
new file mode 100644
index 000000000000..347ee6c3ed5b
--- /dev/null
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_etcdefaultgrub.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 7
+
+# Break the audit_backlog_limit argument in kernel command line in /etc/default/grub
+if grep -q '^GRUB_CMDLINE_LINUX=.*audit_backlog_limit=.*"' '/etc/default/grub' ; then
+ # modify the GRUB command-line if an audit_backlog_limit= arg already exists
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)audit_backlog_limit=[^[:space:]]*\(.*"\)/\1 audit_backlog_limit=123 \2/' '/etc/default/grub'
+else
+ # no audit_backlog_limit=arg is present, append it
+ sed -i 's/\(^GRUB_CMDLINE_LINUX=".*\)"/\1 audit_backlog_limit=123"/' '/etc/default/grub'
+fi
diff --git a/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_rhel8.fail.sh b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_rhel8.fail.sh
new file mode 100644
index 000000000000..921c9db9979b
--- /dev/null
+++ b/linux_os/guide/system/auditing/grub2_audit_backlog_limit_argument/tests/wrong_value_rhel8.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 8
+
+# Break the audit_backlog_limit argument in kernel command line in /boot/grub2/grubenv
+file="/boot/grub2/grubenv"
+if grep -q '^.*audit_backlog_limit=.*' "$file" ; then
+ # modify the GRUB command-line if an audit_backlog_limit= arg already exists
+ sed -i 's/\(^.*\)audit_backlog_limit=[^[:space:]]*\(.*\)/\1 audit_backlog_limit=123 \2/' "$file"
+else
+ # no audit_backlog_limit=arg is present, append it
+ sed -i 's/\(^.*\(vmlinuz\|kernelopts\).*\)/\1 audit_backlog_limit=123/' "$file"
+fi
diff --git a/shared/templates/template_ANSIBLE_grub2_bootloader_argument b/shared/templates/template_ANSIBLE_grub2_bootloader_argument
index e3549dcc3e86..6f01abc6de13 100644
--- a/shared/templates/template_ANSIBLE_grub2_bootloader_argument
+++ b/shared/templates/template_ANSIBLE_grub2_bootloader_argument
@@ -13,7 +13,7 @@ - name: replace existing {{{ ARG_NAME }}} argument replace: path: /etc/default/grub - regexp: '{{{ ARG_NAME }}}=.' + regexp: '{{{ ARG_NAME }}}=\w+' replace: '{{{ ARG_NAME_VALUE }}}' when: argcheck.rc == 0 @@ -40,5 +40,6 @@ when: - kernelopts.stdout_lines is defined - kernelopts.stdout_lines | length > 0 + - kernelopts.stdout | regex_search('^kernelopts=(?:.*\s)?{{{ ARG_NAME_VALUE }}}(?:\s.*)?$', multiline=True) is none {{% endif %}} diff --git a/shared/templates/template_BASH_grub2_bootloader_argument b/shared/templates/template_BASH_grub2_bootloader_argument index 65d851f6448b..b7478d3e478d 100644 --- a/shared/templates/template_BASH_grub2_bootloader_argument +++ b/shared/templates/template_BASH_grub2_bootloader_argument @@ -14,5 +14,7 @@ fi grubby --update-kernel=ALL --args="{{{ ARG_NAME_VALUE }}}" {{% else %}} # Correct grub2 kernelopts value using grub2-editenv -grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ ARG_NAME_VALUE }}}" +if ! grub2-editenv - list | grep -qE '^kernelopts=(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$'; then + grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) {{{ ARG_NAME_VALUE }}}" +fi {{% endif %}} diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument index aaaa0393b0e0..ca062ad65f7d 100644 --- a/shared/templates/template_OVAL_grub2_bootloader_argument +++ b/shared/templates/template_OVAL_grub2_bootloader_argument @@ -92,7 +92,7 @@ - ^.*{{{ ESCAPED_ARG_NAME_VALUE }}}.*$ + ^(?:.*\s)?{{{ ESCAPED_ARG_NAME_VALUE }}}(?:\s.*)?$ From 284cbb76e1e8fbdae554c72cda70b2e66a9e18ef Mon Sep 17 00:00:00 2001 
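Review bot: In the BASH template's grub2-editenv branch the new guard only checks for the exact `{{{ ARG_NAME_VALUE }}}`, so a kernelopts line that already carries a different value for the same argument (precisely the `audit_backlog_limit=123` state the new wrong_value_rhel8 test creates) gets the wanted value appended after it instead of replaced, leaving two `{{{ ARG_NAME }}}=` tokens on the kernel command line; the tightened OVAL regex passes because it only requires one occurrence, but the effective setting then rests on kernel last-wins parsing and anyone auditing grubenv sees conflicting values. The `/etc/default/grub` branch already replaces via `regexp: '{{{ ARG_NAME }}}=\w+'` (note `\w+` will not consume values containing `.`, `,` or `-`, `\S+` would), so the kernelopts branch should strip the stale token before appending, as sketched below. The value is also interpolated into a grep ERE unescaped while the OVAL template has an `ESCAPED_ARG_NAME_VALUE` for exactly that purpose, and `grep kernelopts` is unanchored. The Ansible kernelopts task body lies outside this hunk, but its new `when:` performs the same exact-value-only check and presumably the same append.
```shell
# Correct grub2 kernelopts value using grub2-editenv
kernelopts="$(grub2-editenv - list | grep '^kernelopts=')"
if ! grep -qE '^kernelopts=(.*\s)?{{{ ARG_NAME_VALUE }}}(\s.*)?$' <<< "$kernelopts"; then
    # drop any stale {{{ ARG_NAME }}}=<other value> so the argument appears exactly once
    kernelopts="$(sed -E 's/(^kernelopts=|\s){{{ ARG_NAME }}}=\S*/\1/g' <<< "$kernelopts")"
    grub2-editenv - set "$kernelopts {{{ ARG_NAME_VALUE }}}"
fi
```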
From: vojtapolasek Date: Fri, 15 May 2020 11:48:17 +0200 Subject: [PATCH 008/403] Merge pull request #5760 from vojtapolasek/contributors_v0.1.50 update contributors for 0.1.50 (cherry picked from commit 28b1ea804a70cdfc1c8e5b22ab72381be1b961ae) --- Contributors.md | 10 +++++++++- Contributors.xml | 10 +++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/Contributors.md b/Contributors.md index 0051d7077b1d..924b70d159b9 100644 --- a/Contributors.md +++ b/Contributors.md @@ -1,5 +1,5 @@ The following people have contributed to the SCAP Security Guide project @@ -7,10 +7,12 @@ The following people have contributed to the SCAP Security Guide project * Frank J Cameron (CAM1244) * 0x66656c6978 <0x66656c6978@users.noreply.github.com> +* Jack Adolph * Gabe Alford * Firas AlShafei * Christopher Anderson * angystardust +* anixon-rh <55244503+anixon-rh@users.noreply.github.com> * Chuck Atkins * Ryan Ballanger * Alex Baranowski @@ -40,12 +42,14 @@ The following people have contributed to the SCAP Security Guide project * drax * Sebastian Dunne * Greg Elin +* eradot4027 * Alexis Facques * Leah Fisher * Alijohn Ghassemlouei * ghylock * Andrew Gilmore * Joshua Glemza +* Nick Gompper * Loren Gordon * Patrik Greco * Steve Grubb @@ -57,6 +61,7 @@ The following people have contributed to the SCAP Security Guide project * John Hooks * Jakub Hrozek * De Huo +* Ultra IA <42849651+cyarbrough76@users.noreply.github.com> * Robin Price II * Yasir Imam * Jiri Jaburek @@ -76,6 +81,7 @@ The following people have contributed to the SCAP Security Guide project * kspargur * Amit Kumar * Fen Labalme +* Christopher Lee * Ian Lee * Jarrett Lee * Jan Lieskovsky @@ -113,6 +119,7 @@ The following people have contributed to the SCAP Security Guide project * Stefan Pietsch * Vojtech Polasek * Orion Poplawski +* Nick Poyant * Martin Preisler * Wesley Ceraso Prudencio * Raphael Sanchez Prudencio 
@@ -161,6 +168,7 @@ The following people have contributed to the SCAP Security Guide project * Shawn Wells * Daniel E. White * Roy Williams +* Willumpie * Rob Wilmoth * Lucas Yamanishi * Xirui Yang diff --git a/Contributors.xml b/Contributors.xml index 98839048a321..49b13f78c1f9 100644 --- a/Contributors.xml +++ b/Contributors.xml @@ -1,14 +1,16 @@ Frank J Cameron (CAM1244) <cameron@ctc.com> 0x66656c6978 <0x66656c6978@users.noreply.github.com> +Jack Adolph <jack.adolph@gmail.com> Gabe Alford <redhatrises@gmail.com> Firas AlShafei <firas.alshafei@us.abb.com> Christopher Anderson <cba@fedoraproject.org> angystardust <angystardust@users.noreply.github.com> +anixon-rh <55244503+anixon-rh@users.noreply.github.com> Chuck Atkins <chuck.atkins@kitware.com> Ryan Ballanger <root@rballang-admin-2.fastenal.com> Alex Baranowski <alex@euro-linux.com> @@ -38,12 +40,14 @@ Last Modified: 2020-03-13 09:45 drax <applezip@gmail.com> Sebastian Dunne <sdunne@redhat.com> Greg Elin <gregelin@gitmachines.com> +eradot4027 <jrtonmac@gmail.com> Alexis Facques <alexis.facques@mythalesgroup.io> Leah Fisher <lfisher047@gmail.com> Alijohn Ghassemlouei <alijohn.ghassemlouei@sapns2.com> ghylock <ghylock@gmail.com> Andrew Gilmore <agilmore2@gmail.com> Joshua Glemza <jglemza@nasa.gov> +Nick Gompper <forestgomp@yahoo.com> Loren Gordon <lorengordon@users.noreply.github.com> Patrik Greco <sikevux@sikevux.se> Steve Grubb <sgrubb@redhat.com> @@ -55,6 +59,7 @@ Last Modified: 2020-03-13 09:45 John Hooks <jhooks@starscream.pa.jhbcomputers.com> Jakub Hrozek <jhrozek@redhat.com> De Huo <De.Huo@windriver.com> +Ultra IA <42849651+cyarbrough76@users.noreply.github.com> Robin Price II <robin@redhat.com> Yasir Imam <yimam@redhat.com> Jiri Jaburek <jjaburek@redhat.com> 
@@ -74,6 +79,7 @@ Last Modified: 2020-03-13 09:45 kspargur <kspargur@kspargur.csb> Amit Kumar <amitkuma@redhat.com> Fen Labalme <fen@civicactions.com> +Christopher Lee <Crleekwc@gmail.com> Ian Lee <lee1001@llnl.gov> Jarrett Lee <jarrettl@umd.edu> Jan Lieskovsky <jlieskov@redhat.com> @@ -111,6 +117,7 @@ Last Modified: 2020-03-13 09:45 Stefan Pietsch <mail.ipv4v6+gh@gmail.com> Vojtech Polasek <vpolasek@redhat.com> Orion Poplawski <orion@nwra.com> +Nick Poyant <npoyant@redhat.com> Martin Preisler <mpreisle@redhat.com> Wesley Ceraso Prudencio <wcerasop@redhat.com> Raphael Sanchez Prudencio <rsprudencio@redhat.com> @@ -159,6 +166,7 @@ Last Modified: 2020-03-13 09:45 Shawn Wells <shawn@redhat.com> Daniel E. White <linuxdan@users.noreply.github.com> Roy Williams <roywilli@roywilli.redhat.com> +Willumpie <willumpie@xs4all.nl> Rob Wilmoth <rwilmoth@redhat.com> Lucas Yamanishi <lucas.yamanishi@onyxpoint.com> Xirui Yang <xirui.yang@oracle.com> From 3f0ae8bcd20c3c595d39dbd0b5e8d972d9b32dc2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 8 Jul 2020 17:04:51 +0200 Subject: [PATCH 009/403] Merge pull request #5911 from vojtapolasek/fix_selinux_device_labels fix rule selinux_all_devicefiles_labeled (cherry picked from commit 9eb4dcebc76f6c2c3129678d522497b5fceee6a4) --- .../oval/shared.xml | 64 +++++++++++++------ .../selinux_all_devicefiles_labeled/rule.yml | 19 +++--- .../tests/block_device_device_t.fail.sh | 4 ++ .../tests/char_device_unlabeled_t.fail.sh | 14 ++++ .../tests/regular_file_device_t.pass.sh | 4 ++ .../tests/symlink_with_wrong_label.pass.sh | 4 ++ 6 files changed, 80 insertions(+), 29 deletions(-) create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh create mode 100644 linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml index 51b68008af37..7dcfb985779d 100644 --- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml +++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml 
@@ -2,32 +2,54 @@ Device Files Have Proper SELinux Context - - Red Hat Enterprise Linux 6 - Red Hat Enterprise Linux 7 - Red Hat Enterprise Linux 8 - Red Hat Virtualization 4 - multi_platform_fedora - multi_platform_ol - multi_platform_wrlinux - - All device files in /dev should be assigned an SELinux security context other than 'device_t'. + {{{- oval_affected(products) }}} + All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'. - - + + + - - - + + + + + /dev + ^.*$ + state_block_or_char_device_file + + + + ^(block|character) special$ + + + + + + + + + + - - - /dev - ^.*$ - state_selinux_all_devicefiles_labeled + + + state_selinux_dev_device_t - + device_t + + + + + + + + state_selinux_dev_unlabeled_t + + + unlabeled_t + + diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml index 765fca583e35..1667557740ea 100644 --- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml +++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml @@ -6,18 +6,20 @@ title: 'Ensure No Device Files are Unlabeled by SELinux' description: |- Device files, which are used for communication with important system - resources, should be labeled with proper SELinux types. If any device - files do not carry the SELinux type device_t, report the bug so - that policy can be corrected. Supply information about what the device is - and what programs use it. + resources, should be labeled with proper SELinux types. If any device files + carry the SELinux type device_t or unlabeled_t, report the + bug so that policy can be corrected. Supply information about what the + device is and what programs use it.

- To check for unlabeled device files, run the following command: + To check for incorrectly labeled device files, run following commands:
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
+
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system. rationale: |- - If a device file carries the SELinux type device_t, then SELinux - cannot properly restrict access to the device file. + If a device file carries the SELinux type device_t or + unlabeled_t, then SELinux cannot properly restrict access to the + device file. severity: medium @@ -45,8 +47,9 @@ references: ocil_clause: 'there is output' ocil: |- - To check for unlabeled device files, run the following command: + To check for incorrectly labeled device files, run following commands:
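Review bot: The added check command `$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"` leaves the `-context` pattern unquoted, so the shell applies pathname expansion to `*:unlabeled_t:*` before find sees it; with default bash options the literal survives only because nothing in the current directory matches, and with `failglob`/`nullglob` set, or a stray matching file name, the command errors out or silently changes meaning. Quoting the pattern, `$ sudo find /dev -context '*:unlabeled_t:*' \( -type c -o -type b \) -printf "%p %Z\n"`, makes the documented command deterministic; the pre-existing device_t line above it has the same issue, and the ocil hunk below repeats both commands verbatim. The new intro sentence in both hunks also reads `run following commands:` and should be `run the following commands:`.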
$ sudo find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
+
$ sudo find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
It should produce no output in a well-configured system. warnings: diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh new file mode 100644 index 000000000000..08c4142e5b75 --- /dev/null +++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/block_device_device_t.fail.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +mknod /dev/foo b 1 5 +chcon -t device_t /dev/foo diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh new file mode 100644 index 000000000000..1da85c2034b3 --- /dev/null +++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/char_device_unlabeled_t.fail.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +# selinux does not allow unlabeled_t in /dev +# we have to modify the selinux policy to allow that + +echo '(allow unlabeled_t device_t (filesystem (associate)))' > /tmp/unlabeled_t.cil +semodule -i /tmp/unlabeled_t.cil + +mknod /dev/foo c 1 5 +chcon -t unlabeled_t /dev/foo + + +mknod /dev/foo c 1 5 +chcon -t device_t /dev/foo diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh new file mode 100644 index 000000000000..d161951d7a4e --- /dev/null +++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/regular_file_device_t.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +touch /dev/foo +restorecon -F /dev/foo 
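Review bot: The last two lines of char_device_unlabeled_t.fail.sh, `mknod /dev/foo c 1 5` and `chcon -t device_t /dev/foo`, undo the scenario the file is named for: the second mknod fails because /dev/foo already exists, and the following chcon relabels the node just set to unlabeled_t back to device_t, so the scanner is exercised against device_t and the unlabeled_t detection path is never tested. The scenario still ends in the expected fail result, which hides the gap; dropping those two lines (and the extra blank line before them) restores the intended coverage. The CIL module installed with `semodule -i /tmp/unlabeled_t.cil` is a persistent policy relaxation on the host; presumably the test harness runs each scenario in a disposable VM snapshot, but if not it should be removed at the end of the script.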
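Review bot: regular_file_device_t.pass.sh relies on `restorecon -F /dev/foo` to end up with the device_t label, so whether the scenario really exercises "regular file labelled device_t is ignored" depends on the policy's default context for unmatched paths under /dev rather than on anything the script sets; if a future policy assigns a more specific type, the test would keep passing while no longer covering its named case. Setting the label explicitly, `chcon -t device_t /dev/foo`, pins the scenario to its intent. The same applies to symlink_with_wrong_label.pass.sh in the next hunk, where `chcon -h -t device_t /dev/foo` would label the link itself rather than whatever restorecon chooses.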
diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh new file mode 100644 index 000000000000..a8280bf37e28 --- /dev/null +++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/tests/symlink_with_wrong_label.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +ln -s /dev/cpu /dev/foo +restorecon -F /dev/foo From 169979ac04d3c0edf9468937f7605a32339a0ce6 Mon Sep 17 00:00:00 2001 From: Watson Yuuma Sato Date: Tue, 14 Jul 2020 09:26:16 +0200 Subject: [PATCH 010/403] Merge pull request #5928 from jan-cerny/rhel6_scapval_src15 Fix SCAPVAL error SRC-15 (cherry picked from commit 19f768b175ed6a1aea759493afd42cd702237c4e) --- rhel6/cpe/rhel6-cpe-dictionary.xml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml index 2c8a82ebc58b..5cb70f1ff47d 100644 --- a/rhel6/cpe/rhel6-cpe-dictionary.xml +++ b/rhel6/cpe/rhel6-cpe-dictionary.xml @@ -47,6 +47,11 @@ installed_env_has_gdm_package + + Package grub2 is installed + + installed_env_has_grub2_package + Package libuser is installed From 6c9a324b3c98ffccbc481e6aca8cc04bf10bd0fc Mon Sep 17 00:00:00 2001 From: Gabe Alford Date: Tue, 14 Jul 2020 14:35:16 -0600 Subject: [PATCH 011/403] Merge pull request #5930 from isimluk/special-chars-in-ansible-role-desc Encode special characters in ansible role's description (cherry picked from commit 2cc213e753df24571f2d8ec8835d7480a6f1d39d) --- utils/ansible_playbook_to_role.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py index b081b70093c5..1490ad1ee584 100755 --- a/utils/ansible_playbook_to_role.py +++ b/utils/ansible_playbook_to_role.py 
@@ -204,7 +204,8 @@ def vars_data(self): @memoize def title(self): try: - return re.search(r'Profile Title:\s+(.+)$', self._description, re.MULTILINE).group(1) + title = re.search(r'Profile Title:\s+(.+)$', self._description, re.MULTILINE).group(1) + return '"' + title + '"' except AttributeError: return re.search(r'Ansible Playbook for\s+(.+)$', self._description, re.MULTILINE) \ .group(1) From b1c06b2942795fc54a84fa439108d32a2f45e019 Mon Sep 17 00:00:00 2001 From: Watson Yuuma Sato Date: Wed, 8 Jul 2020 11:12:02 +0200 Subject: [PATCH 012/403] Merge pull request #5912 from jan-cerny/zipl_cpe Add zipl to CPE dictionaries in all Linux products (cherry picked from commit 7492c01056cf7745e90fa450b2806a5b8eaf398d) --- debian10/cpe/debian10-cpe-dictionary.xml | 4 ++++ debian8/cpe/debian8-cpe-dictionary.xml | 4 ++++ debian9/cpe/debian9-cpe-dictionary.xml | 4 ++++ fedora/cpe/fedora-cpe-dictionary.xml | 4 ++++ ol7/cpe/ol7-cpe-dictionary.xml | 4 ++++ ol8/cpe/ol8-cpe-dictionary.xml | 4 ++++ opensuse/cpe/opensuse-cpe-dictionary.xml | 4 ++++ rhcos4/cpe/rhcos4-cpe-dictionary.xml | 4 ++++ rhel6/cpe/rhel6-cpe-dictionary.xml | 4 ++++ rhel7/cpe/rhel7-cpe-dictionary.xml | 4 ++++ rhv4/cpe/rhv4-cpe-dictionary.xml | 4 ++++ sle11/cpe/sle11-cpe-dictionary.xml | 4 ++++ sle12/cpe/sle12-cpe-dictionary.xml | 4 ++++ sle15/cpe/sle15-cpe-dictionary.xml | 4 ++++ ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml | 4 ++++ ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml | 4 ++++ ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml | 4 ++++ wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml | 4 ++++ wrlinux8/cpe/wrlinux8-cpe-dictionary.xml | 4 ++++ 19 files changed, 76 insertions(+) diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml index f2dbd09cfcdd..ddb68c34bdc7 100644 --- a/debian10/cpe/debian10-cpe-dictionary.xml +++ b/debian10/cpe/debian10-cpe-dictionary.xml @@ -72,4 +72,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + 
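Review bot: `return '"' + title + '"'` wraps the title in double quotes but does not escape a `"` or backslash that is already inside it, so a profile title containing either still produces a malformed string, which is the kind of input the commit sets out to handle. The `except AttributeError` fallback on the following lines is unchanged and still returns the bare match, so callers of `title()` now receive a quoted value from one branch and an unquoted one from the other. A proper quoting step applied to both return values, for example `json.dumps(title)` (needs `import json`; its output is also a valid YAML double-quoted scalar), would cover both; I cannot see from this hunk how the caller consumes the value, so confirm the output is emitted into YAML before settling on the quoting function.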
diff --git a/debian8/cpe/debian8-cpe-dictionary.xml b/debian8/cpe/debian8-cpe-dictionary.xml index f38570905234..24bbca69cd71 100644 --- a/debian8/cpe/debian8-cpe-dictionary.xml +++ b/debian8/cpe/debian8-cpe-dictionary.xml @@ -72,4 +72,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml index bc90a12bae40..d5595fd5940d 100644 --- a/debian9/cpe/debian9-cpe-dictionary.xml +++ b/debian9/cpe/debian9-cpe-dictionary.xml @@ -72,4 +72,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml index ff7cebc322d8..bef1337fc9bd 100644 --- a/fedora/cpe/fedora-cpe-dictionary.xml +++ b/fedora/cpe/fedora-cpe-dictionary.xml @@ -107,4 +107,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml index 613f853a6dee..5d4691aaf642 100644 --- a/ol7/cpe/ol7-cpe-dictionary.xml +++ b/ol7/cpe/ol7-cpe-dictionary.xml @@ -72,4 +72,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml index 912fe0134645..35167b1f7002 100644 --- a/ol8/cpe/ol8-cpe-dictionary.xml +++ b/ol8/cpe/ol8-cpe-dictionary.xml @@ -67,4 +67,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/opensuse/cpe/opensuse-cpe-dictionary.xml b/opensuse/cpe/opensuse-cpe-dictionary.xml index 7f485b800e23..6b95e46d3fcf 100644 --- a/opensuse/cpe/opensuse-cpe-dictionary.xml +++ b/opensuse/cpe/opensuse-cpe-dictionary.xml @@ -87,4 +87,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + 
diff --git a/rhcos4/cpe/rhcos4-cpe-dictionary.xml b/rhcos4/cpe/rhcos4-cpe-dictionary.xml index 0bde3bf3723b..517ff8ba32a7 100644 --- a/rhcos4/cpe/rhcos4-cpe-dictionary.xml +++ b/rhcos4/cpe/rhcos4-cpe-dictionary.xml @@ -57,4 +57,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml index 5cb70f1ff47d..1b696b88d3bc 100644 --- a/rhel6/cpe/rhel6-cpe-dictionary.xml +++ b/rhel6/cpe/rhel6-cpe-dictionary.xml @@ -92,4 +92,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml index f232b7ed2974..bc2aa869e805 100644 --- a/rhel7/cpe/rhel7-cpe-dictionary.xml +++ b/rhel7/cpe/rhel7-cpe-dictionary.xml @@ -102,4 +102,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/rhv4/cpe/rhv4-cpe-dictionary.xml b/rhv4/cpe/rhv4-cpe-dictionary.xml index db1b4b239b9f..02450d6efc67 100644 --- a/rhv4/cpe/rhv4-cpe-dictionary.xml +++ b/rhv4/cpe/rhv4-cpe-dictionary.xml @@ -72,4 +72,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/sle11/cpe/sle11-cpe-dictionary.xml b/sle11/cpe/sle11-cpe-dictionary.xml index 1b6b3e2518c4..b7cb4e1fd5b7 100644 --- a/sle11/cpe/sle11-cpe-dictionary.xml +++ b/sle11/cpe/sle11-cpe-dictionary.xml @@ -77,4 +77,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/sle12/cpe/sle12-cpe-dictionary.xml b/sle12/cpe/sle12-cpe-dictionary.xml index b1b66e129401..73cddd77401d 100644 --- a/sle12/cpe/sle12-cpe-dictionary.xml +++ b/sle12/cpe/sle12-cpe-dictionary.xml @@ -77,4 +77,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/sle15/cpe/sle15-cpe-dictionary.xml b/sle15/cpe/sle15-cpe-dictionary.xml index 0ee5a1b8178e..f070ab2e41ba 100644 
--- a/sle15/cpe/sle15-cpe-dictionary.xml +++ b/sle15/cpe/sle15-cpe-dictionary.xml @@ -77,4 +77,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml index 7f3ce4271b32..3f5447741b48 100644 --- a/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml +++ b/ubuntu1404/cpe/ubuntu1404-cpe-dictionary.xml @@ -72,4 +72,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml index 83f0c8c5161e..e3e842842b11 100644 --- a/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml +++ b/ubuntu1604/cpe/ubuntu1604-cpe-dictionary.xml @@ -72,4 +72,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml index 77b78d74eceb..897673c6f53f 100644 --- a/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml +++ b/ubuntu1804/cpe/ubuntu1804-cpe-dictionary.xml @@ -72,4 +72,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml index cc4e806a4d5e..ef7e80350550 100644 --- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml +++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml @@ -71,4 +71,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + diff --git a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml index 824c575a6aab..7184ebfd0b6a 100644 --- a/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml +++ b/wrlinux8/cpe/wrlinux8-cpe-dictionary.xml @@ -71,4 +71,8 @@ installed_env_has_yum_package + + System uses zipl + installed_env_has_zipl_package + 
From 84bd6c7eebd7395723699293d51acd2186b48060 Mon Sep 17 00:00:00 2001 From: Watson Yuuma Sato Date: Mon, 13 Jul 2020 10:22:38 +0200 Subject: [PATCH 013/403] Merge pull request #5917 from ggbecker/update-disa-stig-manual-reference Update disa stig manual reference (cherry picked from commit 831ff9832514c71710994a203a0fd3d2c5c8c650) --- ... => disa-stig-rhel7-v2r7-xccdf-manual.xml} | 212 ++++++++++++------ .../transforms/shared_xccdf2table-stig.xslt | 2 + 2 files changed, 146 insertions(+), 68 deletions(-) rename shared/references/{disa-stig-rhel7-v2r5-xccdf-manual.xml => disa-stig-rhel7-v2r7-xccdf-manual.xml} (89%) diff --git a/shared/references/disa-stig-rhel7-v2r5-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v2r7-xccdf-manual.xml similarity index 89% rename from shared/references/disa-stig-rhel7-v2r5-xccdf-manual.xml rename to shared/references/disa-stig-rhel7-v2r7-xccdf-manual.xml index 448bee6bd9d6..978667cd74b9 100644 --- a/shared/references/disa-stig-rhel7-v2r5-xccdf-manual.xml +++ b/shared/references/disa-stig-rhel7-v2r7-xccdf-manual.xml 
@@ -1,4 +1,4 @@ -acceptedRed Hat Enterprise Linux 7 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 25 Oct 20192I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. 
For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. Note: The life-cycle time spans and dates are subject to adjustment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. 
@@ -83,23 +83,25 @@ $ sudo cat /proc/sys/crypto/fips_enabled 1 -If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>RHEL-08-010030All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. +If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>RHEL-08-010030All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). 
Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001199Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption. -Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. +Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. -If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. +If there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable. 
Verify all system partitions are encrypted with the following command: -$ sudo blkid + $ sudo blkid -/dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" + /dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" -Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010040RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. +Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. + +If there is no evidence that these partitions are encrypted, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010040RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. 
@@ -500,30 +502,32 @@ $ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null drwxrwxrwt 7 root root 4096 Jul 26 11:19 /tmp -If any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-08-010200RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.<VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. +If any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-08-010200RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.<VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. 
This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. -Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. -RHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. 
If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. +Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001133Note: This setting must be applied in conjunction with RHEL-08-010201 to function correctly. -Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001133Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity. +Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive. Modify or append the following lines in the "/etc/ssh/sshd_config" file: -ClientAliveCountMax 1 + ClientAliveCountMax 1 -In order for the changes to take effect, the SSH daemon must be restarted. 
+For the changes to take effect, the SSH daemon must be restarted: -$ sudo systemctl restart sshd.serviceVerify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity. + $ sudo systemctl restart sshd.serviceVerify the SSH server automatically terminates a user session after the SSH client has become unresponsive. Check that the "ClientAliveCountMax" is set to "1" by performing the following command: -$ sudo grep -ir clientalive /etc/ssh/sshd_config* + $ sudo grep -ir clientalivecountmax /etc/ssh/sshd_config* -ClientAliveInterval 600 -ClientAliveCountMax 1 + ClientAliveCountMax 1 If "ClientAliveCountMax" do not exist, is not set to a value of "1" in "/etc/ssh/sshd_config", or is commented out, this is a finding. + If conflicting results are returned, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>RHEL-08-010210The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 8 system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001314Change the permissions of the file "/var/log/messages" to "0640" by running the following command: @@ -584,7 +588,7 @@ $ sudo stat -c "%G" /var/log root -If "root" is not returned as a result, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010290The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If "root" is not returned as a result, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010290The RHEL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
@@ -594,17 +598,17 @@ RHEL 8 incorporates system-wide crypto policies by default. The SSH configuratio The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. -Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-2-approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line: +Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-2-approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line: --oMACS=hmac-sha2-512,hmac-sha2-256 +-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com -A 
reboot is required for the changes to take effect.Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command: +A reboot is required for the changes to take effect.Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command: -$ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config + $ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config --oMACS=hmac-sha2-512,hmac-sha2-256 + -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com -If the MACs entries in the "opensshserver.config" file have any hashes other than "hmac-sha2-512" and "hmac-sha2-256", the order differs from the example above, they are missing, or commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010291The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If the MACs entries in the "opensshserver.config" file have any hashes other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010291The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
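Review bot: The new `-oMACS=` line appends `hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com` after the plain `hmac-sha2-512,hmac-sha2-256`, while the discussion text in this same hunk says the list is to be ordered "strongest to weakest" and the check now fails any system whose order "differs from the example above". The encrypt-then-MAC variants are generally regarded as the stronger construction, so an administrator who follows the stated rationale and lists them first would be flagged by the check. Either list the `-etm@openssh.com` MACs first in both the fix and the expected output, e.g. `-oMACS=hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256`, or drop the strict ordering clause from the finding text. The expected output here is also shown as a bare `-oMACS=` line whereas the ciphers check in the next hunk shows the full `CRYPTO_POLICY='...'` form; if both settings live on the same `CRYPTO_POLICY=` line (I cannot confirm that from this diff) the two checks should present the same shape so a reviewer knows what output to expect.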
@@ -614,17 +618,17 @@ RHEL 8 incorporates system-wide crypto policies by default. The SSH configuratio The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. -Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-2-approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line: +Satisfies: SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000125-GPOS-00065</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001453Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-2-approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line: --oCiphers=aes256-ctr,aes192-ctr,aes128-ctr 
+-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com -A reboot is required for the changes to take effect.Verify the SSH server is configured to use only ciphers employing FIPS 140-2-approved algorithms with the following command: +A reboot is required for the changes to take effect.Verify the SSH server is configured to use only ciphers employing FIPS 140-2-approved algorithms with the following command: -$ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config + $ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config -CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr' + CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com' -If the cipher entries in the "opensshserver.config" file have any ciphers other than "aes256-ctr,aes192-ctr,aes128-ctr", the order differs from the example above, they are missing, or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010292RHEL 8 must ensure the SSH server uses strong entropy.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. 
+If the cipher entries in the "opensshserver.config" file have any ciphers other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010292RHEL 8 must ensure the SSH server uses strong entropy.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The SSH implementation in RHEL8 uses the OPENSSL library, which does not use high-entropy sources by default. By using the SSH_USE_STRONG_RNG environment variable the OPENSSL random generator is reseeded from /dev/random. This setting is not recommended on computers without the hardware random generator because insufficient entropy causes the connection to be blocked until enough entropy is available.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Configure the operating system SSH server to use strong entropy. 
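Review bot: Same ordering concern as the MACs rule above: `aes256-gcm@openssh.com,aes128-gcm@openssh.com` are appended after the CTR ciphers, yet the rule text requires "strongest to weakest" order and treats any other order as a finding. The GCM modes are AEAD ciphers that carry their own integrity protection and would normally be preferred over CTR, so a server configured in the order the rationale asks for would fail this check. Consider moving the GCM entries to the front in both the fix line and the `CRYPTO_POLICY='-oCiphers=...'` expected output, or relaxing the "order differs from the example" clause to require only that no cipher outside the approved set is present.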
@@ -1366,13 +1370,15 @@ $ sudo rm /[path]/[to]/[file]/.shostsSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010471RHEL 8 must enable the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. - -The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Start the rngd service, and enable the rngd service with the following commands: +If any ".shosts" files are found, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010471RHEL 8 must enable the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. 
Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (non-predictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Start the rngd service and enable the rngd service with the following commands: -$ sudo systemctl start rngd.service + $ sudo systemctl start rngd.service -$ sudo systemctl enable rngd.serviceCheck that RHEL 8 has enabled the hardware random number generator entropy gatherer service. + $ sudo systemctl enable rngd.serviceNote: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is not applicable. + +Check that RHEL 8 has enabled the hardware random number generator entropy gatherer service. Verify the rngd service is enabled and active with the following commands: 
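Review bot: The added Note makes the rule not applicable "For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020", but the check gives the reviewer no way to establish either condition, so the applicability decision is left to judgement. Suggest adding the two commands that settle it before the rngd check, e.g. `$ cat /etc/os-release | grep VERSION_ID` and `$ cat /proc/sys/crypto/fips_enabled` (expected `1` when FIPS mode is active), with a sentence stating that the rule is N/A only when both hold. The VulnDiscussion still says rngd is required for quality randomness with no mention of why FIPS mode removes that need; a short clause noting that the FIPS-mode kernel seeds its DRBG from the hardware RNG itself (I would confirm the exact wording against the RHEL 8.4 documentation) would keep the rationale consistent with the exception.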
@@ -1384,7 +1390,7 @@ $ sudo systemctl is-active rngd active -If the service is not "enable and "active", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010480The RHEL 8 SSH public host key files must have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: +If the service is not "enabled" and "active", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010480The RHEL 8 SSH public host key files must have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: $ sudo chmod 0644 /etc/ssh/*key.pub 
@@ -1860,19 +1866,19 @@ $ sudo grep -i create_home /etc/login.defs CREATE_HOME yes -If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010770All RHEL 8 local initialization files must have mode 0740 or less permissive.<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Set the mode of the local initialization files to "0740" with the following command: +If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010770All RHEL 8 local initialization files must have mode 0740 or less permissive.<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. 
Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Set the mode of the local initialization files to "0740" with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". -$ sudo chmod 0740 /home/smithj/.<INIT_FILE>Verify that all local initialization files have a mode of "0740" or less permissive with the following command: + $ sudo chmod 0740 /home/smithj/.<INIT_FILE>Verify that all local initialization files have a mode of "0740" or less permissive with the following command: Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj". -$ sudo ls -al /home/smithj/.[^.]* | more + $ sudo ls -al /home/smithj/.[^.]* | more --rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile --rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login --rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something + -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history + -rw-r--r--. 1 smithj users 18 Aug 21 2019 .bash_logout + -rw-r--r--. 
1 smithj users 193 Aug 21 2019 .bash_profile If any local initialization files have a mode more permissive than "0740", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010780All RHEL 8 local files and directories must have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on RHEL 8 with the "chown" command: 
@@ -2411,11 +2417,7 @@ Reload tmux configuration to take effect. This can be performed in tmux while it set -g lock-command vlock bind X lock-session -If the "lock-command" is not set and "lock-session" is not bound to a specific keyboard key in the global settings, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - -The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. - -Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. +If the "lock-command" is not set and "lock-session" is not bound to a specific keyboard key in the global settings, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>RHEL-08-020041RHEL 8 must ensure session control is automatically started at shell initialization.<VulnDiscussion>Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. 
Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000056Configure the operating system to initialize the tmux terminal multiplexer as each shell is called by adding the following lines to a custom.sh shell script in the /etc/profile.d/ directory: 
@@ -4474,7 +4476,7 @@ $ sudo yum list installed rsyslog-gnutls rsyslog-gnutls.x86_64 8.1911.0-3.el8 @AppStream -If the "rsyslog-gnutls" package is not installed, ask the administrator to indicate how audit logs are being encrypted during offloading and what packages are installed to support it. If there is no evidence of audit logs being encrypted during offloading, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030690The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If the "rsyslog-gnutls" package is not installed, ask the administrator to indicate how audit logs are being encrypted during offloading and what packages are installed to support it. If there is no evidence of audit logs being encrypted during offloading, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030690The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. 
@@ -4487,17 +4489,21 @@ TCP *.* @@remotesystemname RELP *.* :omrelp:remotesystemname:2514 Note that a port number was given as there is no standard port for RELP. -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001851Configure the operating system to off-load audit records onto a different system or media from the system being audited by specifying the remote logging server in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf" with the name or IP address of the log aggregation server. +Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001851Configure the operating system to offload audit records onto a different system or media from the system being audited by specifying the remote logging server in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf" with the name or IP address of the log aggregation server. 
+ +For UDP: + *.* @[logaggregationserver.example.mil]:[port] -*.* @@[remoteloggingserver]:[port]Verify the audit system off-loads audit records onto a different system or media from the system being audited with the following command: +For TCP: + *.* @@[logaggregationserver.example.mil]:[port]Verify the audit system offloads audit records onto a different system or media from the system being audited with the following command: -$ sudo grep @@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf + $ sudo grep @@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf -/etc/rsyslog.conf:*.* @@[remoteloggingserver]:[port] + /etc/rsyslog.conf:*.* @@[logaggregationserver.example.mil]:[port] -If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. +If a remote server is not configured, or the line is commented out, ask the system administrator to indicate how the audit logs are offloaded to a different system or media. -If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030700RHEL 8 must take appropriate action when the internal event queue is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If there is no evidence that the audit logs are being offloaded to another system or media, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-08-030700RHEL 8 must take appropriate action when the internal event queue is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. 
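Review bot: The fix text now offers a UDP form, `*.* @[logaggregationserver.example.mil]:[port]`, but the check still runs `grep @@`, which matches only the TCP `@@` form, so a system configured exactly as the new UDP instruction says returns no output and is treated as a finding unless the reviewer falls back to asking the administrator. The `rsyslog-gnutls` check visible at the top of the previous hunk expects offloaded logs to be encrypted in transit, and rsyslog's TLS transport runs over TCP, so plain UDP forwarding would not satisfy that sibling requirement either. Either drop the UDP option from the fix, or widen the check to cover both forms and skip commented lines, e.g. `$ sudo grep -E '^[^#]*@' /etc/rsyslog.conf /etc/rsyslog.d/*.conf`, and say which form is acceptable when encryption is required.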
@@ -5437,7 +5443,7 @@ $ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf # FirewallBackend FirewallBackend=nftables -If the "nftables" is not set as the "firewallbackend" default, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-040160All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If the "nftables" is not set as the "firewallbackend" default, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-040160All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
@@ -6521,30 +6527,32 @@ $ sudo grep password /etc/pam.d/system-auth | grep pam_unix password sufficient pam_unix.so sha512 -If "sha512" is missing, or is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-08-010201The RHEL 8 SSH daemon must be configured with a timeout interval.<VulnDiscussion>Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. +If "sha512" is missing, or is commented out, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-08-010201RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.<VulnDiscussion>Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. -Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. 
+Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session. -RHEL 8 utilizes /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" are used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. +RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages. 
-Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001133Configure RHEL 8 to automatically terminate all network connections associated with SSH traffic at the end of a session or after 10 minutes of inactivity. +Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000126-GPOS-00066, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001133Note: This setting must be applied in conjunction with RHEL-08-010200 to function correctly. + +Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. Modify or append the following lines in the "/etc/ssh/sshd_config" file: -ClientAliveInterval 600 + ClientAliveInterval 600 -In order for the changes to take effect, the SSH daemon must be restarted. +For the changes to take effect, the SSH daemon must be restarted. -$ sudo systemctl restart sshd.serviceVerify all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity. 
+ $ sudo systemctl restart sshd.serviceVerify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes. Check that the "ClientAliveInterval" variable is set to a value of "600" or less by performing the following command: -$ sudo grep -ir clientalive /etc/ssh/sshd_config* + $ sudo grep -ir clientaliveinterval /etc/ssh/sshd_config* + + ClientAliveInterval 600 -ClientAliveInterval 600 -ClientAliveCountMax 1 +If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config" or is commented out, this is a finding. -If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding. If conflicting results are returned, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-010287The RHEL 8 SSH daemon must be configured to use system-wide crypto policies.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
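Review bot: The new check passes any `ClientAliveInterval` of "600 or less", which includes `0`; in OpenSSH a ClientAliveInterval of 0 means no client-alive messages are sent at all (this is the documented default in the sshd_config man page the discussion text already points to), so `ClientAliveInterval 0` would satisfy this check while disabling the timeout entirely. Suggest `Check that the "ClientAliveInterval" variable is set to a value greater than "0" and "600" or less` and the matching finding clause `If "ClientAliveInterval" does not exist, is set to "0", has a value greater than "600", or is commented out, this is a finding.` The added Note correctly ties this rule to RHEL-08-010200, but since the discussion text says the product of the two values is the real threshold, it would help to state in the Note that the ten-minute limit holds only with `ClientAliveCountMax 1`.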
@@ -6970,7 +6978,7 @@ Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset Active: active (running) If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked. -If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-040159All RHEL 8 networked systems must have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>RHEL-08-040159All RHEL 8 networked systems must have SSH installed.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
@@ -7591,7 +7599,7 @@ All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriat All authorized non-administrative users must be mapped to the "user_u" role. -If they are not mapped in this way, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-040342RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. +If they are not mapped in this way, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>RHEL-08-040342RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. RHEL 8 incorporates system-wide crypto policies by default. The SSH configuration file has no effect on the ciphers, MACs, or algorithms unless specifically defined in the /etc/sysconfig/sshd file. The employed algorithms can be viewed in the /etc/crypto-policies/back-ends/opensshserver.config file. 
@@ -7599,13 +7607,13 @@ The system will attempt to use the first algorithm presented by the client that -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 -A reboot is required for the changes to take effect.Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms: +A reboot is required for the changes to take effect.Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms: $ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' -If the entries following "KexAlgorithms" have any algorithms defined other than "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512", appear in different order than shown, are missing, or commented out, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010019RHEL 8 must ensure cryptographic verification of vendor software packages.<VulnDiscussion>Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. 
Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001749Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values. +If the entries following "KexAlgorithms" have any algorithms defined other than "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512", appear in different order than shown, or are missing or commented out, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>RHEL-08-010019RHEL 8 must ensure cryptographic verification of vendor software packages.<VulnDiscussion>Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. 
Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001749Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values. Insert RHEL 8 installation disc or attach RHEL 8 installation image to the system. Mount the disc or image to make the contents accessible inside the system. 
@@ -7664,4 +7672,16 @@ Verify that the "mailx" package is installed on the system: mailx.x86_64 12.5-29.el8 @rhel-8-for-x86_64-baseos-rpm -If "mailx" package is not installed, this is a finding. \ No newline at end of file +If "mailx" package is not installed, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>RHEL-08-020035RHEL 8 must terminate idle user sessions.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001133Configure RHEL 8 to log out idle sessions by editing the /etc/systemd/logind.conf file with the following line: + + StopIdleSessionSec=900 + +The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: + + $ sudo systemctl restart systemd-logindVerify that RHEL 8 logs out sessions that are idle for 15 minutes with the following command: + + $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf + + StopIdleSessionSec=900 + +If "StopIdleSessionSec" is not configured to "900" seconds, this is a finding. \ No newline at end of file From 209cb7a3a1e84ab1216afa0bba7d8c5a81a665da Mon Sep 17 00:00:00 2001 
From: Matthew Burket Date: Fri, 21 Jul 2023 13:15:06 -0500 Subject: [PATCH 262/403] Update harden_sshd_macs_opensshserver_conf_crypto_policy for RHEL-08-010290 --- linux_os/guide/services/ssh/sshd_approved_macs.var | 2 +- .../rule.yml | 4 ++-- .../tests/rhel8_stig_correct.pass.sh | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/services/ssh/sshd_approved_macs.var b/linux_os/guide/services/ssh/sshd_approved_macs.var index dab7237fcb75..850a9e207158 100644 --- a/linux_os/guide/services/ssh/sshd_approved_macs.var +++ b/linux_os/guide/services/ssh/sshd_approved_macs.var @@ -11,7 +11,7 @@ operator: equals interactive: false options: - stig: hmac-sha2-512,hmac-sha2-256 + stig: hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com default: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com cis_rhel7: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml index ad52c2a4e828..f08f120f9ad1 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml 
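Review bot: Widening `options.stig` in sshd_approved_macs.var changes the expected MAC list for every profile that selects `sshd_approved_macs=stig`, not only the RHEL 8 STIG — controls/srg_gpos.yml selects the same option — so other products' checks silently pick up a value their own STIG may not require. A separate option selected only from products/rhel8/profiles/stig.profile, e.g. `stig_rhel8_v1r11: hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com`, would scope the change to the product it was made for. With `operator: equals` the comparison is literal, so the order of the four MACs has to match the STIG's RHEL-08-010290 check text exactly; that text is not in this series, so please confirm the order against it.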
@@ -12,7 +12,7 @@ description: |- To check that Crypto Policies settings are configured correctly, ensure that /etc/crypto-policies/back-ends/opensshserver.config contains the following text and is not commented out: - -oMACS=hmac-sha2-512,hmac-sha2-256 + -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com rationale: |- Overriding the system crypto policy makes the behavior of the OpenSSH @@ -38,7 +38,7 @@ ocil: |- To verify if the OpenSSH server uses defined MACs in the Crypto Policy, run:
$ grep -Po '(-oMACs=\S+)' /etc/crypto-policies/back-ends/opensshserver.config
and verify that the line matches: -
-oMACS=hmac-sha2-512,hmac-sha2-256
+
-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
warnings: - general: |- diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh index e936d1979028..26d7c6ccb4a3 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh @@ -2,7 +2,7 @@ # platform = Oracle Linux 8,Red Hat Enterprise Linux 8 # profiles = xccdf_org.ssgproject.content_profile_stig -sshd_approved_macs=hmac-sha2-512,hmac-sha2-256 +sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com configfile=/etc/crypto-policies/back-ends/opensshserver.config correct_value="-oMACs=${sshd_approved_macs}" From d84ffd138a1fc5415c68f9983044612e06126c05 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 21 Jul 2023 13:49:50 -0500 Subject: [PATCH 263/403] Add note for RHEL-08-010471 that its not applicable for RHEL 8.4+ --- products/rhel8/profiles/stig.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 23a9e7933c3e..f63aba228cd8 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -349,6 +349,7 @@ selections: # RHEL-08-010471 # currently there is not a relevant rule which would improve RNG for RHEL in this context. See #10153 + # Not applicable for RHEL 8.4+ # RHEL-08-010472 - package_rng-tools_installed From dfa36f5e5dbea1becf3f8846b8eed7835d82fd38 Mon Sep 17 00:00:00 2001 
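Review bot: The expected line quoted in both the description and the OCIL is written as `-oMACS=...` (upper-case S), but the OCIL command right above it, `grep -Po '(-oMACs=\S+)'`, is case-sensitive and matches `-oMACs=`, which is also what this commit's test writes through `correct_value="-oMACs=${sshd_approved_macs}"`; a reader following the OCIL literally will never see the text they are told to match. Both quoted lines should read `-oMACs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com`. The casing mismatch predates this commit, but since the commit rewrites exactly those two lines it is the natural place to fix it. The first hunk starts inside the `description: |-` block, whose beginning is outside the hunk.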
From: Matthew Burket Date: Fri, 21 Jul 2023 20:42:01 -0500 Subject: [PATCH 264/403] Add RHEL-08-020035 to the RHEL 8 STIG --- .../accounts/accounts-physical/logind_session_timeout/rule.yml | 1 + products/rhel8/profiles/stig.profile | 3 +++ 2 files changed, 4 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml index db543f83e2fa..d1e8acf0f488 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml @@ -39,6 +39,7 @@ references: nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-2 ospp: FMT_SMF_EXT.1.1 pcidss: Req-8.1.8 + stigid@rhel8: RHEL-08-020035 ocil_clause: "the option is not configured" diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index f63aba228cd8..a5bdadf4ddb0 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -538,6 +538,9 @@ selections: # RHEL-08-020032 - dconf_gnome_disable_user_list + # RHEL-08-020035 + - logind_session_timeout + # RHEL-08-020039 - package_tmux_installed From c28f285b7a32a0086103dca8f5ef4a7a2fe24003 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 21 Jul 2023 20:42:56 -0500 Subject: [PATCH 265/403] The STIG now reflects that SSHD KeepAlive settings are for network issues --- products/rhel8/profiles/stig.profile | 3 --- 1 file changed, 3 deletions(-) diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index a5bdadf4ddb0..928c49cd7eb1 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile 
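Review bot: The stig.profile hunk selects `logind_session_timeout` but pins no value for the idle threshold, while the V1R11 check text for RHEL-08-020035 added earlier in this series fails unless `StopIdleSessionSec` is exactly `900`. If the rule reads its threshold from an XCCDF variable — its template vars are not visible in this hunk — that variable should be selected next to the rule with the 900-second option so the remediation and the manual check agree; if the rule's default already yields 900, a one-line comment under `# RHEL-08-020035` saying so would spare the next reader the lookup.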
@@ -177,9 +177,6 @@ selections: # RHEL-08-010190 - dir_perms_world_writable_sticky_bits - # Although these rules have a different behavior in RHEL>=8.6 - # they still need to be selected so it follows exactly what STIG - # states. # RHEL-08-010200 - sshd_set_keepalive # RHEL-08-010201 From bcb9b678ab5f4d66a614d9cc16b34d3a2fc32b8b Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 21 Jul 2023 20:43:26 -0500 Subject: [PATCH 266/403] Update comment for RHEL-08-040060 --- products/rhel8/profiles/stig.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 928c49cd7eb1..321f131b42e2 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -1010,7 +1010,7 @@ selections: - configure_firewalld_ports # RHEL-08-040060 - ### NOTE: Will be removed in V1R2 + ### NOTE: Removed in V1R2 # RHEL-08-040070 - service_autofs_disabled From b41145f3fae9cf9c5f000d007efe2ab4d05ff724 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 21 Jul 2023 20:45:30 -0500 Subject: [PATCH 267/403] Add service_rngd_enabled to the RHEL 8 STIG We can add this back for reasons of reporting coverage. A platform has been added to limit service_rngd_enabled RHEL<=8.3 --- linux_os/guide/services/rng/service_rngd_enabled/rule.yml | 5 +++++ products/rhel8/profiles/stig.profile | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml index 9993786dc93e..4e39496fcc3b 100644 --- a/linux_os/guide/services/rng/service_rngd_enabled/rule.yml +++ b/linux_os/guide/services/rng/service_rngd_enabled/rule.yml 
@@ -34,6 +34,11 @@ fixtext: '{{{ fixtext_service_disabled("rngd") }}}' srg_requirement: '{{{ srg_requirement_service_disabled("rngd") }}}' +{{% if product == "rhel8" %}} +platform: os_linux[rhel]<=8.3 +{{% endif %}} + + template: name: service_enabled vars: diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 321f131b42e2..e34faf143698 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -345,8 +345,8 @@ selections: - no_user_host_based_files # RHEL-08-010471 - # currently there is not a relevant rule which would improve RNG for RHEL in this context. See #10153 # Not applicable for RHEL 8.4+ + - service_rngd_enabled # RHEL-08-010472 - package_rng-tools_installed From 03e856a0da92a91cc25301bb331009927bbdff20 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 24 Jul 2023 10:29:47 -0500 Subject: [PATCH 268/403] Update RHEL 8 Profile Stability --- tests/data/profile_stability/rhel8/stig.profile | 2 ++ tests/data/profile_stability/rhel8/stig_gui.profile | 2 ++ 2 files changed, 4 insertions(+) diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index e44d28b70450..fd35e35a3a1f 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -265,6 +265,7 @@ selections: - kernel_module_sctp_disabled - kernel_module_tipc_disabled - kernel_module_usb-storage_disabled +- logind_session_timeout - mount_option_boot_efi_nosuid - mount_option_boot_nosuid - mount_option_dev_shm_nodev @@ -359,6 +360,7 @@ selections: - service_fapolicyd_enabled - service_firewalld_enabled - service_kdump_disabled +- service_rngd_enabled - service_rsyslog_enabled - service_sshd_enabled - service_systemd-coredump_disabled diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 67492fdc6a38..8a3755d0bc74 100644 
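Review bot: The new `platform: os_linux[rhel]<=8.3` gate lands in a rule whose surrounding context still reads `fixtext: '{{{ fixtext_service_disabled("rngd") }}}'` and `srg_requirement: '{{{ srg_requirement_service_disabled("rngd") }}}'` while the template below is `service_enabled`; unless those macros are intentionally inverted, the fix text generated for RHEL-08-010471 tells administrators to disable the very service the check requires to be running. Since this is the commit that puts the rule back into the RHEL 8 STIG profile, it is the right moment to switch them to the enabled counterparts, e.g. `fixtext: '{{{ fixtext_service_enabled("rngd") }}}'`. The hunk also adds two blank lines after `{{% endif %}}`; one is enough to separate it from `template:`.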
--- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -276,6 +276,7 @@ selections: - kernel_module_sctp_disabled - kernel_module_tipc_disabled - kernel_module_usb-storage_disabled +- logind_session_timeout - mount_option_boot_efi_nosuid - mount_option_boot_nosuid - mount_option_dev_shm_nodev @@ -369,6 +370,7 @@ selections: - service_fapolicyd_enabled - service_firewalld_enabled - service_kdump_disabled +- service_rngd_enabled - service_rsyslog_enabled - service_sshd_enabled - service_systemd-coredump_disabled From fc0649f7cf01160f5fc7938f349d78372415247f Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 24 Jul 2023 10:37:32 -0500 Subject: [PATCH 269/403] Create new option for SSHD MAC --- controls/srg_gpos.yml | 2 +- linux_os/guide/services/ssh/sshd_approved_macs.var | 3 ++- products/rhel8/profiles/stig.profile | 2 +- tests/data/profile_stability/rhel8/stig.profile | 2 +- tests/data/profile_stability/rhel8/stig_gui.profile | 2 +- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml index 77e13efd6838..65d58d52915f 100644 --- a/controls/srg_gpos.yml +++ b/controls/srg_gpos.yml @@ -19,7 +19,7 @@ controls: - var_sshd_disable_compression=no - var_password_hashing_algorithm=SHA512 - var_password_pam_dictcheck=1 - - sshd_approved_macs=stig + - sshd_approved_macs=stig_extended - sshd_approved_ciphers=stig - sshd_idle_timeout_value=10_minutes - var_accounts_authorized_local_users_regex=rhel8 diff --git a/linux_os/guide/services/ssh/sshd_approved_macs.var b/linux_os/guide/services/ssh/sshd_approved_macs.var index 850a9e207158..b6d5ee6645e4 100644 --- a/linux_os/guide/services/ssh/sshd_approved_macs.var +++ b/linux_os/guide/services/ssh/sshd_approved_macs.var 
@@ -11,7 +11,8 @@ operator: equals interactive: false options: - stig: hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com + stig: hmac-sha2-512,hmac-sha2-256 + stig_extended: hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com default: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com cis_rhel7: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com cis_sle12: hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index e34faf143698..fb8b4a676c01 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -50,7 +50,7 @@ selections: - var_password_pam_retry=3 - var_password_pam_minlen=15 - var_sshd_set_keepalive=1 - - sshd_approved_macs=stig + - sshd_approved_macs=stig_extended - sshd_approved_ciphers=stig - sshd_idle_timeout_value=10_minutes - var_accounts_authorized_local_users_regex=rhel8 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index fd35e35a3a1f..3fe7cdf4ea0b 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -454,7 +454,7 @@ selections: - var_password_pam_lcredit=1 - var_password_pam_retry=3 - var_sshd_set_keepalive=1 -- sshd_approved_macs=stig +- sshd_approved_macs=stig_extended - sshd_approved_ciphers=stig - sshd_idle_timeout_value=10_minutes - var_accounts_authorized_local_users_regex=rhel8 
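Review bot: Restoring `stig` to the two-MAC list while the RHEL 8 profile moves to `stig_extended` leaves the text of harden_sshd_macs_opensshserver_conf_crypto_policy/rule.yml, which [PATCH 262/403] hardcoded to the four-MAC string, describing a value that profiles still selecting `sshd_approved_macs=stig` do not check. Rendering the expected value from the variable instead, e.g. `-oMACs={{{ xccdf_value("sshd_approved_macs") }}}` in both the description and the OCIL, keeps the documentation right for every option. The `options:` block also does not say which product each option serves; a comment such as `# stig_extended: RHEL 8 STIG V1R11, RHEL-08-010290 (adds the -etm@openssh.com MACs)` above the new line would save the next reader a trip through the history.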
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 8a3755d0bc74..66ada8588fef 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -462,7 +462,7 @@ selections:
 - var_password_pam_lcredit=1
 - var_password_pam_retry=3
 - var_sshd_set_keepalive=1
-- sshd_approved_macs=stig
+- sshd_approved_macs=stig_extended
 - sshd_approved_ciphers=stig
 - sshd_idle_timeout_value=10_minutes
 - var_accounts_authorized_local_users_regex=rhel8
From 45622386d6995dd13a578c304c48ea1b5dde1271 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 25 Jul 2023 11:50:29 -0500 Subject: [PATCH 270/403] Move to setting the variable value in harden_sshd_macs_opensshserver_conf_crypto_policy tests As opposed to use the STIG profile.
--- .../tests/rhel8_stig_correct.pass.sh | 2 +- .../tests/rhel8_stig_empty_policy.fail.sh | 2 +- .../tests/rhel8_stig_incorrect_policy.fail.sh | 3 ++- .../tests/rhel8_stig_missing_file.fail.sh | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
index 26d7c6ccb4a3..df9a2844e935 100644
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_correct.pass.sh
@@ -1,6 +1,6 @@ #!/bin/bash # platform = Oracle Linux 8,Red Hat Enterprise Linux 8 -# profiles = xccdf_org.ssgproject.content_profile_stig +# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com configfile=/etc/crypto-policies/back-ends/opensshserver.config diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh index 66483e898a05..eef727791a8c 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_empty_policy.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # platform = Oracle Linux 8,Red Hat Enterprise Linux 8 -# profiles = xccdf_org.ssgproject.content_profile_stig +# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com configfile=/etc/crypto-policies/back-ends/opensshserver.config diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh index ea403229044b..af3e64ebf409 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh 
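Review bot: After this hunk the expected MAC list is spelled out twice in rhel8_stig_correct.pass.sh — once in the `# variables = sshd_approved_macs=...` header the test harness feeds to the rule, and once in the shell assignment `sshd_approved_macs=...` that builds `correct_value`; only the header reaches the check, so if the two ever drift the test writes one value while the rule expects another and a pass no longer proves what it claims. A comment on the shell assignment such as `# keep in sync with the '# variables =' header above` would at least make the coupling visible. The rhel8_stig_incorrect_policy.fail.sh hunk further down also gains a stray `=stig_extended` line that is not a valid assignment and should be dropped.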
@@ -1,6 +1,7 @@ #!/bin/bash # platform = Oracle Linux 8,Red Hat Enterprise Linux 8 -# profiles = xccdf_org.ssgproject.content_profile_stig +# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com +=stig_extended configfile=/etc/crypto-policies/back-ends/opensshserver.config diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh index 11b194db0325..ee314357db4b 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_missing_file.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # platform = Oracle Linux 8,Red Hat Enterprise Linux 8 -# profiles = xccdf_org.ssgproject.content_profile_stig +# variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com configfile=/etc/crypto-policies/back-ends/opensshserver.config From ce79f311e753869ff530efa11b44854b95bb2368 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 28 Jul 2023 12:49:53 -0500 Subject: [PATCH 271/403] Fix test for harden_sshd_macs_opensshserver_conf_crypto_policy --- .../tests/rhel8_stig_incorrect_policy.fail.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh index af3e64ebf409..ec6f07dbc42e 100644 
--- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/tests/rhel8_stig_incorrect_policy.fail.sh @@ -1,7 +1,6 @@ #!/bin/bash # platform = Oracle Linux 8,Red Hat Enterprise Linux 8 # variables = sshd_approved_macs=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com -=stig_extended configfile=/etc/crypto-policies/back-ends/opensshserver.config From 3ee7ef5403ecc1c3410a1d698845d2faf1e20ce5 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 28 Jul 2023 12:51:02 -0500 Subject: [PATCH 272/403] Fix STIG versions for RHEL 8 --- products/rhel8/profiles/stig.profile | 2 +- products/rhel8/profiles/stig_gui.profile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index fb8b4a676c01..5be8fb812751 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 8 V1R9. + DISA STIG for Red Hat Enterprise Linux 8 V1R11. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile index b3c1fd3a5b6e..39d974958296 100644 --- a/products/rhel8/profiles/stig_gui.profile +++ b/products/rhel8/profiles/stig_gui.profile 
@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' description: |- This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R9. + DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R11. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of From 304981f0df5050114e0a7e1d69838e63955acb9f Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 28 Jul 2023 12:51:33 -0500 Subject: [PATCH 273/403] Fix STIG versions for RHEL 7 --- products/rhel7/profiles/stig.profile | 2 +- products/rhel7/profiles/stig_gui.profile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile index 01e51356dc20..6483dfe3da43 100644 --- a/products/rhel7/profiles/stig.profile +++ b/products/rhel7/profiles/stig.profile @@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7' description: |- This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux V3R10. + DISA STIG for Red Hat Enterprise Linux V3R12. In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of diff --git a/products/rhel7/profiles/stig_gui.profile b/products/rhel7/profiles/stig_gui.profile index 6bf62c9a27d6..13979fc274d5 100644 --- a/products/rhel7/profiles/stig_gui.profile +++ b/products/rhel7/profiles/stig_gui.profile 
@@ -11,7 +11,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 7' description: |- This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux V3R10. + DISA STIG with GUI for Red Hat Enterprise Linux V3R12. In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this configuration baseline as applicable to the operating system tier of From 8769bf2b5397393571be8fd652de24d5d827592d Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 31 Jul 2023 17:05:57 -0500 Subject: [PATCH 274/403] Update chrony docs url --- linux_os/guide/services/ntp/group.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml index 18aa6c416edc..7590495a13e0 100644 --- a/linux_os/guide/services/ntp/group.yml +++ b/linux_os/guide/services/ntp/group.yml @@ -74,7 +74,7 @@ description: |- and ntpd daemon features respectively, and for further guidance how to choose between the two NTP daemons.

- The upstream manual pages at {{{ weblink(link="http://chrony.tuxfamily.org/manual.html") }}} for + The upstream manual pages at {{{ weblink(link="https://chrony-project.org/documentation.html") }}} for chronyd and {{{ weblink(link="http://www.ntp.org") }}} for ntpd provide additional information on the capabilities and configuration of each of the NTP daemons. From b85b2d43a53a3a73cd1af2d2269e11ab21a6b146 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 31 Jul 2023 18:55:13 -0500 Subject: [PATCH 275/403] Add SRG to login_session_timeout --- .../accounts/accounts-physical/logind_session_timeout/rule.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml index d1e8acf0f488..00e31fc2156f 100644 --- a/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/rule.yml @@ -39,6 +39,7 @@ references: nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-2 ospp: FMT_SMF_EXT.1.1 pcidss: Req-8.1.8 + srg: SRG-OS-000163-GPOS-00072 stigid@rhel8: RHEL-08-020035 ocil_clause: "the option is not configured" From 9201c3fda96f1baa1a9d7a157bcbc801729ff9bc Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 4 Oct 2023 12:28:00 -0500 Subject: [PATCH 276/403] Add timer_logrotate_enabled back to RHEL 7 and RHEL 8 This is needed as last release this rule did not have a prodtype since one was added we need to add back rhel7 and rhel8 ensure that we don't break tailoring for users. --- .../logging/log_rotation/timer_logrotate_enabled/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml b/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml index b9dfc59aafce..f4292ad9341c 100644 
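Review bot: The changed line moves the chronyd documentation link to HTTPS, but the `{{{ weblink(link="http://www.ntp.org") }}}` reference for ntpd on the very next context line stays on plain HTTP, so the rendered guide still hands readers an unauthenticated link for one of the two daemons it compares. If ntp.org serves its site over TLS, the same hunk should change it to `{{{ weblink(link="https://www.ntp.org") }}}`; if it deliberately stays HTTP, a short note in the description explaining why would stop the next maintainer from flipping it blindly.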
--- a/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml +++ b/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol9,rhcos4,rhel9,sle12,sle15 +prodtype: ol9,rhcos4,rhel7,rhel8,rhel9,sle12,sle15 title: 'Enable logrotate Timer' From f2d77af8c2bbdb9ca3f438b6630df24245876d3c Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 4 Oct 2023 17:05:53 -0500 Subject: [PATCH 277/403] Add a platform for timer_logrotate_enabled on RHEL products Since this rule has been shipped in RHEL its needs to stay in the datastream. But the rule is not relvant for RHEL 8 and below. This marks the rule as appicable to RHEL 9+. --- .../logging/log_rotation/timer_logrotate_enabled/rule.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml b/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml index f4292ad9341c..6a3154a90584 100644 --- a/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml +++ b/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml @@ -14,7 +14,11 @@ rationale: |- severity: medium +{{% if 'rhel' in product %}} +platform: package[logrotate] and os_linux[rhel]>=9 +{{% else %}} platform: package[logrotate] +{{% endif %}} identifiers: cce@rhel7: CCE-86156-7 From be025343fe8eaa937adb2e5886518f099ed0e719 Mon Sep 17 00:00:00 2001 
From: Matthew Burket Date: Thu, 5 Oct 2023 07:03:46 -0500 Subject: [PATCH 278/403] Exlcude timer_logrotate_enabled from the RHEL8 and RHEL9 anssi profiles The timer_logrotate_enabled rule is in the datastream but is not applicable to RHEL 7 and RHEL 8. --- products/rhel7/profiles/anssi_nt28_enhanced.profile | 1 + products/rhel7/profiles/anssi_nt28_high.profile | 1 + products/rhel8/profiles/anssi_bp28_enhanced.profile | 1 + products/rhel8/profiles/anssi_bp28_high.profile | 1 + 4 files changed, 4 insertions(+) diff --git a/products/rhel7/profiles/anssi_nt28_enhanced.profile b/products/rhel7/profiles/anssi_nt28_enhanced.profile index 7b546b1314b0..ad2f5a84458e 100644 --- a/products/rhel7/profiles/anssi_nt28_enhanced.profile +++ b/products/rhel7/profiles/anssi_nt28_enhanced.profile @@ -14,3 +14,4 @@ description: |- selections: - anssi:all:enhanced - '!selinux_state' + - '!timer_logrotate_enabled' diff --git a/products/rhel7/profiles/anssi_nt28_high.profile b/products/rhel7/profiles/anssi_nt28_high.profile index 72c21bc5398b..575895693723 100644 --- a/products/rhel7/profiles/anssi_nt28_high.profile +++ b/products/rhel7/profiles/anssi_nt28_high.profile @@ -13,3 +13,4 @@ description: |- selections: - anssi:all:high + - '!timer_logrotate_enabled' diff --git a/products/rhel8/profiles/anssi_bp28_enhanced.profile b/products/rhel8/profiles/anssi_bp28_enhanced.profile index 62cbe1715b06..7ab0f85897b2 100644 --- a/products/rhel8/profiles/anssi_bp28_enhanced.profile +++ b/products/rhel8/profiles/anssi_bp28_enhanced.profile @@ -17,3 +17,4 @@ description: |- selections: - anssi:all:enhanced + - '!timer_logrotate_enabled' diff --git a/products/rhel8/profiles/anssi_bp28_high.profile b/products/rhel8/profiles/anssi_bp28_high.profile index 204e141b1f58..5375615a4558 100644 --- a/products/rhel8/profiles/anssi_bp28_high.profile +++ b/products/rhel8/profiles/anssi_bp28_high.profile 
@@ -19,3 +19,4 @@ selections: - anssi:all:high # the following rule renders UEFI systems unbootable - '!sebool_secure_mode_insmod' + - '!timer_logrotate_enabled' From 05f15d325360b1f4877d4c13b6cb1a33ae9ba2fd Mon Sep 17 00:00:00 2001 From: Eduardo Barretto Date: Tue, 3 Oct 2023 10:04:26 +0200 Subject: [PATCH 279/403] nftables: sce: Same principle of commit 3d87ab8 --- .../nftables_ensure_default_deny_policy/sce/ubuntu.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/sce/ubuntu.sh b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/sce/ubuntu.sh index d82a29c0d955..67f210b1c809 100644 --- a/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/sce/ubuntu.sh +++ b/linux_os/guide/system/network/network-nftables/nftables_ensure_default_deny_policy/sce/ubuntu.sh @@ -5,9 +5,9 @@ # Check if default policy is drop output=$(nft list ruleset) -if ! (grep 'hook input' "$output" |& grep -w 'policy drop' &>/dev/null &&\ - grep 'hook forward' "$output" |& grep -w 'policy drop' &>/dev/null &&\ - grep 'hook output' "$output" |& grep -w 'policy drop' &>/dev/null); then +if ! (echo "$output" | grep 'hook input' |& grep -wq 'policy drop' &&\ + echo "$output" | grep 'hook forward' |& grep -wq 'policy drop' &&\ + echo "$output" | grep 'hook output' |& grep -wq 'policy drop'); then exit "${XCCDF_RESULT_FAIL}" fi From dd34b806776601ecb824bc02a50f2cda7da14b0b Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 29 Nov 2023 13:23:39 -0600 Subject: [PATCH 280/403] Move ansible_sudo_remove_config to FQCN --- shared/macros/10-ansible.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 84bddf54633d..03f5411dc111 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
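Review bot: The rewritten condition in the `if` still succeeds as soon as any single base chain for a hook carries `policy drop`, because each `grep 'hook input'` stream only needs one matching line; on a host whose ruleset has more than one input (or forward/output) base chain, for example separate `ip` and `ip6` filter tables, a chain left at `policy accept` is masked by a restrictive sibling and the check reports pass. If the rule's intent is that every base chain defaults to drop, compare the number of chains per hook with the number of dropping chains, as sketched below. Two smaller points while these lines are being touched: `printf '%s\n' "$output"` is the safer way to feed the captured ruleset to grep than `echo "$output"`, and `|&` forwards the first grep's stderr into the second grep's input, so a plain `|` keeps diagnostics out of the match.
```shell
output=$(nft list ruleset)

for hook in input forward output; do
    chains=$(printf '%s\n' "$output" | grep -c "hook $hook")
    dropping=$(printf '%s\n' "$output" | grep "hook $hook" | grep -wc 'policy drop')
    # fail when a hook has no base chain at all, or when any of its chains is not default-deny
    if [ "$chains" -eq 0 ] || [ "$chains" -ne "$dropping" ]; then
        exit "${XCCDF_RESULT_FAIL}"
    fi
done
# … unchanged: remainder of the script …
```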
@@ -725,13 +725,13 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul {{%- macro ansible_sudo_remove_config(parameter, pattern) -%}} - name: Find /etc/sudoers.d/ files - find: + ansible.builtin.find: paths: - /etc/sudoers.d/ register: sudoers - name: "Remove lines containing {{{ parameter }}} from sudoers files" - replace: + ansible.builtin.replace: regexp: '(^(?!#).*[\s]+{{{ pattern }}}.*$)' replace: '# \g<1>' path: "{{ item.path }}" From a5db4260fc7ec64d2fa5cbd6f8a7d701d1a5760f Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 29 Nov 2023 13:23:16 -0600 Subject: [PATCH 281/403] Add docs for ansible_sudo_remove_config --- shared/macros/10-ansible.jinja | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 03f5411dc111..d72ff21b6349 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja @@ -721,7 +721,15 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul mode: 0644 {{%- endmacro %}} +{{# + This macro comments out a given line of the sudoers and then validates it before saving. + +:param parameter: The parameter to remove +:type parameter: str +:param pattern: The pattern to remove +:type pattern: str +#}} {{%- macro ansible_sudo_remove_config(parameter, pattern) -%}} - name: Find /etc/sudoers.d/ files From 70e64a62a5b920466ed2cb5dd5f84b49828b3ed7 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Wed, 29 Nov 2023 13:22:22 -0600 Subject: [PATCH 282/403] Fix wrong_value test in sudo_require_authentication !authenticate is not valid in group line in sudoers --- .../sudo/sudo_require_authentication/tests/wrong_value.fail.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
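Review bot: The new docblock states that the macro "comments out a given line of the sudoers and then validates it before saving", but the task bodies visible in the preceding hunk of this file (`ansible.builtin.find` over `/etc/sudoers.d/`, then `ansible.builtin.replace` with `regexp`, `replace` and `path`) show no `validate:` argument, and the rest of the replace task lies outside the hunk, so the validation claim cannot be confirmed from here. Either the task passes something like `validate: /usr/sbin/visudo -cf %s` further down, in which case the docblock is accurate, or the sentence should be trimmed to what the macro actually does, because a maintainer editing sudoers will rely on a promise of visudo validation. The description of `parameter` is also imprecise: in the visible tasks it appears only in the task `name`, while `pattern` is what the regexp matches, so `:param parameter: Human-readable name of the sudoers option, used only in the task title` would describe it better. The macro body begins at the end of this hunk and continues outside it.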
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh index 1c2d98e824a0..3c661e2902ea 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh @@ -5,6 +5,6 @@ echo "Defaults !authenticate" >> /etc/sudoers chmod 440 /etc/sudoers mkdir -p /etc/sudoers.d -echo "%wheel ALL=(ALL) !authenticate ALL" >> /etc/sudoers.d/sudoers +echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/sudoers echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers chmod 440 /etc/sudoers.d/sudoers From a3e897272a52ecf49fd6e09947fa7472f43c7185 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 1 Dec 2023 15:14:29 +0100 Subject: [PATCH 283/403] remove stigid from rule no longer selected in RHEL 8 STIG --- .../auditing/policy_rules/audit_immutable_login_uids/rule.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml index 663c3cfcdecb..19822b88d4d3 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml @@ -35,7 +35,6 @@ references: ospp: FAU_GEN.1.2 srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-APP-000121-CTR-000255,SRG-APP-000495-CTR-001235 stigid@ol8: OL08-00-030122 - stigid@rhel8: RHEL-08-030122 stigid@rhel9: RHEL-09-654270 ocil_clause: 'the file does not exist or the content differs' From 2f2de8ad60e5b4e346f04cab81fb2d795372b07b Mon Sep 17 00:00:00 2001 
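Review bot: With the changed line, `NOPASSWD: ALL` in `/etc/sudoers.d/sudoers` no longer distinguishes anything in this scenario, because the same file (and `/etc/sudoers` two lines above) still receives `Defaults !authenticate`, which on its own makes the rule fail; whether the check also recognises the `NOPASSWD:` tag inside a user specification is therefore never exercised by this test. If that detection matters, a separate `.fail.sh` that writes only the `%wheel ALL=(ALL) NOPASSWD: ALL` line would cover it; if it does not, a comment on the changed line such as `# NOPASSWD tag is incidental here; the Defaults line below triggers the failure` would stop the next reader from assuming the rule catches it.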
From: Vojtech Polasek Date: Fri, 1 Dec 2023 15:21:10 +0100 Subject: [PATCH 284/403] replace audit_immutable_login_uids with audit_rules_immutable_login_uids in rhel9 stig the rule is more versatile --- controls/stig_rhel9.yml | 2 +- .../audit_rules_immutable_login_uids/rule.yml | 1 + .../auditing/policy_rules/audit_immutable_login_uids/rule.yml | 1 - 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml index b576ba08c3ef..73d9e9e1aa53 100644 --- a/controls/stig_rhel9.yml +++ b/controls/stig_rhel9.yml @@ -4114,7 +4114,7 @@ controls: - medium title: RHEL 9 audit system must protect logon UIDs from unauthorized change. rules: - - audit_immutable_login_uids + - audit_rules_immutable_login_uids status: automated - id: RHEL-09-654275 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml index 46e249efbb56..6a8ea53fc51d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/rule.yml @@ -33,6 +33,7 @@ references: disa: CCI-000162,CCI-000163,CCI-000164 srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029 stigid@rhel8: RHEL-08-030122 + stigid@rhel9: RHEL-09-654270 ocil_clause: 'the system is not configured to make login UIDs immutable' diff --git a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml index 19822b88d4d3..04333204f2c1 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_immutable_login_uids/rule.yml 
@@ -35,7 +35,6 @@ references: ospp: FAU_GEN.1.2 srg: SRG-OS-000462-GPOS-00206,SRG-OS-000475-GPOS-00220,SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-APP-000121-CTR-000255,SRG-APP-000495-CTR-001235 stigid@ol8: OL08-00-030122 - stigid@rhel9: RHEL-09-654270 ocil_clause: 'the file does not exist or the content differs' From 17b85a07b802b63a3d58afee4a8bd1c44459d2c2 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 1 Dec 2023 15:45:21 +0100 Subject: [PATCH 285/403] remove stigid from rule passwd_system-auth_substack because it is not selected in rhel7 stig profile --- .../password_quality/passwd_system-auth_substack/rule.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml index 89b82af3f26c..55d3e47a540e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/passwd_system-auth_substack/rule.yml @@ -19,7 +19,6 @@ references: nist: IA-5(1)(a),IA-5(1).1(v),IA-5(1)(a) srg: SRG-OS-000069-GPOS-00037 stigid@ol7: OL07-00-010118 - stigid@rhel7: RHEL-07-010118 ocil_clause: '/etc/pam.d/passwd does not implement /etc/pam.d/system-auth' From 23aea40b1b45bd9c6d7e6d09f82e920dd4da0469 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 4 Dec 2023 15:33:13 +0100 Subject: [PATCH 286/403] add warning to rule service_ntpd_enabled that the service does not exist on some products --- linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml index 92d761ea6bfe..6881404b432f 100644 --- a/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml 
+++ b/linux_os/guide/services/ntp/service_ntpd_enabled/rule.yml @@ -52,3 +52,10 @@ template: packagename: ntp platform: package[ntp] + +{{% if prodtype in ["rhel8", "rhel9", "sle15"] %}} +warnings: + - general: + The
ntp
package is not available in {{{ full_name }}}. Please + consider the
chrony
package instead together with the respective
service_chronyd_enabled
rule. +{{% endif %}} From 31b8d7395f1de212d1adaa1a416801377431f8ac Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Mon, 4 Dec 2023 15:34:29 +0100 Subject: [PATCH 287/403] remove rule service_ntpd_enabled from rhel8 and rhel9 pci-dss profiles the rule does not make sense on those products --- products/rhel8/profiles/pci-dss.profile | 1 + products/rhel9/profiles/pci-dss.profile | 1 + tests/data/profile_stability/rhel8/pci-dss.profile | 1 - 3 files changed, 2 insertions(+), 1 deletion(-) diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile index 8ddb6e0a980f..6f6667618da6 100644 --- a/products/rhel8/profiles/pci-dss.profile +++ b/products/rhel8/profiles/pci-dss.profile @@ -32,3 +32,4 @@ selections: - '!ntpd_specify_multiple_servers' - '!set_ipv6_loopback_traffic' - '!set_loopback_traffic' + - '!service_ntpd_enabled' diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile index 524b0b7cf093..d3503042ab9d 100644 --- a/products/rhel9/profiles/pci-dss.profile +++ b/products/rhel9/profiles/pci-dss.profile @@ -35,3 +35,4 @@ selections: - '!ntpd_specify_multiple_servers' - '!set_ipv6_loopback_traffic' - '!set_loopback_traffic' + - '!service_ntpd_enabled' diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile index 7bf16b23ca8a..4c486e94ce6e 100644 --- a/tests/data/profile_stability/rhel8/pci-dss.profile +++ b/tests/data/profile_stability/rhel8/pci-dss.profile @@ -232,7 +232,6 @@ selections: - audit_rules_sysadmin_actions - display_login_attempts - file_permissions_backup_etc_shadow -- service_ntpd_enabled - audit_rules_dac_modification_fremovexattr - sshd_disable_x11_forwarding - file_at_deny_not_exist From b73c72cf51f860ca92fdc5da1b48ef60fd41e902 Mon Sep 17 00:00:00 2001 
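Review bot: The added guard reads `{{% if prodtype in ["rhel8", "rhel9", "sle15"] %}}`, while the equivalent warning blocks added later in this series (timer_logrotate_enabled and the package_*_removed rules) use `{{% if product in [...] %}}`. `prodtype` is a key of the rule file rather than, as far as I can tell, a variable of the Jinja environment; if it is undefined here, Jinja's undefined value is never a member of the list and the warning silently never renders on any product, which is precisely the gap this block is meant to close. Changing the line to `{{% if product in ["rhel8", "rhel9", "sle15"] %}}` makes the three blocks consistent and removes the doubt; checking the rendered rule on one of the listed products would confirm the warning actually appears.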
From: Vojtech Polasek Date: Tue, 5 Dec 2023 13:48:34 +0100 Subject: [PATCH 288/403] add warning to rule timer_logrotate_enabled although the rule has rhel7 and rhel8 prodtype, it does not make sense on those products --- .../logging/log_rotation/timer_logrotate_enabled/rule.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml b/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml index 3804fdbe387a..bf18c97c6b9e 100644 --- a/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml +++ b/linux_os/guide/system/logging/log_rotation/timer_logrotate_enabled/rule.yml @@ -54,3 +54,11 @@ template: vars: timername: logrotate packagename: logrotate + +{{% if product in ["rhel7", "rhel8"] %}} +warnings: + - general: + The Systemd unit logrotate.timer does not exist in + {{{ full_name }}}. The rule ensure_logrotate_activated is + suggested instead. +{{% endif %}} From fe4e5f489deff5cd0efa9d3f6fb57e930704850a Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 5 Dec 2023 13:49:27 +0100 Subject: [PATCH 289/403] remove the rule from the rhel7 pci-dss profile --- products/rhel7/profiles/pci-dss.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/products/rhel7/profiles/pci-dss.profile b/products/rhel7/profiles/pci-dss.profile index 7b2ff949257c..b705a8314424 100644 --- a/products/rhel7/profiles/pci-dss.profile +++ b/products/rhel7/profiles/pci-dss.profile @@ -30,3 +30,4 @@ selections: - '!service_ntp_enabled' - '!set_ipv6_loopback_traffic' - '!set_loopback_traffic' + - '!timer_logrotate_enabled' From bcc92eb645db1144f3d98480356695e6cb8ae0af Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 5 Dec 2023 13:49:48 +0100 Subject: [PATCH 290/403] remove the rule from rhel8 pci-dss profile --- products/rhel8/profiles/pci-dss.profile | 1 + tests/data/profile_stability/rhel8/pci-dss.profile | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) 
diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile index 6f6667618da6..bbd00df18485 100644 --- a/products/rhel8/profiles/pci-dss.profile +++ b/products/rhel8/profiles/pci-dss.profile @@ -33,3 +33,4 @@ selections: - '!set_ipv6_loopback_traffic' - '!set_loopback_traffic' - '!service_ntpd_enabled' + - '!timer_logrotate_enabled' diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile index 4c486e94ce6e..fd8d8da498ad 100644 --- a/tests/data/profile_stability/rhel8/pci-dss.profile +++ b/tests/data/profile_stability/rhel8/pci-dss.profile @@ -145,7 +145,6 @@ selections: - file_permissions_var_log_audit - package_telnet-server_removed - file_permissions_unauthorized_world_writable -- timer_logrotate_enabled - package_tftp-server_removed - file_permissions_sshd_private_key - sshd_disable_tcp_forwarding From b267a6e91f32e1c9a5e571c65638eba89791e76e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Wed, 6 Dec 2023 14:14:28 +0100 Subject: [PATCH 291/403] add warnings to package_*_removed rules for packages which no longer exist in rhel8 a/ rhel9 --- .../inetd_and_xinetd/package_xinetd_removed/rule.yml | 6 ++++++ .../services/obsolete/nis/package_ypbind_removed/rule.yml | 6 ++++++ .../services/obsolete/nis/package_ypserv_removed/rule.yml | 6 ++++++ .../obsolete/r_services/package_rsh-server_removed/rule.yml | 6 ++++++ .../obsolete/r_services/package_rsh_removed/rule.yml | 6 ++++++ .../obsolete/talk/package_talk-server_removed/rule.yml | 6 ++++++ .../services/obsolete/talk/package_talk_removed/rule.yml | 6 ++++++ 7 files changed, 42 insertions(+) diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml index 4bef92d96481..ed8dadca3765 100644 --- a/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml 
+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/package_xinetd_removed/rule.yml @@ -49,3 +49,9 @@ template: name: package_removed vars: pkgname: xinetd + +{{% if product in ["rhel9"] %}} +warnings: + - general: + The package is not available in {{{ full_name }}}. +{{% endif %}} diff --git a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml index c5f90c4950c1..081e0aad490f 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypbind_removed/rule.yml @@ -43,3 +43,9 @@ template: name: package_removed vars: pkgname: ypbind + +{{% if product in ["rhel9"] %}} +warnings: + - general: + The package is not available in {{{ full_name }}}. +{{% endif %}} diff --git a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml index c91b8af25af9..bb449701bb96 100644 --- a/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml +++ b/linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml @@ -52,3 +52,9 @@ template: name: package_removed vars: pkgname: ypserv + +{{% if product in ["rhel9"] %}} +warnings: + - general: + The package is not available in {{{ full_name }}}. +{{% endif %}} diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml index 8dd57abad06e..f7764542a2d7 100644 --- a/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml @@ -50,3 +50,9 @@ template: name: package_removed vars: pkgname: rsh-server + +{{% if product in ["rhel8", "rhel9"] %}} +warnings: + - general: + The package is not available in {{{ full_name }}}. +{{% endif %}} 
diff --git a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml index 45e79f6de615..bb208d69956f 100644 --- a/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/package_rsh_removed/rule.yml @@ -61,3 +61,9 @@ template: pkgname@ubuntu1804: rsh-client pkgname@ubuntu2004: rsh-client pkgname@ubuntu2204: rsh-client + +{{% if product in ["rhel8", "rhel9"] %}} +warnings: + - general: + The package is not available in {{{ full_name }}}. +{{% endif %}} diff --git a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml index a1ebe433f4a7..47089044f26f 100644 --- a/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/talk/package_talk-server_removed/rule.yml @@ -33,3 +33,9 @@ template: name: package_removed vars: pkgname: talk-server + +{{% if product in ["rhel8", "rhel9"] %}} +warnings: + - general: + The package is not available in {{{ full_name }}}. +{{% endif %}} diff --git a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml index 14317060b90a..d9c5a6c6e788 100644 --- a/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml +++ b/linux_os/guide/services/obsolete/talk/package_talk_removed/rule.yml @@ -43,3 +43,9 @@ template: name: package_removed vars: pkgname: talk + +{{% if product in ["rhel8", "rhel9"] %}} +warnings: + - general: + The package is not available in {{{ full_name }}}. +{{% endif %}} From d6041d0aa0a8efbb1978a12553ee941a17b59c0b Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Wed, 6 Dec 2023 14:16:04 +0100 Subject: [PATCH 292/403] remove irrelevant rules from rhel8 and rhel9 pci-dss profile including profile stability test data --- products/rhel8/profiles/pci-dss.profile | 4 ++++ products/rhel9/profiles/pci-dss.profile | 7 +++++++ tests/data/profile_stability/rhel8/pci-dss.profile | 4 ---- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/products/rhel8/profiles/pci-dss.profile b/products/rhel8/profiles/pci-dss.profile index bbd00df18485..5fb46a60f482 100644 --- a/products/rhel8/profiles/pci-dss.profile +++ b/products/rhel8/profiles/pci-dss.profile @@ -34,3 +34,7 @@ selections: - '!set_loopback_traffic' - '!service_ntpd_enabled' - '!timer_logrotate_enabled' + - '!package_talk_removed' + - '!package_talk-server_removed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' diff --git a/products/rhel9/profiles/pci-dss.profile b/products/rhel9/profiles/pci-dss.profile index d3503042ab9d..143489d6d4d5 100644 --- a/products/rhel9/profiles/pci-dss.profile +++ b/products/rhel9/profiles/pci-dss.profile @@ -36,3 +36,10 @@ selections: - '!set_ipv6_loopback_traffic' - '!set_loopback_traffic' - '!service_ntpd_enabled' + - '!package_ypserv_removed' + - '!package_ypbind_removed' + - '!package_talk_removed' + - '!package_talk-server_removed' + - '!package_xinetd_removed' + - '!package_rsh_removed' + - '!package_rsh-server_removed' diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile index fd8d8da498ad..1724a57a80a0 100644 --- a/tests/data/profile_stability/rhel8/pci-dss.profile +++ b/tests/data/profile_stability/rhel8/pci-dss.profile @@ -65,7 +65,6 @@ selections: - file_owner_etc_shadow - accounts_passwords_pam_faillock_deny - accounts_password_all_shadowed -- package_talk-server_removed - accounts_root_gid_zero - selinux_state - audit_rules_time_clock_settime 
@@ -85,7 +84,6 @@ selections: - network_sniffer_disabled - audit_rules_session_events - package_dhcp_removed -- package_rsh_removed - file_owner_cron_d - sshd_set_idle_timeout - file_groupowner_cron_weekly @@ -213,7 +211,6 @@ selections: - auditd_data_retention_space_left_action - rsyslog_files_permissions - file_owner_cron_monthly -- package_talk_removed - file_permissions_cron_daily - selinux_confinement_of_daemons - sysctl_net_ipv4_conf_all_send_redirects @@ -245,7 +242,6 @@ selections: - rpm_verify_hashes - file_owner_cron_allow - file_permissions_sshd_pub_key -- package_rsh-server_removed - dconf_gnome_disable_automount - gid_passwd_group_same - package_xinetd_removed From a61b1f915be50722d06b2471a1548c439db86f86 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Wed, 31 Jan 2024 13:42:16 +0100 Subject: [PATCH 293/403] Align logind_session_timeout value with RHEL8 STIG --- products/rhel8/profiles/stig.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index fc12c24a5126..3015f17b7bd9 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -543,6 +543,7 @@ selections: # RHEL-08-020035 - logind_session_timeout + - var_logind_session_timeout=15_minutes # RHEL-08-020039 - package_tmux_installed From 68afc3d67444c91142276f17720d6d581ca05e79 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Wed, 31 Jan 2024 13:43:19 +0100 Subject: [PATCH 294/403] Align logind_session_timeout value with RHEL9 STIG --- controls/stig_rhel9.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml index 54919097d902..5449c82967af 100644 --- a/controls/stig_rhel9.yml +++ b/controls/stig_rhel9.yml @@ -2690,6 +2690,7 @@ controls: title: RHEL 9 must terminate idle user sessions. rules: - logind_session_timeout + - var_logind_session_timeout=15_minutes status: automated - id: RHEL-09-431010 
From 4b6fd880bd83e4a1040f79543ed3c8565f8fa0cf Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Wed, 31 Jan 2024 15:03:30 +0100 Subject: [PATCH 295/403] Update references for profile stability tests --- .../data/profile_stability/rhel8/stig.profile | 753 +++++++++--------- .../profile_stability/rhel8/stig_gui.profile | 750 ++++++++--------- 2 files changed, 754 insertions(+), 749 deletions(-) diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 8b3813135fb5..7be875ab745d 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -1,6 +1,6 @@ description: 'This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 8 V1R13. + DISA STIG for Red Hat Enterprise Linux 8 V1R12. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes 
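Review bot: The changed description line lowers the referenced STIG release from V1R13 to V1R12, and the second hunk of this file (starting on the next line and running past this excerpt) does the same to `metadata: version`. Earlier commits in this series only moved the product profiles forward (V1R9 to V1R11 for RHEL 8), so a downgrade in the expected-output fixture reads as the fixture having been regenerated against a branch whose `products/rhel8/profiles/stig.profile` still declares V1R12; worth confirming that this is the intended release for this branch rather than a stale working tree, since the stability test will now lock it in. A one-line note in the commit message naming the source profile's version would make the intent clear to whoever bumps it next.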
@@ -21,423 +21,424 @@ description: 'This profile contains configuration checks that align to the
 - Red Hat Containers with a Red Hat Enterprise Linux 8 image'
 extends: null
+hidden: ''
 metadata:
- version: V1R13
+ version: V1R12
 SMEs:
 - mab879
 - ggbecker
 reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 selections:
-- account_disable_post_pw_expiration
-- account_password_pam_faillock_password_auth
-- account_password_pam_faillock_system_auth
-- account_password_selinux_faillock_dir
-- account_temp_expire_date
-- account_unique_id
-- accounts_authorized_local_users
-- accounts_have_homedir_login_defs
-- accounts_logon_fail_delay
-- accounts_max_concurrent_login_sessions
+- mount_option_var_tmp_nosuid
 - accounts_maximum_age_login_defs
-- accounts_minimum_age_login_defs
-- accounts_no_uid_except_zero
-- accounts_password_all_shadowed_sha512
-- accounts_password_minlen_login_defs
-- accounts_password_pam_dcredit
-- accounts_password_pam_dictcheck
-- accounts_password_pam_difok
-- accounts_password_pam_lcredit
-- accounts_password_pam_maxclassrepeat
-- accounts_password_pam_maxrepeat
-- accounts_password_pam_minclass
-- accounts_password_pam_minlen
-- accounts_password_pam_ocredit
-- accounts_password_pam_pwhistory_remember_password_auth
-- accounts_password_pam_pwhistory_remember_system_auth
-- accounts_password_pam_pwquality_password_auth
-- accounts_password_pam_pwquality_system_auth
-- accounts_password_pam_retry
-- accounts_password_pam_ucredit
-- accounts_password_set_max_life_existing
-- accounts_password_set_min_life_existing
-- accounts_passwords_pam_faillock_audit
-- accounts_passwords_pam_faillock_deny
-- accounts_passwords_pam_faillock_deny_root
-- accounts_passwords_pam_faillock_dir
-- accounts_passwords_pam_faillock_interval
-- accounts_passwords_pam_faillock_silent
-- accounts_passwords_pam_faillock_unlock_time
-- accounts_umask_etc_bashrc
-- accounts_umask_etc_csh_cshrc
-- accounts_umask_etc_login_defs
-- accounts_umask_etc_profile
-- accounts_umask_interactive_users
-- accounts_user_dot_no_world_writable_programs
-- accounts_user_home_paths_only
-- accounts_user_interactive_home_directory_defined
-- accounts_user_interactive_home_directory_exists
-- accounts_users_home_files_groupownership
+- configure_libreswan_crypto_policy
 - accounts_users_home_files_permissions
-- agent_mfetpd_running
-- aide_build_database
-- aide_check_audit_tools
-- aide_scan_notification
-- aide_verify_acls
-- aide_verify_ext_attributes
-- audit_rules_dac_modification_chmod
-- audit_rules_dac_modification_chown
-- audit_rules_dac_modification_fchmod
-- audit_rules_dac_modification_fchmodat
+- accounts_users_home_files_groupownership
+- harden_sshd_ciphers_openssh_conf_crypto_policy
+- kernel_module_cramfs_disabled
+- accounts_user_interactive_home_directory_exists
 - audit_rules_dac_modification_fchown
-- audit_rules_dac_modification_fchownat
-- audit_rules_dac_modification_fremovexattr
-- audit_rules_dac_modification_fsetxattr
-- audit_rules_dac_modification_lchown
-- audit_rules_dac_modification_lremovexattr
-- audit_rules_dac_modification_lsetxattr
-- audit_rules_dac_modification_removexattr
-- audit_rules_dac_modification_setxattr
-- audit_rules_execution_chacl
-- audit_rules_execution_chcon
-- audit_rules_execution_semanage
-- audit_rules_execution_setfacl
-- audit_rules_execution_setfiles
-- audit_rules_execution_setsebool
-- audit_rules_file_deletion_events_rename
-- audit_rules_file_deletion_events_renameat
-- audit_rules_file_deletion_events_rmdir
+- file_permissions_ungroupowned
+- enable_authselect
+- coredump_disable_backtraces
+- accounts_max_concurrent_login_sessions
+- file_permissions_etc_audit_rulesd
+- grub2_pti_argument
+- kernel_module_bluetooth_disabled
+- accounts_password_pam_minclass
+- rsyslog_encrypt_offload_actionsendstreamdrivermode
 - audit_rules_file_deletion_events_unlink
-- audit_rules_file_deletion_events_unlinkat
+- encrypt_partitions
+- sysctl_net_ipv6_conf_default_accept_ra
+- package_libreport-plugin-rhtsupport_removed
+- dconf_gnome_screensaver_lock_delay
+- auditd_local_events
+- configure_tmux_lock_keybinding
+- accounts_password_pam_difok
+- account_password_pam_faillock_system_auth
+- sysctl_kernel_perf_event_paranoid
 - audit_rules_immutable
-- audit_rules_immutable_login_uids
-- audit_rules_kernel_module_loading_delete
-- audit_rules_kernel_module_loading_finit
-- audit_rules_kernel_module_loading_init
-- audit_rules_login_events_faillock
-- audit_rules_login_events_lastlog
-- audit_rules_media_export
-- audit_rules_privileged_commands_chage
-- audit_rules_privileged_commands_chsh
-- audit_rules_privileged_commands_crontab
-- audit_rules_privileged_commands_gpasswd
-- audit_rules_privileged_commands_kmod
-- audit_rules_privileged_commands_mount
-- audit_rules_privileged_commands_newgrp
-- audit_rules_privileged_commands_pam_timestamp_check
+- sysctl_net_ipv6_conf_all_accept_ra
+- no_tmux_in_shells
+- xwindows_runlevel_target
+- mount_option_var_tmp_nodev
+- sysctl_kernel_kptr_restrict
+- account_password_selinux_faillock_dir
+- audit_rules_file_deletion_events_rename
+- sshd_do_not_permit_user_env
+- service_fapolicyd_enabled
+- accounts_umask_etc_login_defs
+- accounts_password_pam_pwquality_system_auth
+- package_rng-tools_installed
+- dir_group_ownership_library_dirs
+- accounts_passwords_pam_faillock_dir
+- sysctl_kernel_randomize_va_space
+- sysctl_net_ipv6_conf_default_accept_redirects
+- grub2_uefi_password
 - audit_rules_privileged_commands_passwd
-- audit_rules_privileged_commands_postdrop
-- audit_rules_privileged_commands_postqueue
+- require_emergency_target_auth
+- mount_option_tmp_nodev
 - audit_rules_privileged_commands_ssh_agent
-- audit_rules_privileged_commands_ssh_keysign
-- audit_rules_privileged_commands_su
-- audit_rules_privileged_commands_sudo
-- audit_rules_privileged_commands_umount
-- audit_rules_privileged_commands_unix_chkpwd
-- audit_rules_privileged_commands_unix_update
-- audit_rules_privileged_commands_userhelper
-- audit_rules_privileged_commands_usermod
-- audit_rules_sudoers
-- audit_rules_sudoers_d
-- audit_rules_suid_privilege_function
-- audit_rules_unsuccessful_file_modification_creat
-- audit_rules_unsuccessful_file_modification_ftruncate
-- audit_rules_unsuccessful_file_modification_open
-- audit_rules_unsuccessful_file_modification_open_by_handle_at
-- audit_rules_unsuccessful_file_modification_openat
-- audit_rules_unsuccessful_file_modification_truncate
-- audit_rules_usergroup_modification_group
-- audit_rules_usergroup_modification_gshadow
-- audit_rules_usergroup_modification_opasswd
-- audit_rules_usergroup_modification_passwd
-- audit_rules_usergroup_modification_shadow
-- auditd_audispd_configure_sufficiently_large_partition
-- auditd_data_disk_error_action
-- auditd_data_disk_full_action
-- auditd_data_retention_action_mail_acct
-- auditd_data_retention_space_left_action
-- auditd_data_retention_space_left_percentage
-- auditd_local_events
-- auditd_log_format
-- auditd_name_format
-- auditd_overflow_action
-- banner_etc_issue
-- bios_enable_execution_restrictions
-- chronyd_client_only
-- chronyd_no_chronyc_network
-- chronyd_or_ntpd_set_maxpoll
-- chronyd_server_directive
-- clean_components_post_updating
-- configure_bashrc_tmux
-- configure_bind_crypto_policy
-- configure_crypto_policy
-- configure_firewalld_ports
-- configure_gnutls_tls_crypto_policy
-- configure_kerberos_crypto_policy
-- configure_libreswan_crypto_policy
-- configure_openssl_crypto_policy
+- service_kdump_disabled
+- accounts_passwords_pam_faillock_deny
+- package_telnet-server_removed
+- file_groupownership_system_commands_dirs
 - configure_openssl_tls_crypto_policy
-- configure_ssh_crypto_policy
-- configure_tmux_lock_after_time
-- configure_tmux_lock_command
-- configure_tmux_lock_keybinding
-- configure_usbguard_auditbackend
-- configured_firewalld_default_deny
-- coredump_disable_backtraces
-- coredump_disable_storage
+- no_files_unowned_by_user
+- mount_option_noexec_removable_partitions
+- mount_option_tmp_noexec
+- package_abrt-addon-kerneloops_removed
+- wireless_disable_interfaces
+- accounts_password_all_shadowed_sha512
 - dconf_gnome_banner_enabled
-- dconf_gnome_disable_ctrlaltdel_reboot
-- dconf_gnome_disable_user_list
+- display_login_attempts
+- audit_rules_privileged_commands_postqueue
+- ensure_gpgcheck_globally_activated
+- coredump_disable_storage
+- ensure_gpgcheck_local_packages
 - dconf_gnome_lock_screen_on_smartcard_removal
-- dconf_gnome_login_banner_text
-- dconf_gnome_screensaver_idle_delay
-- dconf_gnome_screensaver_lock_delay
-- dconf_gnome_screensaver_lock_enabled
-- dconf_gnome_screensaver_lock_locked
-- dconf_gnome_screensaver_user_locks
+- audit_rules_execution_setsebool
+- accounts_user_interactive_home_directory_defined
+- root_permissions_syslibrary_files
+- grub2_audit_backlog_limit_argument
+- kernel_module_uvcvideo_disabled
+- audit_rules_kernel_module_loading_delete
 - dconf_gnome_session_idle_user_locks
-- dir_group_ownership_library_dirs
-- dir_ownership_library_dirs
+- package_mcafeetp_installed
+- configure_usbguard_auditbackend
+- package_mailx_installed
 - dir_permissions_library_dirs
-- dir_perms_world_writable_root_owned
-- dir_perms_world_writable_sticky_bits
-- dir_perms_world_writable_system_owned_group
-- directory_group_ownership_var_log_audit
-- directory_ownership_var_log_audit
-- directory_permissions_var_log_audit
-- disable_ctrlaltdel_burstaction
-- disable_ctrlaltdel_reboot
-- disable_users_coredumps
+- audit_rules_usergroup_modification_shadow
+- mount_option_var_log_audit_nosuid
+- aide_build_database
+- set_password_hashing_algorithm_systemauth
+- audit_rules_privileged_commands_postdrop
 - disallow_bypass_password_sudo
-- display_login_attempts
-- enable_authselect
-- enable_dracut_fips_module
-- enable_fips_mode
-- encrypt_partitions
-- ensure_gpgcheck_globally_activated
-- ensure_gpgcheck_local_packages
+- configure_tmux_lock_after_time
+- configure_firewalld_ports
+- configure_bind_crypto_policy
+- dconf_gnome_disable_user_list
+- accounts_password_pam_pwquality_password_auth
+- auditd_log_format
+- audit_rules_sudoers_d
+- accounts_passwords_pam_faillock_deny_root
 - ensure_gpgcheck_never_disabled
-- ensure_redhat_gpgkey_installed
-- fapolicy_default_deny
-- file_audit_tools_group_ownership
-- file_audit_tools_ownership
-- file_audit_tools_permissions
-- file_group_ownership_var_log_audit
-- file_groupowner_var_log
-- file_groupowner_var_log_messages
-- file_groupownership_home_directories
-- file_groupownership_system_commands_dirs
-- file_owner_var_log
-- file_owner_var_log_messages
-- file_ownership_binary_dirs
-- file_ownership_library_dirs
-- file_ownership_var_log_audit_stig
-- file_permission_user_init_files
-- file_permissions_binary_dirs
-- file_permissions_etc_audit_auditd
-- file_permissions_etc_audit_rulesd
-- file_permissions_home_directories
-- file_permissions_library_dirs
-- file_permissions_sshd_private_key
 - file_permissions_sshd_pub_key
-- file_permissions_ungroupowned
-- file_permissions_var_log
-- file_permissions_var_log_audit
-- file_permissions_var_log_messages
-- firewalld-backend
-- gnome_gdm_disable_automatic_login
-- grub2_admin_username
-- grub2_audit_argument
-- grub2_audit_backlog_limit_argument
-- grub2_page_poison_argument
-- grub2_password
-- grub2_pti_argument
-- grub2_slub_debug_argument
-- grub2_uefi_admin_username
-- grub2_uefi_password
-- grub2_vsyscall_argument
-- harden_sshd_ciphers_openssh_conf_crypto_policy
-- harden_sshd_ciphers_opensshserver_conf_crypto_policy
-- harden_sshd_macs_openssh_conf_crypto_policy
-- harden_sshd_macs_opensshserver_conf_crypto_policy
-- install_smartcard_packages
-- installed_OS_is_vendor_supported
-- kerberos_disable_no_keytab
-- kernel_module_atm_disabled
-- kernel_module_bluetooth_disabled
-- kernel_module_can_disabled
-- kernel_module_cramfs_disabled
-- kernel_module_firewire-core_disabled
-- kernel_module_sctp_disabled
 - kernel_module_tipc_disabled
-- kernel_module_usb-storage_disabled
-- kernel_module_uvcvideo_disabled
-- logind_session_timeout
-- mount_option_boot_efi_nosuid
-- mount_option_boot_nosuid
-- mount_option_dev_shm_nodev
-- mount_option_dev_shm_noexec
-- mount_option_dev_shm_nosuid
+- audit_rules_privileged_commands_pam_timestamp_check
+- chronyd_or_ntpd_set_maxpoll
+- account_temp_expire_date
+- service_debug-shell_disabled
 - mount_option_home_noexec
-- mount_option_home_nosuid
-- mount_option_nodev_nonroot_local_partitions
-- mount_option_nodev_remote_filesystems
-- mount_option_nodev_removable_partitions
-- mount_option_noexec_remote_filesystems
-- mount_option_noexec_removable_partitions
-- mount_option_nosuid_remote_filesystems
-- mount_option_nosuid_removable_partitions
-- mount_option_tmp_nodev
-- mount_option_tmp_noexec
-- mount_option_tmp_nosuid
-- mount_option_var_log_audit_nodev
-- mount_option_var_log_audit_noexec
-- mount_option_var_log_audit_nosuid
-- mount_option_var_log_nodev
-- mount_option_var_log_noexec
-- mount_option_var_log_nosuid
-- mount_option_var_tmp_nodev
-- mount_option_var_tmp_noexec
-- mount_option_var_tmp_nosuid
-- network_configure_name_resolution
-- network_sniffer_disabled
-- no_empty_passwords
-- no_empty_passwords_etc_shadow
-- no_files_unowned_by_user
+- accounts_password_pam_retry
+- security_patches_up_to_date
+- partition_for_home
+- sshd_enable_warning_banner
+- package_sendmail_removed
+- install_smartcard_packages
+- usbguard_generate_policy
+- accounts_passwords_pam_faillock_unlock_time
+- sysctl_fs_protected_hardlinks
 - no_host_based_files
-- no_tmux_in_shells
-- no_user_host_based_files
-- package_abrt-addon-ccpp_removed
-- package_abrt-addon-kerneloops_removed
-- package_abrt-cli_removed
-- package_abrt-plugin-sosreport_removed
-- package_abrt_removed
+- chronyd_client_only
+- audit_rules_kernel_module_loading_finit
+- sshd_print_last_log
+- no_empty_passwords
+- partition_for_var_log
+- kerberos_disable_no_keytab
+- service_sshd_enabled
+- accounts_password_pam_pwhistory_remember_system_auth
+- sshd_disable_empty_passwords
+- accounts_password_pam_ucredit
+- chronyd_server_directive
+- audit_rules_dac_modification_lsetxattr
+- disable_ctrlaltdel_reboot
+- grub2_vsyscall_argument
+- audit_rules_dac_modification_fchmod
+- file_audit_tools_permissions
+- enable_dracut_fips_module
+- package_tuned_removed
+- configure_crypto_policy
+- selinux_policytype
+- audit_rules_dac_modification_fchmodat
+- configure_bashrc_tmux
 - package_aide_installed
-- package_audit_installed
-- package_fapolicyd_installed
-- package_firewalld_installed
-- package_gssproxy_removed
-- package_iprutils_removed
-- package_krb5-server_removed
-- package_krb5-workstation_removed
+- rsyslog_remote_loghost
+- mount_option_noexec_remote_filesystems
+- file_audit_tools_ownership
+- audit_rules_media_export
+- sysctl_net_ipv4_conf_all_forwarding
+- audit_rules_execution_setfiles
 - package_libreport-plugin-logger_removed
-- package_libreport-plugin-rhtsupport_removed
-- package_mailx_installed
-- package_mcafeetp_installed
+- audit_rules_unsuccessful_file_modification_open_by_handle_at
+- sshd_disable_user_known_hosts
+- audit_rules_dac_modification_chmod
+- require_singleuser_auth
+- sssd_enable_certmap
+- audit_rules_dac_modification_fchownat
+- audit_rules_privileged_commands_sudo
+- disable_ctrlaltdel_burstaction
 - package_opensc_installed
-- package_openssh-server_installed
-- package_policycoreutils_installed
+- logind_session_timeout
+- ensure_redhat_gpgkey_installed
+- mount_option_var_log_nosuid
+- file_group_ownership_var_log_audit
+- sshd_set_keepalive
+- selinux_state
+- audit_rules_dac_modification_lchown
+- accounts_have_homedir_login_defs
+- audit_rules_unsuccessful_file_modification_truncate
+- sysctl_net_ipv4_conf_default_accept_source_route
+- accounts_password_set_max_life_existing
 - package_postfix_installed
-- package_python3-abrt-addon_removed
-- package_rng-tools_installed
-- package_rsh-server_removed
+- mount_option_var_log_audit_nodev
+- package_openssh-server_installed
 - package_rsyslog-gnutls_installed
-- package_rsyslog_installed
-- package_sendmail_removed
-- package_telnet-server_removed
-- package_tftp-server_removed
-- package_tmux_installed
-- package_tuned_removed
+- file_permissions_var_log_messages
+- service_rsyslog_enabled
 - package_usbguard_installed
-- package_vsftpd_removed
-- partition_for_home
-- partition_for_tmp
-- partition_for_var
-- partition_for_var_log
-- partition_for_var_log_audit
-- partition_for_var_tmp
-- postfix_client_configure_mail_alias_postmaster
-- postfix_prevent_unrestricted_relay
-- require_emergency_target_auth
-- require_singleuser_auth
-- root_permissions_syslibrary_files
-- rsyslog_cron_logging
-- rsyslog_encrypt_offload_actionsendstreamdriverauthmode
-- rsyslog_encrypt_offload_actionsendstreamdrivermode
-- rsyslog_encrypt_offload_defaultnetstreamdriver
+- package_fapolicyd_installed
+- sysctl_crypto_fips_enabled
+- file_ownership_var_log_audit_stig
+- file_permissions_sshd_private_key
+- audit_rules_execution_semanage
+- grub2_password
+- audit_rules_dac_modification_fsetxattr
+- audit_rules_login_events_faillock
+- mount_option_dev_shm_nosuid
+- dconf_gnome_screensaver_lock_enabled
 - rsyslog_remote_access_monitoring
-- rsyslog_remote_loghost
-- security_patches_up_to_date
-- selinux_policytype
-- selinux_state
-- selinux_user_login_roles
-- service_auditd_enabled
+- package_abrt-plugin-sosreport_removed
+- audit_rules_usergroup_modification_opasswd
+- accounts_password_pam_lcredit
+- sshd_disable_x11_forwarding
+- package_krb5-server_removed
+- mount_option_boot_nosuid
+- accounts_minimum_age_login_defs
+- enable_fips_mode
+- sudo_remove_nopasswd
+- auditd_data_retention_action_mail_acct
+- audit_rules_privileged_commands_crontab
+- firewalld-backend
+- sysctl_net_ipv4_conf_default_accept_redirects
+- network_sniffer_disabled
+- grub2_slub_debug_argument
+- audit_rules_unsuccessful_file_modification_open
+- ssh_keys_passphrase_protected
+- mount_option_nosuid_removable_partitions
+- file_groupownership_home_directories
+- package_audit_installed
+- auditd_overflow_action
+- sysctl_net_ipv4_conf_all_send_redirects
+- package_abrt_removed
+- mount_option_home_nosuid
+- directory_group_ownership_var_log_audit
+- mount_option_nosuid_remote_filesystems
+- package_tmux_installed
+- audit_rules_execution_chacl
+- file_permissions_home_directories
+- sudo_restrict_privilege_elevation_to_authorized
+- accounts_password_pam_dictcheck
+- configure_tmux_lock_command
+- sysctl_fs_protected_symlinks
+- accounts_passwords_pam_faillock_silent
+- file_permission_user_init_files
 - service_autofs_disabled
-- service_debug-shell_disabled
-- service_fapolicyd_enabled
-- service_firewalld_enabled
-- service_kdump_disabled
+- sssd_has_trust_anchor
+- rsyslog_encrypt_offload_defaultnetstreamdriver
 - service_rngd_enabled
-- service_rsyslog_enabled
-- service_sshd_enabled
+- accounts_authorized_local_users
+- installed_OS_is_vendor_supported
+- accounts_logon_fail_delay
+- audit_rules_kernel_module_loading_init
+- partition_for_var_log_audit
+- audit_rules_suid_privilege_function
+- file_owner_var_log
+- set_password_hashing_min_rounds_logindefs
+- audit_rules_sudoers
+- file_permissions_library_dirs
+- sysctl_net_ipv6_conf_all_accept_source_route
+- service_auditd_enabled
+- no_user_host_based_files
+- accounts_password_pam_dcredit
+- audit_rules_usergroup_modification_passwd
+- selinux_user_login_roles
+- file_audit_tools_group_ownership
+- sudo_remove_no_authenticate
+- package_rsh-server_removed
+- auditd_data_retention_space_left_percentage
+- mount_option_var_log_noexec
+- sysctl_net_ipv4_conf_all_accept_source_route
+- directory_ownership_var_log_audit
+- agent_mfetpd_running
+- package_iprutils_removed
+- rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+- aide_verify_ext_attributes
+- accounts_password_pam_maxclassrepeat
+- accounts_no_uid_except_zero
+- file_permissions_var_log
+- sysctl_net_ipv4_conf_all_rp_filter
+- audit_rules_privileged_commands_unix_chkpwd
+- package_firewalld_installed
+- sysctl_net_ipv6_conf_default_accept_source_route
+- aide_verify_acls
+- configure_kerberos_crypto_policy
+- audit_rules_privileged_commands_unix_update
+- sshd_set_idle_timeout
+- audit_rules_login_events_lastlog
+- network_configure_name_resolution
+- kernel_module_can_disabled
+- auditd_data_disk_error_action
+- audit_rules_execution_chcon
+- sysctl_net_core_bpf_jit_harden
+- package_python3-abrt-addon_removed
+- package_policycoreutils_installed
+- grub2_uefi_admin_username
+- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+- sysctl_kernel_core_pattern
+- kernel_module_firewire-core_disabled
+- accounts_password_set_min_life_existing
+- chronyd_no_chronyc_network
+- dir_perms_world_writable_root_owned
+- sysctl_net_ipv4_conf_default_send_redirects
+- file_permissions_binary_dirs
+- accounts_umask_etc_profile
+- package_vsftpd_removed
+- audit_rules_privileged_commands_su
 - service_systemd-coredump_disabled
+- grub2_page_poison_argument
+- accounts_user_dot_no_world_writable_programs
+- configure_ssh_crypto_policy
+- audit_rules_privileged_commands_kmod
+- accounts_passwords_pam_faillock_interval
+- auditd_data_disk_full_action
+- mount_option_var_tmp_noexec
+- account_disable_post_pw_expiration
+- sudo_require_reauthentication
+- file_ownership_binary_dirs
+- audit_rules_file_deletion_events_renameat
+- audit_rules_privileged_commands_mount
+- sshd_disable_gssapi_auth
+- sssd_offline_cred_expiration
+- partition_for_var
+- aide_check_audit_tools
+- accounts_password_pam_ocredit
+- partition_for_tmp
+- sysctl_kernel_yama_ptrace_scope
+- audit_rules_file_deletion_events_rmdir
+- file_groupowner_var_log_messages
+- auditd_data_retention_space_left_action
+- aide_scan_notification
+- account_password_pam_faillock_password_auth
+- dconf_gnome_disable_ctrlaltdel_reboot
+- harden_sshd_macs_opensshserver_conf_crypto_policy
+- mount_option_boot_efi_nosuid
+- file_permissions_etc_audit_auditd
+- audit_rules_unsuccessful_file_modification_creat
+- mount_option_var_log_audit_noexec
+- audit_rules_privileged_commands_gpasswd
+- harden_sshd_macs_openssh_conf_crypto_policy
+- file_ownership_library_dirs
+- mount_option_nodev_nonroot_local_partitions
+- banner_etc_issue
+- sshd_use_strong_rng
+- grub2_audit_argument
+- account_unique_id
+- package_abrt-cli_removed
+- audit_rules_immutable_login_uids
 - service_usbguard_enabled
-- set_firewalld_default_zone
-- set_password_hashing_algorithm_logindefs
+- audit_rules_privileged_commands_usermod
+- audit_rules_dac_modification_lremovexattr
+- accounts_umask_interactive_users
+- audit_rules_unsuccessful_file_modification_openat
+- service_firewalld_enabled
+- accounts_password_minlen_login_defs
+- audit_rules_usergroup_modification_group
+- disable_users_coredumps
+- audit_rules_file_deletion_events_unlinkat
 - set_password_hashing_algorithm_passwordauth
-- set_password_hashing_algorithm_systemauth
-- set_password_hashing_min_rounds_logindefs
-- ssh_keys_passphrase_protected
-- sshd_disable_empty_passwords
-- sshd_disable_gssapi_auth
-- sshd_disable_kerb_auth
+- accounts_user_home_paths_only
+- postfix_client_configure_mail_alias_postmaster
+- kernel_module_usb-storage_disabled
+- sssd_certificate_verification
+- kernel_module_sctp_disabled
+- configure_openssl_crypto_policy
+- dconf_gnome_screensaver_idle_delay
+- mount_option_dev_shm_nodev
+- audit_rules_privileged_commands_umount
+- postfix_prevent_unrestricted_relay
+- tftpd_uses_secure_mode
+- accounts_umask_etc_csh_cshrc
+- kernel_module_atm_disabled
+- audit_rules_privileged_commands_ssh_keysign
+- package_tftp-server_removed
+- sysctl_net_ipv6_conf_all_accept_redirects
+- accounts_passwords_pam_faillock_audit
+- sudoers_validate_passwd
+- auditd_name_format
 - sshd_disable_root_login
-- sshd_disable_user_known_hosts
-- sshd_disable_x11_forwarding
-- sshd_do_not_permit_user_env
-- sshd_enable_strictmodes
-- sshd_enable_warning_banner
-- sshd_print_last_log
+- audit_rules_dac_modification_chown
+- sudoers_default_includedir
+- sssd_enable_smartcards
+- accounts_password_pam_pwhistory_remember_password_auth
+- package_rsyslog_installed
 - sshd_rekey_limit
-- sshd_set_idle_timeout
-- sshd_set_keepalive
 - sshd_use_approved_kex_ordered_stig
-- sshd_use_strong_rng
-- sshd_x11_use_localhost
-- sssd_certificate_verification
-- sssd_enable_certmap
-- sssd_enable_smartcards
-- sssd_has_trust_anchor
-- sssd_offline_cred_expiration
-- sudo_remove_no_authenticate
-- sudo_remove_nopasswd
-- sudo_require_reauthentication
-- sudo_restrict_privilege_elevation_to_authorized
-- sudoers_default_includedir
-- sudoers_validate_passwd
-- sysctl_crypto_fips_enabled
-- sysctl_fs_protected_hardlinks
-- sysctl_fs_protected_symlinks
-- sysctl_kernel_core_pattern
+- accounts_umask_etc_bashrc
+- audit_rules_dac_modification_removexattr
 - sysctl_kernel_dmesg_restrict
+- package_abrt-addon-ccpp_removed
+- dconf_gnome_screensaver_lock_locked
+- auditd_audispd_configure_sufficiently_large_partition
+- sshd_x11_use_localhost
+- set_password_hashing_algorithm_logindefs
+- file_owner_var_log_messages
+- dconf_gnome_screensaver_user_locks
+- file_groupowner_var_log
+- accounts_password_pam_maxrepeat
+- audit_rules_unsuccessful_file_modification_ftruncate
+- dir_ownership_library_dirs
+- set_firewalld_default_zone
+- dir_perms_world_writable_system_owned_group
+- package_krb5-workstation_removed
+- audit_rules_usergroup_modification_gshadow
+- harden_sshd_ciphers_opensshserver_conf_crypto_policy
+- audit_rules_dac_modification_fremovexattr
+- dir_perms_world_writable_sticky_bits
+- fapolicy_default_deny
+- mount_option_var_log_nodev
+- audit_rules_execution_setfacl
+- accounts_password_pam_minlen
+- no_empty_passwords_etc_shadow
+- configure_gnutls_tls_crypto_policy
 - sysctl_kernel_kexec_load_disabled
-- sysctl_kernel_kptr_restrict
-- sysctl_kernel_perf_event_paranoid
-- sysctl_kernel_randomize_va_space
-- sysctl_kernel_unprivileged_bpf_disabled
-- sysctl_kernel_yama_ptrace_scope
-- sysctl_net_core_bpf_jit_harden
-- sysctl_net_ipv4_conf_all_accept_redirects
-- sysctl_net_ipv4_conf_all_accept_source_route
-- sysctl_net_ipv4_conf_all_forwarding
-- sysctl_net_ipv4_conf_all_rp_filter
-- sysctl_net_ipv4_conf_all_send_redirects
-- sysctl_net_ipv4_conf_default_accept_redirects
-- sysctl_net_ipv4_conf_default_accept_source_route
-- sysctl_net_ipv4_conf_default_send_redirects
-- sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-- sysctl_net_ipv6_conf_all_accept_ra
-- sysctl_net_ipv6_conf_all_accept_redirects
-- sysctl_net_ipv6_conf_all_accept_source_route
+- audit_rules_dac_modification_setxattr
+- clean_components_post_updating
 - sysctl_net_ipv6_conf_all_forwarding
-- sysctl_net_ipv6_conf_default_accept_ra
-- sysctl_net_ipv6_conf_default_accept_redirects
-- sysctl_net_ipv6_conf_default_accept_source_route
+- rsyslog_cron_logging
+- mount_option_nodev_removable_partitions
+- audit_rules_privileged_commands_userhelper
+- file_permissions_var_log_audit
+- directory_permissions_var_log_audit
+- configured_firewalld_default_deny
+- sshd_enable_strictmodes
 - sysctl_user_max_user_namespaces
-- tftpd_uses_secure_mode
-- usbguard_generate_policy
-- wireless_disable_interfaces
 - xwindows_remove_packages
-- xwindows_runlevel_target
+- sshd_disable_kerb_auth
+- package_gssproxy_removed
+- gnome_gdm_disable_automatic_login
+- audit_rules_privileged_commands_newgrp
+- audit_rules_privileged_commands_chsh
+- mount_option_nodev_remote_filesystems
+- dconf_gnome_login_banner_text
+- bios_enable_execution_restrictions
+- mount_option_dev_shm_noexec
+- audit_rules_privileged_commands_chage
+- sysctl_net_ipv4_conf_all_accept_redirects
+- partition_for_var_tmp
+- grub2_admin_username
+- sysctl_kernel_unprivileged_bpf_disabled
+- mount_option_tmp_nosuid
 - var_rekey_limit_size=1G
 - var_rekey_limit_time=1hour
 - var_accounts_user_umask=077
@@ -480,7 +481,6 @@ selections:
 - var_auditd_disk_error_action=rhel8
 - var_auditd_max_log_file_action=syslog
 - var_auditd_disk_full_action=rhel8
-- var_auditd_name_format=stig
 - var_sssd_certificate_verification_digest_function=sha1
 - login_banner_text=dod_banners
 - var_authselect_profile=sssd
@@ -488,10 +488,13 @@ selections:
 - var_sudo_timestamp_timeout=always_prompt
 - var_slub_debug_options=P
 - var_screensaver_lock_delay=5_seconds
+- var_logind_session_timeout=15_minutes
+- var_auditd_name_format=stig
 unselected_groups: []
 platforms: !!set {}
 cpe_names: !!set {}
 platform: null
 filter_rules: ''
+policies: []
 title: DISA STIG for Red Hat Enterprise Linux 8
 documentation_complete: true
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 82525139ef79..41f769f3b4a5 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -1,6 +1,6 @@
 description: 'This profile contains configuration checks that align to the
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R13.
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R12.
 In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
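Review bot: The regenerated selections list in this reference is no longer sorted, so the one semantic change in the section (`+- var_logind_session_timeout=15_minutes` in the -488,10 hunk) is buried under roughly 750 reordered lines, and every future regeneration will produce the same noise. A profile stability reference is only useful if it is emitted deterministically; sorting `selections` before writing the reference (or sorting both sides in the comparison) would keep these diffs reviewable. The description and `metadata.version` also move from V1R13 to V1R12, which reads as a downgrade; if the branch's products/rhel8/profiles/stig.profile really declares V1R12 that is expected, otherwise the reference was generated from the wrong tree and should be regenerated. The added `hidden: ''` and `policies: []` keys look like new profile attributes surfacing in the dump rather than content changes, which is worth a sentence in the commit message.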
@@ -32,420 +32,421 @@ description: 'This profile contains configuration checks that align to the standard DISA STIG for Red Hat Enterprise Linux 8 profile.' extends: null +hidden: '' metadata: - version: V1R13 + version: V1R12 SMEs: - mab879 - ggbecker reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux selections: -- account_disable_post_pw_expiration -- account_password_pam_faillock_password_auth -- account_password_pam_faillock_system_auth -- account_password_selinux_faillock_dir -- account_temp_expire_date -- account_unique_id -- accounts_authorized_local_users -- accounts_have_homedir_login_defs -- accounts_logon_fail_delay -- accounts_max_concurrent_login_sessions +- mount_option_var_tmp_nosuid - accounts_maximum_age_login_defs -- accounts_minimum_age_login_defs -- accounts_no_uid_except_zero -- accounts_password_all_shadowed_sha512 -- accounts_password_minlen_login_defs -- accounts_password_pam_dcredit -- accounts_password_pam_dictcheck -- accounts_password_pam_difok -- accounts_password_pam_lcredit -- accounts_password_pam_maxclassrepeat -- accounts_password_pam_maxrepeat -- accounts_password_pam_minclass -- accounts_password_pam_minlen -- accounts_password_pam_ocredit -- accounts_password_pam_pwhistory_remember_password_auth -- accounts_password_pam_pwhistory_remember_system_auth -- accounts_password_pam_pwquality_password_auth -- accounts_password_pam_pwquality_system_auth -- accounts_password_pam_retry -- accounts_password_pam_ucredit -- accounts_password_set_max_life_existing -- accounts_password_set_min_life_existing -- accounts_passwords_pam_faillock_audit -- accounts_passwords_pam_faillock_deny -- accounts_passwords_pam_faillock_deny_root -- accounts_passwords_pam_faillock_dir -- accounts_passwords_pam_faillock_interval -- accounts_passwords_pam_faillock_silent -- accounts_passwords_pam_faillock_unlock_time -- accounts_umask_etc_bashrc -- accounts_umask_etc_csh_cshrc -- accounts_umask_etc_login_defs -- 
accounts_umask_etc_profile -- accounts_umask_interactive_users -- accounts_user_dot_no_world_writable_programs -- accounts_user_home_paths_only -- accounts_user_interactive_home_directory_defined -- accounts_user_interactive_home_directory_exists -- accounts_users_home_files_groupownership +- configure_libreswan_crypto_policy - accounts_users_home_files_permissions -- agent_mfetpd_running -- aide_build_database -- aide_check_audit_tools -- aide_scan_notification -- aide_verify_acls -- aide_verify_ext_attributes -- audit_rules_dac_modification_chmod -- audit_rules_dac_modification_chown -- audit_rules_dac_modification_fchmod -- audit_rules_dac_modification_fchmodat +- accounts_users_home_files_groupownership +- harden_sshd_ciphers_openssh_conf_crypto_policy +- kernel_module_cramfs_disabled +- accounts_user_interactive_home_directory_exists - audit_rules_dac_modification_fchown -- audit_rules_dac_modification_fchownat -- audit_rules_dac_modification_fremovexattr -- audit_rules_dac_modification_fsetxattr -- audit_rules_dac_modification_lchown -- audit_rules_dac_modification_lremovexattr -- audit_rules_dac_modification_lsetxattr -- audit_rules_dac_modification_removexattr -- audit_rules_dac_modification_setxattr -- audit_rules_execution_chacl -- audit_rules_execution_chcon -- audit_rules_execution_semanage -- audit_rules_execution_setfacl -- audit_rules_execution_setfiles -- audit_rules_execution_setsebool -- audit_rules_file_deletion_events_rename -- audit_rules_file_deletion_events_renameat -- audit_rules_file_deletion_events_rmdir +- file_permissions_ungroupowned +- enable_authselect +- coredump_disable_backtraces +- accounts_max_concurrent_login_sessions +- file_permissions_etc_audit_rulesd +- grub2_pti_argument +- kernel_module_bluetooth_disabled +- accounts_password_pam_minclass +- rsyslog_encrypt_offload_actionsendstreamdrivermode - audit_rules_file_deletion_events_unlink -- audit_rules_file_deletion_events_unlinkat +- encrypt_partitions +- 
sysctl_net_ipv6_conf_default_accept_ra +- dconf_gnome_screensaver_lock_delay +- auditd_local_events +- configure_tmux_lock_keybinding +- accounts_password_pam_difok +- account_password_pam_faillock_system_auth +- sysctl_kernel_perf_event_paranoid - audit_rules_immutable -- audit_rules_immutable_login_uids -- audit_rules_kernel_module_loading_delete -- audit_rules_kernel_module_loading_finit -- audit_rules_kernel_module_loading_init -- audit_rules_login_events_faillock -- audit_rules_login_events_lastlog -- audit_rules_media_export -- audit_rules_privileged_commands_chage -- audit_rules_privileged_commands_chsh -- audit_rules_privileged_commands_crontab -- audit_rules_privileged_commands_gpasswd -- audit_rules_privileged_commands_kmod -- audit_rules_privileged_commands_mount -- audit_rules_privileged_commands_newgrp -- audit_rules_privileged_commands_pam_timestamp_check +- sysctl_net_ipv6_conf_all_accept_ra +- no_tmux_in_shells +- mount_option_var_tmp_nodev +- sysctl_kernel_kptr_restrict +- account_password_selinux_faillock_dir +- audit_rules_file_deletion_events_rename +- sshd_do_not_permit_user_env +- service_fapolicyd_enabled +- accounts_umask_etc_login_defs +- accounts_password_pam_pwquality_system_auth +- package_rng-tools_installed +- dir_group_ownership_library_dirs +- accounts_passwords_pam_faillock_dir +- sysctl_kernel_randomize_va_space +- sysctl_net_ipv6_conf_default_accept_redirects +- grub2_uefi_password - audit_rules_privileged_commands_passwd -- audit_rules_privileged_commands_postdrop -- audit_rules_privileged_commands_postqueue +- require_emergency_target_auth +- mount_option_tmp_nodev - audit_rules_privileged_commands_ssh_agent -- audit_rules_privileged_commands_ssh_keysign -- audit_rules_privileged_commands_su -- audit_rules_privileged_commands_sudo -- audit_rules_privileged_commands_umount -- audit_rules_privileged_commands_unix_chkpwd -- audit_rules_privileged_commands_unix_update -- audit_rules_privileged_commands_userhelper -- 
audit_rules_privileged_commands_usermod -- audit_rules_sudoers -- audit_rules_sudoers_d -- audit_rules_suid_privilege_function -- audit_rules_unsuccessful_file_modification_creat -- audit_rules_unsuccessful_file_modification_ftruncate -- audit_rules_unsuccessful_file_modification_open -- audit_rules_unsuccessful_file_modification_open_by_handle_at -- audit_rules_unsuccessful_file_modification_openat -- audit_rules_unsuccessful_file_modification_truncate -- audit_rules_usergroup_modification_group -- audit_rules_usergroup_modification_gshadow -- audit_rules_usergroup_modification_opasswd -- audit_rules_usergroup_modification_passwd -- audit_rules_usergroup_modification_shadow -- auditd_audispd_configure_sufficiently_large_partition -- auditd_data_disk_error_action -- auditd_data_disk_full_action -- auditd_data_retention_action_mail_acct -- auditd_data_retention_space_left_action -- auditd_data_retention_space_left_percentage -- auditd_local_events -- auditd_log_format -- auditd_name_format -- auditd_overflow_action -- banner_etc_issue -- bios_enable_execution_restrictions -- chronyd_client_only -- chronyd_no_chronyc_network -- chronyd_or_ntpd_set_maxpoll -- chronyd_server_directive -- clean_components_post_updating -- configure_bashrc_tmux -- configure_bind_crypto_policy -- configure_crypto_policy -- configure_firewalld_ports -- configure_gnutls_tls_crypto_policy -- configure_kerberos_crypto_policy -- configure_libreswan_crypto_policy -- configure_openssl_crypto_policy +- service_kdump_disabled +- accounts_passwords_pam_faillock_deny +- package_telnet-server_removed +- file_groupownership_system_commands_dirs - configure_openssl_tls_crypto_policy -- configure_ssh_crypto_policy -- configure_tmux_lock_after_time -- configure_tmux_lock_command -- configure_tmux_lock_keybinding -- configure_usbguard_auditbackend -- configured_firewalld_default_deny -- coredump_disable_backtraces -- coredump_disable_storage +- no_files_unowned_by_user +- 
mount_option_noexec_removable_partitions +- mount_option_tmp_noexec +- package_abrt-addon-kerneloops_removed +- wireless_disable_interfaces +- accounts_password_all_shadowed_sha512 - dconf_gnome_banner_enabled -- dconf_gnome_disable_ctrlaltdel_reboot -- dconf_gnome_disable_user_list +- display_login_attempts +- audit_rules_privileged_commands_postqueue +- ensure_gpgcheck_globally_activated +- coredump_disable_storage +- ensure_gpgcheck_local_packages - dconf_gnome_lock_screen_on_smartcard_removal -- dconf_gnome_login_banner_text -- dconf_gnome_screensaver_idle_delay -- dconf_gnome_screensaver_lock_delay -- dconf_gnome_screensaver_lock_enabled -- dconf_gnome_screensaver_lock_locked -- dconf_gnome_screensaver_user_locks +- audit_rules_execution_setsebool +- accounts_user_interactive_home_directory_defined +- root_permissions_syslibrary_files +- grub2_audit_backlog_limit_argument +- kernel_module_uvcvideo_disabled +- audit_rules_kernel_module_loading_delete - dconf_gnome_session_idle_user_locks -- dir_group_ownership_library_dirs -- dir_ownership_library_dirs +- package_mcafeetp_installed +- configure_usbguard_auditbackend +- package_mailx_installed - dir_permissions_library_dirs -- dir_perms_world_writable_root_owned -- dir_perms_world_writable_sticky_bits -- dir_perms_world_writable_system_owned_group -- directory_group_ownership_var_log_audit -- directory_ownership_var_log_audit -- directory_permissions_var_log_audit -- disable_ctrlaltdel_burstaction -- disable_ctrlaltdel_reboot -- disable_users_coredumps +- audit_rules_usergroup_modification_shadow +- mount_option_var_log_audit_nosuid +- aide_build_database +- set_password_hashing_algorithm_systemauth +- audit_rules_privileged_commands_postdrop - disallow_bypass_password_sudo -- display_login_attempts -- enable_authselect -- enable_dracut_fips_module -- enable_fips_mode -- encrypt_partitions -- ensure_gpgcheck_globally_activated -- ensure_gpgcheck_local_packages +- configure_tmux_lock_after_time +- 
configure_firewalld_ports +- configure_bind_crypto_policy +- dconf_gnome_disable_user_list +- accounts_password_pam_pwquality_password_auth +- auditd_log_format +- audit_rules_sudoers_d +- accounts_passwords_pam_faillock_deny_root - ensure_gpgcheck_never_disabled -- ensure_redhat_gpgkey_installed -- fapolicy_default_deny -- file_audit_tools_group_ownership -- file_audit_tools_ownership +- file_permissions_sshd_pub_key +- kernel_module_tipc_disabled +- audit_rules_privileged_commands_pam_timestamp_check +- chronyd_or_ntpd_set_maxpoll +- account_temp_expire_date +- service_debug-shell_disabled +- mount_option_home_noexec +- accounts_password_pam_retry +- security_patches_up_to_date +- partition_for_home +- sshd_enable_warning_banner +- package_sendmail_removed +- install_smartcard_packages +- usbguard_generate_policy +- accounts_passwords_pam_faillock_unlock_time +- sysctl_fs_protected_hardlinks +- no_host_based_files +- chronyd_client_only +- audit_rules_kernel_module_loading_finit +- sshd_print_last_log +- no_empty_passwords +- partition_for_var_log +- kerberos_disable_no_keytab +- service_sshd_enabled +- accounts_password_pam_pwhistory_remember_system_auth +- sshd_disable_empty_passwords +- accounts_password_pam_ucredit +- chronyd_server_directive +- audit_rules_dac_modification_lsetxattr +- disable_ctrlaltdel_reboot +- grub2_vsyscall_argument +- audit_rules_dac_modification_fchmod - file_audit_tools_permissions +- enable_dracut_fips_module +- package_tuned_removed +- configure_crypto_policy +- selinux_policytype +- audit_rules_dac_modification_fchmodat +- configure_bashrc_tmux +- package_aide_installed +- rsyslog_remote_loghost +- mount_option_noexec_remote_filesystems +- file_audit_tools_ownership +- audit_rules_media_export +- sysctl_net_ipv4_conf_all_forwarding +- audit_rules_execution_setfiles +- package_libreport-plugin-logger_removed +- audit_rules_unsuccessful_file_modification_open_by_handle_at +- sshd_disable_user_known_hosts +- 
audit_rules_dac_modification_chmod +- require_singleuser_auth +- sssd_enable_certmap +- audit_rules_dac_modification_fchownat +- audit_rules_privileged_commands_sudo +- disable_ctrlaltdel_burstaction +- package_opensc_installed +- logind_session_timeout +- ensure_redhat_gpgkey_installed +- mount_option_var_log_nosuid - file_group_ownership_var_log_audit -- file_groupowner_var_log -- file_groupowner_var_log_messages -- file_groupownership_home_directories -- file_groupownership_system_commands_dirs -- file_owner_var_log -- file_owner_var_log_messages -- file_ownership_binary_dirs -- file_ownership_library_dirs +- sshd_set_keepalive +- selinux_state +- audit_rules_dac_modification_lchown +- accounts_have_homedir_login_defs +- audit_rules_unsuccessful_file_modification_truncate +- sysctl_net_ipv4_conf_default_accept_source_route +- accounts_password_set_max_life_existing +- package_postfix_installed +- mount_option_var_log_audit_nodev +- package_openssh-server_installed +- package_rsyslog-gnutls_installed +- file_permissions_var_log_messages +- service_rsyslog_enabled +- package_usbguard_installed +- package_fapolicyd_installed +- sysctl_crypto_fips_enabled - file_ownership_var_log_audit_stig -- file_permission_user_init_files -- file_permissions_binary_dirs -- file_permissions_etc_audit_auditd -- file_permissions_etc_audit_rulesd -- file_permissions_home_directories -- file_permissions_library_dirs - file_permissions_sshd_private_key -- file_permissions_sshd_pub_key -- file_permissions_ungroupowned -- file_permissions_var_log -- file_permissions_var_log_audit -- file_permissions_var_log_messages -- firewalld-backend -- gnome_gdm_disable_automatic_login -- grub2_admin_username -- grub2_audit_argument -- grub2_audit_backlog_limit_argument -- grub2_page_poison_argument +- audit_rules_execution_semanage - grub2_password -- grub2_pti_argument -- grub2_slub_debug_argument -- grub2_uefi_admin_username -- grub2_uefi_password -- grub2_vsyscall_argument -- 
harden_sshd_ciphers_openssh_conf_crypto_policy -- harden_sshd_ciphers_opensshserver_conf_crypto_policy -- harden_sshd_macs_openssh_conf_crypto_policy -- harden_sshd_macs_opensshserver_conf_crypto_policy -- install_smartcard_packages -- installed_OS_is_vendor_supported -- kerberos_disable_no_keytab -- kernel_module_atm_disabled -- kernel_module_bluetooth_disabled -- kernel_module_can_disabled -- kernel_module_cramfs_disabled -- kernel_module_firewire-core_disabled -- kernel_module_sctp_disabled -- kernel_module_tipc_disabled -- kernel_module_usb-storage_disabled -- kernel_module_uvcvideo_disabled -- logind_session_timeout -- mount_option_boot_efi_nosuid -- mount_option_boot_nosuid -- mount_option_dev_shm_nodev -- mount_option_dev_shm_noexec +- audit_rules_dac_modification_fsetxattr +- audit_rules_login_events_faillock - mount_option_dev_shm_nosuid -- mount_option_home_noexec +- dconf_gnome_screensaver_lock_enabled +- rsyslog_remote_access_monitoring +- package_abrt-plugin-sosreport_removed +- audit_rules_usergroup_modification_opasswd +- accounts_password_pam_lcredit +- sshd_disable_x11_forwarding +- package_krb5-server_removed +- mount_option_boot_nosuid +- accounts_minimum_age_login_defs +- enable_fips_mode +- sudo_remove_nopasswd +- auditd_data_retention_action_mail_acct +- audit_rules_privileged_commands_crontab +- firewalld-backend +- sysctl_net_ipv4_conf_default_accept_redirects +- network_sniffer_disabled +- grub2_slub_debug_argument +- audit_rules_unsuccessful_file_modification_open +- ssh_keys_passphrase_protected +- mount_option_nosuid_removable_partitions +- file_groupownership_home_directories +- package_audit_installed +- auditd_overflow_action +- sysctl_net_ipv4_conf_all_send_redirects +- package_abrt_removed - mount_option_home_nosuid -- mount_option_nodev_nonroot_local_partitions -- mount_option_nodev_remote_filesystems -- mount_option_nodev_removable_partitions -- mount_option_noexec_remote_filesystems -- mount_option_noexec_removable_partitions +- 
directory_group_ownership_var_log_audit - mount_option_nosuid_remote_filesystems -- mount_option_nosuid_removable_partitions -- mount_option_tmp_nodev -- mount_option_tmp_noexec -- mount_option_tmp_nosuid -- mount_option_var_log_audit_nodev -- mount_option_var_log_audit_noexec -- mount_option_var_log_audit_nosuid -- mount_option_var_log_nodev -- mount_option_var_log_noexec -- mount_option_var_log_nosuid -- mount_option_var_tmp_nodev -- mount_option_var_tmp_noexec -- mount_option_var_tmp_nosuid -- network_configure_name_resolution -- network_sniffer_disabled -- no_empty_passwords -- no_empty_passwords_etc_shadow -- no_files_unowned_by_user -- no_host_based_files -- no_tmux_in_shells +- package_tmux_installed +- audit_rules_execution_chacl +- file_permissions_home_directories +- sudo_restrict_privilege_elevation_to_authorized +- accounts_password_pam_dictcheck +- configure_tmux_lock_command +- sysctl_fs_protected_symlinks +- accounts_passwords_pam_faillock_silent +- file_permission_user_init_files +- service_autofs_disabled +- sssd_has_trust_anchor +- rsyslog_encrypt_offload_defaultnetstreamdriver +- service_rngd_enabled +- accounts_authorized_local_users +- installed_OS_is_vendor_supported +- accounts_logon_fail_delay +- audit_rules_kernel_module_loading_init +- partition_for_var_log_audit +- audit_rules_suid_privilege_function +- file_owner_var_log +- set_password_hashing_min_rounds_logindefs +- audit_rules_sudoers +- file_permissions_library_dirs +- sysctl_net_ipv6_conf_all_accept_source_route +- service_auditd_enabled - no_user_host_based_files -- package_abrt-addon-ccpp_removed -- package_abrt-addon-kerneloops_removed -- package_abrt-cli_removed -- package_abrt-plugin-sosreport_removed -- package_abrt_removed -- package_aide_installed -- package_audit_installed -- package_fapolicyd_installed +- accounts_password_pam_dcredit +- audit_rules_usergroup_modification_passwd +- selinux_user_login_roles +- file_audit_tools_group_ownership +- sudo_remove_no_authenticate 
+- package_rsh-server_removed +- auditd_data_retention_space_left_percentage +- mount_option_var_log_noexec +- sysctl_net_ipv4_conf_all_accept_source_route +- directory_ownership_var_log_audit +- agent_mfetpd_running +- package_iprutils_removed +- rsyslog_encrypt_offload_actionsendstreamdriverauthmode +- aide_verify_ext_attributes +- accounts_password_pam_maxclassrepeat +- accounts_no_uid_except_zero +- file_permissions_var_log +- sysctl_net_ipv4_conf_all_rp_filter +- audit_rules_privileged_commands_unix_chkpwd - package_firewalld_installed -- package_gssproxy_removed -- package_iprutils_removed -- package_krb5-server_removed -- package_krb5-workstation_removed -- package_libreport-plugin-logger_removed -- package_mailx_installed -- package_mcafeetp_installed -- package_opensc_installed -- package_openssh-server_installed -- package_policycoreutils_installed -- package_postfix_installed +- sysctl_net_ipv6_conf_default_accept_source_route +- aide_verify_acls +- configure_kerberos_crypto_policy +- audit_rules_privileged_commands_unix_update +- sshd_set_idle_timeout +- audit_rules_login_events_lastlog +- network_configure_name_resolution +- kernel_module_can_disabled +- auditd_data_disk_error_action +- audit_rules_execution_chcon +- sysctl_net_core_bpf_jit_harden - package_python3-abrt-addon_removed -- package_rng-tools_installed -- package_rsh-server_removed -- package_rsyslog-gnutls_installed -- package_rsyslog_installed -- package_sendmail_removed -- package_telnet-server_removed -- package_tftp-server_removed -- package_tmux_installed -- package_tuned_removed -- package_usbguard_installed +- package_policycoreutils_installed +- grub2_uefi_admin_username +- sysctl_net_ipv4_icmp_echo_ignore_broadcasts +- sysctl_kernel_core_pattern +- kernel_module_firewire-core_disabled +- accounts_password_set_min_life_existing +- chronyd_no_chronyc_network +- dir_perms_world_writable_root_owned +- sysctl_net_ipv4_conf_default_send_redirects +- file_permissions_binary_dirs +- 
accounts_umask_etc_profile - package_vsftpd_removed -- partition_for_home -- partition_for_tmp -- partition_for_var -- partition_for_var_log -- partition_for_var_log_audit -- partition_for_var_tmp -- postfix_client_configure_mail_alias_postmaster -- postfix_prevent_unrestricted_relay -- require_emergency_target_auth -- require_singleuser_auth -- root_permissions_syslibrary_files -- rsyslog_cron_logging -- rsyslog_encrypt_offload_actionsendstreamdriverauthmode -- rsyslog_encrypt_offload_actionsendstreamdrivermode -- rsyslog_encrypt_offload_defaultnetstreamdriver -- rsyslog_remote_access_monitoring -- rsyslog_remote_loghost -- security_patches_up_to_date -- selinux_policytype -- selinux_state -- selinux_user_login_roles -- service_auditd_enabled -- service_autofs_disabled -- service_debug-shell_disabled -- service_fapolicyd_enabled -- service_firewalld_enabled -- service_kdump_disabled -- service_rngd_enabled -- service_rsyslog_enabled -- service_sshd_enabled +- audit_rules_privileged_commands_su - service_systemd-coredump_disabled +- grub2_page_poison_argument +- accounts_user_dot_no_world_writable_programs +- configure_ssh_crypto_policy +- audit_rules_privileged_commands_kmod +- accounts_passwords_pam_faillock_interval +- auditd_data_disk_full_action +- mount_option_var_tmp_noexec +- account_disable_post_pw_expiration +- sudo_require_reauthentication +- file_ownership_binary_dirs +- audit_rules_file_deletion_events_renameat +- audit_rules_privileged_commands_mount +- sshd_disable_gssapi_auth +- sssd_offline_cred_expiration +- partition_for_var +- aide_check_audit_tools +- accounts_password_pam_ocredit +- partition_for_tmp +- sysctl_kernel_yama_ptrace_scope +- audit_rules_file_deletion_events_rmdir +- file_groupowner_var_log_messages +- auditd_data_retention_space_left_action +- aide_scan_notification +- account_password_pam_faillock_password_auth +- dconf_gnome_disable_ctrlaltdel_reboot +- harden_sshd_macs_opensshserver_conf_crypto_policy +- 
mount_option_boot_efi_nosuid +- file_permissions_etc_audit_auditd +- audit_rules_unsuccessful_file_modification_creat +- mount_option_var_log_audit_noexec +- audit_rules_privileged_commands_gpasswd +- harden_sshd_macs_openssh_conf_crypto_policy +- file_ownership_library_dirs +- mount_option_nodev_nonroot_local_partitions +- banner_etc_issue +- sshd_use_strong_rng +- grub2_audit_argument +- account_unique_id +- package_abrt-cli_removed +- audit_rules_immutable_login_uids - service_usbguard_enabled -- set_firewalld_default_zone -- set_password_hashing_algorithm_logindefs +- audit_rules_privileged_commands_usermod +- audit_rules_dac_modification_lremovexattr +- accounts_umask_interactive_users +- audit_rules_unsuccessful_file_modification_openat +- service_firewalld_enabled +- accounts_password_minlen_login_defs +- audit_rules_usergroup_modification_group +- disable_users_coredumps +- audit_rules_file_deletion_events_unlinkat - set_password_hashing_algorithm_passwordauth -- set_password_hashing_algorithm_systemauth -- set_password_hashing_min_rounds_logindefs -- ssh_keys_passphrase_protected -- sshd_disable_empty_passwords -- sshd_disable_gssapi_auth -- sshd_disable_kerb_auth +- accounts_user_home_paths_only +- postfix_client_configure_mail_alias_postmaster +- kernel_module_usb-storage_disabled +- sssd_certificate_verification +- kernel_module_sctp_disabled +- configure_openssl_crypto_policy +- dconf_gnome_screensaver_idle_delay +- mount_option_dev_shm_nodev +- audit_rules_privileged_commands_umount +- postfix_prevent_unrestricted_relay +- tftpd_uses_secure_mode +- accounts_umask_etc_csh_cshrc +- kernel_module_atm_disabled +- audit_rules_privileged_commands_ssh_keysign +- package_tftp-server_removed +- sysctl_net_ipv6_conf_all_accept_redirects +- accounts_passwords_pam_faillock_audit +- sudoers_validate_passwd +- auditd_name_format - sshd_disable_root_login -- sshd_disable_user_known_hosts -- sshd_disable_x11_forwarding -- sshd_do_not_permit_user_env -- 
sshd_enable_strictmodes -- sshd_enable_warning_banner -- sshd_print_last_log +- audit_rules_dac_modification_chown +- sudoers_default_includedir +- sssd_enable_smartcards +- accounts_password_pam_pwhistory_remember_password_auth +- package_rsyslog_installed - sshd_rekey_limit -- sshd_set_idle_timeout -- sshd_set_keepalive - sshd_use_approved_kex_ordered_stig -- sshd_use_strong_rng -- sshd_x11_use_localhost -- sssd_certificate_verification -- sssd_enable_certmap -- sssd_enable_smartcards -- sssd_has_trust_anchor -- sssd_offline_cred_expiration -- sudo_remove_no_authenticate -- sudo_remove_nopasswd -- sudo_require_reauthentication -- sudo_restrict_privilege_elevation_to_authorized -- sudoers_default_includedir -- sudoers_validate_passwd -- sysctl_crypto_fips_enabled -- sysctl_fs_protected_hardlinks -- sysctl_fs_protected_symlinks -- sysctl_kernel_core_pattern +- accounts_umask_etc_bashrc +- audit_rules_dac_modification_removexattr - sysctl_kernel_dmesg_restrict +- package_abrt-addon-ccpp_removed +- dconf_gnome_screensaver_lock_locked +- auditd_audispd_configure_sufficiently_large_partition +- sshd_x11_use_localhost +- set_password_hashing_algorithm_logindefs +- file_owner_var_log_messages +- dconf_gnome_screensaver_user_locks +- file_groupowner_var_log +- accounts_password_pam_maxrepeat +- audit_rules_unsuccessful_file_modification_ftruncate +- dir_ownership_library_dirs +- set_firewalld_default_zone +- dir_perms_world_writable_system_owned_group +- package_krb5-workstation_removed +- audit_rules_usergroup_modification_gshadow +- harden_sshd_ciphers_opensshserver_conf_crypto_policy +- audit_rules_dac_modification_fremovexattr +- dir_perms_world_writable_sticky_bits +- fapolicy_default_deny +- mount_option_var_log_nodev +- audit_rules_execution_setfacl +- accounts_password_pam_minlen +- no_empty_passwords_etc_shadow +- configure_gnutls_tls_crypto_policy - sysctl_kernel_kexec_load_disabled -- sysctl_kernel_kptr_restrict -- sysctl_kernel_perf_event_paranoid -- 
sysctl_kernel_randomize_va_space -- sysctl_kernel_unprivileged_bpf_disabled -- sysctl_kernel_yama_ptrace_scope -- sysctl_net_core_bpf_jit_harden -- sysctl_net_ipv4_conf_all_accept_redirects -- sysctl_net_ipv4_conf_all_accept_source_route -- sysctl_net_ipv4_conf_all_forwarding -- sysctl_net_ipv4_conf_all_rp_filter -- sysctl_net_ipv4_conf_all_send_redirects -- sysctl_net_ipv4_conf_default_accept_redirects -- sysctl_net_ipv4_conf_default_accept_source_route -- sysctl_net_ipv4_conf_default_send_redirects -- sysctl_net_ipv4_icmp_echo_ignore_broadcasts -- sysctl_net_ipv6_conf_all_accept_ra -- sysctl_net_ipv6_conf_all_accept_redirects -- sysctl_net_ipv6_conf_all_accept_source_route +- audit_rules_dac_modification_setxattr +- clean_components_post_updating - sysctl_net_ipv6_conf_all_forwarding -- sysctl_net_ipv6_conf_default_accept_ra -- sysctl_net_ipv6_conf_default_accept_redirects -- sysctl_net_ipv6_conf_default_accept_source_route +- rsyslog_cron_logging +- mount_option_nodev_removable_partitions +- audit_rules_privileged_commands_userhelper +- file_permissions_var_log_audit +- directory_permissions_var_log_audit +- configured_firewalld_default_deny +- sshd_enable_strictmodes - sysctl_user_max_user_namespaces -- tftpd_uses_secure_mode -- usbguard_generate_policy -- wireless_disable_interfaces +- sshd_disable_kerb_auth +- package_gssproxy_removed +- gnome_gdm_disable_automatic_login +- audit_rules_privileged_commands_newgrp +- audit_rules_privileged_commands_chsh +- mount_option_nodev_remote_filesystems +- dconf_gnome_login_banner_text +- bios_enable_execution_restrictions +- mount_option_dev_shm_noexec +- audit_rules_privileged_commands_chage +- sysctl_net_ipv4_conf_all_accept_redirects +- partition_for_var_tmp +- grub2_admin_username +- sysctl_kernel_unprivileged_bpf_disabled +- mount_option_tmp_nosuid - var_rekey_limit_size=1G - var_rekey_limit_time=1hour - var_accounts_user_umask=077 
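Review bot: The `metadata: version` line in this hunk goes backwards from V1R13 to V1R12, and the `@@ -1,6 +1,6 @@` description hunk at the top of this file section makes the same reversal; if the product profile still declares V1R13 the stability comparison will keep failing, so confirm the downgrade is intended rather than an artifact of regenerating this file from an older build. The old side of the hunk is an alphabetically sorted selections list while the new side is unsorted (`mount_option_var_tmp_nosuid` now precedes `accounts_maximum_age_login_defs`), which turns a handful of real changes into a 400-line reshuffle that nobody can review. Sorting the regenerated list before committing would preserve the old property and shrink this hunk to the actual additions such as `var_logind_session_timeout`, `hidden: ''` and `policies: []`.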
@@ -488,7 +489,6 @@ selections:
 - var_auditd_disk_error_action=rhel8
 - var_auditd_max_log_file_action=syslog
 - var_auditd_disk_full_action=rhel8
-- var_auditd_name_format=stig
 - var_sssd_certificate_verification_digest_function=sha1
 - login_banner_text=dod_banners
 - var_authselect_profile=sssd
@@ -496,11 +496,13 @@ selections:
 - var_sudo_timestamp_timeout=always_prompt
 - var_slub_debug_options=P
 - var_screensaver_lock_delay=5_seconds
+- var_logind_session_timeout=15_minutes
 - var_auditd_name_format=stig
 unselected_groups: []
 platforms: !!set {}
 cpe_names: !!set {}
 platform: null
 filter_rules: ''
+policies: []
 title: DISA STIG with GUI for Red Hat Enterprise Linux 8
 documentation_complete: true

From f485d5b375d00f2309ec78e413eaafa54ba28b7f Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 31 Jan 2024 09:55:57 -0600
Subject: [PATCH 296/403] Fix RHEL 8 STIG version

---
 products/rhel8/profiles/stig.profile | 4 ++--
 products/rhel8/profiles/stig_gui.profile | 4 ++--
 tests/data/profile_stability/rhel8/stig.profile | 4 ++--
 tests/data/profile_stability/rhel8/stig_gui.profile | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 3015f17b7bd9..44a19ce7448b 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -1,7 +1,7 @@
 documentation_complete: true
 metadata:
- version: V1R12
+ version: V1R13
 SMEs:
 - mab879
 - ggbecker
@@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 8'
 description: |-
 This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R12.
+ DISA STIG for Red Hat Enterprise Linux 8 V1R13.
 In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
 this configuration baseline as applicable to the operating system tier of
diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile
index 4033a978e302..7bc5761ae64c 100644
--- a/products/rhel8/profiles/stig_gui.profile
+++ b/products/rhel8/profiles/stig_gui.profile
@@ -1,7 +1,7 @@
 documentation_complete: true
 metadata:
- version: V1R12
+ version: V1R13
 SMEs:
 - mab879
 - ggbecker
@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8'
 description: |-
 This profile contains configuration checks that align to the
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R12.
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R13.
 In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
 this configuration baseline as applicable to the operating system tier of
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 7be875ab745d..9c1726577a78 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -1,6 +1,6 @@
 description: 'This profile contains configuration checks that align to the
- DISA STIG for Red Hat Enterprise Linux 8 V1R12.
+ DISA STIG for Red Hat Enterprise Linux 8 V1R13.
 In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -23,7 +23,7 @@ description: 'This profile contains configuration checks that align to the
 extends: null
 hidden: ''
 metadata:
- version: V1R12
+ version: V1R13
 SMEs:
 - mab879
 - ggbecker
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 41f769f3b4a5..800438cad9d2 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -1,6 +1,6 @@
 description: 'This profile contains configuration checks that align to the
- DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R12.
+ DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R13.
 In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -34,7 +34,7 @@ description: 'This profile contains configuration checks that align to the
 extends: null
 hidden: ''
 metadata:
- version: V1R12
+ version: V1R13
 SMEs:
 - mab879
 - ggbecker

From 1f0d7fefd4e529a1a05dc787d7dab06e39d27762 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 31 Jan 2024 14:46:50 -0600
Subject: [PATCH 297/403] Update audit_ospp_general

Fixes #11517
---
 .../auditing/policy_rules/audit_ospp_general/rule.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
index 584003d23dd6..f89ff77e10fd 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general/rule.yml
@@ -60,8 +60,14 @@ title: 'Perform general configuration of Audit for OSPP' -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes ## Privilege escalation via su or sudo. This is entirely handled by pam. +## Special case for systemd-run. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation +## Special case for pkexec. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation + ## Watch for configuration changes to privilege escalation. -a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes From 210a9a430df8328656f9e3e6126e9d44b19431b8 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 1 Feb 2024 10:31:14 +0100 Subject: [PATCH 298/403] Minor alignment in CIS test scenario for RHEL7 --- .../tests/rhel7_correct_value_cis_l2.pass.sh | 2 +- .../tests/rhel7_correct_value_cis_l2.pass.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/rhel7_correct_value_cis_l2.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/rhel7_correct_value_cis_l2.pass.sh index 6bd9ea2f3158..2399061d9309 100644 
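Review bot: The new `pkexec` watch carries no `-F auid!=unset` filter while the `systemd-run` watch added two lines above it does, and nothing in the file says whether that asymmetry is deliberate. If the intent is to also record pkexec invocations from sessions without a login uid, a one-line `##` comment saying so keeps the next reader from "fixing" it; if not, the filter is missing. The identical block is added to the aarch64 and ppc64le variants later in this series, so any correction must be applied to all three, and the triplication itself suggests the shared lines belong in a macro. The rule's surrounding audit rule list starts and ends outside the hunk.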
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/rhel7_correct_value_cis_l2.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/tests/rhel7_correct_value_cis_l2.pass.sh @@ -3,7 +3,7 @@ # platform = Oracle Linux 7,Red Hat Enterprise Linux 7 # profiles = xccdf_org.ssgproject.content_profile_cis -remember_cnt=5 +remember_cnt=24 control_flag='requisite' config_file=/etc/pam.d/password-auth diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/rhel7_correct_value_cis_l2.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/rhel7_correct_value_cis_l2.pass.sh index b7064055296f..357313caa273 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/rhel7_correct_value_cis_l2.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/tests/rhel7_correct_value_cis_l2.pass.sh @@ -3,7 +3,7 @@ # platform = Oracle Linux 7,Red Hat Enterprise Linux 7 # profiles = xccdf_org.ssgproject.content_profile_cis -remember_cnt=5 +remember_cnt=24 control_flag='requisite' config_file=/etc/pam.d/system-auth From 0ba173a8e7f5792b5564ba8f36c3c472ba9ecefa Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 1 Feb 2024 12:24:38 +0100 Subject: [PATCH 299/403] fix regex used in Ansible remediation of configure_ssh_crypto_policy --- .../crypto/configure_ssh_crypto_policy/ansible/shared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml index df717d47123b..6615877fdc3e 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/ansible/shared.yml @@ -8,4 +8,4 @@ lineinfile: dest: /etc/sysconfig/sshd state: absent - regexp: ^(?i)\s*CRYPTO_POLICY.*$ + regexp: (?i)^\s*CRYPTO_POLICY.*$ From cbe353818ef3030699a3de9dec6f2d031a34a3e1 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 1 Feb 2024 12:55:27 +0100 Subject: [PATCH 300/403] Remove restrictions in sshd_use_approved_ciphers remediation --- .../ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml | 2 +- .../ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml index fa0eee7023e6..dca571f0de61 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle +# platform = multi_platform_all # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh index 3a73107148e8..77bd27928f75 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh 
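Review bot: The moved `(?i)` deserves a short comment, because the old placement is accepted silently by older Python and rejected only by newer ones, so the reason for the exact position is not visible on the line: `# (?i) must lead the pattern: Python 3.11+ rejects global inline flags that are not at the start`. The `regexp` is the whole content of the hunk, but the `lineinfile` task it belongs to starts outside it.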
@@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_all {{{ bash_instantiate_variables("sshd_approved_ciphers") }}} From 410b36d3136a070a2d73e891ea9059459e0ecf5b Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 1 Feb 2024 09:36:22 -0600 Subject: [PATCH 301/403] Update audit_ospp_general_aarch64 The file has been updated in RHEL and thus we need to update our content. --- .../policy_rules/audit_ospp_general_aarch64/rule.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/rule.yml index 79ba025d5183..d03a59db3f98 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_aarch64/rule.yml 
@@ -58,8 +58,14 @@ title: 'Perform general configuration of Audit for OSPP (AArch64)' -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes ## Privilege escalation via su or sudo. This is entirely handled by pam. +## Special case for systemd-run. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation +## Special case for pkexec. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation + ## Watch for configuration changes to privilege escalation. -a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes From 56622157248215229fef4fdee27c6884c2a1ae58 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 1 Feb 2024 09:36:47 -0600 Subject: [PATCH 302/403] Update audit_ospp_general_ppc64le The file has been updated in RHEL and thus we need to update our content. --- .../policy_rules/audit_ospp_general_ppc64le/rule.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml index 1ced11911e9e..ca57d23fe72e 100644 --- a/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml +++ b/linux_os/guide/system/auditing/policy_rules/audit_ospp_general_ppc64le/rule.yml 
@@ -56,8 +56,14 @@ title: 'Perform general configuration of Audit for OSPP (ppc64le)' -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes -a always,exit -F path=/usr/bin/at -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes +-a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=" ~ uid_min ~ " -F auid!=unset -F key=special-config-changes ## Privilege escalation via su or sudo. This is entirely handled by pam. +## Special case for systemd-run. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation +## Special case for pkexec. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation + ## Watch for configuration changes to privilege escalation. -a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes From 3126a86ccfaacabf91de93f88e3956bf166a4fd4 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 2 Feb 2024 10:05:04 +0100 Subject: [PATCH 303/403] remove /dev/shm partition definition from RHEL 9 kickstarts --- products/rhel9/kickstart/ssg-rhel9-ccn_advanced-ks.cfg | 3 --- products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg | 3 --- products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg | 3 --- products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg | 3 --- products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg | 3 --- products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg | 3 --- products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg | 3 --- 7 files changed, 21 deletions(-) diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_advanced-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_advanced-ks.cfg index bfbdf1dea9e9..8ff39443e841 100644 
--- a/products/rhel9/kickstart/ssg-rhel9-ccn_advanced-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-ccn_advanced-ks.cfg @@ -88,9 +88,6 @@ clearpart --linux --initlabel part /boot --fstype=xfs --size=512 part pv.01 --grow --size=1 -# Ensure /dev/shm is a separate partition -part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 - # Create a Logical Volume Management (LVM) group (optional) volgroup VolGroup pv.01 diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg index 7d2f806bbd2a..71d9dec338fb 100644 --- a/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-ccn_basic-ks.cfg @@ -88,9 +88,6 @@ clearpart --linux --initlabel part /boot --fstype=xfs --size=512 part pv.01 --grow --size=1 -# Ensure /dev/shm is a separate partition -part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 - # Create a Logical Volume Management (LVM) group (optional) volgroup VolGroup pv.01 diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg index 897189173cd4..73d10972a013 100644 --- a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg @@ -88,9 +88,6 @@ clearpart --linux --initlabel part /boot --fstype=xfs --size=512 part pv.01 --grow --size=1 -# Ensure /dev/shm is a separate partition -part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 - # Create a Logical Volume Management (LVM) group (optional) volgroup VolGroup pv.01 diff --git a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg index 6e8cc9158b95..e1344a023e79 100644 --- a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg 
@@ -91,9 +91,6 @@ clearpart --linux --initlabel part /boot --fstype=xfs --size=512 part pv.01 --grow --size=1 -# Ensure /dev/shm is a separate partition -part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 - # Create a Logical Volume Management (LVM) group (optional) volgroup VolGroup pv.01 diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg index bf6ec98c2867..198082c2e83e 100644 --- a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg @@ -91,9 +91,6 @@ clearpart --linux --initlabel part /boot --fstype=xfs --size=512 part pv.01 --grow --size=1 -# Ensure /dev/shm is a separate partition -part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 - # Create a Logical Volume Management (LVM) group (optional) volgroup VolGroup pv.01 diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg index c3c62ea001bf..9295710e1942 100644 --- a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg @@ -91,9 +91,6 @@ clearpart --linux --initlabel part /boot --fstype=xfs --size=512 part pv.01 --grow --size=1 -# Ensure /dev/shm is a separate partition -part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 - # Create a Logical Volume Management (LVM) group (optional) volgroup VolGroup pv.01 diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg index 0903e76efb8c..51dc4dd62fc1 100644 --- a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg +++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg 
@@ -91,9 +91,6 @@ clearpart --linux --initlabel part /boot --fstype=xfs --size=512 part pv.01 --grow --size=1 -# Ensure /dev/shm is a separate partition -part /dev/shm --fstype=tmpfs --fsoptions="nodev,nosuid,noexec" --size=512 - # Create a Logical Volume Management (LVM) group (optional) volgroup VolGroup pv.01 From 05f6afd8e763d35e6a742db9e215d84ca73f8671 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 2 Feb 2024 10:07:34 +0100 Subject: [PATCH 304/403] remove /dev/shm partition definition from RHEL 7 kickstarts --- products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg | 2 -- products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg | 2 -- products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg | 2 -- products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg | 2 -- 4 files changed, 8 deletions(-) diff --git a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg index 04438000dae3..9f75122e4f8c 100644 --- a/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg +++ b/products/rhel7/kickstart/ssg-rhel7-cis-ks.cfg @@ -117,8 +117,6 @@ logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 # Ensure /var/log/audit Located On Separate Partition logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 -# Ensure /dev/shm Located on Separate Partition -logvol /dev/shm --name=devshm --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" logvol swap --name=swap --vgname=VolGroup --size=2016 diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg index 3e514f66e7b8..0e203349c8a5 100644 --- a/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg +++ b/products/rhel7/kickstart/ssg-rhel7-cis_server_l1-ks.cfg 
@@ -117,8 +117,6 @@ logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 # Ensure /var/log/audit Located On Separate Partition logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 -# Ensure /dev/shm Located on Separate Partition -logvol /dev/shm --name=devshm --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" logvol swap --name=swap --vgname=VolGroup --size=2016 diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg index 6a5eb0765237..480ee026b95a 100644 --- a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg +++ b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l1-ks.cfg @@ -117,8 +117,6 @@ logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 # Ensure /var/log/audit Located On Separate Partition logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 -# Ensure /dev/shm Located on Separate Partition -logvol /dev/shm --name=devshm --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" logvol swap --name=swap --vgname=VolGroup --size=2016 diff --git a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg index 867f5d710a60..6721863f6b09 100644 --- a/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg +++ b/products/rhel7/kickstart/ssg-rhel7-cis_workstation_l2-ks.cfg 
@@ -117,8 +117,6 @@ logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 # Ensure /var/log/audit Located On Separate Partition logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 -# Ensure /dev/shm Located on Separate Partition -logvol /dev/shm --name=devshm --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec" logvol swap --name=swap --vgname=VolGroup --size=2016 From 05c915bcec576d6d94d84315ef60ddebcbb7111a Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Fri, 2 Feb 2024 15:05:31 +0100 Subject: [PATCH 305/403] Fix Ansible compatibility with sysctl module In older versions of Ansible, such as the version included with RHEL7, the sysctl module was part of the ansible.builtin collection. But in most recent versions it belongs to the ansible.posix collection. Since explicit collection is not mandatory, we can leave it implicit for this particular case so each Ansible version can manage it properly. --- .../set_nftables_loopback_traffic/ansible/shared.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/ansible/shared.yml b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/ansible/shared.yml index 991936f9fd87..2643a7a10f95 100644 --- a/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/ansible/shared.yml +++ b/linux_os/guide/system/network/network-nftables/set_nftables_loopback_traffic/ansible/shared.yml @@ -16,11 +16,7 @@ register: ipv6_status - name: Check sysctl value of net.ipv6.conf.all.disable_ipv6 -{{% if product == "rhel7" %}} - ansible.builtin.sysctl: -{{% else %}} - ansible.posix.sysctl: -{{%endif %}} + sysctl: name: net.ipv6.conf.all.disable_ipv6 state: present value: "1" 
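Review bot: The bare `sysctl:` that replaces the product-conditional FQCN block is intentional, but it looks like an oversight to anyone running `ansible-lint` with its fqcn rules over the generated playbooks, and a well-meaning contributor will put the prefix back. A why-comment on the task, e.g. `# Short name on purpose: resolves to ansible.builtin.sysctl on RHEL 7's Ansible and to ansible.posix.sysctl on newer releases`, records the reason from the commit message in the file where it is needed. The same replacement is made in the second hunk of this file for `net.ipv6.conf.default.disable_ipv6` and needs the same comment. The short name still depends on the `ansible.posix` collection being installed on newer controllers; the explicit FQCN made that requirement visible, the short name hides it.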
@@ -28,11 +24,7 @@ register: sysctl_ipv6_all - name: Check sysctl value of net.ipv6.conf.default.disable_ipv6 -{{% if product == "rhel7" %}} - ansible.builtin.sysctl: -{{% else %}} - ansible.posix.sysctl: -{{%endif %}} + sysctl: name: net.ipv6.conf.default.disable_ipv6 state: present value: "1" From e7c0c3272adf26ba914446775b61adbf4bba0804 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 2 May 2024 16:40:03 +0200 Subject: [PATCH 306/403] make Ansible remediation of zipl_bootmap_is_up_to_date available in all products --- .../zipl_bootmap_is_up_to_date/ansible/shared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml index 7f2be35644cd..2697718c097f 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 8 +# platform = multi_platform_all # reboot = false # strategy = configure # complexity = low From b4fb836b8eb916772e77b4f4780e961af71d586e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Fri, 3 May 2024 15:26:47 +0200 Subject: [PATCH 307/403] add rule configure_firewalld_ports to the rhel9 default profile so that the rule is back in the datastream --- products/rhel9/profiles/default.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile index 07ac0183a6fb..d9b50f7fa35f 100644 --- a/products/rhel9/profiles/default.profile +++ b/products/rhel9/profiles/default.profile @@ -552,3 +552,4 @@ selections: - audit_rules_unsuccessful_file_modification_fchmodat - sebool_polipo_session_users - sebool_cluster_manage_all_files + - configure_firewalld_ports 
From e93e6308b1a29d2b49c181254f7c732c65ff8d39 Mon Sep 17 00:00:00 2001 From: Vincent Shen Date: Fri, 26 Apr 2024 13:29:18 -0700 Subject: [PATCH 308/403] OCP Update variable filter to consider go_template Update the variable filter to find if a rule is using go-template, if so find any var being used, add them to var list for that rule --- build-scripts/build_xccdf.py | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/build-scripts/build_xccdf.py b/build-scripts/build_xccdf.py index 89a71da8761a..fde80a1ab01d 100644 --- a/build-scripts/build_xccdf.py +++ b/build-scripts/build_xccdf.py @@ -6,7 +6,7 @@ import os import os.path from collections import namedtuple - +import re import ssg.build_yaml import ssg.utils @@ -114,6 +114,15 @@ def get_linked_xccdf(loader, xccdftree, args): return oval_linker, xccdftree +def get_variables_from_go_templating(rule, var_ids): + go_templating_pattern = re.compile(r"{{(.*?)}}") + go_templating_var_pattern = re.compile(r"\.([a-zA-Z0-9_]+)") + for ele in rule.itertext(): + for match in go_templating_pattern.finditer(ele): + for var in go_templating_var_pattern.finditer(match.group(1)): + var_ids.add(var.group(1)) + + def get_rules_with_variables(xccdftree): rules = xccdftree.findall(".//{%s}Rule" % ssg.constants.XCCDF12_NS) out_var_ids = {} @@ -129,6 +138,7 @@ def get_rules_with_variables(xccdftree): var_ids.add( sub_el.get("idref").replace("xccdf_org.ssgproject.content_value_", "") ) + get_variables_from_go_templating(rule, var_ids) out_var_ids[ rule.get("id").replace("xccdf_org.ssgproject.content_rule_", "") ] = var_ids From caae6c9fffa244412b80bd4d07b5ff0839114e8e Mon Sep 17 00:00:00 2001 
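Review bot: `import re` takes the slot of the blank line that separated the standard-library imports from the `ssg.*` ones, so the grouping the file used is lost and `re` ends up after `from collections import namedtuple`. Placing `import re` with the other stdlib `import` lines (directly after `import os.path`) and keeping the blank line before `import ssg.build_yaml` preserves the convention.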
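Review bot: `get_variables_from_go_templating` has no docstring and silently mutates its `var_ids` argument, so the call `get_variables_from_go_templating(rule, var_ids)` in the third hunk reads like a pure lookup. A docstring should say that it scans every text node of `rule` for `{{ ... }}` Go-template expressions, extracts each `.identifier` found inside them, and adds those names to `var_ids` in place, returning nothing. The two `re.compile` calls run once per rule although the patterns are constants; `GO_TEMPLATE_EXPR = re.compile(r"{{(.*?)}}")` and `GO_TEMPLATE_VAR = re.compile(r"\.([a-zA-Z0-9_]+)")` at module level would be the usual form. A comment should also note that `\.([a-zA-Z0-9_]+)` captures every dotted segment inside the braces, so a nested field reference or a quoted string containing a dot presumably yields names that are not XCCDF values — confirm the consumers of the variable list tolerate unknown ids. `get_rules_with_variables`, where the call is inserted, begins outside its hunk.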
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 3 May 2024 18:35:16 +0200 Subject: [PATCH 309/403] Recollect facts in mount_option_nodev_nonroot_local_partitions This patch changes the Ansible code for rule mount_option_nodev_nonroot_local_partitions so that Ansible id forced to refresh facts about mount points right before running the Ansible Task for this rule. The data in facts that were collected at the beginning of the play can be outdated at point when this Ansible Task is executed if there is some other Ansible Task that changes mount points, for example if the Ansible Tasks for rule mount_option_boot_nosuid is before the Ansible Task for rule mount_option_nodev_nonroot_local_partitions. Fixes: #11933 --- .../ansible/shared.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml index 2aa9a53e4ddf..f2d8077b6027 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml @@ -4,6 +4,10 @@ # complexity = low # disruption = high +- name: "{{{ rule_title }}}: Refresh facts" + setup: + gather_subset: mounts + - name: Ensure non-root local partitions are mounted with nodev option mount: path: "{{ item.mount }}" From f743af3639e21c438ba6f90e3adf92cc005ce9ce Mon Sep 17 00:00:00 2001 
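Review bot: The new `setup` task looks redundant to a reader who does not know the history, because facts are normally gathered once per play, so a why-comment above it is needed to keep a future cleanup from deleting it: `# Re-gather mount facts: earlier tasks in this play may have remounted partitions, so facts collected at play start can be stale (see #11933)`. Any sibling rule that iterates over the mount facts in the same way presumably has the same staleness problem and needs the same refresh. Fine-grained subsets such as `gather_subset: mounts` are, if I recall correctly, not understood by every Ansible release the project still targets; worth confirming on the oldest supported controller. The mount task that consumes the facts continues outside the hunk.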
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 6 May 2024 14:44:14 +0200 Subject: [PATCH 310/403] Fix accounts_umask_etc_bashrc Fix accounts_umask_etc_bashrc content misalignment with RHEL 9 DISA STIG. - Only valid umask values (3-digits) will match in OVAL - Do not concatenate original value with the new value in Ansible remediation - Add a regression test for #11937 - Fix bash quoting in test scenario Fixes: #11937 --- .../accounts_umask_etc_bashrc/ansible/shared.yml | 6 +++--- .../user_umask/accounts_umask_etc_bashrc/oval/shared.xml | 2 +- ...ng_and_mangled_and_not_at_the_begining_of_line.fail.sh | 8 ++++++++ .../tests/wrong_and_not_at_the_begining_of_line.fail.sh | 2 +- 4 files changed, 13 insertions(+), 5 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/tests/wrong_and_mangled_and_not_at_the_begining_of_line.fail.sh diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml index 3cc2f3b32b0c..730c17f84f88 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml @@ -14,7 +14,7 @@ - name: Check if umask in {{{ etc_bash_rc }}} is already set ansible.builtin.lineinfile: path: {{{ etc_bash_rc }}} - regexp: ^[^#]*\bumask\s+ + regexp: ^[^#]*\bumask\s+\d+$ state: absent check_mode: true changed_when: false @@ -23,8 +23,8 @@ - name: Replace user umask in {{{ etc_bash_rc }}} ansible.builtin.replace: path: {{{ etc_bash_rc }}} - regexp: ^([^#]*\b)umask(\s*) - replace: \g<1>umask\g<2>{{ var_accounts_user_umask }} + regexp: ^([^#]*\b)umask\s+\d+$ + replace: \g<1>umask {{ var_accounts_user_umask }} when: - umask_replace.found > 0 
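Review bot: The Ansible `regexp: ^[^#]*\bumask\s+\d+$` accepts any number of digits while the OVAL check in the next hunk matches only `\d{3}`, so the two sides disagree on what counts as a umask line. A four-digit `umask 0027`, which bash accepts, is rewritten by the remediation but, if I read the OVAL correctly, is not matched by `(\d{3})\s*$` and is presumably reported as not set even when its value is right; `\d{3,4}` on both sides (or one shared pattern) would keep them aligned, unless three digits is a deliberate reading of the STIG text, in which case a comment saying so belongs next to the pattern. A trailing comment after the digits (`umask 027 # hardened`) now matches neither regex, so such lines are left untouched and handled by whatever the not-found branch outside the hunk does; that deserves a test scenario. The `lineinfile` and `replace` tasks both start outside their hunks.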
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml index 597758a90df1..bf610a8714fa 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml @@ -16,7 +16,7 @@ {{{ etc_bash_rc }}} - ^[^#]*\bumask\s+([^#\s]*) + ^[^#]*\bumask\s+(\d{3})\s*$ 1 diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/tests/wrong_and_mangled_and_not_at_the_begining_of_line.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/tests/wrong_and_mangled_and_not_at_the_begining_of_line.fail.sh new file mode 100644 index 000000000000..e129a6ca988b --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/tests/wrong_and_mangled_and_not_at_the_begining_of_line.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# packages = bash + +# This TS is a regression test for https://github.com/ComplianceAsCode/content/issues/11937 + +sed -i '/umask/d' /etc/bashrc +echo " [ \`umask\` -eq 0 ] && umask 027022" >> /etc/bashrc +umask 000 diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/tests/wrong_and_not_at_the_begining_of_line.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/tests/wrong_and_not_at_the_begining_of_line.fail.sh index 7a70747b3ae2..bbe2c3db1cea 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/tests/wrong_and_not_at_the_begining_of_line.fail.sh +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/tests/wrong_and_not_at_the_begining_of_line.fail.sh 
@@ -2,5 +2,5 @@ # packages = bash sed -i '/umask/d' /etc/bashrc -echo " [ `umask` -eq 0 ] && umask 022" >> /etc/bashrc +echo " [ \`umask\` -eq 0 ] && umask 022" >> /etc/bashrc umask 000 From a01d2eb6cd267d9f33a9fca249c6f37c338a076f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 6 May 2024 17:58:15 +0200 Subject: [PATCH 311/403] Prioritize chronyd_specify_remote_server This change will put chronyd_specify_remote_server before other rules in the ntp group. Fixes: #11934 --- ssg/build_yaml.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py index f382f4e24086..7da65863c38e 100644 --- a/ssg/build_yaml.py +++ b/ssg/build_yaml.py @@ -692,10 +692,12 @@ def _add_rules_xml(self, group, rules_to_not_include, env_yaml): r'(service_.*_(enabled|disabled))|' + r'install_smartcard_packages|' + r'sshd_set_keepalive(_0)?|' + - r'sshd_set_idle_timeout$') + r'sshd_set_idle_timeout|' + + r'chronyd_specify_remote_server$') priority_order = ["enable_authselect", "installed", "install_smartcard_packages", "removed", "enabled", "disabled", "sshd_set_keepalive_0", - "sshd_set_keepalive", "sshd_set_idle_timeout"] + "sshd_set_keepalive", "sshd_set_idle_timeout", + "chronyd_specify_remote_server"] rules_in_group = reorder_according_to_ordering(rules_in_group, priority_order, regex) # Add rules in priority order, first all packages installed, then removed, From 6f93bc0870bb1374cd9a4f6a4bd5e0da24af5d2e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 9 May 2024 14:00:10 +0200 Subject: [PATCH 312/403] add when conditional to remediation of sssd_enable_pam_service older Ansible versions might terminate prematurely if there are no config files found in /etc/sssd/conf.d directory --- .../services/sssd/sssd_enable_pam_services/ansible/shared.yml | 1 + 1 file changed, 1 insertion(+) 
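Review bot: The `regex` alternation and the `priority_order` list are two hand-maintained copies of the same set of rule names, and this hunk — like the zipl one later in the series that appends `zipl_.*_argument(_absent)?` and `"argument"` — shows that every addition has to be made in both. A comment above `regex` stating that each alternative needs a corresponding `priority_order` entry would make the coupling explicit; building the regex from the list would remove it. `_add_rules_xml`, the enclosing method, begins before the hunk.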
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml index bfc1b754cb3e..83d109521969 100644 --- a/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml +++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml @@ -18,6 +18,7 @@ replace: '\1,pam' with_items: "{{ sssd_conf_d_files.files | map(attribute='path') }}" register: modify_lines_sssd_conf_d_files + when: sssd_conf_d_files.matched is defined and sssd_conf_d_files.matched >= 1 - name: {{{ rule_title }}} - Find /etc/sssd/sssd.conf ansible.builtin.stat: From 47b6fbf5600be11f66e544d3897af8e237a6df28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Thu, 9 May 2024 13:39:05 +0200 Subject: [PATCH 313/403] Fix zipl_bootmap_is_up_to_date First, we prioritize order of all zIPL rules that are changing the bootloader arguments in order to put them before zipl_bootmap_is_up_to_date. This should ensure that the fixed rule zipl_bootmap_is_up_to_date isn't broken by remediations executed later. Second, we align the Ansible remediation in zipl_bootmap_is_up_to_date to consider modification time of /boot/loader/entries/. Fixes #11944 --- .../zipl_bootmap_is_up_to_date/ansible/shared.yml | 11 +++++++++-- ssg/build_yaml.py | 6 ++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml index 2697718c097f..be83c8d2d271 100644 --- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml +++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/ansible/shared.yml 
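Review bot: The added `when:` guard reads as redundant next to a `with_items` over the `find` results, since an empty list is already a no-op loop on current Ansible, so it is likely to be removed in a future cleanup unless the reason is recorded in the file. A comment on the line, e.g. `# Guard needed: older Ansible may terminate the task prematurely when find returns no files`, keeps the workaround from being undone. `when: sssd_conf_d_files.matched | default(0) > 0` says the same thing more compactly if the project's minimum Ansible version supports it. The `replace` task the guard belongs to starts outside the hunk.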
@@ -16,9 +16,16 @@ path: /etc/zipl.conf register: zipl_conf - # TODO: handle /boot/loader/entries/*.conf + - name: "Obtain stats of /boot/loader/entries" + stat: + path: /boot/loader/entries + register: boot_loader_entries - name: "Update zIPL bootmap" command: /usr/sbin/zipl changed_when: True - when: boot_bootmap.stat.mtime is defined and zipl_conf.stat.mtime is defined and boot_bootmap.stat.mtime < zipl_conf.stat.mtime + when: + - boot_bootmap.stat.mtime is defined + - zipl_conf.stat.mtime is defined + - boot_loader_entries.stat.mtime is defined + - boot_bootmap.stat.mtime < zipl_conf.stat.mtime or boot_bootmap.stat.mtime < boot_loader_entries.stat.mtime diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py index 7da65863c38e..5f0d3a41d772 100644 --- a/ssg/build_yaml.py +++ b/ssg/build_yaml.py @@ -693,11 +693,13 @@ def _add_rules_xml(self, group, rules_to_not_include, env_yaml): r'install_smartcard_packages|' + r'sshd_set_keepalive(_0)?|' + r'sshd_set_idle_timeout|' + - r'chronyd_specify_remote_server$') + r'chronyd_specify_remote_server|' + + r'zipl_.*_argument(_absent)?$') priority_order = ["enable_authselect", "installed", "install_smartcard_packages", "removed", "enabled", "disabled", "sshd_set_keepalive_0", "sshd_set_keepalive", "sshd_set_idle_timeout", - "chronyd_specify_remote_server"] + "chronyd_specify_remote_server", + "argument"] rules_in_group = reorder_according_to_ordering(rules_in_group, priority_order, regex) # Add rules in priority order, first all packages installed, then removed, From 0963c5c9ccdc5bc46ea33b48e02a33bf5ac9deef Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 10 May 2024 09:19:59 -0500 Subject: [PATCH 314/403] Disable RHEL 10 content for 0.1.73 release --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 788d0e45dc32..5d4bc725f288 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
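Review bot: Requiring `boot_loader_entries.stat.mtime is defined` in the new `when` list makes the "Update zIPL bootmap" task skip entirely on a host with no `/boot/loader/entries` directory, even when `/etc/zipl.conf` is newer than the bootmap — a regression from the previous condition, which fired on `zipl.conf` alone. The directory check should be optional: drop the `boot_loader_entries.stat.mtime is defined` item and make the last one `- boot_bootmap.stat.mtime < zipl_conf.stat.mtime or (boot_loader_entries.stat.mtime is defined and boot_bootmap.stat.mtime < boot_loader_entries.stat.mtime)`. Separately, a directory's mtime only changes when an entry is created, removed or renamed, so an in-place edit of an existing `*.conf` — the case the removed `TODO: handle /boot/loader/entries/*.conf` named — still goes unnoticed; a `find` over `/boot/loader/entries` with `patterns: '*.conf'` and a comparison against the newest file mtime would close that gap. The earlier `stat` tasks for the bootmap and `zipl.conf` lie outside this hunk.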
@@ -101,7 +101,7 @@ option(SSG_PRODUCT_OPENSUSE "If enabled, the openSUSE SCAP content will be built option(SSG_PRODUCT_RHEL7 "If enabled, the RHEL7 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_RHEL8 "If enabled, the RHEL8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_RHEL9 "If enabled, the RHEL9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) -option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) +option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" FALSE) option(SSG_PRODUCT_RHV4 "If enabled, the RHV4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_SLE12 "If enabled, the SLE12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_SLE15 "If enabled, the SLE15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) From 1368a76f587b61d93256d48711e32badfbd39a51 Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 14 May 2024 10:08:43 +0200 Subject: [PATCH 315/403] Ensure that security_patches_up_to_date is not built with remediations wrt Red Hat products --- .../updating/security_patches_up_to_date/ansible/shared.yml | 2 +- .../updating/security_patches_up_to_date/bash/shared.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml index e0c02325c29c..0b90decc65f5 100644 --- a/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml +++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_all +# platform = multi_platform_alinux,multi_platform_anolis,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_ubuntu,multi_platform_uos # reboot = true # strategy = patch # complexity = low 
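Review bot: Replacing `multi_platform_all` with an explicit product list drops more than the Red Hat products the commit title names: any product not enumerated (Debian or openSUSE, for instance, if they are covered by `multi_platform_all` in this tree) also loses the Ansible remediation, and nothing in the file records why. A comment above the `platform` line would keep the next contributor from widening it back, e.g. `# RHEL and RHV are deliberately left out: no automated patch remediation is shipped for Red Hat products`. If the omission of the other platforms is unintended, the list should be extended instead. The remaining header keys (`reboot`, `strategy`, `complexity`) are unchanged.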
diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/bash/shared.sh b/linux_os/guide/system/software/updating/security_patches_up_to_date/bash/shared.sh index fd844d2a1efc..8032672b10e1 100644 --- a/linux_os/guide/system/software/updating/security_patches_up_to_date/bash/shared.sh +++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle +# platform = multi_platform_ol,multi_platform_sle # reboot = true # strategy = patch # complexity = low From cc695cda2dd2c9dca53922bd57ee8287af3927f7 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 30 Jul 2024 12:22:03 -0500 Subject: [PATCH 316/403] Remove installed_OS_is_FIPS_certified from sshd_use_approved_ciphers --- .../sshd_use_approved_ciphers/oval/shared.xml | 33 +++++++++---------- 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml index 33b492fdd36a..6f68e38ead69 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml @@ -1,24 +1,21 @@ {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}} - - - - - - - - - - - - + + + + + + + + + From 2c8c018d2b966a041936e1cf244596e66bd0dd07 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 30 Jul 2024 17:08:52 -0500 Subject: [PATCH 317/403] Add package_rng-tools_installed to Fedora OSPP profile --- products/fedora/profiles/ospp.profile | 1 + 1 file changed, 1 insertion(+) diff --git a/products/fedora/profiles/ospp.profile b/products/fedora/profiles/ospp.profile index edeb6eaacf19..5ee037a7c74d 100644 --- a/products/fedora/profiles/ospp.profile 
+++ b/products/fedora/profiles/ospp.profile @@ -232,4 +232,5 @@ selections: - dnf-automatic_security_updates_only - package_dnf-automatic_installed - timer_dnf-automatic_enabled + - package_rng-tools_installed - service_rngd_enabled From e54ac469eff17fd9d137839c72404468e79ff2ec Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 1 Aug 2024 13:59:12 -0500 Subject: [PATCH 318/403] Fix title of var_networkmanager_dns_mode. --- .../network/networkmanager/var_networkmanager_dns_mode.var | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var b/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var index 1be615dff9a4..abab5ce68266 100644 --- a/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var +++ b/linux_os/guide/system/network/networkmanager/var_networkmanager_dns_mode.var @@ -1,6 +1,6 @@ documentation_complete: true -title: 'NetoworkManager DNS Mode' +title: 'NetworkManager DNS Mode' type: string From 4d75c91a5bde32d6d4d9fe6e9ad7fbdc3c2d6fee Mon Sep 17 00:00:00 2001 From: Milan Lysonek Date: Thu, 1 Aug 2024 16:06:04 +0200 Subject: [PATCH 319/403] firewalld_sshd_port_enabled add zone to all connections --- .../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml | 2 +- .../ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh | 2 +- .../tests/customized_zone_configured.pass.sh | 2 +- .../tests/customized_zone_without_ssh.fail.sh | 2 +- .../tests/new_zone_configured.pass.sh | 2 +- .../tests/new_zone_without_ssh.fail.sh | 2 +- .../tests/only_nics_configured.fail.sh | 2 +- .../tests/only_zones_configured.fail.sh | 2 +- .../tests/zones_and_nics_configured.pass.sh | 2 +- .../tests/zones_and_nics_ok_no_custom_files.pass.sh | 2 +- .../tests/zones_and_nics_ok_port_changed.pass.sh | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) 
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml index 7b0bda3f10c4..6609c08723c3 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml @@ -22,7 +22,7 @@ block: - name: '{{{ rule_title }}} - Collect NetworkManager connections names' ansible.builtin.shell: - cmd: nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }' + cmd: nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }' register: result_nmcli_cmd_connections_names changed_when: false diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh index 10d14ec7d79a..5b39a4b3fdb1 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/bash/shared.sh @@ -20,7 +20,7 @@ else firewall-cmd --zone="$firewalld_sshd_zone" --add-service=ssh # This will collect all NetworkManager connections names - readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') + readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. for connection in "${nm_connections[@]}"; do diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh index 87e6871afb1e..327d7450241a 100644 
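Review bot: Switching the filter from `grep ethernet` to `grep -v loopback` widens the set of connections that get assigned to `$firewalld_sshd_zone` from wired ones to every non-loopback NetworkManager connection — wifi, bridge, bond, vlan, tun/VPN and the like — so a connection that previously stayed in firewalld's default zone is now moved into a zone with the ssh service opened; that is a deliberate exposure change and deserves a sentence in the rule's description, not only the commit title. Also, `grep -v loopback` substring-matches the whole `uuid:type` line, whereas filtering on the TYPE field is exact and needs no extra pipeline stage: `cmd: nmcli -g UUID,TYPE con | awk -F ':' '$2 != "loopback" { print $1 }'`. The identical change in the bash remediation and the test scripts below would take the same form. The loop that performs the zone assignment is outside this hunk.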
--- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_configured.pass.sh @@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager firewall-cmd --zone=work --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') +readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh index 383907d2cb78..1fba597d493b 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/customized_zone_without_ssh.fail.sh @@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager firewall-cmd --zone=work --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') +readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. 
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh index 9993e53788c7..f844106b87be 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_configured.pass.sh @@ -15,7 +15,7 @@ firewall-cmd --reload firewall-cmd --zone=$custom_zone_name --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') +readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh index 1301679b3442..fc59df866661 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/new_zone_without_ssh.fail.sh @@ -15,7 +15,7 @@ firewall-cmd --reload firewall-cmd --zone=$custom_zone_name --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') +readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. 
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh index 6552f3f42149..44de6e6e27c9 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_nics_configured.fail.sh @@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager firewall-cmd --zone=work --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') +readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh index 72fc492e5bf9..134a345ce991 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/only_zones_configured.fail.sh @@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager firewall-cmd --zone=work --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') +readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') # If the connection is already assigned to a firewalld zone, removes the assignment. # This will not change connections which are not assigned to any firewalld zone. 
diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh index 02c627e5d009..8f352f2a76a8 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_configured.pass.sh @@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager firewall-cmd --zone=work --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') +readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh index 9b3aa7d203f2..f68d72c20faf 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_no_custom_files.pass.sh 
@@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager firewall-cmd --zone=work --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') +readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh index 3e27a0647b07..fd512516b2e4 100644 --- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh +++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/tests/zones_and_nics_ok_port_changed.pass.sh @@ -10,7 +10,7 @@ systemctl start firewalld NetworkManager firewall-cmd --zone=work --add-service=ssh # Collect all NetworkManager connections names. -readarray -t nm_connections < <(nmcli -f UUID,TYPE con | grep ethernet | awk '{ print $1 }') +readarray -t nm_connections < <(nmcli -g UUID,TYPE con | grep -v loopback | awk -F ':' '{ print $1 }') # If the connection is not yet assigned to a firewalld zone, assign it to the proper zone. # This will not change connections which are already assigned to any firewalld zone. From a6a100d69b961ff9349d71c10410db79962ce333 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 8 Aug 2024 09:00:52 -0500 Subject: [PATCH 320/403] Remove old and broken tldp.org link Very outdated per the LVM webpage. --- linux_os/guide/system/software/disk_partitioning/group.yml | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/linux_os/guide/system/software/disk_partitioning/group.yml b/linux_os/guide/system/software/disk_partitioning/group.yml index d04b19b4e025..b4dc99a33a26 100644 --- a/linux_os/guide/system/software/disk_partitioning/group.yml +++ b/linux_os/guide/system/software/disk_partitioning/group.yml @@ -25,5 +25,3 @@ description: |- scheme was used, it is possible but nontrivial to modify it to create separate logical volumes for the directories listed above. The Logical Volume Manager (LVM) makes this possible. - See the LVM HOWTO at {{{ weblink(link="http://tldp.org/HOWTO/LVM-HOWTO/") }}} - for more detailed information on LVM. From 8ccc32a21cf0fff0b1b0e44b1bf20ca9ac4deae7 Mon Sep 17 00:00:00 2001 From: svet-se Date: Tue, 5 Nov 2024 16:08:10 +0200 Subject: [PATCH 321/403] Update SLE12 STIG to V3R1 --- products/sle12/profiles/stig.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index 2471dcbb6c89..56ea042d6fba 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V2R13 + version: V3R1 SMEs: - abergmann @@ -11,7 +11,7 @@ title: 'DISA STIG for SUSE Linux Enterprise 12' description: |- This profile contains configuration checks that align to the - DISA STIG for SUSE Linux Enterprise 12 V2R13. + DISA STIG for SUSE Linux Enterprise 12 V3R1. selections: - sshd_approved_macs=stig From a18573b76be1fa9a318585a9d0f426c9ebfcc08e Mon Sep 17 00:00:00 2001 From: svet-se Date: Tue, 5 Nov 2024 16:09:55 +0200 Subject: [PATCH 322/403] Update SLE12 DISA STIG manual to V3R1 --- ... => disa-stig-sle12-v3r1-xccdf-manual.xml} | 588 +++++++++--------- 1 file changed, 278 insertions(+), 310 deletions(-) rename shared/references/{disa-stig-sle12-v2r13-xccdf-manual.xml => disa-stig-sle12-v3r1-xccdf-manual.xml} (82%) 
diff --git a/shared/references/disa-stig-sle12-v2r13-xccdf-manual.xml b/shared/references/disa-stig-sle12-v3r1-xccdf-manual.xml similarity index 82% rename from shared/references/disa-stig-sle12-v2r13-xccdf-manual.xml rename to shared/references/disa-stig-sle12-v3r1-xccdf-manual.xml index 3985b3361bde..2af7feb69823 100644 --- a/shared/references/disa-stig-sle12-v2r13-xccdf-manual.xml +++ b/shared/references/disa-stig-sle12-v3r1-xccdf-manual.xml 
@@ -1,4 +1,4 @@ -acceptedSLES 12 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 13 Benchmark Date: 24 Jan 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010000The SUSE operating system must be a vendor-supported release.<VulnDiscussion>A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77045SV-91741CCI-001230Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. +acceptedSLES 12 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 24 Oct 20243.51.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010000The SUSE operating system must be a vendor-supported release.<VulnDiscussion>A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77045SV-91741CCI-001230Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. 
If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.Verify the SUSE operating system is a vendor-supported release. 
@@ -13,7 +13,7 @@ VERSION="12" Current End of Life for SLES 12 General Support is 31 Oct 2024 and Long-term Support is until 31 Oct 2027. If the release is not supported by the vendor, this is a finding. -SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010010Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep SUSE operating system and application software patched is a common mistake made by IT professionals. New patches are released frequently, and it is often difficult for even experienced System Administrators (SAs) to keep abreast of all the new patches. When new weaknesses in a SUSE operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. 
The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77047SV-91743CCI-001227Install the applicable SUSE operating system patches available from SUSE by running the following command: +SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010010Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep SUSE operating system and application software patched is a common mistake made by IT professionals. New patches are released frequently, and it is often difficult for even experienced System Administrators (SAs) to keep abreast of all the new patches. When new weaknesses in a SUSE operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. 
The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77047SV-91743CCI-001227Install the applicable SUSE operating system patches available from SUSE by running the following command: # sudo zypper patchVerify the SUSE operating system security patches and updates are installed and up to date. 
@@ -33,7 +33,7 @@ If the patch repository data is corrupt check that the available package securit 2016-12-14 11:59:36 | install | pam_apparmor | 2.8.0-2.4.1 2016-12-14 11:59:36 | install | pam_apparmor-32bit | 2.8.0-2.4.1 -If the SUSE operating system has not been patched within the site or PMO frequency, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>SLES-12-010020The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. +If the SUSE operating system has not been patched within the site or PMO frequency, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>SLES-12-010020The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. 
@@ -87,7 +87,7 @@ sleep 1; exit 1; fi -If the beginning of the file does not contain the above text immediately after the line (#!/bin/sh), this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>SLES-12-010030The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. +If the beginning of the file does not contain the above text immediately after the line (#!/bin/sh), this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>SLES-12-010030The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via local console.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. 
@@ -145,7 +145,7 @@ By using this IS (which includes any device attached to this IS), you consent to -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." -If the output does not display the correct banner text, this is a finding.SRG-OS-000228-GPOS-00088<GroupDescription></GroupDescription>SLES-12-010040The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. +If the output does not display the correct banner text, this is a finding.SRG-OS-000228-GPOS-00088<GroupDescription></GroupDescription>SLES-12-010040The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. 
@@ -196,7 +196,7 @@ user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults -If "banner-message-enable" is set to "false" or is missing completely, this is a finding.SRG-OS-000228-GPOS-00088<GroupDescription></GroupDescription>SLES-12-010050The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. +If "banner-message-enable" is set to "false" or is missing completely, this is a finding.SRG-OS-000228-GPOS-00088<GroupDescription></GroupDescription>SLES-12-010050The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. 
@@ -244,13 +244,13 @@ banner-message-text= Note: The "\n" characters are for formatting only. They will not be displayed on the graphical user interface. -If the banner text does not exactly match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>SLES-12-010060The SUSE operating system must be able to lock the graphical user interface (GUI).<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +If the banner text does not exactly match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>SLES-12-010060The SUSE operating system must be able to lock the graphical user interface (GUI).<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. 
-Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91753V-77057CCI-000056CCI-000058CCI-000060This command must be run from an X11 session; otherwise, the command will not work correctly. +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91753V-77057CCI-000056CCI-000058CCI-000057CCI-000060This command must be run from an X11 session; otherwise, the command will not work correctly. Configure the SUSE operating system to allow the user to lock the graphical user interface. 
@@ -264,19 +264,19 @@ Run the following command: # gsettings get org.gnome.desktop.lockdown disable-lock-screen -If the result is "true", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>SLES-12-010070The SUSE operating system must utilize vlock to allow for session locking.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +If the result is "true", this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>SLES-12-010070The SUSE operating system must utilize vlock to allow for session locking.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. 
-Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77059SV-91755CCI-000060CCI-000056CCI-000058Allow users to lock the console by installing the "kbd" package using zypper: +Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77059SV-91755CCI-000060CCI-000056CCI-000058CCI-000057Allow users to lock the console by installing the "kbd" package using zypper: # sudo zypper install kbdCheck that the SUSE operating system has the "vlock" package installed by running the following command: # zypper se -i --provides vlock -If the command outputs "no matching items found", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>SLES-12-010080The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary 
nature of the absence. +If the command outputs "no matching items found", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>SLES-12-010080The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the users to manually lock their SUSE operating system session prior to vacating the vicinity, the SUSE operating system needs to be able to identify when a user's session has idled and take action to initiate the session lock. 
@@ -292,41 +292,41 @@ Note: If the system does not have a graphical user interface installed, this req uint32 900 -If the command does not return a value less than or equal to "900", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>SLES-12-010090The SUSE operating system must initiate a session lock after a 15-minute period of inactivity.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. +If the command does not return a value less than or equal to "900", this is a finding.SRG-OS-000029-GPOS-00010<GroupDescription></GroupDescription>SLES-12-010090The SUSE operating system must initiate a session lock after a 10-minute period of inactivity.<VulnDiscussion>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the users to manually lock their SUSE operating system session prior to vacating the vicinity, the SUSE operating system needs to be able to identify when a user's session has idled and take action to initiate the session lock. 
-The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77063SV-91759CCI-000057Configure the SUSE operating system to initiate a session lock after a 15-minute period of inactivity by modifying or creating (if it does not already exist) the "/etc/profile.d/autologout.sh" file and add the following lines to it: +The session lock is implemented at the point where session activity can be determined and/or controlled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77063SV-91759CCI-000057Configure the SUSE operating system to initiate a session lock after a 10-minute period of inactivity by modifying or creating (if it does not already exist) the "/etc/profile.d/autologout.sh" file and add the following lines to it: -TMOUT=900 +TMOUT=600 readonly TMOUT export TMOUT Set the proper permissions for the "/etc/profile.d/autologout.sh" file with the following command: -# sudo chmod +x /etc/profile.d/autologout.shVerify the SUSE operating system must initiate a session logout after a 15-minute period of inactivity for all connection types. 
+# sudo chmod +x /etc/profile.d/autologout.shVerify the SUSE operating system must initiate a session logout after a 10-minute period of inactivity for all connection types. -Check the proper script exists to kill an idle session after a 15-minute period of inactivity with the following command: +Check the proper script exists to kill an idle session after a 10-minute period of inactivity with the following command: # cat /etc/profile.d/autologout.sh -TMOUT=900 +TMOUT=600 readonly TMOUT export TMOUT -If the file "/etc/profile.d/autologout.sh" does not exist or the output from the function call is not the same, this is a finding.SRG-OS-000031-GPOS-00012<GroupDescription></GroupDescription>SLES-12-010100The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. +If the file "/etc/profile.d/autologout.sh" does not exist or the output from the function call is not the same, this is a finding.SRG-OS-000031-GPOS-00012<GroupDescription></GroupDescription>SLES-12-010100The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. The SUSE operating system session lock event must include an obfuscation of the display screen to prevent other users from reading what was previously displayed. 
-Publicly viewable images can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images conveys sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91761V-77065CCI-000060Note: If the system does not have X Windows installed, this requirement is Not Applicable. - -Configure the SUSE operating system to use a publicly viewable image by finding the Settings menu and then navigate to the Background selection section: - -- Click "Applications" on the bottom left. -- Hover over "System Tools" with the mouse. -- Click the "Settings" icon under System Tools. -- Click "Background" and then "Lock Screen". -- Set the Lock Screen image to the user's choice. -- Click "Select". 
+Publicly viewable images can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images conveys sensitive information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91761V-77065CCI-000060Note: If the system does not have X Windows installed, this requirement is Not Applicable. + +Configure the SUSE operating system to use a publicly viewable image by finding the Settings menu and then navigate to the Background selection section: + +- Click "Applications" on the bottom left. +- Hover over "System Tools" with the mouse. +- Click the "Settings" icon under System Tools. +- Click "Background" and then "Lock Screen". +- Set the Lock Screen image to the user's choice. +- Click "Select". - Exit Settings Dialog.Verify the SUSE operating system conceals via the session lock information previously visible on the display with a publicly viewable image in the graphical user interface. Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. 
@@ -336,17 +336,17 @@ Check that the lock screen is set to a publicly viewable image by running the fo # gsettings get org.gnome.desktop.screensaver picture-uri 'file:///usr/share/wallpapers/SLE-default-static.xml' -If nothing is returned or "org.gnome.desktop.screensaver" is not set, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-12-010110The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. +If nothing is returned or "org.gnome.desktop.screensaver" is not set, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-12-010110The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When SUSE operating system provide the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate. -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91763V-77067CCI-002038Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. 
If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.Verify that the SUSE operating system requires reauthentication when changing authenticators, roles, or escalating privileges. +Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91763V-77067CCI-002038CCI-004895Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.Verify that the SUSE operating system requires reauthentication when changing authenticators, roles, or escalating privileges. Check that "/etc/sudoers" has no occurrences of "NOPASSWD" or "!authenticate" with the following command: > sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers -If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>SLES-12-010120The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.<VulnDiscussion>SUSE operating system management includes the ability to control the number of users and user sessions that utilize a SUSE operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to Denial-of-Service (DoS) attacks. 
+If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>SLES-12-010120The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.<VulnDiscussion>SUSE operating system management includes the ability to control the number of users and user sessions that utilize a SUSE operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77069SV-91765CCI-000054Configure the SUSE operating system to limit the number of concurrent sessions to 10 or less for all accounts and/or account types. 
@@ -360,7 +360,7 @@ The result must contain the following line: * hard maxlogins 10 -If the "maxlogins" item is missing, the line does not begin with a star symbol, or the value is not set to "10" or less, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>SLES-12-010130The SUSE operating system must lock an account after three consecutive invalid access attempts.<VulnDiscussion>By limiting the number of failed access attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. +If the "maxlogins" item is missing, the line does not begin with a star symbol, or the value is not set to "10" or less, this is a finding.SRG-OS-000021-GPOS-00005<GroupDescription></GroupDescription>SLES-12-010130The SUSE operating system must lock an account after three consecutive invalid access attempts.<VulnDiscussion>By limiting the number of failed access attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. The pam_tally2.so module maintains a count of attempted accesses. This includes user name entry into a logon field as well as password entry. With counting access attempts, it is possible to lock an account without presenting a password into the password field. 
This should be taken into consideration as it poses as an avenue for denial of service.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91767V-77071CCI-000044Configure the operating system to lock an account when three unsuccessful access attempts occur. 
@@ -389,7 +389,7 @@ Check that the system resets the failed login attempts counter after a successfu # grep pam_tally2.so /etc/pam.d/common-account account required pam_tally2.so -If the account option is missing, or commented out, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>SLES-12-010140The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91769V-77073CCI-000366Configure the SUSE operating system to enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt. 
+If the account option is missing, or commented out, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>SLES-12-010140The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91769V-77073CCI-000366Configure the SUSE operating system to enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt. Add or update the following variable in "/etc/login.defs" to match the line below ("FAIL_DELAY" must have a value of "4" or higher): 
@@ -400,9 +400,9 @@ Check that the SUSE operating system enforces a delay of at least four (4) secon # grep FAIL_DELAY /etc/login.defs FAIL_DELAY 4 -If the value of "FAIL_DELAY" is not set to "4", "FAIL_DELAY" is commented out, or "FAIL_DELAY" is missing, then this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>SLES-12-010150The SUSE operating system must enforce passwords that contain at least one upper-case character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the value of "FAIL_DELAY" is not set to "4", "FAIL_DELAY" is commented out, or "FAIL_DELAY" is missing, then this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>SLES-12-010150The SUSE operating system must enforce passwords that contain at least one upper-case character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77075SV-91771CCI-000192Configure the SUSE operating system to enforce password complexity by requiring at least one upper-case character. +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77075SV-91771CCI-000192CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one upper-case character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ucredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring that at least one upper-case character. 
@@ -411,9 +411,9 @@ Check that the operating system enforces password complexity by requiring that a # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ucredit=-1 -If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ucredit=-1", this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>SLES-12-010160The SUSE operating system must enforce passwords that contain at least one lower-case character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ucredit=-1", this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>SLES-12-010160The SUSE operating system must enforce passwords that contain at least one lower-case character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91773V-77077CCI-000193Configure the SUSE operating system to enforce password complexity by requiring at least one lower-case character. +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91773V-77077CCI-000193CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one lower-case character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "lcredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring that at least one lower-case character. 
@@ -422,9 +422,9 @@ Check that the operating system enforces password complexity by requiring that a # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so lcredit=-1 -If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "lcredit=-1", this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>SLES-12-010170The SUSE operating system must enforce passwords that contain at least one numeric character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "lcredit=-1", this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>SLES-12-010170The SUSE operating system must enforce passwords that contain at least one numeric character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91775V-77079CCI-000194Configure the SUSE operating system to enforce password complexity by requiring at least one numeric character. +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91775V-77079CCI-000194CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one numeric character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "dcredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring that at least one numeric character. 
@@ -433,11 +433,11 @@ Check that the operating system enforces password complexity by requiring that a # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so dcredit=-1 -If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "dcredit=-1", this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>SLES-12-010180The SUSE operating system must enforce passwords that contain at least one special character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "dcredit=-1", this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>SLES-12-010180The SUSE operating system must enforce passwords that contain at least one special character.<VulnDiscussion>Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. -Special characters are not alphanumeric. Examples include: ~ ! 
@ # $ % ^ *.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91777V-77081CCI-001619Configure the SUSE operating system to enforce password complexity by requiring at least one special character. +Special characters are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91777V-77081CCI-001619CCI-004066Configure the SUSE operating system to enforce password complexity by requiring at least one special character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ocredit=-1" after the third column.Verify the SUSE operating system enforces password complexity by requiring that at least one special character. 
@@ -446,9 +446,9 @@ Check that the operating system enforces password complexity by requiring that a # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ocredit=-1 -If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ocredit=-1", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>SLES-12-010190The SUSE operating system must require the change of at least eight (8) of the total number of characters when passwords are changed.<VulnDiscussion>If the SUSE operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. +If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ocredit=-1", this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>SLES-12-010190The SUSE operating system must require the change of at least eight (8) of the total number of characters when passwords are changed.<VulnDiscussion>If the SUSE operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. -The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. 
In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91783V-77087CCI-000195Configure the SUSE operating system to require at least eight characters be changed between the old and new passwords during a password change with the following command: +The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91783V-77087CCI-000195CCI-004066Configure the SUSE operating system to require at least eight characters be changed between the old and new passwords during a password change with the following command: Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "difok=8" after the third column.Verify the SUSE operating system requires at least eight (8) characters be changed between the old and new passwords during a 
password change. @@ -457,7 +457,7 @@ Check that the operating system requires at least eight (8) characters be change # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so difok=8 -If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "difok", or the value is less than "8", this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>SLES-12-010210The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. +If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "difok", or the value is less than "8", this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>SLES-12-010210The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).<VulnDiscussion>Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. SUSE operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. 
@@ -473,11 +473,11 @@ Check the value of "ENCRYPT_METHOD" value in "/etc/login.defs" with the followin ENCRYPT_METHOD SHA512 -If "ENCRYPT_METHOD" is not set to "SHA512", if any values other that "SHA512" are configured, or if no output is produced, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-12-010220The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. +If "ENCRYPT_METHOD" is not set to "SHA512", if any values other that "SHA512" are configured, or if no output is produced, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-12-010220The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. 
-Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77099SV-91795CCI-000803CCI-000196Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. +Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77099SV-91795CCI-000803CCI-000196CCI-004062Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "ENCRYPT_METHOD" to have a value of "SHA512". 
@@ -493,9 +493,9 @@ $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. -If any interactive user password hash does not begin with "$6", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-12-010230The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. +If any interactive user password hash does not begin with "$6", this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-12-010230The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. -Satisfies: SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77105SV-91801CCI-000196CCI-000803Configure the SUSE operating system Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. 
+Satisfies: SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77105SV-91801CCI-000196CCI-004062CCI-000803Configure the SUSE operating system Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third column. Remove the "nullok" option.Verify the SUSE operating system configures the Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. 
@@ -504,7 +504,7 @@ Check that PAM is configured to create SHA512 hashed passwords by running the fo # grep pam_unix.so /etc/pam.d/common-password password required pam_unix.so sha512 -If the command does not return anything or the returned line is commented out, has a second column value different from "required", or does not contain "sha512", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010231The SUSE operating system must not be configured to allow blank or null passwords.<VulnDiscussion> Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-81785SV-96499CCI-000366Configure the SUSE operating system to not allow blank or null passwords. +If the command does not return anything or the returned line is commented out, has a second column value different from "required", or does not contain "sha512", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010231The SUSE operating system must not be configured to allow blank or null passwords.<VulnDiscussion> Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-81785SV-96499CCI-000366Configure the SUSE operating system to not allow blank or null passwords. Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password" to prevent logons with empty passwords.Verify the SUSE operating is not configured to allow blank or null passwords. 
@@ -513,11 +513,11 @@ Check that blank or null passwords cannot be used by running the following comma # grep pam_unix.so /etc/pam.d/* | grep nullok If this produces any output, it may be possible to log on with accounts with empty passwords. -If null passwords can be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-12-010240The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. +If null passwords can be used, this is a finding.SRG-OS-000073-GPOS-00041<GroupDescription></GroupDescription>SLES-12-010240The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.<VulnDiscussion>The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. -Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77107SV-91803CCI-000803CCI-000196Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. 
+Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77107SV-91803CCI-000803CCI-000196CCI-004062Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000": 
@@ -529,9 +529,9 @@ egrep "^SHA_CRYPT_" /etc/login.defs If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding. -If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>SLES-12-010250The SUSE operating system must employ passwords with a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. +If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>SLES-12-010250The SUSE operating system must employ passwords with a minimum of 15 characters.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps determine strength and how long it takes to crack a password. 
Use of more characters in a password helps exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91805V-77109CCI-000205Configure the SUSE operating system to enforce a minimum 15-character password length. +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps determine strength and how long it takes to crack a password. Use of more characters in a password helps exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91805V-77109CCI-000205CCI-004066Configure the SUSE operating system to enforce a minimum 15-character password length. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "minlen=15" after the third column. 
@@ -542,7 +542,7 @@ Check that the operating system enforces a minimum 15-character password length # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so minlen=15 -If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "minlen" value, or the value is less than "15", this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>SLES-12-010260The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77111SV-91807CCI-000198Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age. 
+If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "minlen" value, or the value is less than "15", this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>SLES-12-010260The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77111SV-91807CCI-000198CCI-004066Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: 
@@ -556,7 +556,7 @@ Check that the SUSE operating system enforces 24 hours/one day as the minimum pa PASS_MIN_DAYS 1 -If no output is produced, or if "PASS_MIN_DAYS" does not have a value of "1" or greater, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>SLES-12-010270The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91809V-77113CCI-000198Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age for user accounts. +If no output is produced, or if "PASS_MIN_DAYS" does not have a value of "1" or greater, this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>SLES-12-010270The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).<VulnDiscussion>Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91809V-77113CCI-000198CCI-004066Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age for user accounts. Change the minimum time period between password changes for each [USER] account to "1" day with the command, replacing [USER] with the user account that must be changed: 
@@ -568,7 +568,7 @@ Check the minimum time period between password changes for each user account wit smithj:1 -If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>SLES-12-010280The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91811V-77115CCI-000199Configure the SUSE operating system to enforce a maximum password age of 60 days or less. +If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>SLES-12-010280The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. 
If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91811V-77115CCI-000199CCI-004066Configure the SUSE operating system to enforce a maximum password age of 60 days or less. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: 
@@ -582,7 +582,7 @@ Check that the SUSE operating system enforces 60 days or less as the maximum pas The DoD requirement is "60" days or less (greater than zero, as zero days will lock the account immediately). -If no output is produced, or if PASS_MAX_DAYS is not set to "60" days or less, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>SLES-12-010290The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91813V-77117CCI-000199Configure the SUSE operating system to enforce a maximum password age of each [USER] account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance: +If no output is produced, or if PASS_MAX_DAYS is not set to "60" days or less, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>SLES-12-010290The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. 
If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91813V-77117CCI-000199CCI-004066Configure the SUSE operating system to enforce a maximum password age of each [USER] account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance: > sudo passwd -x 60 [USER] 
@@ -592,29 +592,7 @@ Check that the SUSE operating system enforces 60 days or less as the maximum use > sudo awk -F: '$5 > 60 || $5 == "" {print $1 ":" $5}' /etc/shadow -If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>SLES-12-010300The SUSE operating system must employ a password history file.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91815V-77119CCI-000200Configure the SUSE operating system to create the password history file with the following commands: - -# sudo touch /etc/security/opasswd -# sudo chown root:root /etc/security/opasswd -# sudo chmod 0600 /etc/security/opasswdVerify the password history file exists on the SUSE operating system. 
-
-Check that the password history file exists with the following command:
-
-# ls -al /etc/security/opasswd
-
--rw------- 1 root root 7 Dec 13 17:21 /etc/security/opasswd
-
-If "/etc/security/opasswd" does not exist, this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>SLES-12-010310The SUSE operating system must not allow passwords to be reused for a minimum of five (5) generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77121SV-91817CCI-000200Configure the SUSE operating system password history to prohibit the reuse of a password for a minimum of five generations.
-
-Edit "/etc/pam.d/common-password" and edit the line containing "pam_pwhistory.so" to contain the option "remember=5 use_authtok" after the third column.Verify the SUSE operating system prohibits the reuse of a password for a minimum of five (5) generations.
-
-Check that the SUSE operating system prohibits the reuse of a password for a minimum of five (5) generations with the following command:
-
-# grep pam_pwhistory.so /etc/pam.d/common-password
-
-password requisite pam_pwhistory.so remember=5 use_authtok
-
-If the command does not return a result, or the returned line is commented out, has a second column value different from "requisite", does not contain "remember" value, the value is less than "5", or is missing the "use_authtok" keyword, this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>SLES-12-010320The SUSE operating system must prevent the use of dictionary words for passwords.<VulnDiscussion>If the SUSE operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91819V-77123CCI-000366Configure the SUSE operating system to prevent the use of dictionary words for passwords.
+If any results are returned that are not associated with a system account, this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>SLES-12-010320The SUSE operating system must prevent the use of dictionary words for passwords.<VulnDiscussion>If the SUSE operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91819V-77123CCI-000366Configure the SUSE operating system to prevent the use of dictionary words for passwords. Edit "/etc/pam.d/common-password" and add the following line: 
@@ -627,7 +605,7 @@ password requisite pam_cracklib.so retry=3 If the command does not return anything, or the returned line is commented out, this is a finding. -If the value of "retry" is greater than 3, this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>SLES-12-010330The SUSE operating system must never automatically remove or disable emergency administrator accounts.<VulnDiscussion>Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. +If the value of "retry" is greater than 3, this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>SLES-12-010330The SUSE operating system must never automatically remove or disable emergency administrator accounts.<VulnDiscussion>Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. 
The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. 
@@ -645,9 +623,9 @@ Check to see if the root account password or account expires with the following Password expires:never -If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>SLES-12-010340The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. +If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>SLES-12-010340The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. 
-The SUSE operating system needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77127SV-91823CCI-000795Configure the SUSE operating system to disable account identifiers after 35 days of inactivity since the password expiration. +The SUSE operating system needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77127SV-91823CCI-000795CCI-003627Configure the SUSE operating system to disable account identifiers after 35 days of inactivity since the password expiration. Run the following command to change the configuration for "useradd" to disable the account identifier after 35 days: 
@@ -661,7 +639,7 @@ Check the account inactivity value by performing the following command: INACTIVE=35 -If "INACTIVE" is not set to a value greater than "0" and less than or equal to "35", this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>SLES-12-010370The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91827V-77131CCI-000366Configure the SUSE operating system to enforce a delay of at least four seconds between logon prompts following a failed logon attempt. 
+If "INACTIVE" is not set to a value greater than "0" and less than or equal to "35", this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>SLES-12-010370The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91827V-77131CCI-000366Configure the SUSE operating system to enforce a delay of at least four seconds between logon prompts following a failed logon attempt. Edit the file "/etc/pam.d/common-auth". 
@@ -673,7 +651,7 @@ auth required pam_faildelay.so delay=4000000SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>SLES-12-010380The SUSE operating system must not allow unattended or automatic logon via the graphical user interface.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts SUSE operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91829V-77133CCI-000366Note: If a graphical user interface is not installed, this requirement is Not Applicable. +If the value of "delay" is not set to "4000000" or greater, "delay" is commented out, "delay" is missing, or the "pam_faildelay" line is missing completely, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>SLES-12-010380The SUSE operating system must not allow unattended or automatic logon via the graphical user interface.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts SUSE operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91829V-77133CCI-000366Note: If a graphical user interface is not installed, this requirement is Not Applicable. 
Configure the SUSE operating system graphical user interface to not allow unattended or automatic logon to the system. 
@@ -696,7 +674,7 @@ DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" If the "DISPLAYMANAGER_AUTOLOGIN" parameter includes a username or the "DISPLAYMANAGER_PASSWORD_LESS_LOGIN" parameter is not set to "no", this is a -finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010390The SUSE operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91831V-77135CCI-000052Configure the SUSE operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login". 
+finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010390The SUSE operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91831V-77135CCI-000052Configure the SUSE operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login". Add the following line to the top of "/etc/pam.d/login": 
@@ -708,7 +686,7 @@ Check that "pam_lastlog" is used and not silent with the following command: session required pam_lastlog.so showfailed -If "pam_lastlog" is missing from "/etc/pam.d/login" file, the "silent" option is present, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010400There must be no .shosts files on the SUSE operating system.<VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77137SV-91833CCI-000366Remove any ".shosts" files found on the SUSE operating system. +If "pam_lastlog" is missing from "/etc/pam.d/login" file, the "silent" option is present, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010400There must be no .shosts files on the SUSE operating system.<VulnDiscussion>The .shosts files are used to configure host-based authentication for individual users or the system via SSH. 
Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77137SV-91833CCI-000366Remove any ".shosts" files found on the SUSE operating system. # rm /[path]/[to]/[file]/.shostsVerify there are no ".shosts" files on the SUSE operating system. 
@@ -716,7 +694,7 @@ Check the system for the existence of these files with the following command: # find / -name '.shosts' -If any ".shosts" files are found on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010410There must be no shosts.equiv files on the SUSE operating system.<VulnDiscussion>The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77139SV-91835CCI-000366Remove any "shosts.equiv" files found on the SUSE operating system. +If any ".shosts" files are found on the system, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010410There must be no shosts.equiv files on the SUSE operating system.<VulnDiscussion>The shosts.equiv files are used to configure host-based authentication for the system via SSH. 
Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77139SV-91835CCI-000366Remove any "shosts.equiv" files found on the SUSE operating system. # rm /[path]/[to]/[file]/shosts.equivVerify there are no "shosts.equiv" files on the SUSE operating system. 
@@ -724,7 +702,7 @@ Check the system for the existence of these files with the following command: # find /etc -name shosts.equiv -If any "shosts.equiv" files are found on the system, this is a finding.SRG-OS-000478-GPOS-00223<GroupDescription></GroupDescription>SLES-12-010420FIPS 140-2 mode must be enabled on the SUSE operating system.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. +If any "shosts.equiv" files are found on the system, this is a finding.SRG-OS-000478-GPOS-00223<GroupDescription></GroupDescription>SLES-12-010420FIPS 140-2 mode must be enabled on the SUSE operating system.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91837V-77141CCI-002450To configure the SUSE operating system to run in FIPS mode, add "fips=1" to the kernel parameter during the SUSE operating system install. 
@@ -736,7 +714,7 @@ http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdfSRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-12-010430SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement.
+If nothing is returned, the file does not exist, or the value returned is "0", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-12-010430SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. 
Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77143SV-91839CCI-000213Note: If the system does not use a basic input/output system (BIOS) this requirement is Not Applicable. 
@@ -769,7 +747,7 @@ Check that the encrypted password is set for a boot user with the following comm password_pbkdf2 boot grub.pbkdf2.sha512.10000.VeryLongString
-If the boot user password entry does not begin with "password_pbkdf2", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-12-010440SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information.
+If the boot user password entry does not begin with "password_pbkdf2", this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>SLES-12-010440SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.<VulnDiscussion>If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information. If the system is running in EFI mode, SLES 12 by default will use GRUB 2 EFI as the boot loader.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91841V-77145CCI-000213Note: If the system does not use UEFI, this requirement is Not Applicable. 
@@ -802,10 +780,10 @@ Check that the encrypted password is set for a boot user with the following comm password_pbkdf2 boot grub.pbkdf2.sha512.10000.VeryLongString
-If the boot user password entry does not begin with "password_pbkdf2", this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>SLES-12-010450All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>SUSE operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
-
-Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
-
+If the boot user password entry does not begin with "password_pbkdf2", this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>SLES-12-010450All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>SUSE operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
+
+Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). + Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77147SV-91843CCI-001199CCI-002475Configure the SUSE operating system to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already-installed system is more difficult because of the need to resize and change existing partitions. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted partition by default. Add it manually in the partitioning dialog. 
@@ -834,7 +812,7 @@ truecrypt /dev/sda3 /etc/container_password tcrypt Every persistent disk partition present on the system must have an entry in the file.
-If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-12-010460The sticky bit must be set on all SUSE operating system world-writable directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, and hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection.
+If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-12-010460The sticky bit must be set on all SUSE operating system world-writable directories.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, and hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. 
@@ -854,7 +832,7 @@ Check that world-writable directories have the sticky bit set with the following 256 0 drwxrwxrwt 1 root root 4096 Jun 14 06:45 /tmp
-If any of the returned directories do not have the sticky bit set, or are not documented as having the write permission for the other class, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>SLES-12-010500Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the SUSE operating system. Changes to SUSE operating system configurations can have unintended side effects, some of which may be relevant to security.
+If any of the returned directories do not have the sticky bit set, or are not documented as having the write permission for the other class, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>SLES-12-010500Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the SUSE operating system. Changes to SUSE operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the SUSE operating system. 
The SUSE operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrator (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77151SV-91847CCI-002696CCI-002699CCI-001744Configure the SUSE operating system to check the baseline configuration for unauthorized changes at least once weekly.
@@ -864,7 +842,7 @@ The following example output is generic. It will set cron to run AIDE weekly, bu # sudo crontab -l
- 0 0 * * 6 /usr/bin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil
+ 0 0 * * 6 /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil Note: Per requirement SLES-12-010498, the "mailx" package must be installed on the system to enable email functionality.Verify the SUSE operating system checks the baseline configuration for unauthorized changes at least once weekly. 
@@ -881,7 +859,7 @@ If the file integrity application does not exist, or a "crontab" entry does not Inspect the file and ensure that the file integrity tool is being executed.
-If a file integrity tool is not configured in the crontab or in a script that runs at least weekly, this is a finding.SRG-OS-000447-GPOS-00201<GroupDescription></GroupDescription>SLES-12-010510The SUSE operating system must notify the System Administrator (SA) when AIDE discovers anomalies in the operation of any security functions.<VulnDiscussion>If anomalies are not acted on, security functions may fail to secure the system.
+If a file integrity tool is not configured in the crontab or in a script that runs at least weekly, this is a finding.SRG-OS-000447-GPOS-00201<GroupDescription></GroupDescription>SLES-12-010510The SUSE operating system must notify the System Administrator (SA) when AIDE discovers anomalies in the operation of any security functions.<VulnDiscussion>If anomalies are not acted on, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
@@ -891,20 +869,20 @@ This capability must take into account operational requirements for availability Add following command to a cron job replacing the "[E-MAIL]" parameter with a proper email address for the SA:
- /usr/bin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil
+ /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil Note: Per requirement SLES-12-010498, the "mailx" package must be installed on the system to enable email functionality.Verify the SUSE operating system notifies the SA when AIDE discovers anomalies in the operation of any security functions. Check to see if the aide cron job sends an email when executed with the following command: # sudo crontab -l
- 0 0 * * 6 /usr/bin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil
+ 0 0 * * 6 /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil If a "crontab" entry does not exist, check the cron directories for a script that runs the file integrity application and is configured to execute a binary to send an email: # ls -al /etc/cron.daily /etc/cron.weekly
-If a cron job is not configured to execute a binary to send an email (such as "/bin/mail"), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010520The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity 
tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77155SV-91851CCI-000366Configure the SUSE operating system file integrity tool to check file and directory ACLs.
+If a cron job is not configured to execute a binary to send an email (such as "/bin/mail"), this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010520The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).<VulnDiscussion>ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77155SV-91851CCI-000366Configure the SUSE operating system file integrity tool to check file and directory ACLs. If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.Verify that the SUSE operating system file integrity tool is configured to verify ACLs. 
@@ -916,7 +894,7 @@ An example rule that includes the "acl" rule follows: /bin All # apply the custom rule to the files in bin /sbin All # apply the same custom rule to the files in sbin
-If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010530The SUSE operating system file integrity tool must be configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91853V-77157CCI-000366Configure the SUSE operating system file integrity tool to check file and directory extended attributes. 
+If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010530The SUSE operating system file integrity tool must be configured to verify extended attributes.<VulnDiscussion>Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91853V-77157CCI-000366Configure the SUSE operating system file integrity tool to check file and directory extended attributes. If AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists.Verify that the SUSE operating system file integrity tool is configured to verify extended attributes. 
@@ -928,7 +906,7 @@ An example rule that includes the "xattrs" rule follows: /bin All # apply the custom rule to the files in bin /sbin All # apply the same custom rule to the files in sbin
-If the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>SLES-12-010540The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity.
+If the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>SLES-12-010540The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. 
@@ -961,11 +939,11 @@ Check that AIDE is properly configured to protect the integrity of the audit too If AIDE is configured properly to protect the integrity of the audit tools, all lines listed above will be returned from the command.
-If one or more lines are missing, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>SLES-12-010550The SUSE operating system tool zypper must have gpgcheck enabled.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the SUSE operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor.
+If one or more lines are missing, this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>SLES-12-010550The SUSE operating system tool zypper must have gpgcheck enabled.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the SUSE operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or SUSE operating system components must be signed with a certificate recognized and approved by the organization.
-Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The SUSE operating system should not have to verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certification Authority (CA).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77161SV-91857CCI-001749Configure that the SUSE operating system tool zypper to enable gpgcheck by editing or adding the following line to "/etc/zypp/zypp.conf":
+Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The SUSE operating system should not have to verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certification Authority (CA).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77161SV-91857CCI-001749CCI-003992Configure that the SUSE operating system tool zypper to enable gpgcheck by editing or adding the following line to "/etc/zypp/zypp.conf": gpgcheck = 1Verify that the SUSE operating system tool zypper has gpgcheck enabled. 
@@ -975,7 +953,7 @@ Check that zypper has gpgcheck enabled with the following command: gpgcheck = 1
-If "gpgcheck" is set to "0", "off", "no", or "false", this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>SLES-12-010570The SUSE operating system must remove all outdated software components after updated versions have been installed.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77163SV-91859CCI-002617Configure the SUSE operating system to remove all outdated software components after an update by editing the following line in "/etc/zypp/zypp.conf" to match the one provided below:
+If "gpgcheck" is set to "0", "off", "no", or "false", this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>SLES-12-010570The SUSE operating system must remove all outdated software components after updated versions have been installed.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. 
Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77163SV-91859CCI-002617Configure the SUSE operating system to remove all outdated software components after an update by editing the following line in "/etc/zypp/zypp.conf" to match the one provided below: solver.upgradeRemoveDroppedPackages = trueVerify the SUSE operating system removes all outdated software components after updated version have been installed by running the following command: 
@@ -983,7 +961,7 @@ solver.upgradeRemoveDroppedPackages = trueSRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>SLES-12-010580The SUSE operating system must disable the USB mass storage kernel module.<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
+If "solver.upgradeRemoveDroppedPackages" is commented out, is set to "false", or is missing completely, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>SLES-12-010580The SUSE operating system must disable the USB mass storage kernel module.<VulnDiscussion>Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include but are not limited to such devices as flash drives, external storage, and printers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91861V-77165CCI-001958Configure the SUSE operating system to prevent USB mass storage devices from automounting when connected to the host. 
@@ -996,7 +974,7 @@ Check that "usb-storage" is blacklisted in the "/etc/modprobe.d/50-blacklist.con # grep usb-storage /etc/modprobe.d/50-blacklist.conf blacklist usb-storage
-If nothing is output from the command, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>SLES-12-010590The SUSE operating system must disable the file system automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
+If nothing is output from the command, this is a finding.SRG-OS-000114-GPOS-00059<GroupDescription></GroupDescription>SLES-12-010590The SUSE operating system must disable the file system automounter unless required.<VulnDiscussion>Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77167SV-91863CCI-000366CCI-000778CCI-001958Configure the SUSE operating system to disable the ability to automount devices. 
@@ -1014,7 +992,7 @@ autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) -If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>SLES-12-010600The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.<VulnDiscussion>Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. +If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000312-GPOS-00122<GroupDescription></GroupDescription>SLES-12-010600The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.<VulnDiscussion>Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. 
@@ -1054,7 +1032,7 @@ Active: active (exited) since Fri 2017-01-13 01:01:01 GMT; 1day 1h ago If something other than "Active: active" is returned, this is a finding. -Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010610The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91867V-77171CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: +Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010610The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. 
If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91867V-77171CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: > sudo systemctl disable ctrl-alt-del.target 
@@ -1071,7 +1049,7 @@ Check that the ctrl-alt-del.target is masked with the following command: Loaded: masked (/dev/null; masked) Active: inactive (dead) -If the ctrl-alt-del.target is not masked, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010611The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-108091V-98987CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface. +If the ctrl-alt-del.target is not masked, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010611The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. 
In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-108091V-98987CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface. Create a database to contain the system-wide setting (if it does not already exist) with the following steps: 
@@ -1113,7 +1091,7 @@ Check that the value is not writable and cannot be changed by the user: > sudo gsettings writable org.gnome.settings-daemon.plugins.media-keys logout false -If the logout value is not [''] and the writable status is not false, this is a finding.SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>SLES-12-010620The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.<VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91869V-77173CCI-000366Configure the SUSE operating system to define the default permissions for all authenticated users in such a way that the users can only read and modify their own files. 
+If the logout value is not [''] and the writable status is not false, this is a finding.SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>SLES-12-010620The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.<VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91869V-77173CCI-000366Configure the SUSE operating system to define the default permissions for all authenticated users in such a way that the users can only read and modify their own files. Add or edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below: 
@@ -1127,7 +1105,7 @@ UMASK 077 If the "UMASK" variable is set to "000", the severity is raised to a CAT I, and this is a finding. -If the value of "UMASK" is not set to "077", "UMASK" is commented out, or "UMASK" is missing completely, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010630The SUSE operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77175SV-91871CCI-000366Configure the SUSE operating system so all accounts on the system are assigned to an active system, application, or user account. +If the value of "UMASK" is not set to "077", "UMASK" is commented out, or "UMASK" is missing completely, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010630The SUSE operating system must not have unnecessary accounts.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. 
Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77175SV-91871CCI-000366Configure the SUSE operating system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. 
@@ -1144,7 +1122,7 @@ games:x:12:100:Games account:/var/games:/bin/bash Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. -If the accounts on the system do not match the provided documentation, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>SLES-12-010640The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.<VulnDiscussion>To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. +If the accounts on the system do not match the provided documentation, this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>SLES-12-010640The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.<VulnDiscussion>To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 
@@ -1160,7 +1138,7 @@ Check that the SUSE operating system contains no duplicate UIDs for interactive # awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd -If output is produced, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010650The SUSE operating system root account must be the only account having unrestricted access to the system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SUSE operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77179SV-91875CCI-000366Change the UID of any account on the SUSE operating system, other than the root account, that has a UID of "0". +If output is produced, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010650The SUSE operating system root account must be the only account having unrestricted access to the system.<VulnDiscussion>If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SUSE operating system. 
Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77179SV-91875CCI-000366Change the UID of any account on the SUSE operating system, other than the root account, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.Verify that the SUSE operating system root account is the only account with unrestricted access to the system. 
@@ -1170,7 +1148,7 @@ Check the system for duplicate UID "0" assignments with the following command: root -If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>SLES-12-010670If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out of date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77183SV-91879CCI-002007Configure NSS, if used by the SUSE operating system, to prohibit the use of cached authentications after one day. 
+If any accounts other than root have a UID of "0", this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>SLES-12-010670If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out of date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77183SV-91879CCI-002007Configure NSS, if used by the SUSE operating system, to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[nss]": 
@@ -1184,7 +1162,7 @@ Check that cached authentications cannot be used after one day with the followin memcache_timeout = 86400 -If "memcache_timeout" has a value greater than "86400", or is missing, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>SLES-12-010680The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.<VulnDiscussion>If cached authentication information is out of date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77185SV-91881CCI-002007Configure the SUSE operating system PAM to prohibit the use of cached authentications after one day. 
+If "memcache_timeout" has a value greater than "86400", or is missing, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>SLES-12-010680The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.<VulnDiscussion>If cached authentication information is out of date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77185SV-91881CCI-002007Configure the SUSE operating system PAM to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]": 
@@ -1198,7 +1176,7 @@ Check that cached off line authentications cannot be used after one day with the offline_credentials_expiration = 1 -If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010690All SUSE operating system files and directories must have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier (UID) as the UID of the unowned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91883V-77187CCI-002165Either remove all files and directories from the SUSE operating system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command: +If "offline_credentials_expiration" is not set to a value of "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010690All SUSE operating system files and directories must have a valid owner.<VulnDiscussion>Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier (UID) as the UID of the unowned files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE 
Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91883V-77187CCI-002165Either remove all files and directories from the SUSE operating system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command: # sudo chown <user> <file>Verify that all SUSE operating system files and directories on the system have a valid owner. 
@@ -1208,7 +1186,7 @@ Note: The value after -fstype must be replaced with the filesystem type. XFS is # find / -fstype xfs -nouser -If any files on the system do not have an assigned owner, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010700All SUSE operating system files and directories must have a valid group owner.<VulnDiscussion>Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91889V-77193CCI-002165Either remove all files and directories from the SUSE operating system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command: +If any files on the system do not have an assigned owner, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010700All SUSE operating system files and directories must have a valid group owner.<VulnDiscussion>Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group 
owner.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91889V-77193CCI-002165Either remove all files and directories from the SUSE operating system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command: # sudo chgrp <group> <file>Verify all SUSE operating system files and directories on the system have a valid group. 
@@ -1218,7 +1196,7 @@ Note: The value after -fstype must be replaced with the filesystem type. XFS is # find / -fstype xfs -nogroup -If any files on the system do not have an assigned group, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010710All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91893V-77197CCI-000366Assign home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned. 
+If any files on the system do not have an assigned group, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010710All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91893V-77197CCI-000366Assign home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned. Assign a home directory to users via the usermod command: 
@@ -1233,7 +1211,7 @@ Ask the System Administrator (SA) if any users found without home directories ar > sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd -If any interactive users do not have a home directory assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010720All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77199SV-91895CCI-000366Configure the SUSE operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. 
+If any interactive users do not have a home directory assigned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010720All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.<VulnDiscussion>If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77199SV-91895CCI-000366Configure the SUSE operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. CREATE_HOME yesVerify all SUSE operating system local interactive users on the system are assigned a home directory upon creation. 
@@ -1242,7 +1220,7 @@ Check to see if the system is configured to create home directories for local in # grep -i create_home /etc/login.defs CREATE_HOME yes -If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010730All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.<VulnDiscussion>If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91899V-77203CCI-000366Create home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned. 
Use the following commands to create the user home directory assigned in "/etc/ passwd": +If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010730All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.<VulnDiscussion>If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91899V-77203CCI-000366Create home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd". 
@@ -1265,7 +1243,7 @@ Check that all referenced home directories exist with the following command: user 'smithj': directory '/home/smithj' does not exist -If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010740All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91903V-77207CCI-000366Change the mode of SUSE operating system local interactive user's home directories to "0750". 
To change the mode of a local interactive user's home directory, use the following command: +If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010740All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.<VulnDiscussion>Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91903V-77207CCI-000366Change the mode of SUSE operating system local interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj". 
@@ -1278,7 +1256,7 @@ Note: This may miss interactive users that have been assigned a privileged User # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj -If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010750All SUSE operating system local interactive user home directories must be group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91907V-77211CCI-000366Change the group owner of a SUSE operating system local interactive user's home directory to the group found in "/etc/passwd". 
To change the group owner of a local interactive user's home directory, use the following command: +If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010750All SUSE operating system local interactive user home directories must be group-owned by the home directory owners primary group.<VulnDiscussion>If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91907V-77211CCI-000366Change the group owner of a SUSE operating system local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. 
@@ -1296,7 +1274,7 @@ Check the user's primary group with the following command: # grep users /etc/group users:x:250:smithj,jonesj,jacksons -If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010760All SUSE operating system local initialization files must have mode 0740 or less permissive.<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91911V-77215CCI-000366Set the mode of SUSE operating system local initialization files to "0740" with the following command: +If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010760All SUSE operating system local initialization files must have mode 0740 or less permissive.<VulnDiscussion>Local initialization files are used to configure the user's shell environment upon logon. 
Malicious modification of these files could compromise accounts upon logon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91911V-77215CCI-000366Set the mode of SUSE operating system local initialization files to "0740" with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". 
@@ -1311,7 +1289,7 @@ Note: The example will be for the user "smithj", who has a home directory of "/h -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something -If any local initialization files have a mode more permissive than "0740", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010770All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91915V-77219CCI-000366Edit the SUSE operating system local interactive user initialization files to change any PATH variable statements for executables that reference directories other than their home directory. 
If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.Verify that all SUSE operating system local interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the user's home directory. +If any local initialization files have a mode more permissive than "0740", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010770All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.<VulnDiscussion>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. 
If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91915V-77219CCI-000366Edit the SUSE operating system local interactive user initialization files to change any PATH variable statements for executables that reference directories other than their home directory. If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.Verify that all SUSE operating system local interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the user's home directory. Check the executable search path statement for all operating system local interactive user initialization files in the user's home directory with the following commands: 
@@ -1320,7 +1298,7 @@ Note: The example will be for the user "smithj", who has a home directory of "/h # sudo grep -i path= /home/smithj/.* /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin -If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010780All SUSE operating system local initialization files must not execute world-writable programs.<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91921V-77225CCI-000366Remove the references to these files in the local initialization scripts or remove the world-writable permission of files referenced by SUSE operating system local initialization scripts with the following command: +If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the Information System Security Officer 
(ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010780All SUSE operating system local initialization files must not execute world-writable programs.<VulnDiscussion>If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91921V-77225CCI-000366Remove the references to these files in the local initialization scripts or remove the world-writable permission of files referenced by SUSE operating system local initialization scripts with the following command: > sudo chmod 0755 <file>Verify that SUSE operating system local initialization files do not execute world-writable programs. 
@@ -1336,7 +1314,7 @@ users' home directories in the "/home" directory. > sudo find /home/* -maxdepth 1 -type f -name \.\* -exec grep -H <file> {} \; -If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010790SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91925V-77229CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that contain user home directories for interactive users. +If any local initialization files are found to reference world-writable files, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010790SUSE operating system file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. 
This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91925V-77229CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that contain user home directories for interactive users. Re-mount the filesystems. 
@@ -1349,7 +1327,7 @@ Print the currently active file system mount options of the file system(s) that If a file system containing user home directories is not mounted with the FSTYPE OPTION nosuid, this is a finding. -Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010800SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91933V-77237CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that are associated with removable media.Verify SUSE operating system file systems used for removable media are mounted with the "nosuid" option. 
+Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010800SUSE operating system file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91933V-77237CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that are associated with removable media.Verify SUSE operating system file systems used for removable media are mounted with the "nosuid" option. Check the file systems that are mounted at boot time with the following command: 
@@ -1357,7 +1335,7 @@ Check the file systems that are mounted at boot time with the following command: UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0 -If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010810SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91937V-77241CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that are being exported via NFS.Verify SUSE operating system file systems that are being NFS exported are mounted with the "nosuid" option. 
+If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010810SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.<VulnDiscussion>The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91937V-77241CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that are being exported via NFS.Verify SUSE operating system file systems that are being NFS exported are mounted with the "nosuid" option. Find the file system(s) that contain the directories being exported with the following command: 
@@ -1365,7 +1343,7 @@ Find the file system(s) that contain the directories being exported with the fol UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0 -If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010820SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91947V-77251CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "noexec" option on file systems that are being exported via NFS.Verify the SUSE operating system file systems that are being NFS exported are mounted with the "noexec" option. 
+If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010820SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.<VulnDiscussion>The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91947V-77251CCI-000366Configure the SUSE operating system "/etc/fstab" file to use the "noexec" option on file systems that are being exported via NFS.Verify the SUSE operating system file systems that are being NFS exported are mounted with the "noexec" option. Find the file system(s) that contain the directories being exported with the following command: 
@@ -1373,7 +1351,7 @@ Find the file system(s) that contain the directories being exported with the fol UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0 -If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010830All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others. +If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010830All SUSE operating system world-writable directories must be group-owned by root, sys, bin, or an application group.<VulnDiscussion>If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. 
The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91949V-77253CCI-000366Change the group of the SUSE operating system world-writable directories to root with the following command: 
@@ -1389,7 +1367,7 @@ drwxrwxrwt. 2 root root 40 Aug 26 13:07 /dev/mqueue drwxrwxrwt. 2 root root 220 Aug 26 13:23 /dev/shm drwxrwxrwt. 14 root root 4096 Aug 26 13:29 /tmp -If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010840SUSE operating system kernel core dumps must be disabled unless needed.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77257SV-91953CCI-000366If SUSE operating system kernel core dumps are not required, disable the "kdump" service with the following command: +If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010840SUSE operating system kernel core dumps must be disabled unless needed.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. 
Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77257SV-91953CCI-000366If SUSE operating system kernel core dumps are not required, disable the "kdump" service with the following command: # systemctl disable kdump.service 
@@ -1403,7 +1381,7 @@ Check the status of the "kdump" service with the following command: If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). -If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010850A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91957V-77261CCI-000366Create a separate file system/partition for SUSE operating system non-privileged local interactive user home directories. 
+If the service is active and is not documented, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010850A separate file system must be used for SUSE operating system user home directories (such as /home or an equivalent).<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91957V-77261CCI-000366Create a separate file system/partition for SUSE operating system non-privileged local interactive user home directories. Migrate the non-privileged local interactive user home directories onto the separate file system/partition.Verify that a separate file system/partition has been created for SUSE operating system non-privileged local interactive user home directories. 
@@ -1424,7 +1402,7 @@ Note: The partition of /home is used in the example. # grep /home /etc/fstab UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2 -If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010860The SUSE operating system must use a separate file system for /var.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77265SV-91961CCI-000366Create a separate file system/partition on the SUSE operating system for "/var". 
+If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010860The SUSE operating system must use a separate file system for /var.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77265SV-91961CCI-000366Create a separate file system/partition on the SUSE operating system for "/var". Migrate "/var" onto the separate file system/partition.Verify that the SUSE operating system has a separate file system/partition for "/var". 
@@ -1433,7 +1411,7 @@ Check that a file system/partition has been created for "/var" with the followin # grep /var /etc/fstab UUID=c274f65f /var ext4 noatime,nobarrier 1 2 -If a separate entry for "/var" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010870The SUSE operating system must use a separate file system for the system audit data path.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77271SV-91967CCI-000366Migrate the SUSE operating system audit data path onto a separate file system.Verify that the SUSE operating system has a separate file system/partition for the system audit data path. 
+If a separate entry for "/var" is not in use, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010870The SUSE operating system must use a separate file system for the system audit data path.<VulnDiscussion>The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77271SV-91967CCI-000366Migrate the SUSE operating system audit data path onto a separate file system.Verify that the SUSE operating system has a separate file system/partition for the system audit data path. Check that a file system/partition has been created for the system audit data path with the following command: 
@@ -1444,7 +1422,7 @@ UUID=3645951a /var/log/audit ext4 defaults 1 2 If a separate entry for the system audit data path (in this example the "/var/log/audit" path) does not exist, ask the System Administrator if the system audit logs are being written to a different file system/partition on the system and then grep for that file system/partition. -If a separate file system/partition does not exist for the system audit data path, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>SLES-12-010890The SUSE operating system must prevent unauthorized users from accessing system error messages.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. +If a separate file system/partition does not exist for the system audit data path, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>SLES-12-010890The SUSE operating system must prevent unauthorized users from accessing system error messages.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91971V-77275CCI-001314Configure the SUSE operating system to prevent unauthorized users from accessing system error messages. 
@@ -1468,7 +1446,7 @@ Check that "permissions.local" file contains the correct permissions rules with /var/log/messages root:root 640 -If the effective permissions do not match the "permissions.local" file, the command does not return any output, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010910The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.<VulnDiscussion>"pam-config" is a command line utility that automatically generates a system PAM configuration as packages are installed, updated or removed from the system. "pam-config" removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91981V-77285CCI-000366Copy the PAM configuration files to their static locations and remove the SUSE operating system soft links for the PAM configuration files with the following command: +If the effective permissions do not match the "permissions.local" file, the command does not return any output, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010910The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.<VulnDiscussion>"pam-config" is a command line utility that automatically generates a system PAM configuration as 
packages are installed, updated or removed from the system. "pam-config" removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91981V-77285CCI-000366Copy the PAM configuration files to their static locations and remove the SUSE operating system soft links for the PAM configuration files with the following command: > sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done' 
@@ -1478,13 +1456,13 @@ Check that soft links between PAM configuration files are removed with the follo > find /etc/pam.d/ -type l -iname "common-*" -If any results are returned, this is a finding.SRG-OS-000337-GPOS-00129<GroupDescription></GroupDescription>SLES-12-020000The SUSE operating system must have the auditing package installed.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. +If any results are returned, this is a finding.SRG-OS-000337-GPOS-00129<GroupDescription></GroupDescription>SLES-12-020000The SUSE operating system must have the auditing package installed.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system. 
-Satisfies: SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77287SV-91983CCI-000172CCI-001882CCI-001889CCI-001877CCI-001914CCI-001814CCI-001875CCI-001878CCI-001879CCI-001880CCI-001881The SUSE operating system auditd package must be installed on the system. 
If it is not installed, use the following command to install it: +Satisfies: SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77287SV-91983CCI-000172CCI-001882CCI-001889CCI-001877CCI-001914CCI-001814CCI-003938CCI-001875CCI-001878CCI-001879CCI-001880CCI-001881The SUSE operating system auditd package must be installed on the system. If it is not installed, use the following command to install it: # sudo zypper in auditdVerify the SUSE operating system auditing package is installed. 
@@ -1494,7 +1472,7 @@ Check that the "audit" package is installed by performing the following command: i | audit | User Space Tools for 2.6 Kernel Auditing -If the package "audit" is not installed on the system, then this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020010SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. +If the package "audit" is not installed on the system, then this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020010SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.<VulnDiscussion>Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. 
@@ -1513,7 +1491,7 @@ If the service is enabled, the returned message must contain the following text: Active: active (running) -If the service is not running, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>SLES-12-020020The SUSE operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure SUSE operating systems have a sufficient storage capacity in which to write the audit logs, SUSE operating systems need to be able to allocate audit record storage capacity. +If the service is not running, this is a finding.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>SLES-12-020020The SUSE operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>To ensure SUSE operating systems have a sufficient storage capacity in which to write the audit logs, SUSE operating systems need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of the SUSE operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77291SV-91987CCI-001849Allocate enough storage capacity for at least one week's worth of SUSE operating system audit records when audit records are not immediately sent to a central audit record storage facility. 
@@ -1538,7 +1516,7 @@ If the audit records are not written to a partition made specifically for audit The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. -If the audit record partition is not allocated sufficient storage capacity, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>SLES-12-020030The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91989V-77293CCI-001855Check the system configuration to determine the partition to which the audit records are written: +If the audit record partition is not allocated sufficient storage capacity, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>SLES-12-020030The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record 
storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91989V-77293CCI-001855Check the system configuration to determine the partition to which the audit records are written: # grep -iw log_file /etc/audit/auditd.conf 
@@ -1568,7 +1546,7 @@ Determine the threshold for the system to take action when 75 percent of the rep # grep -iw space_left /etc/audit/auditd.conf space_left = 225 -If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>SLES-12-020040The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. +If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>SLES-12-020040The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. 
@@ -1584,7 +1562,7 @@ sudo grep action_mail /etc/audit/auditd.conf action_mail_acct = root -If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>SLES-12-020050The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. +If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>SLES-12-020050The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. 
@@ -1613,7 +1591,7 @@ Verify the alias for root forwards to a monitored e-mail account: > grep -i "^root:" /etc/aliases root: person@server.mil -If the alias for root does not forward to a monitored e-mail account, this is a finding.SRG-OS-000047-GPOS-00023<GroupDescription></GroupDescription>SLES-12-020060The SUSE operating system audit system must take appropriate action when the audit storage volume is full.<VulnDiscussion>It is critical that when the SUSE operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode. +If the alias for root does not forward to a monitored e-mail account, this is a finding.SRG-OS-000047-GPOS-00023<GroupDescription></GroupDescription>SLES-12-020060The SUSE operating system audit system must take appropriate action when the audit storage volume is full.<VulnDiscussion>It is critical that when the SUSE operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 
@@ -1631,7 +1609,7 @@ Check that the SUSE operating system takes the appropriate action when the audit disk_full_action = SYSLOG -If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-12-020070The audit-audispd-plugins must be installed on the SUSE operating system.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-12-020070The audit-audispd-plugins must be installed on the SUSE operating system.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-91997V-77301CCI-001851Install the "audit-audispd-plugins" package on the SUSE operating system by running the following command: 
@@ -1651,7 +1629,7 @@ Verify the "au-remote" plugin is enabled with the following command: # grep -i active /etc/audisp/plugins.d/au-remote.conf active = yes -If "active" is missing, commented out, or is not set to "yes", this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-12-020080The SUSE operating system audit event multiplexor must be configured to use Kerberos.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If "active" is missing, commented out, or is not set to "yes", this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-12-020080The SUSE operating system audit event multiplexor must be configured to use Kerberos.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Audit events may include sensitive data must be encrypted prior to transmission. Kerberos provides a mechanism to provide both authentication and encryption for audit event records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77303SV-91999CCI-001851Configure the SUSE operating system audit event multiplexor to use Kerberos by editing the "/etc/audisp/audisp-remote.conf" file. 
@@ -1662,7 +1640,7 @@ enable_krb5 = yesSRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-12-020090Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If "enable-krb5" is not set to "yes", this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>SLES-12-020090Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92001V-77305CCI-001851Configure the SUSE operating system "/etc/audisp/audisp-remote.conf" file to off-load audit records onto a different system or media by adding or editing the following line with the correct IP address: 
@@ -1673,7 +1651,7 @@ Check if "audispd" is configured to off-load audit records onto a different syst # sudo cat /etc/audisp/audisp-remote.conf | grep remote_server remote_server = 192.168.1.101 -If "remote_server" is not set to an external server or media, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-12-020100The audit system must take appropriate action when the network cannot be used to off-load audit records.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If "remote_server" is not set to an external server or media, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-12-020100The audit system must take appropriate action when the network cannot be used to off-load audit records.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92003V-77307CCI-001851Configure the SUSE operating system to take the appropriate action if it cannot off-load audit records to a different system or storage media from the system being audited due to a network failure. 
@@ -1687,7 +1665,7 @@ Check the action that the audit system takes in the event of a network failure w network_failure_action = syslog -If the "network_failure_action" option is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-12-020110Audispd must take appropriate action when the SUSE operating system audit storage is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If the "network_failure_action" option is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-12-020110Audispd must take appropriate action when the SUSE operating system audit storage is full.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92005V-77309CCI-001851Configure the SUSE operating system to take the appropriate action if the audit storage is full. 
@@ -1700,7 +1678,7 @@ Check that the records are properly off-loaded to a remote server with the follo # sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf disk_full_action = syslog -If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>SLES-12-020120The SUSE operating system must protect audit rules from unauthorized modification.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>SLES-12-020120The SUSE operating system must protect audit rules from unauthorized modification.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77311SV-92007CCI-000162CCI-000163CCI-000164Configure the SUSE operating system to protect audit rules from unauthorized modification. 
@@ -1730,7 +1708,7 @@ Check that all of the audit information files and folders have the correct permi # sudo chkstat /etc/permissions.local -If the command returns any output, this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>SLES-12-020130The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. +If the command returns any output, this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>SLES-12-020130The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SUSE operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. 
@@ -1770,7 +1748,7 @@ Check that all of the audit information files and folders have the correct permi > sudo chkstat /etc/permissions.local -If the command returns any output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-020199The SUSE operating system must not disable syscall auditing.<VulnDiscussion>By default, the SUSE operating system includes the "-a task,never" audit rule as a default. This rule suppresses syscall auditing for all tasks started with this rule in effect. Because the audit daemon processes the "audit.rules" file from the top down, this rule supersedes all other defined syscall rules; therefore no syscall auditing can take place on the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-97227SV-106365CCI-000366Remove the "-a task,never" rule from the /etc/audit/rules.d/audit.rules file. +If the command returns any output, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-020199The SUSE operating system must not disable syscall auditing.<VulnDiscussion>By default, the SUSE operating system includes the "-a task,never" audit rule as a default. This rule suppresses syscall auditing for all tasks started with this rule in effect. 
Because the audit daemon processes the "audit.rules" file from the top down, this rule supersedes all other defined syscall rules; therefore no syscall auditing can take place on the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-97227SV-106365CCI-000366Remove the "-a task,never" rule from the /etc/audit/rules.d/audit.rules file. The audit daemon must be restarted for the changes to take effect. 
@@ -1785,11 +1763,11 @@ Verify the default rule "-a task,never" is not statically defined : > sudo grep -rv "^#" /etc/audit/rules.d/ | grep -i "a task,never" -If any results are returned, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-12-020200The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. +If any results are returned, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-12-020200The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000470-GPOS-00214, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92011V-77315CCI-001403CCI-000172CCI-000018CCI-002130CCI-002132Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/passwd" file occur.
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000470-GPOS-00214, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92011V-77315CCI-001403CCI-000172CCI-000018CCI-002130CCI-002132CCI-000015Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/passwd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": 
@@ -1805,11 +1783,11 @@ Check that the following file is being watched by performing the following comma -w /etc/passwd -p wa -k account_mod -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-12-020210The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-12-020210The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92013V-77317CCI-000018CCI-000172CCI-001403CCI-002130CCI-002132Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/group" file occur.
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92013V-77317CCI-000018CCI-000172CCI-001403CCI-002130CCI-002132CCI-000015Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/group" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": 
@@ -1825,11 +1803,11 @@ Check that the following file is being watched by performing the following comma -w /etc/group -p wa -k account_mod -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-12-020220The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-12-020220The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92015V-77319CCI-001403CCI-000172CCI-000018CCI-002132CCI-002130Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/shadow" file occur.
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92015V-77319CCI-001403CCI-000172CCI-000018CCI-002132CCI-000015CCI-002130Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/shadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": 
@@ -1845,11 +1823,11 @@ Check that the following file is being watched by performing the following comma -w /etc/shadow -p wa -k account_mod -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-12-020230The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-12-020230The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92017V-77321CCI-000018CCI-000172CCI-001403CCI-002130CCI-002132Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/security/opasswd" file occur.
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92017V-77321CCI-000018CCI-000172CCI-001403CCI-002130CCI-002132CCI-000015Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/security/opasswd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": 
@@ -1866,9 +1844,9 @@ Check that the following file is being watched by performing the following comma -w /etc/security/opasswd -p wa -k account_mod -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>SLES-12-020240The SUSE operating system must generate audit records for all uses of the privileged functions.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000327-GPOS-00127<GroupDescription></GroupDescription>SLES-12-020240The SUSE operating system must generate audit records for all uses of the privileged functions.<VulnDiscussion>Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. 
-Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77323SV-92019CCI-001877CCI-001878CCI-001914CCI-001889CCI-001875CCI-001881CCI-001882CCI-001879CCI-001880CCI-001814CCI-002234Configure the operating system to audit the execution of privileged functions.
+Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77323SV-92019CCI-001877CCI-001878CCI-001914CCI-001889CCI-001875CCI-001881CCI-001882CCI-001879CCI-001880CCI-001814CCI-003938CCI-002234Configure the operating system to audit the execution of privileged functions. 
Add or update the following rules in "/etc/audit/rules.d/audit.rules": @@ -1890,7 +1868,7 @@ The audit daemon must be restarted for the changes to take effect. If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. -If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020250The SUSE operating system must generate audit records for all uses of the su command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020250The SUSE operating system must generate audit records for all uses of the su command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -1910,7 +1888,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020260The SUSE operating system must generate audit records for all uses of the sudo command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020260The SUSE operating system must generate audit records for all uses of the sudo command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
@@ -1930,7 +1908,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudo -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020280The SUSE operating system must generate audit records for all uses of the chfn command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020280The SUSE operating system must generate audit records for all uses of the chfn command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
@@ -1950,7 +1928,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020290The SUSE operating system must generate audit records for all uses of the mount command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020290The SUSE operating system must generate audit records for all uses of the mount command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
@@ -1976,7 +1954,7 @@ Check that the following command call is being audited by performing the followi If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding. -If all uses of the "mount" command are not being audited, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020300The SUSE operating system must generate audit records for all uses of the umount command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If all uses of the "mount" command are not being audited, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020300The SUSE operating system must generate audit records for all uses of the umount command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
@@ -2000,7 +1978,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount -If both the "b32" and "b64" audit rules are not defined for the "umount" syscall, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020310The SUSE operating system must generate audit records for all uses of the ssh-agent command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If both the "b32" and "b64" audit rules are not defined for the "umount" syscall, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020310The SUSE operating system must generate audit records for all uses of the ssh-agent command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
@@ -2020,7 +1998,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-agent -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020320The SUSE operating system must generate audit records for all uses of the ssh-keysign command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020320The SUSE operating system must generate audit records for all uses of the ssh-keysign command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
@@ -2040,7 +2018,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-keysign -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020360The SUSE operating system must generate audit records for all uses of the kmod command.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020360The SUSE operating system must generate audit records for all uses of the kmod command.<VulnDiscussion>Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2072,7 +2050,7 @@ Check that the following command call is being audited by performing the followi If the system is configured to audit the execution of the module management program "kmod", the command will return a line. -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020370The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020370The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2096,7 +2074,7 @@ Verify that the following command call is being audited by performing the follow -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020420The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020420The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2118,7 +2096,7 @@ Verify that the following command call is being audited by performing the follow -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", "lchown" syscalls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020460The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", "lchown" syscalls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020460The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2142,7 +2120,7 @@ Verify that the following command call is being audited by performing the follow -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020490The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020490The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2176,7 +2154,7 @@ If both the "b32" and "b64" audit rules are not defined for the "creat", "open", If the output does not produce rules containing "-F exit=-EPERM", this is a finding. -If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020550The SUSE operating system must generate audit records for all uses of the passwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If the output does not produce rules containing "-F exit=-EACCES", this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020550The SUSE operating system must generate audit records for all uses of the passwd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
@@ -2196,7 +2174,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020560The SUSE operating system must generate audit records for all uses of the gpasswd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020560The SUSE operating system must generate audit records for all uses of the gpasswd command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
@@ -2216,7 +2194,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020570The SUSE operating system must generate audit records for all uses of the newgrp command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020570The SUSE operating system must generate audit records for all uses of the newgrp command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
@@ -2236,7 +2214,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-newgrp -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020580The SUSE operating system must generate audit records for a uses of the chsh command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020580The SUSE operating system must generate audit records for a uses of the chsh command.<VulnDiscussion>Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. 
@@ -2256,7 +2234,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chsh -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-12-020590The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>SLES-12-020590The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
@@ -2276,7 +2254,7 @@ Check that the following file is being watched by performing the following comma -w /etc/gshadow -p wa -k account_mod -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020600The SUSE operating system must generate audit records for all uses of the chmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020600The SUSE operating system must generate audit records for all uses of the chmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2296,7 +2274,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020610The SUSE operating system must generate audit records for all uses of the setfacl command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020610The SUSE operating system must generate audit records for all uses of the setfacl command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2316,7 +2294,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020620The SUSE operating system must generate audit records for all uses of the chacl command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020620The SUSE operating system must generate audit records for all uses of the chacl command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2336,7 +2314,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020630Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020630Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2356,7 +2334,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020640The SUSE operating system must generate audit records for all uses of the rm command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020640The SUSE operating system must generate audit records for all uses of the rm command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2376,7 +2354,7 @@ Check that the following command call is being audited by performing the followi -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod -If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020650The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020650The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2396,7 +2374,7 @@ Check that the following command call is being audited by performing the followi -w /var/log/tallylog -p wa -k logins -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020660The SUSE operating system must generate audit records for all modifications to the lastlog file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020660The SUSE operating system must generate audit records for all modifications to the lastlog file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2416,7 +2394,7 @@ Check that the following is being audited by performing the following command to -w /var/log/lastlog -p wa -k logins -If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020670The SUSE operating system must generate audit records for all uses of the passmass command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020670The SUSE operating system must generate audit records for all uses of the passmass command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2436,7 +2414,7 @@ Check that the following command call is being audited by performing the followi
 -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passmass
-If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020680The SUSE operating system must generate audit records for all uses of the unix_chkpwd command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020680The SUSE operating system must generate audit records for all uses of the unix_chkpwd command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
 Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -2460,7 +2438,7 @@ Check that the following command call is being audited by performing the followi
 -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix2-chkpwd
 If the command does not return any output or the returned line is commented out, this is a finding.
-SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020690The SUSE operating system must generate audit records for all uses of the chage command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020690The SUSE operating system must generate audit records for all uses of the chage command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
 Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -2480,7 +2458,7 @@ Check that the following command call is being audited by performing the followi
 -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage
-If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020700The SUSE operating system must generate audit records for all uses of the usermod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020700The SUSE operating system must generate audit records for all uses of the usermod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
 Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -2500,7 +2478,7 @@ Check that the following command call is being audited by performing the followi
 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
-If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020710The SUSE operating system must generate audit records for all uses of the crontab command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020710The SUSE operating system must generate audit records for all uses of the crontab command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
 Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -2520,7 +2498,7 @@ Check for the following command call is being audited by performing the followin
 -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab
-If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020720The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020720The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
 Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -2540,7 +2518,7 @@ Check for the following command call is being audited by performing the followin
 -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check
-If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020730The SUSE operating system must generate audit records for all uses of the delete_module command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+If the command does not return any output or the returned line is commented out, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020730The SUSE operating system must generate audit records for all uses of the delete_module command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
 Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -2562,7 +2540,7 @@ Check that the following command call is being audited by performing the followi
 -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module
 -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module
-If both the "b32" and "b64" audit rules are not defined for the "unload_module" syscall, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020740The SUSE operating system must generate audit records for all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+If both the "b32" and "b64" audit rules are not defined for the "unload_module" syscall, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020740The SUSE operating system must generate audit records for all uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
 Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -2586,7 +2564,7 @@ Verify that the following command call is being audited by performing the follow
 -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload
 -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload
-If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020760The SUSE operating system must generate audit records for all modifications to the faillog file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020760The SUSE operating system must generate audit records for all modifications to the faillog file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
 Audit records can be generated from various components within the information system (e.g., module or policy filter).
@@ -2606,7 +2584,7 @@ Check that the following is being audited by performing the following command to
 -w /var/log/faillog -p wa -k logins
-If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>SLES-12-030000The SUSE operating system must not have the telnet-server package installed.<VulnDiscussion>It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+If the command does not return a line, or the line is commented out, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>SLES-12-030000The SUSE operating system must not have the telnet-server package installed.<VulnDiscussion>It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
 SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions).
@@ -2620,7 +2598,7 @@ Check that the telnet-server package is not installed on the SUSE operating syst
 # zypper se telnet-server
-If the telnet-server package is installed, this is a finding.SRG-OS-000024-GPOS-00007<GroupDescription></GroupDescription>SLES-12-030020The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.<VulnDiscussion>The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.
+If the telnet-server package is installed, this is a finding.SRG-OS-000024-GPOS-00007<GroupDescription></GroupDescription>SLES-12-030020The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.<VulnDiscussion>The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law.
 To establish acceptance of the application usage policy, a click-through banner at system logon is required.
The system must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77433SV-92129CCI-000050Configure the SUSE operating system file "/etc/gdm/banner" to contain the Standard Mandatory DoD Notice and Consent Banner by running the following commands: 
@@ -2658,7 +2636,7 @@ By using this IS (which includes any device attached to this IS), you consent to
 -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
--Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>SLES-12-030030The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.<VulnDiscussion>To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential.
See User Agreement for details."SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>SLES-12-030030The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.<VulnDiscussion>To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. 
@@ -2700,7 +2678,7 @@ Ask the System Administrator for the site or program PPSM Component Local Servic
 If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding.
-If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>SLES-12-030040SuSEfirewall2 must protect against or limit the effects of Denial-of-Service (DoS) attacks on the SUSE operating system by implementing rate-limiting measures on impacted network interfaces.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
+If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>SLES-12-030040SuSEfirewall2 must protect against or limit the effects of Denial-of-Service (DoS) attacks on the SUSE operating system by implementing rate-limiting measures on impacted network interfaces.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity.
 This requirement addresses the configuration of the SUSE operating system to mitigate the impact on system availability of DoS attacks that have occurred or are ongoing. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions).
Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92133V-77437CCI-002385Configure "SuSEfirewall2" to protect the SUSE operating system against or limit the effects of DoS attacks by implementing rate-limiting measures on impacted network interfaces. 
@@ -2717,7 +2695,7 @@ Run the following command:
 # grep -i fw_services_accept_ext /etc/sysconfig/SuSEfirewall2
 FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
-If the "FW_SERVICES_ACCEPT_EXT" rule does not contain both the "hitcount" and "blockseconds" parameters, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>SLES-12-030050The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+If the "FW_SERVICES_ACCEPT_EXT" rule does not contain both the "hitcount" and "blockseconds" parameters, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>SLES-12-030050The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
 System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
@@ -2794,7 +2772,7 @@ The output must show the value of "Banner" set to "/etc/issue". An example is sh
 # sudo grep "Banner" /etc/ssh/sshd_config
 Banner /etc/issue
-If it does not, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>SLES-12-030100All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
+If it does not, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>SLES-12-030100All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered.
 This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
@@ -2834,7 +2812,7 @@ Check that the OpenSSH service active on the SUSE operating system with the foll
 Active: active (running) since Thu 2017-01-12 15:03:38 UTC; 1 months 4 days ago
-If OpenSSH service is not active, this is a finding.SRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>SLES-12-030110The SUSE operating system must log SSH connection attempts and failures to the server.<VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.
+If OpenSSH service is not active, this is a finding.SRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>SLES-12-030110The SUSE operating system must log SSH connection attempts and failures to the server.<VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.
 Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
@@ -2857,7 +2835,7 @@ The output message must contain the following text:
 LogLevel VERBOSE
-If "LogLevel" is not set to "VERBOSE" or "INFO", the LogLevel keyword is missing, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030130The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.<VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77447SV-92143CCI-000052Configure the SUSE operating system to provide users with feedback on when account accesses last occurred.
+If "LogLevel" is not set to "VERBOSE" or "INFO", the LogLevel keyword is missing, or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030130The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.<VulnDiscussion>Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77447SV-92143CCI-000052Configure the SUSE operating system to provide users with feedback on when account accesses last occurred.
 Add or edit the following lines in the "/etc/ssh/sshd_config" file:
@@ -2868,7 +2846,7 @@ Check that "PrintLastLog" keyword in the sshd daemon configuration file is used
 # sudo grep -i printlastlog /etc/ssh/sshd_config
 PrintLastLog yes
-If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000109-GPOS-00056<GroupDescription></GroupDescription>SLES-12-030140The SUSE operating system must deny direct logons to the root account using remote access via SSH.<VulnDiscussion>To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated.
+If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000109-GPOS-00056<GroupDescription></GroupDescription>SLES-12-030140The SUSE operating system must deny direct logons to the root account using remote access via SSH.<VulnDiscussion>To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated.
 A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account.
@@ -2876,7 +2854,7 @@ For example, the UNIX and Windows SUSE operating systems offer a "switch user" c
 Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the SUSE operating system without identification or authentication.
-Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92145V-77449CCI-000770Configure the SUSE operating system to deny direct logons to the root account using remote access via SSH.
+Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92145V-77449CCI-000770CCI-004045Configure the SUSE operating system to deny direct logons to the root account using remote access via SSH.
 Edit the appropriate "/etc/ssh/sshd_config" file, add or uncomment the line for "PermitRootLogin" and set its value to "no" (this file may be named differently or be in a different location):
@@ -2887,7 +2865,7 @@ Check that SSH denies any user trying to log on directly as root with the follow # sudo grep -i permitrootlogin /etc/ssh/sshd_config PermitRootLogin no -If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>SLES-12-030150The SUSE operating system must not allow automatic logon via SSH.<VulnDiscussion>Failure to restrict system access via SSH to authenticated users negatively impacts SUSE operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77451SV-92147CCI-000366Configure the SUSE operating system disables automatic logon via SSH. 
+If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>SLES-12-030150The SUSE operating system must not allow automatic logon via SSH.<VulnDiscussion>Failure to restrict system access via SSH to authenticated users negatively impacts SUSE operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77451SV-92147CCI-000366Configure the SUSE operating system disables automatic logon via SSH. Add or edit the following line in the "/etc/ssh/sshd_config" file: 
@@ -2899,7 +2877,7 @@ Check that automatic logon via SSH is disabled with the following command: PermitEmptyPasswords no -If "PermitEmptyPasswords" is not set to "no", is missing completely, or is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>SLES-12-030151The SUSE operating system must not allow users to override SSH environment variables.<VulnDiscussion>SSH environment options potentially allow users to bypass access restriction in some configurations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-99011SV-108115CCI-000366Configure the SUSE operating system disables unattended logon via SSH. 
+If "PermitEmptyPasswords" is not set to "no", is missing completely, or is commented out, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>SLES-12-030151The SUSE operating system must not allow users to override SSH environment variables.<VulnDiscussion>SSH environment options potentially allow users to bypass access restriction in some configurations.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-99011SV-108115CCI-000366Configure the SUSE operating system disables unattended logon via SSH. Add or edit the following lines in the "/etc/ssh/sshd_config" file: 
@@ -2911,7 +2889,7 @@ Check that unattended logon via SSH is disabled with the following command: PermitUserEnvironment no -If the "PermitUserEnvironment" keyword is not set to "no", is missing completely, or is commented out, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>SLES-12-030170The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. +If the "PermitUserEnvironment" keyword is not set to "no", is missing completely, or is commented out, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>SLES-12-030170The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.<VulnDiscussion>Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
@@ -2933,7 +2911,7 @@ Check the SSH daemon configuration for allowed ciphers with the following comman Ciphers aes256-ctr,aes192-ctr,aes128-ctr -If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>SLES-12-030180The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>SLES-12-030180The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
@@ -2952,11 +2930,11 @@ Check that the SSH daemon is configured to only use MACs that employ FIPS 140-2 # sudo grep -i macs /etc/ssh/sshd_config MACs hmac-sha2-512,hmac-sha2-256 -If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.SRG-OS-000126-GPOS-00066<GroupDescription></GroupDescription>SLES-12-030190The SUSE operating system SSH daemon must be configured with a timeout interval.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. +If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.SRG-OS-000126-GPOS-00066<GroupDescription></GroupDescription>SLES-12-030190The SUSE operating system SSH daemon must be configured with a timeout interval.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the SUSE operating system level, and deallocating networking assignments at the application level if multiple application sessions are using a single SUSE operating system-level network connection. 
This does not mean that the SUSE operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. -Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92155V-77459CCI-000879CCI-001133CCI-002361Configure the SUSE operating system SSH daemon to timeout idle sessions. +Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92155V-77459CCI-001133CCI-002361Configure the SUSE operating system SSH daemon to timeout idle sessions. Add or modify (to match exactly) the following line in the "/etc/ssh/sshd_config" file: 
@@ -2969,13 +2947,13 @@ Check that the "ClientAliveInterval" parameter is set to a value of "600" with t # sudo grep -i clientalive /etc/ssh/sshd_config ClientAliveInterval 600 -If "ClientAliveInterval" is not set to "600" in "/etc/ssh/sshd_config", this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>SLES-12-030191The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.<VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. +If "ClientAliveInterval" is not set to "600" in "/etc/ssh/sshd_config", this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>SLES-12-030191The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.<VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. 
Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. -This capability is typically reserved for specific SUSE operating system functionality where the system owner, data owner, or organization requires additional assurance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-96515V-81801CCI-001133CCI-000879CCI-002361Configure the SUSE operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a "10" minute period of inactivity. 
+This capability is typically reserved for specific SUSE operating system functionality where the system owner, data owner, or organization requires additional assurance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-96515V-81801CCI-001133CCI-002361Configure the SUSE operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a "10" minute period of inactivity. Modify or append the following lines in the "/etc/ssh/sshd_config" file: 
@@ -2993,7 +2971,7 @@ ClientAliveInterval 600 ClientAliveCountMax 1 -If "ClientAliveCountMax" does not exist or "ClientAliveCountMax" is not set to a value of "1" in "/etc/ssh/sshd_config", or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030200The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77461SV-92157CCI-000366Configure the SUSE operating system SSH daemon to not allow authentication using known hosts authentication. 
+If "ClientAliveCountMax" does not exist or "ClientAliveCountMax" is not set to a value of "1" in "/etc/ssh/sshd_config", or the line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030200The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.<VulnDiscussion>Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77461SV-92157CCI-000366Configure the SUSE operating system SSH daemon to not allow authentication using known hosts authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": 
@@ -3005,7 +2983,7 @@ To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the IgnoreUserKnownHosts yes -If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030210The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77463SV-92159CCI-000366Configure the SUSE operating system SSH daemon public host key files have mode "0644" or less permissive. 
+If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030210The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.<VulnDiscussion>If a public host key file is modified by an unauthorized user, the SSH service may be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77463SV-92159CCI-000366Configure the SUSE operating system SSH daemon public host key files have mode "0644" or less permissive. Note: SSH public key files may be found in other directories on the system depending on the installation. 
@@ -3024,7 +3002,7 @@ The following command will find all SSH public key files on the system: 644 /etc/ssh/ssh_host_ecdsa_key.pub 644 /etc/ssh/ssh_host_ed25519_key.pub -If any file has a mode more permissive than "0644", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030220The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92161V-77465CCI-000366Configure the mode of the SUSE operating system SSH daemon private host key files under "/etc/ssh" to "0640" with the following command: +If any file has a mode more permissive than "0644", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030220The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.<VulnDiscussion>If an unauthorized user obtains the private SSH host key file, the host could be impersonated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92161V-77465CCI-000366Configure the 
mode of the SUSE operating system SSH daemon private host key files under "/etc/ssh" to "0640" with the following command: > sudo chmod 0640 /etc/ssh/ssh_host*keyVerify the SUSE operating system SSH daemon private host key files have mode "0640" or less permissive. 
@@ -3041,7 +3019,7 @@ Check the mode of the private host key files under "/etc/ssh" file with the foll 640 /etc/ssh/ssh_host_ecdsa_key 640 /etc/ssh/ssh_host_ed25519_key -If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030230The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.<VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92163V-77467CCI-000366Configure the SUSE operating system SSH daemon performs strict mode checking of home directory configuration files. 
+If any file has a mode more permissive than "0640", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030230The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.<VulnDiscussion>If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92163V-77467CCI-000366Configure the SUSE operating system SSH daemon performs strict mode checking of home directory configuration files. Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes": 
@@ -3053,7 +3031,7 @@ Check that the SSH daemon performs strict mode checking of home directory config StrictModes yes -If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030240The SUSE operating system SSH daemon must use privilege separation.<VulnDiscussion>SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92165V-77469CCI-000366Configure the SUSE operating system SSH daemon is configured to use privilege separation. 
+If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030240The SUSE operating system SSH daemon must use privilege separation.<VulnDiscussion>SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92165V-77469CCI-000366Configure the SUSE operating system SSH daemon is configured to use privilege separation. Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" and set the value to "yes" or "sandbox": 
@@ -3073,7 +3051,7 @@ Check that the SUSE operating system SSH daemon performs privilege separation wi UsePrivilegeSeparation yes -If the "UsePrivilegeSeparation" keyword is not set to "yes" or "sandbox", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030250The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92167V-77471CCI-000366Configure the SUSE operating system SSH daemon performs compression after a user successfully authenticates. 
+If the "UsePrivilegeSeparation" keyword is not set to "yes" or "sandbox", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030250The SUSE operating system SSH daemon must not allow compression or must only allow compression after successful authentication.<VulnDiscussion>If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92167V-77471CCI-000366Configure the SUSE operating system SSH daemon performs compression after a user successfully authenticates. Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" on the system and set the value to "delayed" or "no": 
@@ -3086,7 +3064,7 @@ Check that the SSH daemon performs compression after a user successfully authent # sudo grep -i compression /etc/ssh/sshd_config Compression delayed -If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030260The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.<VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. +If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030260The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.<VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. 
If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92169V-77473CCI-000366Configure the SUSE operating system SSH daemon to disable forwarded X connections for interactive users. 
@@ -3097,13 +3075,13 @@ X11Forwarding noSRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>SLES-12-030300The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. +If the "X11Forwarding" keyword is set to "yes" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, is missing, or is commented out, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>SLES-12-030300The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DoD time source at least every 24 hours.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). 
-Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77475SV-92171CCI-002046CCI-001891Configure the SUSE operating system clock must be configured to synchronize to an authoritative DoD time source when the time difference is greater than one second. +Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77475SV-92171CCI-002046CCI-004926CCI-001891CCI-004923Configure the SUSE operating system clock must be configured to synchronize to an authoritative DoD time source when the time difference is greater than one second. To configure the system clock to synchronize to an authoritative DoD time source at least every 24 hours, edit the file "/etc/ntp.conf". Add or correct the following lines by replacing "[time_source]" with an authoritative DoD time source: 
@@ -3122,7 +3100,7 @@ Verify the "ntp.conf" file is configured to an authoritative DoD time source by > sudo grep -i server /etc/ntp.conf server 0.us.pool.ntp.mil -If the parameter "server" is not set or is not set to an authoritative DoD time source, this is a finding.SRG-OS-000359-GPOS-00146<GroupDescription></GroupDescription>SLES-12-030310The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. +If the parameter "server" is not set or is not set to an authoritative DoD time source, this is a finding.SRG-OS-000359-GPOS-00146<GroupDescription></GroupDescription>SLES-12-030310The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the SUSE operating system include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92173V-77477CCI-001890Configure the SUSE operating system is configured to use UTC or GMT. 
@@ -3135,7 +3113,7 @@ Check that the SUSE operating system is configured to use UTC or GMT with the fo > timedatectl status | grep -i "time zone" Timezone: UTC (UTC, +0000) -If "Time zone" is not set to "UTC" or "GMT", this is a finding.SRG-OS-000433-GPOS-00192<GroupDescription></GroupDescription>SLES-12-030320The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. +If "Time zone" is not set to "UTC" or "GMT", this is a finding.SRG-OS-000433-GPOS-00192<GroupDescription></GroupDescription>SLES-12-030320The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. 
Examples of attacks are buffer overflow attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92175V-77479CCI-002824Configure the SUSE operating system to prevent leaking of internal kernel addresses by running the following command: 
@@ -3152,7 +3130,7 @@ Check that the SUSE operating system prevents leaking of internal kernel address > sudo sysctl kernel.kptr_restrict kernel.kptr_restrict = 1 -If the kernel parameter "kptr_restrict" is not equal to "1" or nothing is returned, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>SLES-12-030330Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. +If the kernel parameter "kptr_restrict" is not equal to "1" or nothing is returned, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>SLES-12-030330Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. 
Examples of attacks are buffer overflow attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92177V-77481CCI-002824Configure the SUSE operating system to implement ASLR by running the following commands: 
@@ -3170,7 +3148,7 @@ Check that the SUSE operating system implements ASLR by running the following co kernel.randomize_va_space = 2 -If the kernel parameter "randomize_va_space" is not equal to "2" or nothing is returned, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-12-030340The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If the kernel parameter "randomize_va_space" is not equal to "2" or nothing is returned, this is a finding.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>SLES-12-030340The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77483SV-92179CCI-001851Configure the SUSE operating system to off-load rsyslog messages for networked systems in real time. 
@@ -3193,7 +3171,7 @@ For networked systems, check that rsyslog is sending log messages to a remote se *.*;mail.none;news.none @192.168.1.101:514 -If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.SRG-OS-000142-GPOS-00071<GroupDescription></GroupDescription>SLES-12-030350The SUSE operating system must be configured to use TCP syncookies.<VulnDiscussion>Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. +If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.SRG-OS-000142-GPOS-00071<GroupDescription></GroupDescription>SLES-12-030350The SUSE operating system must be configured to use TCP syncookies.<VulnDiscussion>Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. 
Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77485SV-92181CCI-001095Configure the SUSE operating system to use TCP syncookies by running the following command as an administrator: 
@@ -3209,7 +3187,7 @@ Check to see if syncookies are used with the following command: net.ipv4.tcp_syncookies = 1 -If the value is not set to "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030360The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77487SV-92183CCI-000366Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): +If the value is not set to "1", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030360The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77487SV-92183CCI-000366Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.all.accept_source_route = 0 
@@ -3222,7 +3200,7 @@ Check the value of the accept source route variable with the following command: # sysctl net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.accept_source_route = 0 -If the returned line does not have a value of "0" this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030361The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-81803SV-96517CCI-000366Configure the SUSE operating system to not accept IPv6 source-routed packets by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): +If the returned line does not have a value of "0" this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030361The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-81803SV-96517CCI-000366Configure the SUSE operating system to not accept IPv6 source-routed packets by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv6.conf.all.accept_source_route = 0 
@@ -3235,7 +3213,7 @@ Check the value of the accept source route variable with the following command: # sudo sysctl net.ipv6.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route = 0 -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030370The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77489SV-92185CCI-000366Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): +If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030370The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. 
This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77489SV-92185CCI-000366Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.default.accept_source_route = 0 
@@ -3248,7 +3226,7 @@ Check the value of the default accept source route variable with the following c # sysctl net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.accept_source_route = 0 -If the returned line does not have a value of "0" this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030380The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77491SV-92187CCI-000366Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): +If the returned line does not have a value of "0" this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030380The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.<VulnDiscussion>Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification 
attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77491SV-92187CCI-000366Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.icmp_echo_ignore_broadcasts = 1 
@@ -3261,7 +3239,7 @@ Check the value of the accept source route variable with the following command: # sysctl net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_echo_ignore_broadcasts = 1 -If the returned line does not have a value of "1" this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030390The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77493SV-92189CCI-000366Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): +If the returned line does not have a value of "1" this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030390The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77493SV-92189CCI-000366Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.all.accept_redirects =0 
@@ -3274,7 +3252,7 @@ Check the value of the "net.ipv4.conf.all.accept_redirects" variable with the fo # sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_redirects =0 -If the returned line does not have a value of "0" this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030400The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92191V-77495CCI-000366Configure the SUSE operating system ignores IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): +If the returned line does not have a value of "0" this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030400The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92191V-77495CCI-000366Configure the SUSE operating system ignores IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.default.accept_redirects = 0 
@@ -3287,7 +3265,7 @@ Check the value of the "accept_redirects" variables with the following command: # sysctl net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects = 0 -If the returned line does not have a value of "0" this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030401The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-96519V-81805CCI-000366Configure the SUSE operating system to not allow IPv6 ICMP redirect messages by default. +If the returned line does not have a value of "0" this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030401The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. 
An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-96519V-81805CCI-000366Configure the SUSE operating system to not allow IPv6 ICMP redirect messages by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): 
@@ -3302,7 +3280,7 @@ Check the value of the "default accept_redirects" variables with the following c # sudo sysctl net.ipv6.conf.default.accept_redirects net.ipv6.conf.default.accept_redirects = 0 -If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030410The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77497SV-92193CCI-000366Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects by default. +If the returned line does not have a value of "0", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030410The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77497SV-92193CCI-000366Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): 
@@ -3317,7 +3295,7 @@ Check the value of the "default send_redirects" variables with the following com # sysctl net.ipv4.conf.default.send_redirects net.ipv4.conf.default.send_redirects = 0 -If the returned line does not have a value of "0” this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030420The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77499SV-92195CCI-000366Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects. +If the returned line does not have a value of "0” this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030420The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages contain information from the system's route table, possibly revealing portions of the network topology.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77499SV-92195CCI-000366Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): 
@@ -3332,7 +3310,7 @@ Check the value of the "all send_redirects" variables with the following command # sysctl net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects =0 -If the returned line does not have a value of "0” this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030430The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77501SV-92197CCI-000366Configure the SUSE operating system to not performing IPv4 packet forwarding by running the following command as an administrator: +If the returned line does not have a value of "0” this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030430The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77501SV-92197CCI-000366Configure the SUSE operating system to not performing IPv4 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv4.ip_forward=0 
@@ -3347,7 +3325,7 @@ Check to see if IPv4 forwarding is enabled using the following command: > sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0 -If the network parameter "ipv4.ip_forward" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030440The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems. +If the network parameter "ipv4.ip_forward" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030440The SUSE operating system must not have network interfaces in promiscuous mode unless approved and documented.<VulnDiscussion>Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems. 
If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92199V-77503CCI-000366Configure the SUSE operating system network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. 
@@ -3359,7 +3337,7 @@ Check for the status with the following command: # ip link | grep -i promisc -If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.SRG-OS-000299-GPOS-00117<GroupDescription></GroupDescription>SLES-12-030450The SUSE operating system wireless network adapters must be disabled unless approved and documented.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the SUSE operating system. +If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.SRG-OS-000299-GPOS-00117<GroupDescription></GroupDescription>SLES-12-030450The SUSE operating system wireless network adapters must be disabled unless approved and documented.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the SUSE operating system. This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with A SUSE operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the AO. Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the SUSE operating system. 
Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
@@ -3411,7 +3389,7 @@ route: ipv4 default via 10.0.0.1 proto dhcp If a wireless interface is configured it must be documented and approved by the local Authorizing Official. -If a wireless interface is configured and has not been documented and approved, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-12-030500The SUSE operating system must have the packages required for multifactor authentication to be installed.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. +If a wireless interface is configured and has not been documented and approved, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-12-030500The SUSE operating system must have the packages required for multifactor authentication to be installed.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. 
@@ -3421,7 +3399,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77507SV-92203CCI-001948CCI-001953CCI-001954Configure the SUSE operating system to implement multifactor authentication by installing the required packages. +Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77507SV-92203CCI-001948CCI-004046CCI-001953CCI-001954Configure the SUSE operating system to implement multifactor authentication by installing the required packages. Install the packages required to support multifactor authentication with the following commands: 
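Review bot: CCI-004046 is added to the CCI list of SLES-12-030500 on the new side of this hunk, and the same addition is made in the hunks for SLES-12-030510 and SLES-12-030520, with CCI-004068 added for SLES-12-030530. If the project keeps its own DISA CCI references on the rules mapped to these STIG IDs, those references presumably need the new CCIs too, otherwise the vendored benchmark and the rule metadata disagree on which controls each rule satisfies; I cannot see those rule files from this diff, so this is a sync check rather than a defect in the hunk itself. The new CCI is placed mid-list rather than appended, which appears to mirror the upstream ordering, so nothing in the hunk text itself needs to change.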
@@ -3468,7 +3446,7 @@ i | opensc | Smart Card Utilities | package Installed: Yes -If any of the packages required for multifactor authentication are not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-12-030510The SUSE operating system must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the information system is compromised. +If any of the packages required for multifactor authentication are not installed, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>SLES-12-030510The SUSE operating system must implement certificate status checking for multifactor authentication.<VulnDiscussion>Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the information system is compromised. Multifactor solutions that require devices separate from information systems to gain access include: hardware tokens providing time-based or challenge-response authenticators, and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. 
@@ -3478,7 +3456,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us This requirement only applies to components with device-specific functions, or for organizational users (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). -Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77509SV-92205CCI-001954CCI-001948CCI-001953Configure the SUSE operating system to certificate status checking for PKI authentication. +Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77509SV-92205CCI-001954CCI-001948CCI-004046CCI-001953Configure the SUSE operating system to certificate status checking for PKI authentication. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on". 
@@ -3492,7 +3470,7 @@ Check that certificate status checking for multifactor authentication is impleme cert_policy = ca,ocsp_on,signature,crl_auto; -If "cert_policy" is not set to include "ocsp_on", this is a finding.SRG-OS-000068-GPOS-00036<GroupDescription></GroupDescription>SLES-12-030520The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. +If "cert_policy" is not set to include "ocsp_on", this is a finding.SRG-OS-000068-GPOS-00036<GroupDescription></GroupDescription>SLES-12-030520The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. 
@@ -3502,7 +3480,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). -Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77511SV-92207CCI-000765CCI-000766CCI-000767CCI-000768CCI-000187CCI-001948CCI-001953CCI-001954Configure the SUSE operating system to implement multifactor authentication for remote access to privileged accounts via PAM. 
+Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77511SV-92207CCI-000765CCI-000766CCI-000767CCI-000768CCI-000187CCI-001948CCI-004046CCI-001953CCI-001954Configure the SUSE operating system to implement multifactor authentication for remote access to privileged accounts via PAM. Add or update "pam_pkcs11.so" in "/etc/pam.d/common-auth" to match the following line: 
@@ -3514,7 +3492,7 @@ Check that the "pam_pkcs11.so" option is configured in the "/etc/pam.d/common-au auth sufficient pam_pkcs11.so -If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>SLES-12-030530The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. +If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>SLES-12-030530The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. 
@@ -3522,7 +3500,7 @@ When there is a chain of trust, usually the top entity to be trusted becomes the This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. -Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92209V-77513CCI-000185CCI-001991Configure the SUSE operating system, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. 
+Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033SV-92209V-77513CCI-000185CCI-001991CCI-004068Configure the SUSE operating system, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ca": 
@@ -3538,42 +3516,32 @@ Check that the certification path to an accepted trust anchor for multifactor au cert_policy = ca,oscp_on,signature,crl_auto; -If "cert_policy" is not set to include "ca", this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>SLES-12-010599The SUSE operating system must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-92249SV-102351CCI-001233Install and enable the latest Trellix ENSLTP package.Check that the following package has been installed: - -# rpm -qa | grep -i mcafeetp - -If the "mcafeetp" package is not installed, this is a finding. - -Verify that the daemon is running: - -# ps -ef | grep -i mfetpd - -If the daemon is not running, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030611The SUSE operating system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. - -The virus scanning software should be configured to perform scans dynamically on accessed files. 
If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. - +If "cert_policy" is not set to include "ca", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030611The SUSE operating system must use a virus scan program.<VulnDiscussion>Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. + +The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis. + If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-102727SV-111689CCI-001668Install an antivirus solution on the system.Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no anti-virus solution installed on the system, this is a finding. -SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030261The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display.<VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. 
By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system SSH daemon to prevent remote hosts from connecting to the proxy display. - -Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): - -X11UseLocalhost yesVerify the SUSE operating system SSH daemon prevents remote hosts from connecting to the proxy display. - -Check the SSH X11UseLocalhost setting with the following command: - -# sudo grep -i x11uselocalhost /etc/ssh/sshd_config -X11UseLocalhost yes - -If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010111The SUSE operating system must restrict privilege elevation to authorized personnel.<VulnDiscussion>The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. 
If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Remove the following entries from the sudoers file: +SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030261The SUSE operating system SSH daemon must prevent remote hosts from connecting to the proxy display.<VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system SSH daemon to prevent remote hosts from connecting to the proxy display. 
+ +Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): + +X11UseLocalhost yesVerify the SUSE operating system SSH daemon prevents remote hosts from connecting to the proxy display. + +Check the SSH X11UseLocalhost setting with the following command: + +# sudo grep -i x11uselocalhost /etc/ssh/sshd_config +X11UseLocalhost yes + +If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010111The SUSE operating system must restrict privilege elevation to authorized personnel.<VulnDiscussion>The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Remove the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALLVerify the "sudoers" file restricts sudo access to authorized personnel. 
$ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL -ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010112The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. +ALL ALL=(ALL:ALL) ALLSRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010112The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".<VulnDiscussion>The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. 
For more information on each of the listed configurations, reference the sudoers(5) manual page.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-002227Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw 
@@ -3588,11 +3556,11 @@ Defaults !runaspwSRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-12-010113The SUSE operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If "Defaults !runaspw" is not defined, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-12-010113The SUSE operating system must require re-authentication when using the "sudo" command.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. -If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-002038Configure the "sudo" command to require re-authentication. 
+If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-002038CCI-004895Configure the "sudo" command to require re-authentication. Edit the /etc/sudoers file: > sudo visudo 
@@ -3605,7 +3573,7 @@ Note: The "[value]" must be a number that is greater than or equal to "0".SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010631The SUSE operating system must not have unnecessary account capabilities.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. Therefore all necessary non-interactive accounts should not have an interactive shell assigned to them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system so that all non-interactive accounts on the system have no interactive shell assigned to them. +If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010631The SUSE operating system must not have unnecessary account capabilities.<VulnDiscussion>Accounts providing no operational purpose provide additional opportunities for system compromise. 
Therefore all necessary non-interactive accounts should not have an interactive shell assigned to them.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system so that all non-interactive accounts on the system have no interactive shell assigned to them. Run the following command to disable the interactive shell for a specific non-interactive user account: 
@@ -3619,7 +3587,7 @@ Check the system accounts on the system with the following command: root:0:/bin/bash nobody:65534:/bin/bash -If a non-interactive accounts such as "games" or "nobody" is listed with an interactive shell, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010871The SUSE operating system library files must have mode 0755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If a non-interactive accounts such as "games" or "nobody" is listed with an interactive shell, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010871The SUSE operating system library files must have mode 0755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the library files to be protected from unauthorized access. Run the following command: 
@@ -3629,7 +3597,7 @@ Check that the system-wide shared library files have mode 0755 or less permissiv > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec stat -c "%n %a" '{}' \; -If any files are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010872The SUSE operating system library directories must have mode 0755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any files are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010872The SUSE operating system library directories must have mode 0755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the shared library directories to be protected from unauthorized access. Run the following command: 
@@ -3639,7 +3607,7 @@ Check that the system-wide shared library directories have mode 0755 or less per > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c "%n %a" '{}' \; -If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010873The SUSE operating system library files must be owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010873The SUSE operating system library files must be owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the system library files to be protected from unauthorized access. Run the following command: 
@@ -3649,7 +3617,7 @@ Check that the system-wide shared library files are owned by root with the follo > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec stat -c "%n %U" '{}' \; -If any system wide library file is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010874The SUSE operating system library directories must be owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any system wide library file is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010874The SUSE operating system library directories must be owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command: 
@@ -3659,7 +3627,7 @@ Check that the system-wide shared library directories are owned by root with the > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; -If any system wide library directory is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010875The SUSE operating system library files must be group-owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any system wide library directory is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010875The SUSE operating system library files must be group-owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the system library files to be protected from unauthorized access. Run the following command: 
@@ -3669,7 +3637,7 @@ Check that the system-wide library files are group-owned by root with the follow > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec stat -c "%n %G" '{}' \; -If any system wide shared library file is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010876The SUSE operating system library directories must be group-owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any system wide shared library file is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010876The SUSE operating system library directories must be group-owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the system library directories to be protected from unauthorized access. Run the following command: 
@@ -3679,7 +3647,7 @@ Check that the system-wide library directories are group-owned by root with the > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; -If any system wide shared library directory is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010877The SUSE operating system must have system commands set to a mode of 755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any system wide shared library directory is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010877The SUSE operating system must have system commands set to a mode of 755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the system commands to be protected from unauthorized access. Run the following command: 
@@ -3696,7 +3664,7 @@ Check that the system command files have mode 755 or less permissive with the fo > find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec stat -c "%n %a" '{}' \; -If any files are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010878The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any files are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010878The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the system commands directories to be protected from unauthorized access. Run the following command: 
@@ -3713,7 +3681,7 @@ Check that the system command directories have mode 0755 or less permissive with > find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \; -If any directories are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010879The SUSE operating system must have system commands owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any directories are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010879The SUSE operating system must have system commands owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the system commands - and their respective parent directories - to be protected from unauthorized access. Run the following command: 
@@ -3730,7 +3698,7 @@ Use the following command for the check: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \; -If any system commands are returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010881The SUSE operating system must have directories that contain system commands owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any system commands are returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010881The SUSE operating system must have directories that contain system commands owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the system commands directories to be protected from unauthorized access. Run the following command: 
@@ -3747,7 +3715,7 @@ Use the following command for the check: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \; -If any system commands directories are returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010882The SUSE operating system must have system commands group-owned by root or a system account.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any system commands directories are returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010882The SUSE operating system must have system commands group-owned by root or a system account.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. 
@@ -3764,7 +3732,7 @@ Run the check with the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f -exec stat -c "%n %G" '{}' \; -If any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required system account, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010883The SUSE operating system must have directories that contain system commands group-owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. +If any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required system account, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>SLES-12-010883The SUSE operating system must have directories that contain system commands group-owned by root.<VulnDiscussion>If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. 
Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001499Configure the system commands directories to be protected from unauthorized access. Run the following command: 
@@ -3781,7 +3749,7 @@ Run the check with the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \; -If any system commands directories are returned that are not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>SLES-12-030011The SUSE operating system must not have the vsftpd package installed if not required for operational support.<VulnDiscussion>It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If any system commands directories are returned that are not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>SLES-12-030011The SUSE operating system must not have the vsftpd package installed if not required for operational support.<VulnDiscussion>It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions). 
@@ -3793,7 +3761,7 @@ Check that the vsftpd package is not installed on the SUSE operating system by r > zypper info vsftpd | grep Installed -If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030362The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system to disable IPv6 default source routing by running the following command as an administrator: +If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030362The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.<VulnDiscussion>Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security 
measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system to disable IPv6 default source routing by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 
@@ -3808,7 +3776,7 @@ Check the value of the default IPv6 accept source route variable with the follow > sudo sysctl net.ipv6.conf.default.accept_source_route net.ipv6.conf.default.accept_source_route = 0 -If the network parameter "ipv6.conf.default.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030363The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system to not accept IPv6 ICMP redirect messages by running the following command as an administrator: +If the network parameter "ipv6.conf.default.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030363The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.<VulnDiscussion>ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. 
These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system to not accept IPv6 ICMP redirect messages by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 
@@ -3824,7 +3792,7 @@ Check the value of the IPv6 accept_redirects variable with the following command > sudo sysctl net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects =0 -If the network parameter "ipv6.conf.all.accept_redirects" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030364The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system to not performing IPv6 packet forwarding by running the following command as an administrator: +If the network parameter "ipv6.conf.all.accept_redirects" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030364The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system to not performing IPv6 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.forwarding=0 
@@ -3839,7 +3807,7 @@ Check to see if IPv6 forwarding is enabled using the following command: > sudo sysctl net.ipv6.conf.all.forwarding net.ipv6.conf.all.forwarding = 0 -If the network parameter "ipv6.conf.all.forwarding" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030365The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system to not performing IPv6 packet forwarding by default by running the following command as an administrator: +If the network parameter "ipv6.conf.all.forwarding" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-030365The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.<VulnDiscussion>Routing protocol daemons are typically used on routers to exchange network topology information with other routers. 
If this software is used when not required, system network information may be unnecessarily transmitted across the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the SUSE operating system to not performing IPv6 packet forwarding by default by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.forwarding=0 
@@ -3854,7 +3822,7 @@ Check to see if IPv6 forwarding is disabled by default using the following comma > sudo sysctl net.ipv6.conf.default.forwarding net.ipv6.conf.default.forwarding = 0 -If the network parameter "ipv6.conf.default.forwarding" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010109The SUSE operating system must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. +If the network parameter "ipv6.conf.default.forwarding" is not equal to "0" or nothing is returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010109The SUSE operating system must specify the default "include" directory for the /etc/sudoers file.<VulnDiscussion>The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. 
When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) are reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure the /etc/sudoers file to only include the /etc/sudoers.d directory. 
@@ -3877,11 +3845,11 @@ Verify the operating system does not have nested "include" files or directories > sudo grep -r include /etc/sudoers.d -If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-12-010114The SUSE operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. +If results are returned, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>SLES-12-010114The SUSE operating system must not be configured to bypass password requirements for privilege escalation.<VulnDiscussion>Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. -Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-002038Configure the operating system to require users to supply a password for privilege escalation. 
+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-002038CCI-004895Configure the operating system to require users to supply a password for privilege escalation. Check the configuration of the "/etc/ pam.d/sudo" file with the following command: $ sudo vi /etc/pam.d/sudo 
@@ -3892,7 +3860,7 @@ Check the configuration of the "/etc/pam.d/sudo" file with the following command $ sudo grep pam_succeed_if /etc/pam.d/sudo -If any occurrences of "pam_succeed_if" are returned from the command, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010221The SUSE operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: +If any occurrences of "pam_succeed_if" are returned from the command, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010221The SUSE operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: $ sudo passwd [username] 
@@ -3901,7 +3869,7 @@ $ sudo passwd -l [username]SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020411The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +If the command returns any results, this is a finding.SRG-OS-000037-GPOS-00015<GroupDescription></GroupDescription>SLES-12-020411The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat and rmdir syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. 
@@ -3923,7 +3891,7 @@ Verify that the following command call is being audited by performing the follow -a always,exit -F arch=b32 -S unlink, unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S unlink, unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete -If both the "b32" and "b64" audit rules are not defined for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>SLES-12-030270The SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. +If both the "b32" and "b64" audit rules are not defined for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls, this is a finding.SRG-OS-000250-GPOS-00093<GroupDescription></GroupDescription>SLES-12-030270The SUSE operating system SSH server must be configured to use only FIPS-validated key exchange algorithms.<VulnDiscussion>Without cryptographic integrity protections provided by FIPS-validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. The system will attempt to use the first algorithm presented by the client that matches the server list. 
Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001453Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/ssh/sshd_config": 
@@ -3936,7 +3904,7 @@ Restart the "sshd" service for changes to take effect: $ sudo grep -i kexalgorithms /etc/ssh/sshd_config KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 -If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-12-010375The SUSE operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001090Configure the operating system to restrict access to the kernel message buffer. +If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>SLES-12-010375The SUSE operating system must restrict access to the kernel message buffer.<VulnDiscussion>Restricting access to the kernel message buffer limits access only to root. 
This prevents attackers from gaining additional system information as a nonprivileged user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001090Configure the operating system to restrict access to the kernel message buffer. Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory: 
@@ -3967,7 +3935,7 @@ Check that the configuration files are present to enable this kernel parameter: If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>SLES-12-010499The SUSE operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. +If conflicting results are returned, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>SLES-12-010499The SUSE operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. 
This requirement applies to the SUSE operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-002696Install AIDE, initialize it, and perform a manual check. 
@@ -4003,10 +3971,10 @@ If there is no application installed to perform integrity checks, this is a find If AIDE is installed, check if it has been initialized with the following command: $ sudo aide --check -If the output is "Couldn't open file /var/lib/aide/aide.db for reading", this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>SLES-12-010331The SUSE operating system must automatically expire temporary accounts within 72 hours.<VulnDiscussion>Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. - -Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. 
- +If the output is "Couldn't open file /var/lib/aide/aide.db for reading", this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>SLES-12-010331The SUSE operating system must automatically expire temporary accounts within 72 hours.<VulnDiscussion>Temporary accounts are privileged or nonprivileged accounts that are established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. + +Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. + The automatic expiration of temporary accounts may be extended as needed by the circumstances but it must not be extended indefinitely. 
A documented permanent account should be established for privileged users who need long-term maintenance accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001682Configure the operating system to expire temporary accounts after 72 hours with the following command: > sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>Verify temporary accounts have been provisioned with an expiration date of 72 hours. 
@@ -4016,7 +3984,7 @@ For every existing temporary account, run the following command to obtain its ac > sudo chage -l <temporary_account_name> | grep -i "account expires" Verify each of these accounts has an expiration date set within 72 hours. -If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>SLES-12-010498The SUSE operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. +If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>SLES-12-010498The SUSE operating system must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. 
The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033CCI-001744Install the "mailx" package on the system: From 615a409b4418f181756cb3a8f019784f268a3c1a Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 6 Nov 2024 14:09:41 +0200 Subject: [PATCH 333/403] Adjust tmout to 10 minutes for SLES-12-010090 --- products/sle12/profiles/stig.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index 56ea042d6fba..12e7d451c2c3 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile @@ -18,7 +18,7 @@ selections: - sshd_approved_ciphers=stig - var_account_disable_post_pw_expiration=35 - var_accounts_fail_delay=4 - - var_accounts_tmout=15_min + - var_accounts_tmout=10_min - inactivity_timeout_value=15_minutes - var_password_pam_dcredit=1 - var_password_pam_delay=4000000 From 834a44a4b2f7324287b66301182f2b3be1c2fae6 Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 6 Nov 2024 14:14:12 +0200 Subject: [PATCH 334/403] Remove rule SLES-12-010310 --- .../accounts_password_pam_pwhistory_remember/rule.yml | 1 - products/sle12/profiles/stig.profile | 2 -- 2 files changed, 3 deletions(-) 
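Review bot: The shell `TMOUT` is tightened to 10 minutes in this hunk while the graphical idle lock on the next context line, `inactivity_timeout_value=15_minutes`, keeps the old 15-minute window. If the SLES 12 STIG revision behind SLES-12-010090 applies the same 10-minute period to graphical sessions, that selection should move with it; if the two requirements genuinely differ, a one-line comment such as `# SLES-12-010090: 10 min shell timeout` next to the value would stop the next reader from "fixing" the mismatch. The commit message names the STIG ID but not the benchmark release that changed the value, which would also help traceability.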
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml index eb6a270e031e..363ce0ea3cb1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml @@ -31,7 +31,6 @@ references: disa: CCI-000200 nist@sle12: IA-5(1)(e),IA-5 (1).1(v) srg: SRG-OS-000077-GPOS-00045 - stigid@sle12: SLES-12-010310 ocil_clause: |- the value of remember is not set equal to or greater than {{{ xccdf_value("var_password_pam_remember") }}} diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index 12e7d451c2c3..1dcf045fc764 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile @@ -26,7 +26,6 @@ selections: - var_password_pam_lcredit=1 - var_password_pam_minlen=15 - var_password_pam_ocredit=1 - - var_password_pam_remember=5 - var_password_pam_retry=3 - var_password_pam_ucredit=1 - var_accounts_maximum_age_login_defs=60 @@ -59,7 +58,6 @@ selections: - accounts_password_all_shadowed_sha512 - accounts_passwords_pam_faildelay_delay - accounts_passwords_pam_tally2 - - accounts_password_pam_pwhistory_remember - accounts_password_set_max_life_existing - accounts_password_set_min_life_existing - accounts_tmout From 31029da34d24124d1d28a0785be6a332c2c70a4c Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 6 Nov 2024 14:17:37 +0200 Subject: [PATCH 335/403] Remove rule SLES-12-010599 --- .../agent_mfetpd_running/rule.yml | 1 - .../package_mcafeetp_installed/rule.yml | 1 - products/sle12/profiles/stig.profile | 2 -- 3 files changed, 4 deletions(-) 
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml index ff5efb08097f..1ebc05209cd7 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml @@ -24,7 +24,6 @@ references: disa: CCI-001263,CCI-000366 nist: SI-2(2) srg: SRG-OS-000191-GPOS-00080 - stigid@sle12: SLES-12-010599 ocil_clause: 'virus scanning software is not running' diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml index fb75fca77111..88d8a4312bcd 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml @@ -34,7 +34,6 @@ references: nist: SI-2(2) srg: SRG-OS-000191-GPOS-00080 stigid@rhel8: RHEL-08-010001 - stigid@sle12: SLES-12-010599 stigid@ubuntu2004: UBTU-20-010415 ocil_clause: 'the package is not installed' diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index 1dcf045fc764..41f80c36d7e4 100644 --- a/products/sle12/profiles/stig.profile 
+++ b/products/sle12/profiles/stig.profile @@ -68,7 +68,6 @@ selections: - accounts_user_interactive_home_directory_defined - accounts_user_interactive_home_directory_exists - account_temp_expire_date - - agent_mfetpd_running - aide_build_database - aide_check_audit_tools - aide_periodic_cron_checking @@ -221,7 +220,6 @@ selections: - package_audit-audispd-plugins_installed - package_audit_installed - package_mailx_installed - - package_mcafeetp_installed - package_pam_apparmor_installed - package_SuSEfirewall2_installed - package_telnet-server_removed From d6e74908150136e03c54f3de281d737ca64f6b3d Mon Sep 17 00:00:00 2001 From: svet-se Date: Wed, 6 Nov 2024 14:21:00 +0200 Subject: [PATCH 336/403] Remove rule SLES-12-010300 --- .../file_etc_security_opasswd/ansible/shared.yml | 2 +- .../file_etc_security_opasswd/bash/shared.sh | 2 +- .../file_etc_security_opasswd/rule.yml | 1 - products/sle12/profiles/stig.profile | 1 - 4 files changed, 2 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml index 1fc282c25f0e..dd9cfafb9127 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_slmicro +# platform = multi_platform_slmicro # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh index 7e69037f7e93..bba053858268 100644 
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_sle,multi_platform_slmicro +# platform = multi_platform_slmicro # Create /etc/security/opasswd if needed # Owner group mode root.root 0600 diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml index a17c9dd62998..19afb581a935 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml @@ -25,7 +25,6 @@ references: disa: CCI-000200 nist@sle12: IA-5(1)(e),IA-5(1).1(v) srg: SRG-OS-000077-GPOS-00045 - stigid@sle12: SLES-12-010300 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/security/opasswd", owner="root") }}} and {{{ ocil_clause_file_group_owner(file="/etc/security/opasswd", group="root") }}} and {{{ ocil_clause_file_permissions(file="/etc/security/opasswd", perms="0600") }}}' diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index 41f80c36d7e4..882fd1a16a91 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile @@ -179,7 +179,6 @@ selections: - encrypt_partitions - ensure_gpgcheck_globally_activated - ensure_rtc_utc_configuration - - file_etc_security_opasswd - file_groupownership_home_directories - file_groupownership_system_commands_dirs - file_ownership_binary_dirs From 96c9656a6c21f722ec5aa9e14e2dfa27cd83aac4 Mon Sep 17 00:00:00 2001 
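Review bot: The platform line change in the bash remediation (and the matching ansible hunk) drops `multi_platform_sle` entirely, yet rule.yml still carries `nist@sle12` and `disa: CCI-000200` references, so the rule stays applicable to SLE 12 and any other SLE profile that selects `file_etc_security_opasswd` now has a check with no fix. Removing the `stigid@sle12` mapping and deselecting the rule in stig.profile is enough to drop it from the STIG; leaving `# platform = multi_platform_sle,multi_platform_slmicro` in both remediations keeps the root:root 0600 fix available elsewhere. If the intent really is that SLE 12 no longer needs the fix for the remembered-password hashes this file holds, the commit message should say why.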
From: Matthew Burket Date: Thu, 30 Jan 2025 17:19:50 -0600 Subject: [PATCH 337/403] Update enable_fips_mode --- .../fips/enable_fips_mode/ansible/shared.yml | 27 --------------- .../fips/enable_fips_mode/bash/shared.sh | 18 ---------- .../integrity/fips/enable_fips_mode/rule.yml | 33 ++++++++----------- 3 files changed, 13 insertions(+), 65 deletions(-) delete mode 100644 linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml deleted file mode 100644 index ffc7cacb0aec..000000000000 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml +++ /dev/null @@ -1,27 +0,0 @@ -# platform = multi_platform_all -# reboot = true -# strategy = restrict -# complexity = medium -# disruption = medium -{{{ ansible_instantiate_variables("var_system_crypto_policy") }}} - -- name: "{{{ rule_title }}} - Check to See the Current Status of FIPS Mode" - ansible.builtin.command: /usr/bin/fips-mode-setup --check - register: is_fips_enabled - failed_when: false - changed_when: false - -- name: "{{{ rule_title }}} - Enable FIPS Mode" - ansible.builtin.command: /usr/bin/fips-mode-setup --enable - when: - - is_fips_enabled.stdout.find('FIPS mode is enabled.') == -1 - -- name: "{{{ rule_title }}} - Configure Crypto Policy" - ansible.builtin.lineinfile: - path: /etc/crypto-policies/config - regexp: '^(?!#)(\S+)$' - line: "{{ var_system_crypto_policy }}" - create: yes - -- name: "{{{ rule_title }}} - Verify that Crypto Policy is Set (runtime)" - ansible.builtin.command: /usr/bin/update-crypto-policies --set {{ var_system_crypto_policy }} diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh index 113f57e75a48..91574773a06b 100644 
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh @@ -6,21 +6,3 @@ if {{{ bash_bootc_build() }}}; then cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF kargs = ["fips=1"] EOF -else - fips-mode-setup --enable -fi - -stderr_of_call=$(update-crypto-policies $crypto_policies_no_reload --set ${var_system_crypto_policy} 2>&1 > /dev/null) -rc=$? - -if test "$rc" = 127; then - echo "$stderr_of_call" >&2 - echo "Make sure that the script is installed on the remediated system." >&2 - echo "See output of the 'dnf provides update-crypto-policies' command" >&2 - echo "to see what package to (re)install" >&2 - - false # end with an error code -elif test "$rc" != 0; then - echo "Error invoking the update-crypto-policies script: $stderr_of_call" >&2 - false # end with an error code -fi diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index a746494d3fe3..eaaa03aa8b4e 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -22,6 +22,12 @@ description: |-
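Review bot: Removing the `else`/`fi` lines leaves the `if {{{ bash_bootc_build() }}}; then` from the hunk header open, so the generated bash remediation ends right after `EOF` with an unterminated `if` and will not parse. A closing `fi` after the `EOF` line is required (a later patch in this series adds it, but this commit on its own ships a broken remediation). With the `update-crypto-policies` block gone, the `bash_instantiate_variables("var_system_crypto_policy")` and `crypto_policies_no_reload` lines at the top of the file, outside this hunk, are also dead and should go in the same change.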
kargs = ["fips=1"]
Then set the cryptographic policy to {{{ xccdf_value("var_system_crypto_policy") }}}:
update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}
+{{% elif 'rhel' in product %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. {{% else %}} OpenShift has an installation-time flag that can enable FIPS mode for the cluster. The flag
fips: true
must be enabled @@ -58,35 +64,22 @@ ocil_clause: 'FIPS mode is not enabled' ocil: |- To verify that FIPS mode is enabled properly, run the following command: -
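Review bot: The new `{{% elif 'rhel' in product %}}` branch is unreachable as written, because the opening condition of this chain (outside the hunk) is `{{% if product != "rhcos4" %}}`, which is already true for every RHEL product, so RHEL keeps rendering the generic `fips-mode-setup` text instead of the install-time warning. The chain needs to test rhcos4 first, e.g. `{{% if product == "rhcos4" %}}` … `{{% elif 'rhel' in product %}}` … `{{% else %}}`, which is what a later patch in the series does. Note also that `'rhel' in product` is a substring test; it is fine for the product names visible here but will silently match any future product id containing that string.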
fips-mode-setup --check
- The output should contain the following: -
FIPS mode is enabled.
- To verify that the cryptographic policy has been configured correctly, run the - following command: -
$ update-crypto-policies --show
- The output should return
{{{ xccdf_value("var_system_crypto_policy") }}}
. + + The output be must: +
1
warnings: - general: |- - The system needs to be rebooted for these changes to take effect. + To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- This rule DOES NOT CHECK if the components of the operating system are FIPS certified. You can find the list of FIPS certified modules at {{{ weblink(link="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search") }}}. - This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means. + This rule checks if the system is running in FIPS mode. fixtext: |- Configure {{{ full_name }}} to run in FIPS mode. - Run the following commands: - - $ sudo fips-mode-setup --enable - $ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}} - - The system needs to be rebooted for these changes to take effect. - - To enable FIPS mode at bootable container build time, add the following commands in Containerfile: - - RUN echo 'kargs = ["fips=1"]' > /usr/lib/bootc/kargs.d/01-fips.toml - RUN update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}} + The installer for the system must be booted with kernel parameter fips=1. srg_requirement: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.' From dc8102446a95c375e7e55db3eb7b755bf60f2ff7 Mon Sep 17 00:00:00 2001 
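Review bot: The rewritten OCIL reads `The output be must:` and, as rendered in this hunk, no longer names the command whose output should be `1` — the `fips-mode-setup --check` line was removed and nothing visible replaced it, so the verification text is both ungrammatical and incomplete; suggest `Run $ sysctl crypto.fips_enabled (or cat /proc/sys/crypto/fips_enabled); the output must be:` followed by the `1`. The new `fixtext` and general warning are unconditional install-time statements, while the description above still tells non-RHEL products to run `fips-mode-setup --enable` and the bash remediation still handles bootc builds, so those two fields contradict the description unless they are wrapped in the same `{{% if 'rhel' in product %}}` guard. Dropping the bootc `Containerfile` snippet from fixtext also removes the only documented fix for the remediation that remains.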
From: Matthew Burket Date: Thu, 30 Jan 2025 17:21:51 -0600 Subject: [PATCH 338/403] Update enable_dracut_fips_module Remove remediations for RHEL and update rule --- .../enable_dracut_fips_module/ansible/shared.yml | 2 +- .../fips/enable_dracut_fips_module/bash/shared.sh | 2 +- .../fips/enable_dracut_fips_module/rule.yml | 12 ++++++++++++ 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml index 9647791ef989..06020245392c 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_ol # reboot = true # strategy = restrict # complexity = medium diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh index 5da0c99e6707..f56c424cbb1e 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,Red Hat Virtualization 4 +# platform = multi_platform_ol,Red Hat Virtualization 4 fips-mode-setup --enable FIPS_CONF="/etc/dracut.conf.d/40-fips.conf" diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml index ea4eb058f9d0..f3d8f516774b 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml 
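Review bot: The commit message says remediations are removed for RHEL, but both platform lines also drop `multi_platform_fedora`, so Fedora loses the bash and ansible fixes without mention. If that is intended the message should say so; if not, the bash line should read `# platform = multi_platform_fedora,multi_platform_ol,Red Hat Virtualization 4` and the ansible one `# platform = multi_platform_fedora,multi_platform_ol`. The remaining script body still calls `fips-mode-setup --enable` unconditionally, so whichever platforms stay listed must actually ship that tool.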
+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml @@ -4,8 +4,16 @@ documentation_complete: true title: "Enable Dracut FIPS Module" description: |- + {{% if 'rhel' not in product %}} To enable FIPS mode, run the following command:
fips-mode-setup --enable
+ {{% else %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. + {{% endif %}} To enable FIPS, the system requires that the fips module is added in dracut configuration. Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " @@ -43,7 +51,11 @@ ocil: |- warnings: - general: |- + {{% if 'rhel' not in product %}} The system needs to be rebooted for these changes to take effect. + {{% else %}} + To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security From 3687e5869f6dc998d6faca19e575f63b8831b1e1 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 30 Jan 2025 17:23:54 -0600 Subject: [PATCH 339/403] Update FIPS rules for RHEL Update rules for RHEL to state must install via fips=1. --- .../integrity/fips/etc_system_fips_exists/rule.yml | 8 ++++++++ .../integrity/fips/grub2_enable_fips_mode/rule.yml | 13 +++++++++++++ .../fips/sysctl_crypto_fips_enabled/rule.yml | 11 ++++++++++- .../fips/system_booted_in_fips_mode/rule.yml | 2 +- 4 files changed, 32 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml index fe0bd8ffb489..5ec317d92cb2 100644 --- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml 
+++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml @@ -5,8 +5,16 @@ title: Ensure '/etc/system-fips' exists description: |- On a system where FIPS mode is enabled, /etc/system-fips must exist. + {{% if 'rhel' not in product %}} To enable FIPS mode, run the following command:
fips-mode-setup --enable
+ {{% else %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. + {{% endif %}} rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index affa378f4a81..840c7acac536 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -7,6 +7,7 @@ description: |- To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
{{{ package_install("dracut-fips") }}}
     dracut -f
+ {{% if 'rhel' not in product %}} After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below: @@ -19,6 +20,14 @@ description: |-
  • On UEFI-based machines, issue the following command as root:
    ~]# grub2-mkconfig -o {{{ grub2_uefi_boot_path }}}/grub.cfg
  • + {{% else %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. + {{% endif %}} + rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to @@ -60,7 +69,11 @@ warnings: - functionality: |- Running
    dracut -f
    will overwrite the existing initramfs file. - general: |- + {{% if 'rhel' not in product %}} The system needs to be rebooted for these changes to take effect. + {{% else %}} + To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml index b990669200c1..5d28e1c28081 100644 --- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml @@ -6,8 +6,17 @@ title: "Set kernel parameter 'crypto.fips_enabled' to 1" description: |- System running in FIPS mode is indicated by kernel parameter 'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. + {{% if 'rhel' not in product %}} To enable FIPS mode, run the following command:
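Review bot: The `general` warning in this hunk adds `{{% if 'rhel' not in product %}}` / `{{% else %}}` without a closing `{{% endif %}}`, so the template is unbalanced and the `regulatory` warning that follows ends up inside the else branch; add `      {{% endif %}}` after `...therefore is not supported.` The description hunk above is closed correctly, but its opening sentence (a context line, outside the guard) still tells every product, RHEL included, to install `dracut-fips` and run `dracut -f`, which the RHEL branch then declares unfixable; wrapping that lead-in in the same guard would make the RHEL text self-consistent.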
    fips-mode-setup --enable
    + {{% else %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. + {{% endif %}} + To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms @@ -56,7 +65,7 @@ warnings: See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design - information, and independent third party review by an accredited lab. While open source + information, and independent third parenable_dracut_fips_modulety review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml index 9438b2e0513d..42d010987187 100644 --- a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml 
@@ -38,7 +38,7 @@ ocil: |- warnings: - general: |- - To configure the OS to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes From 9fcef93d60baeced3cd32407d6f76e9959134adb Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 31 Jan 2025 07:28:12 -0600 Subject: [PATCH 340/403] Address feedback in #12946 --- .../fips/enable_dracut_fips_module/rule.yml | 1 + .../fips/enable_fips_mode/bash/shared.sh | 3 +- .../integrity/fips/enable_fips_mode/rule.yml | 33 ++++++++++--------- .../fips/etc_system_fips_exists/rule.yml | 13 ++++++++ .../fips/grub2_enable_fips_mode/rule.yml | 13 ++++++-- .../fips/sysctl_crypto_fips_enabled/rule.yml | 2 +- .../fips/system_booted_in_fips_mode/rule.yml | 2 +- 7 files changed, 44 insertions(+), 23 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml index f3d8f516774b..2490db3747f3 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml 
@@ -56,6 +56,7 @@ warnings: {{% else %}} To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. + {{% endif %}} - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh index 91574773a06b..0d0a79438e9d 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/bash/shared.sh @@ -1,8 +1,7 @@ # platform = multi_platform_all -{{{ bash_instantiate_variables("var_system_crypto_policy") }}} if {{{ bash_bootc_build() }}}; then - crypto_policies_no_reload="--no-reload" cat > /usr/lib/bootc/kargs.d/01-fips.toml << EOF kargs = ["fips=1"] EOF +fi diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index eaaa03aa8b4e..93b391ee0c6e 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -3,7 +3,19 @@ documentation_complete: true title: Enable FIPS Mode description: |- -{{% if product != "rhcos4" %}} +{{% if product == "rhcos4" %}} + OpenShift has an installation-time flag that can enable FIPS mode + for the cluster. The flag
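Review bot: In the enable_fips_mode/bash/shared.sh hunk the bootc branch now only writes the fips=1 kernel argument, while the `bootable_containers_supported` paragraph added to enable_fips_mode/rule.yml in this same commit tells the reader to also run `update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}`; with `{{{ bash_instantiate_variables("var_system_crypto_policy") }}}` removed, the remediation no longer performs that second step. Either drop the crypto-policy sentence from the description or keep the variable instantiation and add `update-crypto-policies --no-reload --set "$var_system_crypto_policy"` inside the `if` block before the new `fi`. The hunk ends at `+fi` with no trailing context, so the file presumably ends there and nothing later sets the policy — worth confirming.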
    fips: true
    must be enabled + at install time in the
    install-config.yaml
    file. If + this rule fails on an installed cluster, then this is a permanent + finding and cannot be fixed. +{{% elif 'rhel' in product %}} + {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. + The installer must be booted with fips=1 for the system to have FIPS mode + enabled. Enabling FIPS mode on a preexisting system is not supported. If + this rule fails on an installed system, then this is a permanent + finding and cannot be fixed. +{{% else %}} To enable FIPS mode, run the following command:
    fips-mode-setup --enable

    @@ -15,25 +27,14 @@ description: |-
  • Setting the system crypto policy in /etc/crypto-policies/config to {{{ xccdf_value("var_system_crypto_policy") }}}
  • Loading the Dracut fips module
  • - +{{% endif %}} +{{% if bootable_containers_supported == "true" %}}
    To enable FIPS mode at bootable container build time configure fips=1 kernel argument in /usr/lib/bootc/kargs.d/01-fips.toml:
    kargs = ["fips=1"]
    Then set the cryptographic policy to {{{ xccdf_value("var_system_crypto_policy") }}}:
    update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}
    -{{% elif 'rhel' in product %}} - {{{ full_name }}} has an installation-time kernel flag that can enable FIPS mode. - The installer must be booted with fips=1 for the system to have FIPS mode - enabled. Enabling FIPS mode on a preexisting system is not supported. If - this rule fails on an installed system, then this is a permanent - finding and cannot be fixed. -{{% else %}} - OpenShift has an installation-time flag that can enable FIPS mode - for the cluster. The flag
    fips: true
    must be enabled - at install time in the
    install-config.yaml
    file. If - this rule fails on an installed cluster, then this is a permanent - finding and cannot be fixed. {{% endif %}} rationale: |- @@ -64,13 +65,13 @@ ocil_clause: 'FIPS mode is not enabled' ocil: |- To verify that FIPS mode is enabled properly, run the following command: - +
    cat /proc/sys/crypto/fips_enabled
    The output be must:
    1
    warnings: - general: |- - To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- This rule DOES NOT CHECK if the components of the operating system are FIPS certified. diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml index 5ec317d92cb2..609d4cc0ebe2 100644 --- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml @@ -15,6 +15,14 @@ description: |- this rule fails on an installed system, then this is a permanent finding and cannot be fixed. {{% endif %}} +{{% if bootable_containers_supported == "true" %}} +
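Review bot: The bootable-container paragraph added under `{{% if bootable_containers_supported == "true" %}}` (the kargs.d/01-fips.toml instructions plus the update-crypto-policies line) is added verbatim to etc_system_fips_exists/rule.yml in the next file section of this commit; a Jinja macro for that paragraph would keep the two rule descriptions from drifting apart. In the ocil hunk the unchanged line `The output be must:` should read `The output must be:` — worth fixing while the hunk is open.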
    + To enable FIPS mode at bootable container build time configure fips=1 kernel argument + in /usr/lib/bootc/kargs.d/01-fips.toml: +
    kargs = ["fips=1"]
    + Then set the cryptographic policy to {{{ xccdf_value("var_system_crypto_policy") }}}: +
    update-crypto-policies --no-reload --set {{{ xccdf_value("var_system_crypto_policy") }}}
    +{{% endif %}} rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to @@ -39,7 +47,12 @@ ocil: |- warnings: - general: |- + {{% if 'rhel' not in product %}} The system needs to be rebooted for these changes to take effect. + {{% else %}} + To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. + {{% endif %}} - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index 840c7acac536..dd03fd5b0040 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -4,10 +4,10 @@ documentation_complete: true title: 'Enable FIPS Mode in GRUB2' description: |- + {{% if 'rhel' not in product %}} To ensure FIPS mode is enabled, install package dracut-fips, and rebuild initramfs by running the following commands:
    {{{ package_install("dracut-fips") }}}
         dracut -f
    - {{% if 'rhel' not in product %}} After the dracut command has been run, add the argument fips=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below: @@ -26,8 +26,14 @@ description: |- enabled. Enabling FIPS mode on a preexisting system is not supported. If this rule fails on an installed system, then this is a permanent finding and cannot be fixed. - {{% endif %}} + Verifying that the package dracut-fips is installed ensures FIPS mode is in + a good. + {{% endif %}} + To ensure FIPS mode is enabled, run the following commands: +
    +    {{{ package_install("dracut-fips") }}}
    +    
    rationale: |- Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to @@ -72,8 +78,9 @@ warnings: {{% if 'rhel' not in product %}} The system needs to be rebooted for these changes to take effect. {{% else %}} - To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. + {{% endif %}} - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml index 5d28e1c28081..61093f4b27c3 100644 --- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml @@ -65,7 +65,7 @@ warnings: See {{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}} To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design - information, and independent third parenable_dracut_fips_modulety review by an accredited lab. While open source + information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml index 42d010987187..baa361388aac 100644 
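Review bot: The new paragraph `To ensure FIPS mode is enabled, run the following commands:` followed by `{{{ package_install("dracut-fips") }}}` sits after the `{{% endif %}}`, so on RHEL products it directly follows text stating that FIPS mode cannot be enabled on an installed system and the finding is permanent, and on non-RHEL products it repeats the dracut-fips installation already given inside the `{{% if 'rhel' not in product %}}` branch. Either move it back inside that branch or reword it as a statement of what the check verifies, e.g. `This rule also verifies that the package dracut-fips is installed:`. `commands` is plural for a single command, and the sentence `Verifying that the package dracut-fips is installed ensures FIPS mode is in a good.` is truncated (it appears to be completed in a later commit on this page).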
--- a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml @@ -38,7 +38,7 @@ ocil: |- warnings: - general: |- - To configure the operating system to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes From 4ff92bacd558fc939a1eea4d3e9c8ac76261ac0a Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 31 Jan 2025 07:50:16 -0600 Subject: [PATCH 341/403] Adjust warnings for FIPS mode. --- .../system/software/integrity/fips/enable_fips_mode/rule.yml | 1 + .../software/integrity/fips/grub2_enable_fips_mode/rule.yml | 2 ++ .../software/integrity/fips/system_booted_in_fips_mode/rule.yml | 1 + 3 files changed, 4 insertions(+) diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index 93b391ee0c6e..1687fcac929b 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml 
@@ -72,6 +72,7 @@ ocil: |- warnings: - general: |- To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- This rule DOES NOT CHECK if the components of the operating system are FIPS certified. diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index dd03fd5b0040..7275f38726ce 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -79,7 +79,9 @@ warnings: The system needs to be rebooted for these changes to take effect. {{% else %}} To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. + {{% endif %}} - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml index baa361388aac..4abe60437a7d 100644 --- a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml 
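Review bot: The added sentence `Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.` lacks a verb in its second half; `... with FIPS-approved algorithms and that continuous monitoring tests are in place.` reads correctly. The same line is added to grub2_enable_fips_mode/rule.yml in the next hunk and to system_booted_in_fips_mode/rule.yml in the following file section; since the three general warnings are now word-for-word identical, a shared Jinja macro would keep them in sync.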
@@ -39,6 +39,7 @@ ocil: |- warnings: - general: |- To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation. + Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place. Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported. - regulatory: |- System Crypto Modules must be provided by a vendor that undergoes From 8a9b8066e14794ed951623d5f4f26232d5edd1a6 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 3 Feb 2025 07:29:25 -0600 Subject: [PATCH 342/403] Apply feedback in #12946 --- .../software/integrity/fips/grub2_enable_fips_mode/rule.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index 7275f38726ce..7c6d66886ab5 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -28,7 +28,7 @@ description: |- finding and cannot be fixed. Verifying that the package dracut-fips is installed ensures FIPS mode is in - a good. + a good state. {{% endif %}} To ensure FIPS mode is enabled, run the following commands:
    @@ -81,7 +81,6 @@ warnings:
             To configure {{{ full_name }}} to run in FIPS 140 mode, the kernel parameter "fips=1" needs to be added during its installation.
             Only enabling FIPS 140 mode during the {{{ full_name }}} installation ensures that the system generates all keys with FIPS-approved algorithms and continuous monitoring tests in place.
             Enabling FIPS mode on a preexisting system involves a number of modifications to it and therefore is not supported.
    -
             {{% endif %}}
         - regulatory: |-
             System Crypto Modules must be provided by a vendor that undergoes
    
    From c6a115a86cec6b1d3271d9ebba1fb4b059c01b38 Mon Sep 17 00:00:00 2001
    From: Matthew Burket 
    Date: Tue, 4 Feb 2025 09:41:39 -0600
    Subject: [PATCH 343/403] Remove enable_dracut_fips_module for RHEL 9
    
    ---
     .../software/integrity/fips/enable_fips_mode/oval/shared.xml    | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
    index fa7a4a7378a9..d3314b2f51d2 100644
    --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
    +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
    @@ -7,7 +7,7 @@
           
             
             
    -        {{%- if product not in ["rhel10"] -%}}
    +        {{%- if product not in ["rhel10", "rhel9"] -%}}
             
             {{%- endif -%}}
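Review bot: The product list `["rhel10", "rhel9"]` is hard-coded in this guard and again in a second guard of the same shared.xml (changed separately in the later commit "Remove the second enable_dracut_fips_module in enable_fips_mode"), so the two can drift exactly as they did between those two commits. Hoisting the list into a single `{{%- set ... -%}}` at the top of the file and referencing it from both `{{%- if product not in ... -%}}` conditionals would remove the duplication. The XML element lines around the conditional are empty in this rendering, so what the guard wraps is inferred from the commit subject rather than visible.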
    
    From a83357717f8ba3e8358e4c9fbf48940dc74c1ccf Mon Sep 17 00:00:00 2001
    From: Matthew Burket 
    Date: Tue, 4 Feb 2025 11:02:27 -0600
    Subject: [PATCH 344/403] Exclude enable_dracut_fips_module from bootc
    
    ---
     .../software/integrity/fips/enable_dracut_fips_module/rule.yml  | 2 ++
     1 file changed, 2 insertions(+)
    
    diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
    index 2490db3747f3..187038823bba 100644
    --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
    +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml
    @@ -49,6 +49,8 @@ ocil: |-
         The output should look like this:
         add_dracutmodules+=" fips "
     
    +platform: not bootc
    +
     warnings:
         - general: |-
             {{% if 'rhel' not in product %}}
    
    From 4adfbfed92c5cdb9437143f2c415e44ff43ddda7 Mon Sep 17 00:00:00 2001
    From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= 
    Date: Wed, 5 Feb 2025 17:00:31 +0100
    Subject: [PATCH 345/403] Fix Automatus tests
    
    Addressing:
    
    ```
    jcerny@fedora:~/work/git/scap-security-guide (master)$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel9 rsyslog_files_permissions
    Setting console output to log level INFO
    INFO - The base image option has not been specified, choosing libvirt-based test environment.
    INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2025-02-05-1658/test_suite.log
    ERROR - Unknown product name: mutli_platform_almalinux is not from Alibaba Cloud Linux 2, Alibaba Cloud Linux 3, AlmaLinux OS 9, Anolis OS 8, Anolis OS 23, Amazon Linux 2023, Chromium, Debian 11, Debian 12, Example, Amazon Elastic Kubernetes Service, Fedora, Firefox, Apple macOS 10.15, Kylin Server 10, Red Hat OpenShift Container Platform 4, Red Hat Enterprise Linux CoreOS 4, Oracle Linux 7, Oracle Linux 8, Oracle Linux 9, Oracle Linux 10, openEuler 2203, openSUSE, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 10, Red Hat Virtualization 4, SUSE Linux Enterprise 12, SUSE Linux Enterprise 15, SUSE Linux Enterprise Micro 5, Ubuntu 16.04, Ubuntu 18.04, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, OpenEmbedded, Not Applicable
    WARNING - Nothing has been tested!
    Traceback (most recent call last):
      File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/common.py", line 210, in _get_platform_cpes
        product = FULL_NAME_TO_PRODUCT_MAPPING[platform]
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^
    KeyError: 'mutli_platform_almalinux'
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/home/jcerny/work/git/scap-security-guide/tests/automatus.py", line 517, in 
        main()
        ~~~~^^
      File "/home/jcerny/work/git/scap-security-guide/tests/automatus.py", line 513, in main
        options.func(options)
        ~~~~~~~~~~~~^^^^^^^^^
      File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 715, in perform_rule_check
        checker.test_target()
        ~~~~~~~~~~~~~~~~~~~^^
      File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/oscap.py", line 683, in test_target
        self._test_target()
        ~~~~~~~~~~~~~~~~~^^
      File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 462, in _test_target
        test_content_by_rule_id = self._get_test_content_by_rule_id(
            rules_to_test)
      File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 444, in _get_test_content_by_rule_id
        rule_test_content = self._get_rule_test_content(rule)
      File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 419, in _get_rule_test_content
        if scenario.matches_regex_and_check_and_platform(
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
                self.scenarios_regex, checks, self.benchmark_cpes):
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 690, in matches_regex_and_check_and_platform
        and self.matches_platform(benchmark_cpes))
            ~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
      File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/rule.py", line 665, in matches_platform
        if common.matches_platform(
           ~~~~~~~~~~~~~~~~~~~~~~~^
                self.script_params["platform"], benchmark_cpes):
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/common.py", line 230, in matches_platform
        scenario_cpes |= _get_platform_cpes(p)
                         ~~~~~~~~~~~~~~~~~~^^^
      File "/home/jcerny/work/git/scap-security-guide/tests/ssg_test_suite/common.py", line 215, in _get_platform_cpes
        raise ValueError
    ValueError
    ```
    ---
     .../tests/legacy_correct_attr_include.pass.sh                   | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    diff --git a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh
    index 7a97e0d688cb..d27da1f43849 100755
    --- a/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh
    +++ b/shared/templates/rsyslog_logfiles_attributes_modify/tests/legacy_correct_attr_include.pass.sh
    @@ -1,5 +1,5 @@
     #!/bin/bash
    -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,mutli_platform_almalinux
    +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_almalinux
     
     # Declare variables used for the tests and define the create_rsyslog_test_logs function
     source $SHARED/rsyslog_log_utils.sh
    
    From 314071918fda291be6ae1339f9276801cd41d5ca Mon Sep 17 00:00:00 2001
    From: Matthew Burket 
    Date: Wed, 5 Feb 2025 13:14:25 -0600
    Subject: [PATCH 346/403] Remove the second enable_dracut_fips_module in
     enable_fips_mode
    
    ---
     .../software/integrity/fips/enable_fips_mode/oval/shared.xml    | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
    index d3314b2f51d2..ca46a3606f64 100644
    --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
    +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
    @@ -34,7 +34,7 @@
               comment="check contents of /proc/sys/crypto/fips_enabled"/>
             
    -        {{%- if product not in ["rhel10"] -%}}
    +        {{%- if product not in ["rhel10", "rhel9"] -%}}
             
             {{%- endif -%}}
    
    From 89f5bbcb183347fc54038a6b2a011679208fdca9 Mon Sep 17 00:00:00 2001
    From: vojtapolasek 
    Date: Fri, 7 Feb 2025 15:13:22 +0100
    Subject: [PATCH 347/403] replace wrong variable with the correct one
    
    In the RHEL 8 STIG profile, a wrong variable was used for the rule set_password_hashing_min_rounds_logindefs.
    The correct variable was not included in the profile at all, so its default value of 5000 was used.
    However, the STIG requires a value of 100000.
    Also, the variable var_password_pam_unix_rounds was set in the profile, but it is not used by any rule in the profile. It was removed to reduce confusion.
    ---
     products/rhel8/profiles/stig.profile                | 2 +-
     tests/data/profile_stability/rhel8/stig.profile     | 2 +-
     tests/data/profile_stability/rhel8/stig_gui.profile | 2 +-
     3 files changed, 3 insertions(+), 3 deletions(-)
    
    diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
    index 37acd9424ce9..69e09b07b229 100644
    --- a/products/rhel8/profiles/stig.profile
    +++ b/products/rhel8/profiles/stig.profile
    @@ -41,7 +41,7 @@ selections:
         - var_password_pam_remember_control_flag=requisite_or_required
         - var_selinux_state=enforcing
         - var_selinux_policy_name=targeted
    -    - var_password_pam_unix_rounds=5000
    +    - var_password_hashing_min_rounds_login_defs=100000
         - var_password_pam_minlen=15
         - var_password_pam_ocredit=1
         - var_password_pam_dcredit=1
    diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
    index a5496bb217d3..369d37cc3709 100644
    --- a/tests/data/profile_stability/rhel8/stig.profile
    +++ b/tests/data/profile_stability/rhel8/stig.profile
    @@ -443,7 +443,7 @@ selections:
     - var_password_pam_remember_control_flag=requisite_or_required
     - var_selinux_state=enforcing
     - var_selinux_policy_name=targeted
    -- var_password_pam_unix_rounds=5000
    +- var_password_hashing_min_rounds_login_defs=100000
     - var_password_pam_minlen=15
     - var_password_pam_ocredit=1
     - var_password_pam_dcredit=1
    diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
    index cc51fc30de16..d6308698ef7d 100644
    --- a/tests/data/profile_stability/rhel8/stig_gui.profile
    +++ b/tests/data/profile_stability/rhel8/stig_gui.profile
    @@ -449,7 +449,7 @@ selections:
     - var_password_pam_remember_control_flag=requisite_or_required
     - var_selinux_state=enforcing
     - var_selinux_policy_name=targeted
    -- var_password_pam_unix_rounds=5000
    +- var_password_hashing_min_rounds_login_defs=100000
     - var_password_pam_minlen=15
     - var_password_pam_ocredit=1
     - var_password_pam_dcredit=1
    
    From cfd3b0a268d2f6af5077acfd4fabcf701eb53942 Mon Sep 17 00:00:00 2001
    From: Alan Moore 
    Date: Fri, 7 Feb 2025 14:13:56 +0000
    Subject: [PATCH 348/403] Use pam-auth-update to create tests
    
    ---
     .../tests/commented.fail.sh                   | 15 ++++++++++-
     .../tests/common.sh                           | 27 -------------------
     .../tests/correct.pass.sh                     |  9 ++++---
     .../tests/missing.fail.sh                     |  4 ++-
     4 files changed, 23 insertions(+), 32 deletions(-)
     delete mode 100644 linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh
    
    diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh
    index 95830eba0ab3..aa776cf12db6 100644
    --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh
    +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/commented.fail.sh
    @@ -1,4 +1,17 @@
     #!/bin/bash
     # platform = multi_platform_ubuntu
     
    -sed -i 's/\(^.*pam_pwquality\.so.*\)/# \1/' /etc/pam.d/common-password
    +config_file=/usr/share/pam-configs/tmp_pwquality
    +cat << EOF > "$config_file"
    +Name: Pwquality password strength checking
    +Default: yes
    +Priority: 1025
    +Conflicts: cracklib, pwquality
    +Password-Type: Primary
    +Password:
    +    requisite                   # pam_pwquality.so
    +EOF
    +
    +DEBIAN_FRONTEND=noninteractive pam-auth-update
    +
    +rm "$config_file"
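Review bot: The `Password:` entry `requisite                   # pam_pwquality.so` does not yield a commented-out line in /etc/pam.d/common-password; pam-auth-update presumably emits it as `password requisite # pam_pwquality.so`, which libpam reads (everything after `#` being a comment) as a control field with no module — a malformed stack entry rather than the disabled-module configuration the scenario name describes; confirm against the generated file. If a commented line is the intent, write the profile with the real module as correct.pass.sh does, run pam-auth-update, and then comment the generated line with the previous `sed -i 's/\(^.*pam_pwquality\.so.*\)/# \1/' /etc/pam.d/common-password`; otherwise a comment stating that a broken entry is the intended fail condition would help the next reader. `Conflicts: cracklib, pwquality` also disables the distribution's own pwquality profile, which deserves a one-line comment since it changes system state beyond this single line.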
    diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh
    deleted file mode 100644
    index 02bd487048ce..000000000000
    --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/common.sh
    +++ /dev/null
    @@ -1,27 +0,0 @@
    -{{% if 'ubuntu' in product %}}
    -configuration_files=("common-password")
    -{{% elif product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
    -configuration_files=("password-auth" "system-auth")
    -{{% else %}}
    -configuration_files=("system-auth")
    -{{% endif %}}
    -
    -
    -{{% if product in ['ol8', 'ol9', 'rhel8', 'rhel9'] %}}
    -authselect create-profile testingProfile --base-on sssd
    -
    -for file in ${configuration_files[@]}; do
    -	sed -i --follow-symlinks "/pam_pwquality\.so/d" \
    -		"/etc/authselect/custom/testingProfile/$file"
    -done
    -authselect select --force custom/testingProfile
    -{{% elif 'ubuntu' in product %}}
    -rm -f /usr/share/pam-configs/pwquality
    -DEBIAN_FRONTEND=noninteractive pam-auth-update
    -{{% else %}}
    -for file in ${configuration_files[@]}; do
    -	sed -i --follow-symlinks "/pam_pwquality\.so/d" "/etc/pam.d/$file"
    -done
    -{{% endif%}}
    -
    -truncate -s 0 /etc/security/pwquality.conf
    diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh
    index a74d14e7eb36..2410b572b430 100644
    --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh
    +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/correct.pass.sh
    @@ -1,14 +1,17 @@
     #!/bin/bash
     # platform = multi_platform_ubuntu
     
    -cat << EOF > /usr/share/pam-configs/pwquality
    +config_file=/usr/share/pam-configs/tmp_pwquality
    +cat << EOF > "$config_file"
     Name: Pwquality password strength checking
     Default: yes
    -Priority: 1024
    -Conflicts: cracklib
    +Priority: 1025
    +Conflicts: cracklib, pwquality
     Password-Type: Primary
     Password:
         requisite                   pam_pwquality.so
     EOF
     
     DEBIAN_FRONTEND=noninteractive pam-auth-update
    +
    +rm "$config_file"
    diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh
    index feb4afc273da..d4fa608ae6bb 100644
    --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh
    +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_pwquality_enabled/tests/missing.fail.sh
    @@ -1,4 +1,6 @@
     #!/bin/bash
     # platform = multi_platform_ubuntu
     
    -source common.sh
    +rm /usr/share/pam-configs/*pwquality
    +
    +DEBIAN_FRONTEND=noninteractive pam-auth-update
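Review bot: `rm /usr/share/pam-configs/*pwquality` exits non-zero when the glob matches nothing (bash passes the pattern literally), e.g. on an image where no pwquality profile is installed, which would abort the scenario setup before pam-auth-update runs; `rm -f /usr/share/pam-configs/*pwquality` preserves the intended "missing" state in that case. The glob also removes the `tmp_pwquality` profile that the sibling scenarios create, which is fine here but worth a short comment.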
    
    From ffba247c67fbb8ced86caf7bc27e7eca29adfc78 Mon Sep 17 00:00:00 2001
    From: vojtapolasek 
    Date: Fri, 7 Feb 2025 16:59:53 +0100
    Subject: [PATCH 349/403] fix ansible remediation
    
    The regex was overly complicated and did not match values as expected.
    The conditionals were also extended so that they check whether the variables holding the values slurped from the file are defined at all.
    ---
     .../ansible/shared.yml                              | 13 ++++++-------
     1 file changed, 6 insertions(+), 7 deletions(-)
    
    diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/ansible/shared.yml
    index 5f07d8dad3dc..5eb4ff975035 100644
    --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/ansible/shared.yml
    +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/ansible/shared.yml
    @@ -22,30 +22,29 @@
     - name: "{{{ rule_title }}} - Ensure SHA_CRYPT_MIN_ROUNDS has Minimum Value of 5000"
       ansible.builtin.replace:
         path: /etc/login.defs
    -    regexp: '(^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)'
    +    regexp: '(^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?:\d+)(.*$)'
         replace: '\g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>'
         backup: no
    -  when: etc_login_defs_sha_crypt_min_rounds | length > 0 and etc_login_defs_sha_crypt_min_rounds | first | int < var_password_hashing_min_rounds_login_defs | int
    +  when: etc_login_defs_sha_crypt_min_rounds is defined and etc_login_defs_sha_crypt_min_rounds | length > 0 and etc_login_defs_sha_crypt_min_rounds | first | int < var_password_hashing_min_rounds_login_defs | int
     
     - name: "{{{ rule_title }}} - Ensure SHA_CRYPT_MAX_ROUNDS has Minimum Value of 5000"
       ansible.builtin.replace:
         path: /etc/login.defs
    -    regexp: '(^\s*SHA_CRYPT_MAX_ROUNDS\s+)(?!(?:[5-9]\d{3,}|\d{5,}))\S*(\s*$)'
    +    regexp: '(^\s*SHA_CRYPT_MAX_ROUNDS\s+)(?:\d+)(.*$)'
         replace: '\g<1>{{ var_password_hashing_min_rounds_login_defs }}\g<2>'
         backup: no
    -  when: etc_login_defs_sha_crypt_max_rounds | length > 0 and etc_login_defs_sha_crypt_max_rounds | first | int < var_password_hashing_min_rounds_login_defs | int
    +  when: etc_login_defs_sha_crypt_max_rounds is defined and etc_login_defs_sha_crypt_max_rounds | length > 0 and etc_login_defs_sha_crypt_max_rounds | first | int < var_password_hashing_min_rounds_login_defs | int
     
    -- name: "{{ rule_title }} - SHA_CRYPT_MIN_ROUNDS add configuration if not found"
    +- name: "{{{ rule_title }}} - SHA_CRYPT_MIN_ROUNDS add configuration if not found"
       ansible.builtin.lineinfile:
         line: "SHA_CRYPT_MIN_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}"
         path: /etc/login.defs
         state: present
       when: etc_login_defs_sha_crypt_min_rounds | length == 0
     
    -- name: "{{ rule_title }} - SHA_CRYPT_MAX_ROUNDS add configuration if not found"
    +- name: "{{{ rule_title }}} - SHA_CRYPT_MAX_ROUNDS add configuration if not found"
       ansible.builtin.lineinfile:
         line: "SHA_CRYPT_MAX_ROUNDS {{ var_password_hashing_min_rounds_login_defs }}"
         path: /etc/login.defs
         state: present
       when: etc_login_defs_sha_crypt_max_rounds | length == 0
    -
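Review bot: The `is defined` guard added to the two `replace` tasks is not mirrored in the two `lineinfile` tasks below, whose `when: etc_login_defs_sha_crypt_min_rounds | length == 0` and `when: etc_login_defs_sha_crypt_max_rounds | length == 0` still dereference the variables unconditionally; if the facts can be undefined, as the commit message says, those tasks error out instead of adding the missing setting. `when: etc_login_defs_sha_crypt_min_rounds is not defined or etc_login_defs_sha_crypt_min_rounds | length == 0` (and the same for max) would handle that case. Separately, the new regexp `(^\s*SHA_CRYPT_MIN_ROUNDS\s+)(?:\d+)(.*$)` only rewrites numeric values, so a non-numeric existing value is neither replaced here nor added by lineinfile; that may be acceptable but deserves a comment. The task that populates these variables is outside the hunk, so whether it can leave them undefined is inferred from the commit message.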
    
    From fda305d87096c84a77e2fb5762dd1eea5bcd837c Mon Sep 17 00:00:00 2001
    From: Evgeny Kolesnikov 
    Date: Mon, 10 Feb 2025 14:22:33 +0100
    Subject: [PATCH 350/403] Rule: sshd_include_crypto_policy, platform: not
     osbuild
    
    We temporarily(?) ignore the rule in Image Builder until
    we are able to sort out the problems with the sshd configuration
    without reinstalling the package (which is not possible in osbuild).
    ---
     .../services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml | 2 ++
     1 file changed, 2 insertions(+)
    
    diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml
    index a977985a458e..4db69e346123 100644
    --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml
    +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml
    @@ -35,3 +35,5 @@ fixtext: |-
         Configure the RHEL 9 SSH daemon to use systemwide crypto policies.
         Reinstall OpenSSH server package contents with the following command:
         
    sudo dnf -y remove openssh-server && sudo dnf -y install openssh-server
    + +platform: not osbuild From 64c1cab806268ac4ec32643d4326428b36888577 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Mon, 10 Feb 2025 10:26:21 +0000 Subject: [PATCH 351/403] Restart postfix instead of reload --- .../guide/services/mail/has_nonlocal_mta/tests/correct.pass.sh | 2 +- .../guide/services/mail/has_nonlocal_mta/tests/wrong.fail.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/services/mail/has_nonlocal_mta/tests/correct.pass.sh b/linux_os/guide/services/mail/has_nonlocal_mta/tests/correct.pass.sh index 14b25e5f9b9f..3be0e1776ea4 100644 --- a/linux_os/guide/services/mail/has_nonlocal_mta/tests/correct.pass.sh +++ b/linux_os/guide/services/mail/has_nonlocal_mta/tests/correct.pass.sh @@ -2,4 +2,4 @@ # packages = postfix echo "inet_interfaces = localhost" > /etc/postfix/main.cf -postfix reload || postfix start +postfix stop || postfix start diff --git a/linux_os/guide/services/mail/has_nonlocal_mta/tests/wrong.fail.sh b/linux_os/guide/services/mail/has_nonlocal_mta/tests/wrong.fail.sh index 929ce132a79e..0d113c378c60 100644 --- a/linux_os/guide/services/mail/has_nonlocal_mta/tests/wrong.fail.sh +++ b/linux_os/guide/services/mail/has_nonlocal_mta/tests/wrong.fail.sh @@ -3,4 +3,4 @@ # remediation = none echo "inet_interfaces = all" > /etc/postfix/main.cf -postfix reload || postfix start +postfix stop || postfix start From 2d594e1cc3cf56f1d7984c350ef825765917c376 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Mon, 10 Feb 2025 10:29:31 -0600 Subject: [PATCH 352/403] Remove RHEL 8 STIG reference from file_permission_user_init_files --- .../accounts-session/file_permission_user_init_files/rule.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml index 0fc7f9aa2ad0..7e09160aa472 100644 
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml @@ -28,7 +28,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-020710 stigid@ol8: OL08-00-010770 - stigid@rhel8: RHEL-08-010770 stigid@sle12: SLES-12-010760 stigid@sle15: SLES-15-040110 From 49a56dd34c00b050da924b84daf74ea5d947515f Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Tue, 11 Feb 2025 15:18:06 +0100 Subject: [PATCH 353/403] modify OVAL to check for different config flie format on rhel8 --- .../oval/shared.xml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml index 21d4e716dbcb..4fe7745d5e9c 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml @@ -16,20 +16,17 @@ {{{ PATH }}} - ^(?!#).*(-oCiphers=[^\s']+).*$ + {{%- if product == "rhel8" -%}} + ^(?!#).*-oCiphers=([^\s']+).*$ + {{%- else -%}} + ^(?!#).*Ciphers\s+([^\s']+).*$ + {{%- endif -%}} 1 - + - - - -oCiphers= - - - - From bc36f24dcb5a297519cf170784b030397ebaaaed Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Tue, 11 Feb 2025 15:47:42 +0100 Subject: [PATCH 354/403] rhel9 stig: correct placement of harden_sshd_ciphers_opensshserver_conf_crypto_policy it was assigned to a wrong stig --- controls/stig_rhel9.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml index 3e07fece5f92..32b70f00632f 100644 --- a/controls/stig_rhel9.yml +++ b/controls/stig_rhel9.yml 
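Review bot: The `(?!#)` lookahead in both new patterns (`^(?!#).*-oCiphers=([^\s']+).*$` and `^(?!#).*Ciphers\s+([^\s']+).*$`) only rejects lines whose first character is `#`, so a commented-out directive preceded by whitespace would still be read as the effective cipher list; `^(?!\s*#)` is the tighter form for both branches. The OVAL object and state elements around the pattern are not visible in this rendering, so how the captured group is compared cannot be confirmed from the hunk.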
@@ -1866,8 +1866,7 @@ controls: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections. rules: - - harden_sshd_ciphers_openssh_conf_crypto_policy - - sshd_approved_ciphers=stig_rhel9 + - sshd_include_crypto_policy status: automated - id: RHEL-09-255064 title: The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. @@ -1884,6 +1883,7 @@ controls: of SSH server connections. rules: - harden_sshd_ciphers_opensshserver_conf_crypto_policy + - sshd_approved_ciphers=stig_rhel9 status: automated - id: RHEL-09-255070 levels: From 10cc6d1b69c65e0fb37aae841506734063fdf155 Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Wed, 12 Feb 2025 09:59:57 +0100 Subject: [PATCH 355/403] add ol8 into if conditional --- .../oval/shared.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml index 4fe7745d5e9c..41994d946e1f 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/oval/shared.xml @@ -16,7 +16,7 @@ {{{ PATH }}} - {{%- if product == "rhel8" -%}} + {{%- if product in ["ol8", "rhel8"] -%}} ^(?!#).*-oCiphers=([^\s']+).*$ {{%- else -%}} ^(?!#).*Ciphers\s+([^\s']+).*$ From 60e9c9c4f3e3c7ecf367bcdfa304c3fd997115a6 Mon Sep 17 00:00:00 2001 
From: vojtapolasek
Date: Wed, 12 Feb 2025 10:00:21 +0100
Subject: [PATCH 356/403] add test scenarios for rhel9
---
 .../tests/rhel9_stig_correct.pass.sh | 19 +++++++++++++++++++
 .../tests/rhel9_stig_incorrect_policy.fail.sh | 15 +++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh
new file mode 100644
index 000000000000..2ec9a6dad889
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_correct.pass.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+# variables = sshd_approved_ciphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+# remediation = none
+
+sshd_approved_ciphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+correct_value="Ciphers ${sshd_approved_ciphers}"
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+# Proceed when file exists
+if [[ -f $configfile ]]; then
+ sed -i -r "s/Ciphers\s+\S+/${correct_value}/" $configfile
+else
+ echo "${correct_value}" > "$configfile"
+fi
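Review bot: In rhel9_stig_correct.pass.sh the `sed -i -r "s/Ciphers\s+\S+/${correct_value}/" $configfile` branch silently does nothing when the existing file has no `Ciphers` line, so the scenario can complete while the file still lacks the approved list and the pass result then depends on whatever was there before. Adding `grep -q 'Ciphers\s' "$configfile" || echo "${correct_value}" >> "$configfile"` after the sed (and quoting `"$configfile"` on the sed line) pins the intended state. The same pattern is in rhel9_stig_incorrect_policy.fail.sh in this commit, where a missing `Ciphers` line would leave a previously compliant file untouched and the scenario would not exercise the failure it is named for.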
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh
new file mode 100644
index 000000000000..9b464b3ebfa3
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_ciphers_opensshserver_conf_crypto_policy/tests/rhel9_stig_incorrect_policy.fail.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# platform = Red Hat Enterprise Linux 9
+# variables = sshd_approved_ciphers=aes256-gcm@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
+# remediation = none
+
+configfile=/etc/crypto-policies/back-ends/opensshserver.config
+
+# Ensure directory + file is there
+test -d /etc/crypto-policies/back-ends || mkdir -p /etc/crypto-policies/back-ends
+
+if [[ -f $configfile ]]; then
+ sed -i -r "s/Ciphers\s+\S+/Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc/" $configfile
+else
+ echo "Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc" > "$configfile"
+fi
From d1d78fe936fc007707d1cd8d1e170294990e9081 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov Date: Tue, 11 Feb 2025 22:56:54 +0100 Subject: [PATCH 357/403] Rule: sshd_include_crypto_policy, drop remediations, improve OVAL We are dropping all remediations for now, as the recommended one is questionable. OVAL now recognizes Include directive in any drop-in file, in case-insensitive and tolerant to different separators way. Dropping the 'not osbuild' platform as well. --- .../sshd_include_crypto_policy/ansible/shared.yml | 12 ------------ .../sshd_include_crypto_policy/bash/shared.sh | 5 ----- .../sshd_include_crypto_policy/oval/shared.xml | 8 ++++---- .../ssh_server/sshd_include_crypto_policy/rule.yml | 8 +++++--- .../sshd_include_crypto_policy/tests/confing.pass.sh | 10 ++++++++++ .../tests/default_pass.pass.sh | 9 --------- .../sshd_include_crypto_policy/tests/drop_in.pass.sh | 10 ++++++++++ .../tests/no_crypto.fail.sh | 11 ++++------- .../tests/no_drop_in.fail.sh | 11 ++++------- .../tests/no_includes.fail.sh | 9 +++------ 10 files changed, 40 insertions(+), 53 deletions(-) delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/ansible/shared.yml delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/bash/shared.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/confing.pass.sh delete mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/default_pass.pass.sh create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/drop_in.pass.sh diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/ansible/shared.yml deleted file mode 100644 index 0a923c9176f3..000000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/ansible/shared.yml +++ /dev/null 
@@ -1,12 +0,0 @@ -# platform = multi_platform_all -# complexity = low -# strategy = configure -# disruption = low -# reboot = false - -# the shell module is used because those three commands have to be executed in one Ansible task. -# Othervise the SSH server will be stopped and Ansible will be not able to conect again and continue. - -- name: "{{{ rule_title }}} - reinstall the openssh-server package" - ansible.builtin.shell: - cmd: dnf -y remove openssh-server; dnf -y install openssh-server; systemctl restart sshd.service diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/bash/shared.sh deleted file mode 100644 index 95970043405b..000000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/bash/shared.sh +++ /dev/null @@ -1,5 +0,0 @@ -# platform = multi_platform_all - -dnf -y remove openssh-server -dnf -y install openssh-server -systemctl restart sshd.service diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml index 131c785aeb8e..ab4185870853 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml @@ -14,19 +14,19 @@ /etc/ssh/sshd_config - ^Include /etc/ssh/sshd_config.d/\*.conf$ + ^[ \t]*(?i)Include(?-i)[ \t]+/etc/ssh/sshd_config\.d/\*.conf$ 1 - + - /etc/ssh/sshd_config - ^Include /etc/crypto-policies/back-ends/opensshserver\.config + /etc/ssh/(sshd_config|sshd_config\.d/.*\.conf) + ^[ \t]*(?i)Include(?-i)[ \t]+/etc/crypto-policies/back-ends/opensshserver\.config$ 1 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml index 4db69e346123..458832d7cfd6 100644 
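Review bot: The first new pattern escapes the dot in `sshd_config\.d` but not the one in `\*.conf`, so `^[ \t]*(?i)Include(?-i)[ \t]+/etc/ssh/sshd_config\.d/\*.conf$` also accepts e.g. `*Xconf`; `\*\.conf$` is the consistent form. More importantly, both patterns accept the Include anywhere in the file, while sshd applies the first value it obtains for a keyword, so an Include of the crypto-policy file placed after an explicit `Ciphers` line would satisfy this check without taking effect; if the rule intends to guarantee the policy is applied, a comment noting this limitation in the OVAL (or a fail scenario covering it) would be worthwhile. The surrounding object/state XML is stripped in this rendering, so only the patterns themselves are being reviewed.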
--- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml @@ -25,8 +25,8 @@ references: checktext: |- Verify that RHEL 9 implements DOD-approved encryption ciphers for SSH connections. Verify that the SSH configuration files include the path to the systemwide policy with the following command: -
    sudo grep -R Include /etc/ssh/sshd_config  /etc/ssh/sshd_config.d/
    -    
    +    
    sudo grep -R "Include /etc/ssh/sshd_config"  /etc/ssh/sshd_config.d/
    +
         /etc/ssh/sshd_config:Include /etc/ssh/sshd_config.d/*.conf
         /etc/ssh/sshd_config.d/50-redhat.conf:Include /etc/crypto-policies/back-ends/opensshserver.config
    If "Include /etc/ssh/sshd_config.d/*.conf" or "Include /etc/crypto-policies/back-ends/opensshserver.config" are not included in the system sshd config or if the file "/etc/ssh/sshd_config.d/50-redhat.conf" is missing, this is a finding. @@ -36,4 +36,6 @@ fixtext: |- Reinstall OpenSSH server package contents with the following command:
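Review bot: The new checktext command `sudo grep -R "Include /etc/ssh/sshd_config"  /etc/ssh/sshd_config.d/` cannot produce the sample output that follows it: it searches only the drop-in directory, so `/etc/ssh/sshd_config:Include /etc/ssh/sshd_config.d/*.conf` can never appear, and the fixed string `Include /etc/ssh/sshd_config` does not match `Include /etc/crypto-policies/back-ends/opensshserver.config` in `50-redhat.conf`. The removed form, `sudo grep -R Include /etc/ssh/sshd_config /etc/ssh/sshd_config.d/`, is the one consistent with both output lines and with the finding statement; if the change was intentional the expected output should be updated to match. This rendering has lost the `<pre>` markup, so the exact placement of the command lines within the hunk is partly inferred.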
    sudo dnf -y remove openssh-server && sudo dnf -y install openssh-server
    -platform: not osbuild +warnings: + - general: |- + There is no automated remediation because recommended action could severely disrupt the system and might not be efficient in fixing the problem. diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/confing.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/confing.pass.sh new file mode 100644 index 000000000000..58b9ed0e937a --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/confing.pass.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# remediation = none +# platform = multi_platform_all + +sed -i '/Include \/etc\/crypto-policies\/back-ends\/opensshserver.config/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf +echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/sshd_config + +if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then + echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config +fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/default_pass.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/default_pass.pass.sh deleted file mode 100644 index e280a7a56764..000000000000 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/default_pass.pass.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -if ! grep -q "Include /etc/crypto-policies/back-ends/opensshserver.config" /etc/ssh/ssh_config.d/*.conf /etc/ssh/sshd_config; then - echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/ssh_config.d/50-redhat.conf -fi - -if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then - echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/ssh_config -fi 
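Review bot: The new scenario file is named `tests/confing.pass.sh`, which looks like a typo for `config.pass.sh` and is worth renaming before it is cemented into the test history (the diffstat lists it under the same misspelling). The `sed -i '/Include \/etc\/crypto-policies\/back-ends\/opensshserver.config/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf` line passes an unquoted glob to sed, so on a platform with no drop-in files sed reports the literal pattern as an unreadable file; since the scenario is `multi_platform_all`, a preceding `shopt -s nullglob` or an existence check would keep the run clean. The same glob appears in `drop_in.pass.sh`, `no_crypto.fail.sh` and `no_includes.fail.sh` in this commit.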
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/drop_in.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/drop_in.pass.sh new file mode 100644 index 000000000000..d8bd0f740858 --- /dev/null +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/drop_in.pass.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# remediation = none +# platform = multi_platform_all + +sed -i '/Include \/etc\/crypto-policies\/back-ends\/opensshserver.config/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf +echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/sshd_config.d/50-redhat.conf + +if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then + echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config +fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_crypto.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_crypto.fail.sh index 1d0e92a4af00..e5bdc53cc5fa 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_crypto.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_crypto.fail.sh 
@@ -1,12 +1,9 @@ #!/bin/bash +# remediation = none +# platform = multi_platform_all -# this is done because the remediation will reset the /etc/ssh/sshd_config file -# which is modified by Automatus so that root can log in. -# This prevents Automatus from logging in for final scan. -echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/99-automatus.conf - -sed -i '/Include/d' /etc/ssh/sshd_config +sed -i '/Include \/etc\/crypto-policies\/back-ends\/opensshserver.config/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then - echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/ssh_config.d/50-redhat.conf + echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config fi diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_drop_in.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_drop_in.fail.sh index 2f2062ba7a9f..790e46320a92 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_drop_in.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_drop_in.fail.sh @@ -1,12 +1,9 @@ #!/bin/bash - -# this is done because the remediation will reset the /etc/ssh/sshd_config file -# which is modified by Automatus so that root can log in. -# This prevents Automatus from logging in for final scan. -echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/99-automatus.conf +# remediation = none +# platform = multi_platform_all sed -i '/Include/d' /etc/ssh/sshd_config -if ! grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config; then - echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/ssh_config +if ! grep -q "Include /etc/crypto-policies/back-ends/opensshserver.config" /etc/ssh/sshd_config.d/*.conf /etc/ssh/sshd_config; then + echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/sshd_config.d/50-redhat.conf fi 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_includes.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_includes.fail.sh index 43b43f23bc17..c821672d9449 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_includes.fail.sh +++ b/linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_includes.fail.sh @@ -1,8 +1,5 @@ #!/bin/bash +# remediation = none +# platform = multi_platform_all -# this is done because the remediation will reset the /etc/ssh/sshd_config file -# which is modified by Automatus so that root can log in. -# This prevents Automatus from logging in for final scan. -echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/99-automatus.conf - -sed -i '/Include/d' /etc/ssh/sshd_config +sed -i '/Include/d' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf From f02f6cda062e34c679de9e432159332793c0493b Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 6 Feb 2025 13:26:28 -0600 Subject: [PATCH 358/403] Update STIG description. --- products/rhel8/profiles/stig.profile | 2 +- products/rhel8/profiles/stig_gui.profile | 2 +- products/rhel9/profiles/stig.profile | 2 +- products/rhel9/profiles/stig_gui.profile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 69e09b07b229..0d9f04e8a727 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -14,7 +14,7 @@ description: |- This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 8 V2R2. - In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this + In addition to being applicable to Red Hat Enterprise Linux 8, this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: 
diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile index f8f777d4fbb7..4e9fcab30e0f 100644 --- a/products/rhel8/profiles/stig_gui.profile +++ b/products/rhel8/profiles/stig_gui.profile @@ -14,7 +14,7 @@ description: |- This profile contains configuration checks that align to the DISA STIG with GUI for Red Hat Enterprise Linux 8 V2R2. - In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this + In addition to being applicable to Red Hat Enterprise Linux 8, this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile index ceef6310f93d..c8e627ac7edd 100644 --- a/products/rhel9/profiles/stig.profile +++ b/products/rhel9/profiles/stig.profile @@ -14,7 +14,7 @@ description: |- This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 9 V2R3. - In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this + In addition to being applicable to Red Hat Enterprise Linux 9, this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as: diff --git a/products/rhel9/profiles/stig_gui.profile b/products/rhel9/profiles/stig_gui.profile index 05ba757a517a..5fcb5d07890e 100644 --- a/products/rhel9/profiles/stig_gui.profile +++ b/products/rhel9/profiles/stig_gui.profile @@ -15,7 +15,7 @@ description: |- DISA STIG for Red Hat Enterprise Linux 9 V2R3. - In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this + In addition to being applicable to Red Hat Enterprise Linux 9, this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as: 
From 411ae2d2a7cca15a24d490b98b7768fde02ce2ed Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 6 Feb 2025 13:59:12 -0600 Subject: [PATCH 359/403] Remove DRAFT from RHEL 10 profiles --- products/rhel10/profiles/anssi_bp28_enhanced.profile | 2 +- products/rhel10/profiles/anssi_bp28_high.profile | 2 +- products/rhel10/profiles/anssi_bp28_intermediary.profile | 2 +- products/rhel10/profiles/anssi_bp28_minimal.profile | 2 +- products/rhel10/profiles/e8.profile | 2 +- products/rhel10/profiles/hipaa.profile | 2 +- products/rhel10/profiles/ism_o.profile | 2 +- products/rhel10/profiles/ism_o_secret.profile | 2 +- products/rhel10/profiles/ism_o_top_secret.profile | 2 +- products/rhel10/profiles/pci-dss.profile | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/products/rhel10/profiles/anssi_bp28_enhanced.profile b/products/rhel10/profiles/anssi_bp28_enhanced.profile index 856f75340fc4..0f4cd020035c 100644 --- a/products/rhel10/profiles/anssi_bp28_enhanced.profile +++ b/products/rhel10/profiles/anssi_bp28_enhanced.profile @@ -5,7 +5,7 @@ metadata: - marcusburghardt - vojtapolasek -title: 'DRAFT - ANSSI-BP-028 (enhanced)' +title: 'ANSSI-BP-028 (enhanced)' description: |- This is a draft profile for experimental purposes. diff --git a/products/rhel10/profiles/anssi_bp28_high.profile b/products/rhel10/profiles/anssi_bp28_high.profile index 65f0cd2b4c19..7efc1c2a17d9 100644 --- a/products/rhel10/profiles/anssi_bp28_high.profile +++ b/products/rhel10/profiles/anssi_bp28_high.profile @@ -5,7 +5,7 @@ metadata: - marcusburghardt - vojtapolasek -title: 'DRAFT - ANSSI-BP-028 (high)' +title: 'ANSSI-BP-028 (high)' description: |- This is a draft profile for experimental purposes. diff --git a/products/rhel10/profiles/anssi_bp28_intermediary.profile b/products/rhel10/profiles/anssi_bp28_intermediary.profile index 0305bbe7fff5..71bd827e1b6c 100644 --- a/products/rhel10/profiles/anssi_bp28_intermediary.profile 
+++ b/products/rhel10/profiles/anssi_bp28_intermediary.profile @@ -5,7 +5,7 @@ metadata: - marcusburghardt - vojtapolasek -title: 'DRAFT - ANSSI-BP-028 (intermediary)' +title: 'ANSSI-BP-028 (intermediary)' description: |- This is a draft profile for experimental purposes. diff --git a/products/rhel10/profiles/anssi_bp28_minimal.profile b/products/rhel10/profiles/anssi_bp28_minimal.profile index 64810e08563f..36e00986297d 100644 --- a/products/rhel10/profiles/anssi_bp28_minimal.profile +++ b/products/rhel10/profiles/anssi_bp28_minimal.profile @@ -5,7 +5,7 @@ metadata: - marcusburghardt - vojtapolasek -title: 'DRAFT - ANSSI-BP-028 (minimal)' +title: 'ANSSI-BP-028 (minimal)' description: |- This is a draft profile for experimental purposes. diff --git a/products/rhel10/profiles/e8.profile b/products/rhel10/profiles/e8.profile index 25ec916fcdb3..528e9edd7896 100644 --- a/products/rhel10/profiles/e8.profile +++ b/products/rhel10/profiles/e8.profile @@ -7,7 +7,7 @@ metadata: reference: https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers -title: 'DRAFT - Australian Cyber Security Centre (ACSC) Essential Eight' +title: 'Australian Cyber Security Centre (ACSC) Essential Eight' description: |- This is a draft profile for experimental purposes. diff --git a/products/rhel10/profiles/hipaa.profile b/products/rhel10/profiles/hipaa.profile index ecddf30b4385..4367a1c48e2a 100644 --- a/products/rhel10/profiles/hipaa.profile +++ b/products/rhel10/profiles/hipaa.profile @@ -6,7 +6,7 @@ metadata: reference: https://www.hhs.gov/hipaa/for-professionals/index.html -title: 'DRAFT - Health Insurance Portability and Accountability Act (HIPAA)' +title: 'Health Insurance Portability and Accountability Act (HIPAA)' description: |- This is a draft profile for experimental purposes. diff --git a/products/rhel10/profiles/ism_o.profile b/products/rhel10/profiles/ism_o.profile index 6dbb5d9db512..247f824b8d39 100644 
--- a/products/rhel10/profiles/ism_o.profile +++ b/products/rhel10/profiles/ism_o.profile @@ -10,7 +10,7 @@ metadata: reference: https://www.cyber.gov.au/ism -title: 'DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Base' +title: 'Australian Cyber Security Centre (ACSC) ISM Official - Base' description: |- This draft profile contains configuration checks for Red Hat Enterprise Linux 10 diff --git a/products/rhel10/profiles/ism_o_secret.profile b/products/rhel10/profiles/ism_o_secret.profile index 2009523ef140..1941ed7704ed 100644 --- a/products/rhel10/profiles/ism_o_secret.profile +++ b/products/rhel10/profiles/ism_o_secret.profile @@ -10,7 +10,7 @@ metadata: reference: https://www.cyber.gov.au/ism -title: 'DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Secret' +title: 'Australian Cyber Security Centre (ACSC) ISM Official - Secret' description: |- This is a draft profile for experimental purposes. diff --git a/products/rhel10/profiles/ism_o_top_secret.profile b/products/rhel10/profiles/ism_o_top_secret.profile index badce3b8fe72..8a16d01a39e8 100644 --- a/products/rhel10/profiles/ism_o_top_secret.profile +++ b/products/rhel10/profiles/ism_o_top_secret.profile @@ -10,7 +10,7 @@ metadata: reference: https://www.cyber.gov.au/ism -title: 'DRAFT - Australian Cyber Security Centre (ACSC) ISM Official - Top Secret' +title: 'Australian Cyber Security Centre (ACSC) ISM Official - Top Secret' description: |- This draft profile contains configuration checks for Red Hat Enterprise Linux 10 diff --git a/products/rhel10/profiles/pci-dss.profile b/products/rhel10/profiles/pci-dss.profile index e23020b7aa94..3cc128132562 100644 --- a/products/rhel10/profiles/pci-dss.profile +++ b/products/rhel10/profiles/pci-dss.profile 
@@ -9,7 +9,7 @@ metadata: reference: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf -title: 'DRAFT - PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 10' +title: 'PCI-DSS v4.0.1 Control Baseline for Red Hat Enterprise Linux 10' description: |- This is a draft profile for experimental purposes. From b8ef1b48526f539fab9dff773bad35bc9572f283 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 6 Feb 2025 14:37:55 -0600 Subject: [PATCH 360/403] Update RHEL 10 STIG title --- products/rhel10/profiles/stig.profile | 6 +++--- products/rhel10/profiles/stig_gui.profile | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/products/rhel10/profiles/stig.profile b/products/rhel10/profiles/stig.profile index 23f0b9d026f5..9cb7d346ae7a 100644 --- a/products/rhel10/profiles/stig.profile +++ b/products/rhel10/profiles/stig.profile @@ -7,14 +7,14 @@ metadata: reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux -title: 'DRAFT - DISA STIG for Red Hat Enterprise Linux 10' +title: 'Red Hat STIG for Red Hat Enterprise Linux 10' description: |- - This is a draft profile for experimental purposes. + This is a profile based on what is expected in the RHEL 10 STIG. It is not based on the DISA STIG for RHEL 10, because it was not available at time of the release. - In addition to being applicable to Red Hat Enterprise Linux 10, DISA recognizes this + In addition to being applicable to Red Hat Enterprise Linux 10, this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 10. diff --git a/products/rhel10/profiles/stig_gui.profile b/products/rhel10/profiles/stig_gui.profile index e9699a43b7fc..550842ef03b3 100644 --- a/products/rhel10/profiles/stig_gui.profile +++ b/products/rhel10/profiles/stig_gui.profile 
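Review bot: The new description states the profile is `not based on the DISA STIG for RHEL 10`, yet the `reference:` context line just above it still points at `https://public.cyber.mil/stigs/downloads/...`, the DISA STIG download page, so the rendered guide cites DISA as the source while the text disclaims it. Consider pointing `reference:` at the Red Hat document the "expected" requirements are derived from, or state in the description that the DISA page is listed in anticipation of the official release. The stig_gui.profile hunk that follows has the same mismatch. The `description` block continues outside the hunk.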
@@ -7,14 +7,14 @@ metadata: reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux -title: 'DRAFT - DISA STIG for Red Hat Enterprise Linux 10' +title: 'Red Hat STIG for Red Hat Enterprise Linux 10' description: |- - This is a draft profile for experimental purposes. + This is a profile based on what is expected in the RHEL 10 STIG.: It is not based on the DISA STIG for RHEL 10, because it was not available at time of the release. - In addition to being applicable to Red Hat Enterprise Linux 10, DISA recognizes this + In addition to being applicable to Red Hat Enterprise Linux 10, this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 10. From 961c75f4a21c43769b0208858157d34711c7dea8 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Fri, 7 Feb 2025 07:36:27 -0600 Subject: [PATCH 361/403] Fix Grammar in STIG descriptions for RHEL --- products/rhel10/profiles/stig.profile | 2 +- products/rhel10/profiles/stig_gui.profile | 2 +- products/rhel8/profiles/stig.profile | 2 +- products/rhel9/profiles/stig.profile | 2 +- products/rhel9/profiles/stig_gui.profile | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/products/rhel10/profiles/stig.profile b/products/rhel10/profiles/stig.profile index 9cb7d346ae7a..aeb4b4ee87b1 100644 --- a/products/rhel10/profiles/stig.profile +++ b/products/rhel10/profiles/stig.profile @@ -15,7 +15,7 @@ description: |- the release. In addition to being applicable to Red Hat Enterprise Linux 10, this - configuration baseline as applicable to the operating system tier of + configuration baseline is applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 10. selections: diff --git a/products/rhel10/profiles/stig_gui.profile b/products/rhel10/profiles/stig_gui.profile index 550842ef03b3..bdc831d061b3 100644 --- a/products/rhel10/profiles/stig_gui.profile 
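Review bot: The added line `This is a profile based on what is expected in the RHEL 10 STIG.: It is not based on the DISA STIG for RHEL 10, ...` in stig_gui.profile has a stray `.:` that will appear verbatim in the rendered guide and datastream; it should read `This is a profile based on what is expected in the RHEL 10 STIG. It is not based on the DISA STIG for RHEL 10, because it was not available at time of the release.` The corresponding stig.profile hunk does not have the typo, so the two descriptions now also diverge. Since the GUI profile appears to extend `stig` (the `extends: stig` context line shows up in the next commit), keeping the two descriptions identical apart from the GUI mention would make future edits less error-prone.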
+++ b/products/rhel10/profiles/stig_gui.profile @@ -15,7 +15,7 @@ description: |- the release. In addition to being applicable to Red Hat Enterprise Linux 10, this - configuration baseline as applicable to the operating system tier of + configuration baseline is applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 10. extends: stig diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 0d9f04e8a727..45776497dae7 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -15,7 +15,7 @@ description: |- DISA STIG for Red Hat Enterprise Linux 8 V2R2. In addition to being applicable to Red Hat Enterprise Linux 8, this - configuration baseline as applicable to the operating system tier of + configuration baseline is applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Enterprise Linux Server diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile index c8e627ac7edd..cf67fa9777c5 100644 --- a/products/rhel9/profiles/stig.profile +++ b/products/rhel9/profiles/stig.profile @@ -15,7 +15,7 @@ description: |- DISA STIG for Red Hat Enterprise Linux 9 V2R3. In addition to being applicable to Red Hat Enterprise Linux 9, this - configuration baseline as applicable to the operating system tier of + configuration baseline is applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as: - Red Hat Enterprise Linux Server diff --git a/products/rhel9/profiles/stig_gui.profile b/products/rhel9/profiles/stig_gui.profile index 5fcb5d07890e..073ddfc0390f 100644 --- a/products/rhel9/profiles/stig_gui.profile +++ b/products/rhel9/profiles/stig_gui.profile 
@@ -16,7 +16,7 @@ description: |- In addition to being applicable to Red Hat Enterprise Linux 9, this - configuration baseline as applicable to the operating system tier of + configuration baseline is applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 9, such as: - Red Hat Enterprise Linux Server From 376694b0255fcc5151c5198af24513fe91361e80 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 11 Feb 2025 08:18:51 -0600 Subject: [PATCH 362/403] Fix RHEL 8 GUI STIG description --- products/rhel8/profiles/stig_gui.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile index 4e9fcab30e0f..0f9a28183419 100644 --- a/products/rhel8/profiles/stig_gui.profile +++ b/products/rhel8/profiles/stig_gui.profile @@ -15,7 +15,7 @@ description: |- DISA STIG with GUI for Red Hat Enterprise Linux 8 V2R2. In addition to being applicable to Red Hat Enterprise Linux 8, this - configuration baseline as applicable to the operating system tier of + configuration baseline is applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Enterprise Linux Server From 9587191a71137c66c588c854d3c392c3d1ae312f Mon Sep 17 00:00:00 2001 
From: Miha Purg Date: Thu, 13 Feb 2025 14:17:54 +0100 Subject: [PATCH 363/403] Align file_groupownership_system_commands_dirs with Ubuntu STIGs Modify bash and OVAL to exclude commands that are not Set Group ID upon execution (SGID) to align with Ubuntu STIGs. --- .../bash/shared.sh | 2 +- .../bash/ubuntu.sh | 6 ++++ .../oval/ubuntu.xml | 29 +++++++++++++++++++ .../tests/correct_groupownership_sgid.pass.sh | 19 ++++++++++++ .../system_account_groupownership.pass.sh | 3 ++ 5 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/ubuntu.sh create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/ubuntu.xml create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupownership_sgid.pass.sh diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh index 8ecb16700ce6..126824999fb1 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu +# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin do 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/ubuntu.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/ubuntu.sh new file mode 100644 index 000000000000..63000cbb72a2 --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/ubuntu.sh @@ -0,0 +1,6 @@ +# platform = multi_platform_ubuntu + +for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin +do + find -L $SYSCMDFILES ! -group root -type f ! -perm /2000 -exec chgrp root '{}' \; +done diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/ubuntu.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/ubuntu.xml new file mode 100644 index 000000000000..0b8eabbfc5ae --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/ubuntu.xml @@ -0,0 +1,29 @@ + + + {{{ oval_metadata(" + Checks that system commands in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin + are owned by root group. + ") }}} + + + + + + + + + + + + ^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin + ^.*$ + state_groupowner_system_commands_dirs_not_root_not_sgid + + + + 0 + false + + + diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupownership_sgid.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupownership_sgid.pass.sh new file mode 100644 index 000000000000..8f1286f5f950 --- /dev/null 
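Review bot: `find -L $SYSCMDFILES ! -group root -type f ! -perm /2000 -exec chgrp root '{}' \;` in the new ubuntu.sh follows every symbolic link below the listed directories, so a symlink in, say, /usr/local/bin that points outside them makes the remediation change the group of the link target wherever it lives. On merged-/usr Ubuntu `/bin` and `/sbin` are themselves symlinks, which is presumably why `-L` is used; `-H` resolves only the command-line arguments and leaves inner links alone: `find -H "$SYSCMDFILES" ! -group root -type f ! -perm /2000 -exec chgrp root '{}' \;`. The shared remediation appears to use the same `-L` pattern (the new test script does), so this may be worth fixing in both places rather than only here. A one-line comment noting that `! -perm /2000` deliberately skips SGID binaries because the Ubuntu STIG only covers non-SGID commands would also help the next reader, since the commit message is the only place that currently says so.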
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupownership_sgid.pass.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# platform = multi_platform_ubuntu + +for SYSLIBDIRS in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin +do + find -L $SYSLIBDIRS \! -group root -type f -exec chgrp root '{}' \; +done + +groupadd group_test + +for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me +do + if [[ ! -f $TESTFILE ]] + then + touch $TESTFILE + fi + chgrp group_test $TESTFILE + chmod g+s $TESTFILE +done diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/system_account_groupownership.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/system_account_groupownership.pass.sh index fd2b3aee7be5..5b4af26e24c5 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/system_account_groupownership.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/system_account_groupownership.pass.sh @@ -1,4 +1,7 @@ #!/bin/bash +{{% if 'ubuntu' in product %}} +# platform = Not Applicable +{{% endif %}} # gid of sshd group is 74 test_group="sshd" From 6b02c8da90feb790d329d7dbbb01df5023ba7e8b Mon Sep 17 00:00:00 2001 From: Jiri Jaburek Date: Tue, 20 May 2025 15:43:32 +0200 Subject: [PATCH 364/403] do not package kickstarts in .spec on CentOS Stream >= 10 Signed-off-by: Jiri Jaburek --- scap-security-guide.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scap-security-guide.spec b/scap-security-guide.spec index b49fdaf10857..4b487b8675e9 100644 --- a/scap-security-guide.spec 
+++ b/scap-security-guide.spec @@ -97,8 +97,8 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md %files %{_datadir}/xml/scap/ssg/content -# No kickstarts for Fedora -%if 0%{?_rhel_like} +# No kickstarts for Fedora or CentOS Stream 10+ +%if 0%{?_rhel_like} && 0%{?_rhel_like} < 10 %{_datadir}/%{name}/kickstart %endif %{_datadir}/%{name}/ansible/*.yml From ea6ac5de2313c3c7a240ab57379c422c2b083054 Mon Sep 17 00:00:00 2001 From: Jiri Jaburek Date: Tue, 20 May 2025 15:15:02 +0200 Subject: [PATCH 365/403] enable centos-stream-10 in Packit and on Testing Farm Signed-off-by: Jiri Jaburek --- .packit.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.packit.yaml b/.packit.yaml index eb3a21978ceb..329983ef6cf9 100644 --- a/.packit.yaml +++ b/.packit.yaml @@ -17,6 +17,7 @@ jobs: - fedora-all-x86_64 - centos-stream-8-x86_64 - centos-stream-9-x86_64 + - centos-stream-10-x86_64 - <<: *build trigger: commit @@ -31,6 +32,7 @@ jobs: targets: centos-stream-8: {} centos-stream-9: {} + centos-stream-10: {} # when modifying this, modify also tests/tmt-plans/ @@ -62,6 +64,9 @@ jobs: - <<: *test-static-checks identifier: /hardening/host-os/ansible/cui tmt_plan: /hardening/host-os/ansible/cui$ + targets: + centos-stream-8: {} + centos-stream-9: {} - <<: *test-static-checks identifier: /hardening/host-os/ansible/e8 tmt_plan: /hardening/host-os/ansible/e8$ @@ -104,6 +109,9 @@ jobs: - <<: *test-static-checks identifier: /hardening/host-os/oscap/cui tmt_plan: /hardening/host-os/oscap/cui$ + targets: + centos-stream-8: {} + centos-stream-9: {} - <<: *test-static-checks identifier: /hardening/host-os/oscap/e8 tmt_plan: /hardening/host-os/oscap/e8$ From 9c61c9c2b431312dcb64a0afacc310dab7b29795 Mon Sep 17 00:00:00 2001 
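Review bot: The `targets:` overrides added to the `/hardening/host-os/ansible/cui` and `/hardening/host-os/oscap/cui` jobs silently pin those two plans to centos-stream-8/9 while every other plan inherits the new centos-stream-10 target, and neither the file nor the commit message says why. Presumably the cui profile is not available for RHEL 10, but a reader will wonder whether the omission is an oversight; add a one-line comment above each override, such as `# cui profile is not shipped for centos-stream-10`, adjusted to the real reason. The `test-static-checks` anchor these jobs extend is outside the hunk.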
From: Jiri Jaburek Date: Tue, 20 May 2025 18:27:50 +0200 Subject: [PATCH 366/403] fix/rewrite bash remediation for chrony_set_nts The original code was really buggy: - it relied on a *running* ntpd process to signify whether ntpd or chronyd is used (presumably) - it was a copy/paste from (likely) some maxpoll code, inheriting its comment and 'grep -v' check, likely breaking the config on repeated remediation So I simply rewrote it to just detect the presence of files or the chrony.d directory, and if found, to do the modification. I also avoid re-reading all the files via bash line iteration and just let 'sed' do all the work. Signed-off-by: Jiri Jaburek --- .../ntp/chrony_set_nts/bash/shared.sh | 32 ++++++++----------- 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/linux_os/guide/services/ntp/chrony_set_nts/bash/shared.sh b/linux_os/guide/services/ntp/chrony_set_nts/bash/shared.sh index 10661cfea639..522c9ede0ec6 100644 --- a/linux_os/guide/services/ntp/chrony_set_nts/bash/shared.sh +++ b/linux_os/guide/services/ntp/chrony_set_nts/bash/shared.sh 
@@ -1,23 +1,19 @@ # platform = multi_platform_all -{{% if 'sle' in product or 'ubuntu' in product %}} -pof="/bin/pidof" -{{% else %}} -pof="/usr/sbin/pidof" -{{% endif %}} +config_files=(/etc/ntp.conf) +config_files+=("{{{ chrony_conf_path }}}") -CONFIG_FILES="/etc/ntp.conf" -$pof ntpd || { - CHRONY_D_PATH={{{ chrony_d_path }}} - mapfile -t CONFIG_FILES < <(find ${CHRONY_D_PATH}.* -type f -name '*.conf') - CONFIG_FILES+=({{{ chrony_conf_path }}}) -} +chrony_d_path={{{ chrony_d_path }}} +if [[ -d $chrony_d_path ]]; then + while IFS= read -r filename; do + config_files+=("$filename") + done < <(find "$chrony_d_path" -type f -name '*.conf') +fi -# get list of ntp files - -for config_file in "${CONFIG_FILES[@]}" ; do - # Add maxpoll to server, pool or peer entries without maxpoll - grep "^\(server\|pool\|peer\)" "$config_file" | grep -v maxpoll | while read -r line ; do - sed -i "s/$line/& nts/" "$config_file" - done +for config_file in "${config_files[@]}"; do + [[ -e $config_file ]] || continue + # if the line doesn't start with 'server/pool/peer ', just print it + # if the line does contain ' nts' already, skip it + # else append ' nts' to it + sed "/^\(server\|pool\|peer\) /! b; / nts/ b; s/$/ nts/" -i "$config_file" done From 7b49d23b668e413ea0d12d920765c88254dcc251 Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Tue, 27 May 2025 17:53:02 +0200 Subject: [PATCH 367/403] update links to documentation regarding time synchronization --- .../ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml | 4 ++-- .../ntp/chronyd_or_ntpd_specify_remote_server/rule.yml | 4 ++-- linux_os/guide/services/ntp/group.yml | 2 +- .../services/ntp/service_chronyd_or_ntpd_enabled/rule.yml | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml index 3b1be8ca0d5f..b6fe145a275f 100644 
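Review bot: The skip test `/ nts/ b` in the new `sed` expression matches the substring ` nts` anywhere on the line, so a `server` directive that already carries `ntsport 4460`, or whose hostname begins with `nts` (e.g. `server ntstime.example.com`), is treated as already configured and is never remediated, leaving the check failing after remediation. Anchor the word and tolerate a tab after the directive: `sed "/^\(server\|pool\|peer\)[[:space:]]/! b; /[[:space:]]nts\([[:space:]]\|$\)/ b; s/$/ nts/" -i "$config_file"`. Separately, `/etc/ntp.conf` is edited whenever it exists, and classic ntpd does not recognise an `nts` keyword (NTPsec does), so appending it there can break an ntpd configuration; if ntpd is not in scope for this rule, dropping it from `config_files` is the safer choice. The script is fully contained in the hunk.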
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/rule.yml @@ -12,8 +12,8 @@ description: |- {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/network/ol7-nettime.html") }}} {{% elif product == "ol8" %}} {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/network-ConfiguringNetworkTime.html#ol-nettime") }}} - {{% else %}} - {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% elif "rhel" in product %}} + {{{ weblink(link="https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/configuring_basic_system_settings/index#proc_migrating-to-chrony_configuring-time-synchronization") }}} {{% endif %}} for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons. diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml index ee298f97c9d3..3af19531a203 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/rule.yml 
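Review bot: Replacing `{{% else %}}` with `{{% elif "rhel" in product %}}` means any product not matched by an earlier branch (only the ol7/ol8 branches are visible; the rest of the chain is outside the hunk) now renders no link at all, and the text after `{{% endif %}}` — `for more detailed comparison of the features of both of the choices, ...` — dangles with nothing to refer to. Either keep a generic fallback in a final `{{% else %}}` branch, or move the whole sentence inside the conditional so non-RHEL products still get a well-formed description. The chronyd_or_ntpd_specify_remote_server hunk that follows has the same pattern. The description block starts outside the hunk.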
@@ -12,8 +12,8 @@ description: |- {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/7/network/ol7-nettime.html") }}} {{% elif product == "ol8" %}} {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/network-ConfiguringNetworkTime.html#ol-nettime") }}} - {{% else %}} - {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% elif "rhel" in product %}} + {{{ weblink(link="https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/configuring_basic_system_settings/index#proc_migrating-to-chrony_configuring-time-synchronization") }}} {{% endif %}} for more detailed comparison of the features of both of the choices, and for further guidance how to choose between the two NTP daemons. diff --git a/linux_os/guide/services/ntp/group.yml b/linux_os/guide/services/ntp/group.yml index 491616898c71..b77225241b91 100644 --- a/linux_os/guide/services/ntp/group.yml +++ b/linux_os/guide/services/ntp/group.yml @@ -60,7 +60,7 @@ description: |- {{% elif product == "rhel9" %}} {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_basic_system_settings/configuring-time-synchronization_configuring-basic-system-settings") }}} {{% elif product == "rhel10" %}} - {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/10/html/configuring_basic_system_settings/configuring-time-synchronization_configuring-basic-system-settings") }}} + {{{ weblink(link="https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/configuring_time_synchronization/index") }}} {{% elif "ubuntu" in product %}} {{{ weblink(link="https://help.ubuntu.com/lts/serverguide/NTP.html") }}} {{% elif "debian" in product %}} 
diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml index ec381ed28fef..b17a728c8a41 100644 --- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml +++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/rule.yml @@ -21,8 +21,8 @@ description: |- {{{ weblink(link="https://docs.oracle.com/en/operating-systems/oracle-linux/8/network/network-ConfiguringNetworkTime.html#ol-nettime") }}} {{% elif product in ["sle12", "sle15"] %}} {{{ weblink(link="https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-ntp.html") }}} - {{% else %}} - {{{ weblink(link="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite") }}} + {{% elif "rhel" in product %}} + {{{ weblink(link="https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html-single/configuring_basic_system_settings/index#proc_migrating-to-chrony_configuring-time-synchronization") }}} {{% endif %}} for guidance which NTP daemon to choose depending on the environment used. From a88e4d3297ee3f00cd26c15ff0ab66a3e00fcd94 Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Tue, 27 May 2025 17:53:24 +0200 Subject: [PATCH 368/403] update links to documentation regarding Bootc kernel arguments --- shared/macros/01-general.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/01-general.jinja b/shared/macros/01-general.jinja index 91ef574c1666..c08f72197097 100644 --- a/shared/macros/01-general.jinja +++ b/shared/macros/01-general.jinja @@ -1170,7 +1170,7 @@ The kernel arguments should be set in /usr/lib/bootc/kargs.d in a TOML # /usr/lib/bootc/kargs.d/10-example.toml kargs = ["{{{ arg_name_value }}}"]
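Review bot: In service_chronyd_or_ntpd_enabled the dropped `{{% else %}}` leaves products outside the ol8, sle12/sle15 and `"rhel" in product` branches (fedora, ubuntu, debian and others are presumably built from this rule) with no link, while the trailing text `for guidance which NTP daemon to choose depending on the environment used.` still assumes one precedes it. A final `{{% else %}}` with a generic link, or wrapping the entire sentence in the same conditional, keeps the rendered description coherent for every product. The description block starts outside the hunk.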
    -For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}. +For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://bootc-dev.github.io/bootc//building/kernel-arguments.html", text="Bootc documentation") }}}. {{%- endif -%}} {{%- endmacro -%}} @@ -1188,7 +1188,7 @@ Run the following command to update command line for already installed kernels: {{% if bootable_containers_supported == "true" %}} If the system is distributed as a bootable container image, GRUB2 can't be configured using the method described above, but the kernel arguments should be configured using TOML files located in the /usr/lib/bootc/kargs.d directory. Remove all occurences of {{{ arg_name }}} from all files in /usr/lib/bootc/kargs.d. -For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://containers.github.io/bootc/building/kernel-arguments.html", text="Bootc documentation") }}}. +For more details on configuring kernel arguments in bootable container images, please refer to {{{ weblink(link="https://bootc-dev.github.io/bootc//building/kernel-arguments.html", text="Bootc documentation") }}}. {{%- endif -%}} {{%- endmacro -%}} From 518abdcaa07b5395de514b42b67ff9029fb56e3c Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Wed, 27 Aug 2025 12:04:25 +0200 Subject: [PATCH 369/403] RHEL 9 STIG: align login timeout with the STIG policy --- controls/stig_rhel9.yml | 2 +- tests/data/profile_stability/rhel9/stig.profile | 2 +- tests/data/profile_stability/rhel9/stig_gui.profile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml index e72ed89a9ca0..e73e03964f9b 100644 --- a/controls/stig_rhel9.yml +++ b/controls/stig_rhel9.yml 
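Review bot: The new URL `https://bootc-dev.github.io/bootc//building/kernel-arguments.html` in both hunks has a doubled slash after `bootc`, which looks like a search-and-replace artefact; the server may tolerate it, but it is still a malformed link that ends up in every guide rendered from these macros. Use `https://bootc-dev.github.io/bootc/building/kernel-arguments.html` in both places. The context line `Remove all occurences of {{{ arg_name }}}` also carries a pre-existing typo (`occurrences`) that could be fixed while here. Both macro bodies start outside the hunks.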
@@ -2511,7 +2511,7 @@ controls: title: RHEL 9 must terminate idle user sessions. rules: - logind_session_timeout - - var_logind_session_timeout=10_minutes + - var_logind_session_timeout=15_minutes status: automated - id: RHEL-09-431010 diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile index ce70d942d263..451df9a817ce 100644 --- a/tests/data/profile_stability/rhel9/stig.profile +++ b/tests/data/profile_stability/rhel9/stig.profile @@ -514,7 +514,7 @@ var_auditd_name_format=stig var_auditd_space_left_action=email var_auditd_space_left_percentage=25pc var_authselect_profile=sssd -var_logind_session_timeout=10_minutes +var_logind_session_timeout=15_minutes var_multiple_time_servers=stig var_networkmanager_dns_mode=explicit_default var_password_hashing_algorithm=SHA512 diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile index 5e5724c567b8..4f92c3697ebf 100644 --- a/tests/data/profile_stability/rhel9/stig_gui.profile +++ b/tests/data/profile_stability/rhel9/stig_gui.profile @@ -512,7 +512,7 @@ var_auditd_name_format=stig var_auditd_space_left_action=email var_auditd_space_left_percentage=25pc var_authselect_profile=sssd -var_logind_session_timeout=10_minutes +var_logind_session_timeout=15_minutes var_multiple_time_servers=stig var_networkmanager_dns_mode=explicit_default var_password_hashing_algorithm=SHA512 From fb3056b7e3a1be6f3dc36c40cc9282353945bfad Mon Sep 17 00:00:00 2001 
From: vojtapolasek Date: Thu, 28 Aug 2025 15:52:27 +0200 Subject: [PATCH 370/403] Ansible: remediation use systemd instead of systemd_service compatibility with older ansible-core currently applied only to rules appearing in RHEL 9 profiles --- .../usbguard/usbguard_generate_policy/ansible/shared.yml | 2 +- .../disable_ctrlaltdel_reboot/ansible/shared.yml | 2 +- .../smart_card_login/service_pcscd_enabled/ansible/shared.yml | 2 +- shared/templates/timer_enabled/ansible.template | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml b/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml index 8fd7848735bd..ee943d1298d5 100644 --- a/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml +++ b/linux_os/guide/services/usbguard/usbguard_generate_policy/ansible/shared.yml @@ -38,7 +38,7 @@ {{%- if init_system == "systemd" %}} - name: Enable service usbguard - ansible.builtin.systemd_service: + ansible.builtin.systemd: name: "usbguard" enabled: "yes" state: "started" diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml index ad4fd2de1a53..60fa76e326fb 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml @@ -5,7 +5,7 @@ # disruption = low - name: Disable Ctrl-Alt-Del Reboot Activation - ansible.builtin.systemd_service: + ansible.builtin.systemd: name: ctrl-alt-del.target force: yes masked: yes 
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/ansible/shared.yml index 1c8164ebcc4d..18922992178e 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/service_pcscd_enabled/ansible/shared.yml @@ -11,7 +11,7 @@ {{%- if init_system == "systemd" %}} - name: Start service pcscd - ansible.builtin.systemd_service: + ansible.builtin.systemd: name: "pcscd" state: "started" masked: "no" diff --git a/shared/templates/timer_enabled/ansible.template b/shared/templates/timer_enabled/ansible.template index d0ca1996a5ce..68a7fd09d79b 100644 --- a/shared/templates/timer_enabled/ansible.template +++ b/shared/templates/timer_enabled/ansible.template @@ -10,7 +10,7 @@ manager: auto - name: Enable timer {{{ TIMERNAME }}} - ansible.builtin.systemd_service: + ansible.builtin.systemd: name: "{{{ TIMERNAME }}}.timer" enabled: "yes" state: "started" From 3704f2576f1498e5900a210a94b8553c45add53e Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Thu, 28 Aug 2025 15:47:03 -0500 Subject: [PATCH 371/403] Update STIG for RHEL 9 to allow for FIPS:STIG Fixes #13812 Fixes #13813 --- controls/stig_rhel9.yml | 2 +- .../software/integrity/crypto/var_system_crypto_policy.var | 1 + .../integrity/fips/enable_fips_mode/oval/shared.xml | 6 +++--- tests/data/profile_stability/rhel9/stig.profile | 2 +- tests/data/profile_stability/rhel9/stig_gui.profile | 2 +- 5 files changed, 7 insertions(+), 6 deletions(-) diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml index e73e03964f9b..b250bbd3b433 100644 --- a/controls/stig_rhel9.yml +++ b/controls/stig_rhel9.yml 
@@ -3814,7 +3814,7 @@ controls: rules: - enable_fips_mode - sysctl_crypto_fips_enabled - - var_system_crypto_policy=fips + - var_system_crypto_policy=fips_stig - enable_dracut_fips_module status: automated diff --git a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var index 8b89848d1220..47a6496bb080 100644 --- a/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var +++ b/linux_os/guide/system/software/integrity/crypto/var_system_crypto_policy.var @@ -17,6 +17,7 @@ options: default_nosha1: "DEFAULT:NO-SHA1" fips: FIPS fips_ospp: "FIPS:OSPP" + fips_stig: "FIPS:STIG" legacy: LEGACY future: FUTURE next: NEXT diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml index 4e6d9254aa03..dcf3ef58f083 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml @@ -119,12 +119,12 @@ - {{% if product in ["ol9","rhel9"] -%}} - ^FIPS(:OSPP)?$ + {{% if product in ["ol9","rhel9","rhel10","fedora"] -%}} + ^FIPS(:(OSPP|STIG))?$ {{%- else %}} {{# Legacy and more relaxed list of crypto policies that were historically considered FIPS-compatible. More recent products should use the more restricted list of options #}} - ^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$ + ^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA|STIG))?$ {{%- endif %}} diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile index 451df9a817ce..fddbf6ef3fbf 100644 --- a/tests/data/profile_stability/rhel9/stig.profile +++ b/tests/data/profile_stability/rhel9/stig.profile 
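Review bot: Adding `rhel10` and `fedora` to the first `{{% if product in [...] %}}` branch of enable_fips_mode tightens what those products accept (`FIPS:NO-SHA1` and `FIPS:NO-CAMELLIA` stop passing there) even though the commit is titled as a RHEL 9 STIG change; that product-scope change deserves a sentence in the commit message or a Jinja comment in the template so it is not mistaken for an accident. Accepting `FIPS:STIG` also appears to rely on the custom STIG subpolicy actually being present on the system, since the pattern only inspects the configured policy name, and the series later notes that fips_custom_stig_sub_policy is what creates that subpolicy. A short comment above the branch, e.g. `{{# FIPS:STIG is only valid once the STIG subpolicy from fips_custom_stig_sub_policy is installed #}}`, would record the dependency. The surrounding OVAL object and state are outside the hunk.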
@@ -540,7 +540,7 @@ var_sshd_disable_compression=no var_sshd_set_keepalive=1 var_sssd_certificate_verification_digest_function=sha512 var_sudo_timestamp_timeout=always_prompt -var_system_crypto_policy=fips +var_system_crypto_policy=fips_stig var_time_service_set_maxpoll=18_hours var_user_initialization_files_regex=all_dotfiles wireless_disable_interfaces diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile index 4f92c3697ebf..cf404ec3768b 100644 --- a/tests/data/profile_stability/rhel9/stig_gui.profile +++ b/tests/data/profile_stability/rhel9/stig_gui.profile @@ -538,7 +538,7 @@ var_sshd_disable_compression=no var_sshd_set_keepalive=1 var_sssd_certificate_verification_digest_function=sha512 var_sudo_timestamp_timeout=always_prompt -var_system_crypto_policy=fips +var_system_crypto_policy=fips_stig var_time_service_set_maxpoll=18_hours var_user_initialization_files_regex=all_dotfiles wireless_disable_interfaces From 6145304359365bf045edadd60b141c935ba6411f Mon Sep 17 00:00:00 2001 
From: vojtapolasek Date: Fri, 29 Aug 2025 18:06:58 +0200 Subject: [PATCH 372/403] fips group: apply platform directly to rules and remove it from group.yml the reason is that two rules, especially fips_crypto_subpolicy and fips_custom_stig_sub_policy make sense even on systems without kernel. Actually I think they should be located in the crypto group instead, but having them in this group somehow makes them having precedence before crypto rules are applied. And this is needed because the rule fips_custom_stig_sub_policy creates a new subpolicy. If the order is reversed, it currently causes trouble. --- .../software/integrity/fips/enable_dracut_fips_module/rule.yml | 2 +- .../system/software/integrity/fips/enable_fips_mode/rule.yml | 2 ++ .../software/integrity/fips/etc_system_fips_exists/rule.yml | 2 ++ .../integrity/fips/fips_crypto_policy_symlinks/rule.yml | 2 ++ linux_os/guide/system/software/integrity/fips/group.yml | 1 - .../software/integrity/fips/grub2_enable_fips_mode/rule.yml | 3 +-- .../software/integrity/fips/is_fips_mode_enabled/rule.yml | 2 ++ .../fips/package_dracut-fips-aesni_installed/rule.yml | 2 ++ .../integrity/fips/package_dracut-fips_installed/rule.yml | 2 ++ .../integrity/fips/sysctl_crypto_fips_enabled/rule.yml | 2 ++ .../integrity/fips/system_booted_in_fips_mode/rule.yml | 2 ++ 11 files changed, 18 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml index 8d4ecd4727b0..829a53d213ed 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/rule.yml @@ -47,7 +47,7 @@ ocil: |- The output should look like this: add_dracutmodules+=" fips " -platform: not bootc +platform: not bootc and system_with_kernel and not osbuild warnings: - general: |- 
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml index 8b652694279d..7c567a0d5e6f 100644 --- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/rule.yml @@ -83,3 +83,5 @@ fixtext: |- The installer for the system must be booted with kernel parameter fips=1. srg_requirement: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.' + +platform: system_with_kernel and not osbuild diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml index 989e1223218e..ca2531321476 100644 --- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml @@ -69,3 +69,5 @@ warnings: party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. + +platform: system_with_kernel and not osbuild diff --git a/linux_os/guide/system/software/integrity/fips/fips_crypto_policy_symlinks/rule.yml b/linux_os/guide/system/software/integrity/fips/fips_crypto_policy_symlinks/rule.yml index b23694a1e3ac..56e19cdfb215 100644 --- a/linux_os/guide/system/software/integrity/fips/fips_crypto_policy_symlinks/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/fips_crypto_policy_symlinks/rule.yml 
@@ -54,3 +54,5 @@ ocil: |- '/etc/crypto-policies/back-ends/openssl.config' -> '/usr/share/crypto-policies/FIPS/openssl.txt' '/etc/crypto-policies/back-ends/openssl_fips.config' -> '/usr/share/crypto-policies/FIPS/openssl_fips.txt'
    + +platform: system_with_kernel and not osbuild diff --git a/linux_os/guide/system/software/integrity/fips/group.yml b/linux_os/guide/system/software/integrity/fips/group.yml index b69c674bd0aa..3f83ffc5a41f 100644 --- a/linux_os/guide/system/software/integrity/fips/group.yml +++ b/linux_os/guide/system/software/integrity/fips/group.yml @@ -15,4 +15,3 @@ description: |-

    See {{{ weblink(link="http://csrc.nist.gov/publications/PubsFIPS.html") }}} for more information. -platform: system_with_kernel and not osbuild diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml index b84b094c48b6..c8f933db26b0 100644 --- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/rule.yml @@ -43,8 +43,7 @@ rationale: |- severity: high -platforms: - - grub2 +platform: grub2 and system_with_kernel and not osbuild identifiers: cce@rhel10: CCE-86191-4 diff --git a/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml index 3a98ed07a869..bc62444573da 100644 --- a/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml @@ -58,3 +58,5 @@ warnings: party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. + +platform: system_with_kernel and not osbuild diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml index f35c6a1804a7..9705dda83661 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/rule.yml @@ -54,3 +54,5 @@ warnings: party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. + +platform: system_with_kernel and not osbuild 
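Review bot: Removing `platform: system_with_kernel and not osbuild` from group.yml leaves nothing in the group recording that the restriction was deliberately pushed down to each rule, so a rule added to this group later will silently apply to kernel-less and osbuild targets too. The reason is only in the commit message; a YAML comment at the end of group.yml such as `# No group-level platform on purpose: most rules carry "system_with_kernel and not osbuild" themselves, while fips_crypto_subpolicy and fips_custom_stig_sub_policy must also apply to systems without a kernel` would preserve it. The same expression is now repeated verbatim in ten rule files on lines L1058 through L1064; if the build supports a named composite platform, defining it once would keep them from drifting, but I cannot confirm that from this page.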
diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml index c6c319d8dba7..b903dc76ca1e 100644 --- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/rule.yml @@ -58,3 +58,5 @@ template: pkgname: dracut-fips backends: oval: "off" + +platform: system_with_kernel and not osbuild diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml index 4a611e79117d..c69357589a8f 100644 --- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/rule.yml @@ -86,3 +86,5 @@ checktext: |- $ sudo fips-mode-setup --check FIPS mode is enabled. If FIPS mode is not enabled, this is a finding. + +platform: system_with_kernel and not osbuild diff --git a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml index 56f6819fe568..21c6ce831b79 100644 --- a/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/system_booted_in_fips_mode/rule.yml @@ -57,3 +57,5 @@ warnings: party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process. + +platform: system_with_kernel and not osbuild From dacab9ef3b983f224055d1f85657fd6732f65227 Mon Sep 17 00:00:00 2001 
From: vojtapolasek Date: Mon, 1 Sep 2025 15:23:51 +0200 Subject: [PATCH 373/403] update OVAL auditd_lineinfile macro to support specifying data type of the variable --- shared/macros/10-oval.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 51400e4c5152..733448fd3958 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -679,8 +679,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo :type missing_config_file_fail: bool #}} -{{%- macro oval_auditd_config(parameter='', value='', xccdf_variable='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false, rule_id=None, rule_title=None) %}} -{{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", xccdf_variable=xccdf_variable, missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, rule_id=rule_id, rule_title=rule_title) }}} +{{%- macro oval_auditd_config(parameter='', value='', xccdf_variable='', variable_datatype='string', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false, rule_id=None, rule_title=None) %}} +{{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^[ \\t]*(?i)", parameter=parameter, separator_regex='(?-i)[ \\t]*=[ \\t]*', value="(?i)"+value+"(?-i)", xccdf_variable=xccdf_variable, variable_datatype=variable_datatype, missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, rule_id=rule_id, rule_title=rule_title) }}} {{%- endmacro %}} From c7513419fce06f9f6138f57d48adf8dfd794fd33 Mon Sep 17 00:00:00 2001 
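Review bot: The new `variable_datatype='string'` parameter is inserted between `xccdf_variable` and `missing_parameter_pass` in the `oval_auditd_config` signature, so any caller that passes `missing_parameter_pass` or later arguments positionally now silently hands that value to `variable_datatype`; appending the parameter at the end of the list would avoid that, and the one caller visible on this page (the auditd_lineinfile oval.template hunk) uses keywords, so the move is cheap. The value is also passed straight through to `oval_check_config_file`, whose definition is outside this page, so I cannot confirm it accepts a `variable_datatype` keyword or which values it validates.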
From: vojtapolasek Date: Mon, 1 Sep 2025 15:24:36 +0200 Subject: [PATCH 374/403] auditd_lineinfile template: allow specifying data type of the XCCDF variable --- .../templates/auditd_lineinfile/oval.template | 9 +++++++-- .../templates/auditd_lineinfile/template.py | 19 ++++++++++++------- .../auditd_lineinfile/tests/commented.fail.sh | 4 ++-- .../tests/correct_value.pass.sh | 4 ++-- .../tests/double_assignment.fail.sh | 6 +++--- .../tests/wrong_value.fail.sh | 4 ++-- .../tests/wrong_value_capital.fail.sh | 2 +- 7 files changed, 29 insertions(+), 19 deletions(-) diff --git a/shared/templates/auditd_lineinfile/oval.template b/shared/templates/auditd_lineinfile/oval.template index c78c4f52037a..c5323730f663 100644 --- a/shared/templates/auditd_lineinfile/oval.template +++ b/shared/templates/auditd_lineinfile/oval.template @@ -3,13 +3,18 @@ oval_auditd_config( parameter=PARAMETER, xccdf_variable=XCCDF_VARIABLE, - missing_parameter_pass=MISSING_PARAMETER_PASS, rule_id=rule_id, rule_title=rule_title) + variable_datatype=VARIABLE_DATATYPE, + missing_parameter_pass=MISSING_PARAMETER_PASS, + rule_id=rule_id, + rule_title=rule_title) }}} {{%- else -%}} {{{ oval_auditd_config( parameter=PARAMETER, value=VALUE, - missing_parameter_pass=MISSING_PARAMETER_PASS, rule_id=rule_id, rule_title=rule_title) + missing_parameter_pass=MISSING_PARAMETER_PASS, + rule_id=rule_id, + rule_title=rule_title) }}} {{%- endif -%}} diff --git a/shared/templates/auditd_lineinfile/template.py b/shared/templates/auditd_lineinfile/template.py index 87fd98a85810..10c1c1be3cb2 100644 --- a/shared/templates/auditd_lineinfile/template.py +++ b/shared/templates/auditd_lineinfile/template.py 
@@ -10,15 +10,20 @@ def preprocess(data, lang): raise ValueError(errmsg) data["missing_parameter_pass"] = parse_template_boolean_value( data, parameter="missing_parameter_pass", default_value=False) + if "variable_datatype" not in data: + data["variable_datatype"] = "string" return set_variables_for_test_scenarios(data) def set_variables_for_test_scenarios(data): - if not data.get("value"): - # this implies XCCDF variable is used - data["wrong_value"] = "wrong_value" - data["correct_value"] = "correct_value" - else: - data["wrong_value"] = "wrong_value" - data["correct_value"] = str(data["value"]) + # if no correct value is specified, we will create one for testing purposes + if not data.get("test_correct_value"): + if not data.get("value"): + # this implies XCCDF variable is used + data["test_correct_value"] = "test_correct_value" + else: + data["test_correct_value"] = str(data["value"]) + # if no wrong value is provided, we will create one for testing purposes + if not data.get("test_wrong_value"): + data["test_wrong_value"] = "test_wrong_value" return data diff --git a/shared/templates/auditd_lineinfile/tests/commented.fail.sh b/shared/templates/auditd_lineinfile/tests/commented.fail.sh index f467ff961584..f023acc4caae 100644 --- a/shared/templates/auditd_lineinfile/tests/commented.fail.sh +++ b/shared/templates/auditd_lineinfile/tests/commented.fail.sh @@ -4,6 +4,6 @@ {{% endif%}} # packages = audit {{% if XCCDF_VARIABLE %}} -# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ TEST_CORRECT_VALUE }}} {{% endif %}} -echo "#{{{ PARAMETER }}} = {{{ CORRECT_VALUE }}}" > "/etc/audit/auditd.conf" +echo "#{{{ PARAMETER }}} = {{{ TEST_CORRECT_VALUE }}}" > "/etc/audit/auditd.conf" diff --git a/shared/templates/auditd_lineinfile/tests/correct_value.pass.sh b/shared/templates/auditd_lineinfile/tests/correct_value.pass.sh index 59cb82fc17c2..dc9ce9f5ec53 100644 
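Review bot: `if not data.get("test_correct_value"):` and `if not data.get("test_wrong_value"):` in `set_variables_for_test_scenarios` treat a legitimate falsy value as unset, which matters now that the next commit on this page (PATCH 375) passes YAML integers for these keys — a rule with `test_wrong_value: 0` would have its 0 replaced by the string "test_wrong_value"; `if data.get("test_correct_value") is None:` and `if data.get("test_wrong_value") is None:` keep the intent without that edge. The fallback strings set here, "test_correct_value" and "test_wrong_value", also disagree with the template_reference.md hunk in PATCH 376 on this page, which documents them as "corect_value" and "wrong_value"; one of the two should change so the docs match the code. Unlike the `value` branch, an explicitly supplied `test_correct_value` is not passed through `str()`, so the two paths produce different types. The enclosing `preprocess` starts above this hunk.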
--- a/shared/templates/auditd_lineinfile/tests/correct_value.pass.sh +++ b/shared/templates/auditd_lineinfile/tests/correct_value.pass.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit {{% if XCCDF_VARIABLE %}} -# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ TEST_CORRECT_VALUE }}} {{% endif %}} -echo "{{{ PARAMETER }}} = {{{ CORRECT_VALUE }}}" > "/etc/audit/auditd.conf" +echo "{{{ PARAMETER }}} = {{{ TEST_CORRECT_VALUE }}}" > "/etc/audit/auditd.conf" diff --git a/shared/templates/auditd_lineinfile/tests/double_assignment.fail.sh b/shared/templates/auditd_lineinfile/tests/double_assignment.fail.sh index a4b629de4b1c..2268dc8cd67f 100644 --- a/shared/templates/auditd_lineinfile/tests/double_assignment.fail.sh +++ b/shared/templates/auditd_lineinfile/tests/double_assignment.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash # packages = audit {{% if XCCDF_VARIABLE %}} -# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ TEST_CORRECT_VALUE }}} {{% endif %}} -echo "{{{ PARAMETER }}} = {{{ CORRECT_VALUE }}}" >> "/etc/audit/auditd.conf" -echo "{{{ PARAMETER }}} = wrong_value" >> "/etc/audit/auditd.conf" +echo "{{{ PARAMETER }}} = {{{ TEST_CORRECT_VALUE }}}" >> "/etc/audit/auditd.conf" +echo "{{{ PARAMETER }}} = {{{ TEST_WRONG_VALUE }}}" >> "/etc/audit/auditd.conf" diff --git a/shared/templates/auditd_lineinfile/tests/wrong_value.fail.sh b/shared/templates/auditd_lineinfile/tests/wrong_value.fail.sh index c6c80f9398a2..b924250258f4 100644 --- a/shared/templates/auditd_lineinfile/tests/wrong_value.fail.sh +++ b/shared/templates/auditd_lineinfile/tests/wrong_value.fail.sh 
@@ -1,6 +1,6 @@ #!/bin/bash # packages = audit {{% if XCCDF_VARIABLE %}} -# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +# variables = {{{ XCCDF_VARIABLE }}}={{{ TEST_CORRECT_VALUE }}} {{% endif %}} -echo "{{{ PARAMETER }}} = {{{ WRONG_VALUE | upper }}}" > "/etc/audit/auditd.conf" +echo "{{{ PARAMETER }}} = {{{ TEST_WRONG_VALUE }}}" > "/etc/audit/auditd.conf" diff --git a/shared/templates/auditd_lineinfile/tests/wrong_value_capital.fail.sh b/shared/templates/auditd_lineinfile/tests/wrong_value_capital.fail.sh index 177fe8badf59..da064ff1a0fb 100644 --- a/shared/templates/auditd_lineinfile/tests/wrong_value_capital.fail.sh +++ b/shared/templates/auditd_lineinfile/tests/wrong_value_capital.fail.sh @@ -1,6 +1,6 @@ #!/bin/bash # packages = audit {{% if XCCDF_VARIABLE %}} -# variables = {{{ XCCDF_VARIABLE }}}={{{ CORRECT_VALUE }}} +# platform = Not Applicable {{% endif %}} echo "{{{ PARAMETER | upper }}} = {{{ WRONG_VALUE | upper }}}" > "/etc/audit/auditd.conf" From 5edb8b9c06e849d156e3dd49f40ebcaf1e4beb8d Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Mon, 1 Sep 2025 15:25:08 +0200 Subject: [PATCH 375/403] auditd_freq: use new feature and specify data type of the variable --- .../configure_auditd_data_retention/auditd_freq/rule.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/rule.yml index fb1d4e488d9b..6ff39f3d04fb 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/rule.yml @@ -47,3 +47,6 @@ template: parameter: freq rule_id: auditd_freq xccdf_variable: var_auditd_freq + variable_datatype: int + test_correct_value: 50 + test_wrong_value: 1 From 2b35cc48b38693195bdbfc522d4953843b5acc26 Mon Sep 17 00:00:00 2001 
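Review bot: The unchanged last line of wrong_value_capital.fail.sh still renders `{{{ WRONG_VALUE | upper }}}`, but the template.py hunk in the same commit no longer sets `wrong_value` in the template data — the other four test scripts were switched to `TEST_WRONG_VALUE` and this one was missed, so the scenario renders either an empty string or a template error depending on how undefined names are handled. It should read `echo "{{{ PARAMETER | upper }}} = {{{ TEST_WRONG_VALUE | upper }}}" > "/etc/audit/auditd.conf"`. Replacing the `# variables =` line with `# platform = Not Applicable` also means the case-insensitivity check is no longer exercised at all for rules driven by an XCCDF variable; if that is intentional, a comment saying why would help. The auditd_freq rule.yml hunk on this line is fine as far as it goes.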
From: vojtapolasek Date: Mon, 1 Sep 2025 15:25:31 +0200 Subject: [PATCH 376/403] docs: update auditd_lineinfile template docs and describe new parameters --- docs/templates/template_reference.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index 8ea81e2282b8..fac809104719 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md @@ -31,6 +31,17 @@ - **xccdf_variable** - specifies an XCCDF variable to use as a value for the specified **parameter**. This parameter conflicts with the **value** parameter. + - **variable_datatype** - data type of the XCCDF variable specified by the xccdf_variable parameter, optional, default is string + + - **test_correct_value** - optional. If set, it will be used in test scenarios as a correct value. + If not set, the "value" parameter of the template will be used. + If XCCDF variable is used and the this option is not set, then a string "corect_value" will be used. + This parameter should be used in case the value is defined by an XCCDF variable and the value must be chosen from a strictly defined set of options. + + - **test_wrong_value** - optional. If set, this value will be used test scenarios as a incorrect value. + If not set, a string "wrong_value" will be used. + This parameter can be used in case that the value has to be chosen from strictly defined set of options. + - **missing_parameter_pass** - effective only in OVAL checks, if set to `"false"` and the parameter is not present in the configuration file, the OVAL check will return false (default value: `"false"`). From cca286489a45f853d668e9ad65051b3ace2462b7 Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Tue, 2 Sep 2025 09:22:09 +0200 Subject: [PATCH 377/403] document the new parameter in OVAL macro --- shared/macros/10-oval.jinja | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/shared/macros/10-oval.jinja b/shared/macros/10-oval.jinja index 733448fd3958..1ac9d730b2ef 100644 --- a/shared/macros/10-oval.jinja +++ b/shared/macros/10-oval.jinja @@ -671,6 +671,8 @@ Generates the :code:`` tag for OVAL check using correct product platfo :type value: str :param xccdf_variable: the name of an XCCDF variable carrying the value, this conflicts with the value parameter :type xccdf_variable: str +:param variable_datatype: data type of the XCCDF variable specified by the xccdf_variable parameter, optional, default is string +:type variable_datatype: str :param missing_parameter_pass: If set, the check will also pass if the parameter is not present in the configuration file (default is applied). :type missing_parameter_pass: bool :param multi_value: If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. From 10514494e474b8399b04cc49c75c6924b11a3d75 Mon Sep 17 00:00:00 2001 From: vojtapolasek Date: Tue, 2 Sep 2025 09:22:28 +0200 Subject: [PATCH 378/403] fix grammar in documentation --- docs/templates/template_reference.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md index fac809104719..96b96439ba39 100644 --- a/docs/templates/template_reference.md +++ b/docs/templates/template_reference.md 
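Review bot: The new `:param variable_datatype:` entry says what the parameter is for but not which values are accepted, and since the value ends up in generated OVAL it is the OVAL datatype vocabulary that matters. Something like `:param variable_datatype: OVAL datatype of the XCCDF variable named by xccdf_variable (e.g. string, int, boolean); optional, defaults to string` would let a rule author pick a valid value without reading the generated XML.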
@@ -35,10 +35,10 @@ - **test_correct_value** - optional. If set, it will be used in test scenarios as a correct value. If not set, the "value" parameter of the template will be used. - If XCCDF variable is used and the this option is not set, then a string "corect_value" will be used. + If XCCDF variable is used and this option is not set, then a string "corect_value" will be used. This parameter should be used in case the value is defined by an XCCDF variable and the value must be chosen from a strictly defined set of options. - - **test_wrong_value** - optional. If set, this value will be used test scenarios as a incorrect value. + - **test_wrong_value** - optional. If set, this value will be used in test scenarios as an incorrect value. If not set, a string "wrong_value" will be used. This parameter can be used in case that the value has to be chosen from strictly defined set of options. @@ -630,10 +630,10 @@ When the remediation is applied duplicate occurrences of `key` are removed. - **test_correct_value** - optional. If set, it will be used in test scenarios as a correct value. If not set, the "value" parameter of the template will be used. - If XCCDF variable is used and the this option is not set, then a string "corect_value" will be used. + If XCCDF variable is used and this option is not set, then a string "corect_value" will be used. This parameter should be used in case the value is defined by an XCCDF variable and the value must be chosen from a strictly defined set of options. - - **test_wrong_value** - optional. If set, this value will be used test scenarios as a incorrect value. + - **test_wrong_value** - optional. If set, this value will be used in test scenarios as an incorrect value. If not set, a string "wrong_value" will be used. This parameter can be used in case that the value has to be chosen from strictly defined set of options. From 25b1ab431567981ceaae81319410bbf913d43e62 Mon Sep 17 00:00:00 2001 
From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Tue, 2 Sep 2025 13:14:20 +0200 Subject: [PATCH 379/403] remove rpm_verify_permissions to prevent conflicts --- controls/bsi_sys_1_1_rhel9.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/controls/bsi_sys_1_1_rhel9.yml b/controls/bsi_sys_1_1_rhel9.yml index 938bb0215546..763bd3b303a3 100644 --- a/controls/bsi_sys_1_1_rhel9.yml +++ b/controls/bsi_sys_1_1_rhel9.yml @@ -525,6 +525,12 @@ controls: - rpm_verify_hashes - rpm_verify_ownership + + related_rules: + # while rpm_verify_permissions is a part of how to detect changes, it conflicts + # with permission hardening rules like the cron_permissions rules and therelike. + # it is more important to harden the permissions to prevent change, than it is to + # ensure that the permissions are the same as in the rpm database. - rpm_verify_permissions - id: SYS.1.1.A28 From 5f84d242ef465f7e40771931ffcaa477c0211ec0 Mon Sep 17 00:00:00 2001 From: sluetze <13255307+sluetze@users.noreply.github.com> Date: Tue, 2 Sep 2025 13:16:19 +0200 Subject: [PATCH 380/403] remove rolling profile to align to rhel defaults and prevent irritations --- products/rhel9/profiles/bsi-2022.profile | 28 ------------------------ products/rhel9/profiles/bsi.profile | 8 ++++++- 2 files changed, 7 insertions(+), 29 deletions(-) delete mode 100644 products/rhel9/profiles/bsi-2022.profile diff --git a/products/rhel9/profiles/bsi-2022.profile b/products/rhel9/profiles/bsi-2022.profile deleted file mode 100644 index f2f530ff8538..000000000000 --- a/products/rhel9/profiles/bsi-2022.profile +++ /dev/null 
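Review bot: The added comment explains the trade-off well, but "and therelike" is not a phrase; `# with permission hardening rules such as the cron_permissions rules and similar ones.` reads cleanly. It would also be worth stating the consequence explicitly, since moving `rpm_verify_permissions` under `related_rules` means this control no longer detects permission drift against the RPM database at all, e.g. `# consequence: permission changes are no longer detected via rpm -V; the hardening rules are the control here`. Indentation is lost in this rendering, so I cannot confirm that `- rpm_verify_permissions` now nests under `related_rules:` rather than remaining in `rules:`.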
@@ -1,28 +0,0 @@ -documentation_complete: true - -title: 'BSI SYS.1.1 and SYS.1.3' - -reference: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf - -metadata: - SMEs: - - sluetze - version: 2022 - -description: |- - This profile defines a baseline that aligns to the BSI (Federal Office for Security Information) IT-Grundschutz - Basic-Protection. - - This baseline implements OS-Level configuration requirements from the following - sources: - - - Building-Block SYS.1.1 General Server - - Building-Block SYS.1.3 Linux Server - -selections: - - bsi_sys_1_1_rhel9:all - - bsi_sys_1_3_rhel9:all - - # BSI APP.4.4.A4 - - var_selinux_policy_name=targeted - - var_selinux_state=enforcing diff --git a/products/rhel9/profiles/bsi.profile b/products/rhel9/profiles/bsi.profile index 71b0d51441c0..f2f530ff8538 100644 --- a/products/rhel9/profiles/bsi.profile +++ b/products/rhel9/profiles/bsi.profile @@ -19,4 +19,10 @@ description: |- - Building-Block SYS.1.1 General Server - Building-Block SYS.1.3 Linux Server -extends: bsi-2022 +selections: + - bsi_sys_1_1_rhel9:all + - bsi_sys_1_3_rhel9:all + + # BSI APP.4.4.A4 + - var_selinux_policy_name=targeted + - var_selinux_state=enforcing From 0232649f1ede42e4543c618b6816de20a7992d3a Mon Sep 17 00:00:00 2001 
From: Matthew Burket Date: Wed, 3 Sep 2025 09:26:07 -0500 Subject: [PATCH 381/403] public.cyber.mil -> www.cyber.mil --- DISCLAIMER | 2 +- build-scripts/verify_references.py | 2 +- controls/stig_slmicro5.yml | 2 +- controls/stig_ubuntu2204.yml | 2 +- docs/manual/developer/03_creating_content.md | 2 +- .../developer/05_tools_and_utilities.md | 2 +- docs/manual/user/20_scanning.md | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/chromium/profiles/stig.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/example/new_product.sh | 4 ++-- products/firefox/profiles/stig.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/ocp4/profiles/stig-node.profile | 2 +- products/ocp4/profiles/stig.profile | 2 +- products/ol10/profiles/stig.profile | 2 +- products/ol10/profiles/stig_gui.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/ol8/profiles/stig.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/ol9/profiles/stig.profile | 2 +- products/ol9/profiles/stig_gui.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/rhel10/profiles/stig.profile | 2 +- products/rhel10/profiles/stig_gui.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/rhel8/profiles/stig.profile | 2 +- products/rhel8/profiles/stig_gui.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/rhel9/profiles/stig.profile | 2 +- products/rhel9/profiles/stig_gui.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/rhv4/profiles/rhvh-stig.profile | 2 +- 
.../xccdf2table-profileccirefs.xslt | 2 +- products/sle12/profiles/stig.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/sle15/profiles/stig.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/slmicro5/profiles/stig.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/ubuntu2204/profiles/stig.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- products/ubuntu2404/profiles/stig.profile | 2 +- .../xccdf2table-profileccirefs.xslt | 2 +- shared/transforms/shared_constants.xslt | 20 +++++++++---------- .../shared_xccdf-apply-overlay-stig.xslt | 4 ++-- ssg/constants.py | 18 ++++++++--------- tests/data/product_stability/alinux2.yml | 12 +++++------ tests/data/product_stability/alinux3.yml | 12 +++++------ tests/data/product_stability/anolis23.yml | 12 +++++------ tests/data/product_stability/anolis8.yml | 12 +++++------ tests/data/product_stability/chromium.yml | 12 +++++------ tests/data/product_stability/debian11.yml | 12 +++++------ tests/data/product_stability/debian12.yml | 12 +++++------ tests/data/product_stability/debian13.yml | 12 +++++------ tests/data/product_stability/eks.yml | 12 +++++------ tests/data/product_stability/example.yml | 12 +++++------ tests/data/product_stability/fedora.yml | 12 +++++------ tests/data/product_stability/firefox.yml | 12 +++++------ tests/data/product_stability/ocp4.yml | 10 +++++----- tests/data/product_stability/ol7.yml | 12 +++++------ tests/data/product_stability/ol8.yml | 12 +++++------ tests/data/product_stability/ol9.yml | 12 +++++------ tests/data/product_stability/openembedded.yml | 12 +++++------ tests/data/product_stability/opensuse.yml | 12 +++++------ tests/data/product_stability/rhcos4.yml | 10 +++++----- tests/data/product_stability/rhel10.yml | 12 +++++------ tests/data/product_stability/rhel8.yml | 12 +++++------ tests/data/product_stability/rhel9.yml | 12 +++++------ 
tests/data/product_stability/rhv4.yml | 12 +++++------ tests/data/product_stability/sle12.yml | 12 +++++------ tests/data/product_stability/sle15.yml | 12 +++++------ tests/data/product_stability/ubuntu2204.yml | 12 +++++------ tests/data/product_stability/ubuntu2404.yml | 12 +++++------ tests/stig_srg_mapping.py | 2 +- tests/unit/ssg-module/data/accounts_tmout.xml | 4 ++-- utils/build_stig_control.py | 2 +- utils/create-stig-overlay.py | 8 ++++---- 90 files changed, 246 insertions(+), 246 deletions(-) diff --git a/DISCLAIMER b/DISCLAIMER index 683826fd0cc1..5d0267f975d7 100644 --- a/DISCLAIMER +++ b/DISCLAIMER @@ -5,7 +5,7 @@ serving as the upstream development environment for Red Hat Product STIGS. As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. For official DISA FSO STIG content, -refer to https://public.cyber.mil/stigs/. +refer to https://www.cyber.mil/stigs/. While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT diff --git a/build-scripts/verify_references.py b/build-scripts/verify_references.py index 1e50e0d2ba20..882b8d2b868b 100755 --- a/build-scripts/verify_references.py +++ b/build-scripts/verify_references.py @@ -40,7 +40,7 @@ # we use these strings to look for references within the XCCDF rules nist_ref_href = "http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" -disa_ref_href = "https://public.cyber.mil/stigs/cci/" +disa_ref_href = "https://www.cyber.mil/stigs/cci/" # default exit value - success exit_value = 0 diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml index fa52b8fc3695..d39b265fff84 100644 --- a/controls/stig_slmicro5.yml +++ b/controls/stig_slmicro5.yml 
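Review bot: `disa_ref_href` in build-scripts/verify_references.py is compared against the hrefs emitted into the built XCCDF, so this string is only correct while every emitter (ssg/constants.py and the xccdf2table-profileccirefs.xslt files in the diffstat) agrees with it; the diffstat suggests they were all changed together, but nothing ties them to each other. A comment such as `# must match the DISA CCI href in ssg/constants.py and the product XSLT transforms` next to the assignment would prevent the next host rename from being partial. Because the href also serves as an identifier for downstream consumers of the datastreams, the change in emitted reference values is worth a line in the commit message as well.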
@@ -2,7 +2,7 @@ policy: SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide title: SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide id: stig_slmicro5 -source: https://public.cyber.mil/stigs/downloads/ +source: https://www.cyber.mil/stigs/downloads/ version: V1R2 reference_type: stigid product: slmicro5 diff --git a/controls/stig_ubuntu2204.yml b/controls/stig_ubuntu2204.yml index 2d2e9bb8bfae..db8a53a9bcca 100644 --- a/controls/stig_ubuntu2204.yml +++ b/controls/stig_ubuntu2204.yml @@ -3,7 +3,7 @@ policy: Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG title: Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) id: stig_ubuntu2204 version: V2R3 -source: https://public.cyber.mil/stigs/downloads/ +source: https://www.cyber.mil/stigs/downloads/ levels: - id: high diff --git a/docs/manual/developer/03_creating_content.md b/docs/manual/developer/03_creating_content.md index 9bb20f59d27f..633123b11127 100644 --- a/docs/manual/developer/03_creating_content.md +++ b/docs/manual/developer/03_creating_content.md @@ -538,7 +538,7 @@ EOF ``` cat << EOF > $NEW_PRODUCT/transforms/xccdf2table-profileccirefs.xslt - + diff --git a/docs/manual/developer/05_tools_and_utilities.md b/docs/manual/developer/05_tools_and_utilities.md index 0fcc3fc98276..2a5d2c171f09 100644 --- a/docs/manual/developer/05_tools_and_utilities.md +++ b/docs/manual/developer/05_tools_and_utilities.md 
@@ -431,7 +431,7 @@ Generate the HTML diffs: The goal of this script is to compare the result of two ARF files. It will show what rules are missing, different, and the same between the two files. -The script can take results from content created by this repo and by [DISA](https://public.cyber.mil/stigs/scap/). +The script can take results from content created by this repo and by [DISA](https://www.cyber.mil/stigs/scap/). If the result files come from the same source the script will use XCCDF ids as basis for the comparison. Otherwise, the script will use STIG ids to compare. diff --git a/docs/manual/user/20_scanning.md b/docs/manual/user/20_scanning.md index 5401c9810e8e..302586c3d7c4 100644 --- a/docs/manual/user/20_scanning.md +++ b/docs/manual/user/20_scanning.md @@ -189,4 +189,4 @@ See [Red Hat Ansible Engine Life Cycle Page](https://access.redhat.com/support/p Funded by the Internal Revenue Service, the National Security Agency, and other United States government agencies Naval Information Warfare Center (NIWC) Atlantic has authored a SCAP Compliance Checker (SCC). The NIWC SCC tool is available to the general public. The NIWC SCC website is [www.niwcatlantic.navy.mil/scap](https://www.niwcatlantic.navy.mil/scap/). -The SCC tool is available for download at [public.cyber.mil/stigs/scap](https://public.cyber.mil/stigs/scap/). +The SCC tool is available for download at [www.cyber.mil/stigs/scap](https://www.cyber.mil/stigs/scap/). diff --git a/products/alinux2/transforms/xccdf2table-profileccirefs.xslt b/products/alinux2/transforms/xccdf2table-profileccirefs.xslt index 5a104d956f14..e394e837d88e 100644 --- a/products/alinux2/transforms/xccdf2table-profileccirefs.xslt +++ b/products/alinux2/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/alinux3/transforms/xccdf2table-profileccirefs.xslt b/products/alinux3/transforms/xccdf2table-profileccirefs.xslt index 5a104d956f14..e394e837d88e 100644 
--- a/products/alinux3/transforms/xccdf2table-profileccirefs.xslt +++ b/products/alinux3/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/almalinux9/transforms/xccdf2table-profileccirefs.xslt b/products/almalinux9/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/almalinux9/transforms/xccdf2table-profileccirefs.xslt +++ b/products/almalinux9/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/anolis23/transforms/xccdf2table-profileccirefs.xslt b/products/anolis23/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/anolis23/transforms/xccdf2table-profileccirefs.xslt +++ b/products/anolis23/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/anolis8/transforms/xccdf2table-profileccirefs.xslt b/products/anolis8/transforms/xccdf2table-profileccirefs.xslt index 5a104d956f14..e394e837d88e 100644 --- a/products/anolis8/transforms/xccdf2table-profileccirefs.xslt +++ b/products/anolis8/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/chromium/profiles/stig.profile b/products/chromium/profiles/stig.profile index da33e0bdb56d..0e737350cd9d 100644 --- a/products/chromium/profiles/stig.profile +++ b/products/chromium/profiles/stig.profile 
@@ -8,7 +8,7 @@ description: |- As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. - For official DISA FSO STIG content, refer to https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance. + For official DISA FSO STIG content, refer to https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance. While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example diff --git a/products/chromium/transforms/xccdf2table-profileccirefs.xslt b/products/chromium/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/chromium/transforms/xccdf2table-profileccirefs.xslt +++ b/products/chromium/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/debian11/transforms/xccdf2table-profileccirefs.xslt b/products/debian11/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/debian11/transforms/xccdf2table-profileccirefs.xslt +++ b/products/debian11/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/debian12/transforms/xccdf2table-profileccirefs.xslt b/products/debian12/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/debian12/transforms/xccdf2table-profileccirefs.xslt +++ b/products/debian12/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/debian13/transforms/xccdf2table-profileccirefs.xslt b/products/debian13/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/debian13/transforms/xccdf2table-profileccirefs.xslt 
+++ b/products/debian13/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/example/new_product.sh b/products/example/new_product.sh index d6e0adbe03ce..519a4d25544f 100755 --- a/products/example/new_product.sh +++ b/products/example/new_product.sh @@ -85,7 +85,7 @@ cat << EOF >> $NEW_PRODUCT/transforms/constants.xslt EOF -cat << EOF >> $NEW_PRODUCT/transforms/table-style.xslt +cat << EOF >> $NEW_PRODUCT/transforms/table-style.xslt @@ -118,7 +118,7 @@ EOF cat << EOF >> $NEW_PRODUCT/transforms/xccdf2table-profileccirefs.xslt - + diff --git a/products/firefox/profiles/stig.profile b/products/firefox/profiles/stig.profile index 1ffd33181f8e..451ca9933559 100644 --- a/products/firefox/profiles/stig.profile +++ b/products/firefox/profiles/stig.profile @@ -13,7 +13,7 @@ description: |- As a result of the upstream/downstream relationship between the SCAP Security Guide project and the official DISA FSO STIG baseline, users should expect variance between SSG and DISA FSO content. - For official DISA FSO STIG content, refer to https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance. + For official DISA FSO STIG content, refer to https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance. While this profile is packaged by Red Hat as part of the SCAP Security Guide package, please note that commercial support of this SCAP content is NOT available. This profile is provided as example diff --git a/products/firefox/transforms/xccdf2table-profileccirefs.xslt b/products/firefox/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/firefox/transforms/xccdf2table-profileccirefs.xslt +++ b/products/firefox/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/ocp4/profiles/stig-node.profile b/products/ocp4/profiles/stig-node.profile index 521fac424730..4f03e95717fe 100644 
--- a/products/ocp4/profiles/stig-node.profile +++ b/products/ocp4/profiles/stig-node.profile @@ -10,7 +10,7 @@ metadata: - rhmdnd - yuumasato -reference: https://public.cyber.mil/stigs/downloads/ +reference: https://www.cyber.mil/stigs/downloads/ title: 'DISA STIG for Red Hat OpenShift Container Platform 4 - Node level' diff --git a/products/ocp4/profiles/stig.profile b/products/ocp4/profiles/stig.profile index 70f5f4c31cb5..099981457cb9 100644 --- a/products/ocp4/profiles/stig.profile +++ b/products/ocp4/profiles/stig.profile @@ -10,7 +10,7 @@ metadata: - rhmdnd - yuumasato -reference: https://public.cyber.mil/stigs/downloads/ +reference: https://www.cyber.mil/stigs/downloads/ title: 'DISA STIG for Red Hat OpenShift Container Platform 4 - Platform level' diff --git a/products/ol10/profiles/stig.profile b/products/ol10/profiles/stig.profile index 1b49065bf761..01c8b533c882 100644 --- a/products/ol10/profiles/stig.profile +++ b/products/ol10/profiles/stig.profile @@ -1,6 +1,6 @@ documentation_complete: true -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DRAFT - STIG for Oracle Linux 10' diff --git a/products/ol10/profiles/stig_gui.profile b/products/ol10/profiles/stig_gui.profile index 83b5d884dd57..fff2c7a328e1 100644 --- a/products/ol10/profiles/stig_gui.profile +++ b/products/ol10/profiles/stig_gui.profile @@ -1,6 +1,6 @@ documentation_complete: true -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DRAFT - STIG with GUI for Oracle Linux 10' diff --git a/products/ol10/transforms/xccdf2table-profileccirefs.xslt b/products/ol10/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 
--- a/products/ol10/transforms/xccdf2table-profileccirefs.xslt +++ b/products/ol10/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/ol7/transforms/xccdf2table-profileccirefs.xslt b/products/ol7/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/ol7/transforms/xccdf2table-profileccirefs.xslt +++ b/products/ol7/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/ol8/profiles/stig.profile b/products/ol8/profiles/stig.profile index d0f8f227e51e..fcc93dec66fc 100644 --- a/products/ol8/profiles/stig.profile +++ b/products/ol8/profiles/stig.profile @@ -3,7 +3,7 @@ documentation_complete: true metadata: version: V2R4 -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DISA STIG for Oracle Linux 8' diff --git a/products/ol8/transforms/xccdf2table-profileccirefs.xslt b/products/ol8/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/ol8/transforms/xccdf2table-profileccirefs.xslt +++ b/products/ol8/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/ol9/profiles/stig.profile b/products/ol9/profiles/stig.profile index 8894701e3326..5d82a0b96c08 100644 --- a/products/ol9/profiles/stig.profile +++ b/products/ol9/profiles/stig.profile @@ -3,7 +3,7 @@ documentation_complete: true metadata: version: V1R1 -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DISA STIG for Oracle Linux 9' diff --git a/products/ol9/profiles/stig_gui.profile b/products/ol9/profiles/stig_gui.profile index a9d8db91358d..852ebe5d4125 100644 --- a/products/ol9/profiles/stig_gui.profile 
+++ b/products/ol9/profiles/stig_gui.profile @@ -3,7 +3,7 @@ documentation_complete: true metadata: version: V1R1 -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DISA STIG with GUI for Oracle Linux 9' diff --git a/products/ol9/transforms/xccdf2table-profileccirefs.xslt b/products/ol9/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/ol9/transforms/xccdf2table-profileccirefs.xslt +++ b/products/ol9/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/openembedded/transforms/xccdf2table-profileccirefs.xslt b/products/openembedded/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/openembedded/transforms/xccdf2table-profileccirefs.xslt +++ b/products/openembedded/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/rhcos4/transforms/xccdf2table-profileccirefs.xslt b/products/rhcos4/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/rhcos4/transforms/xccdf2table-profileccirefs.xslt +++ b/products/rhcos4/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/rhel10/profiles/stig.profile b/products/rhel10/profiles/stig.profile index 6446c059f45b..3c1b0ee2b7cf 100644 --- a/products/rhel10/profiles/stig.profile +++ b/products/rhel10/profiles/stig.profile @@ -5,7 +5,7 @@ metadata: SMEs: - mab879 -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'Red Hat STIG for Red Hat Enterprise Linux 10' diff --git a/products/rhel10/profiles/stig_gui.profile b/products/rhel10/profiles/stig_gui.profile index 93f4225791c6..9cb82f5fd937 100644 
--- a/products/rhel10/profiles/stig_gui.profile +++ b/products/rhel10/profiles/stig_gui.profile @@ -5,7 +5,7 @@ metadata: SMEs: - mab879 -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'Red Hat STIG for Red Hat Enterprise Linux 10' diff --git a/products/rhel10/transforms/xccdf2table-profileccirefs.xslt b/products/rhel10/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/rhel10/transforms/xccdf2table-profileccirefs.xslt +++ b/products/rhel10/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index bc6232c76518..e191e42458ce 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -7,7 +7,7 @@ metadata: - mab879 - ggbecker -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DISA STIG for Red Hat Enterprise Linux 8' diff --git a/products/rhel8/profiles/stig_gui.profile b/products/rhel8/profiles/stig_gui.profile index a1bf75945340..b71f2367636e 100644 --- a/products/rhel8/profiles/stig_gui.profile +++ b/products/rhel8/profiles/stig_gui.profile @@ -7,7 +7,7 @@ metadata: - mab879 - ggbecker -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DISA STIG with GUI for Red Hat Enterprise Linux 8' diff --git a/products/rhel8/transforms/xccdf2table-profileccirefs.xslt b/products/rhel8/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/rhel8/transforms/xccdf2table-profileccirefs.xslt 
+++ b/products/rhel8/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile index 4a64a7100b11..e7a50ba811d2 100644 --- a/products/rhel9/profiles/stig.profile +++ b/products/rhel9/profiles/stig.profile @@ -7,7 +7,7 @@ metadata: - mab879 - ggbecker -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DISA STIG for Red Hat Enterprise Linux 9' diff --git a/products/rhel9/profiles/stig_gui.profile b/products/rhel9/profiles/stig_gui.profile index b69eeb4862ea..a72416eb62cb 100644 --- a/products/rhel9/profiles/stig_gui.profile +++ b/products/rhel9/profiles/stig_gui.profile @@ -7,7 +7,7 @@ metadata: - mab879 - ggbecker -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DISA STIG with GUI for Red Hat Enterprise Linux 9' diff --git a/products/rhel9/transforms/xccdf2table-profileccirefs.xslt b/products/rhel9/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/rhel9/transforms/xccdf2table-profileccirefs.xslt +++ b/products/rhel9/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/rhv4/profiles/rhvh-stig.profile b/products/rhv4/profiles/rhvh-stig.profile index e2ff04f44bb1..ec2dd7bdbfb5 100644 --- a/products/rhv4/profiles/rhvh-stig.profile +++ b/products/rhv4/profiles/rhvh-stig.profile @@ -6,7 +6,7 @@ metadata: - mab879 - ggbecker -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DRAFT - DISA STIG for Red Hat Virtualization Host (RHVH)' 
diff --git a/products/rhv4/transforms/xccdf2table-profileccirefs.xslt b/products/rhv4/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/rhv4/transforms/xccdf2table-profileccirefs.xslt +++ b/products/rhv4/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile index a864da15d895..33b341569721 100644 --- a/products/sle12/profiles/stig.profile +++ b/products/sle12/profiles/stig.profile @@ -7,7 +7,7 @@ metadata: - rumch-se - teacup-on-rockingchair -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DISA STIG for SUSE Linux Enterprise 12' diff --git a/products/sle12/transforms/xccdf2table-profileccirefs.xslt b/products/sle12/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/sle12/transforms/xccdf2table-profileccirefs.xslt +++ b/products/sle12/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile index ab95f516637d..309c043b17a3 100644 --- a/products/sle15/profiles/stig.profile +++ b/products/sle15/profiles/stig.profile @@ -7,7 +7,7 @@ metadata: - rumch-se - teacup-on-rockingchair -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DISA STIG for SUSE Linux Enterprise 15' diff --git a/products/sle15/transforms/xccdf2table-profileccirefs.xslt b/products/sle15/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/sle15/transforms/xccdf2table-profileccirefs.xslt +++ b/products/sle15/transforms/xccdf2table-profileccirefs.xslt 
@@ -1,5 +1,5 @@ - + diff --git a/products/slmicro5/profiles/stig.profile b/products/slmicro5/profiles/stig.profile index e50fb4087f51..f5024ff753bd 100644 --- a/products/slmicro5/profiles/stig.profile +++ b/products/slmicro5/profiles/stig.profile @@ -7,7 +7,7 @@ metadata: - rumch-se - teacup-on-rockingchair -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +reference: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux title: 'DISA STIG for SUSE Linux Enterprise Micro (SLEM) 5' diff --git a/products/slmicro5/transforms/xccdf2table-profileccirefs.xslt b/products/slmicro5/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/slmicro5/transforms/xccdf2table-profileccirefs.xslt +++ b/products/slmicro5/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/slmicro6/transforms/xccdf2table-profileccirefs.xslt b/products/slmicro6/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/slmicro6/transforms/xccdf2table-profileccirefs.xslt +++ b/products/slmicro6/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/tencentos4/transforms/xccdf2table-profileccirefs.xslt b/products/tencentos4/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/tencentos4/transforms/xccdf2table-profileccirefs.xslt +++ b/products/tencentos4/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/ubuntu2204/profiles/stig.profile b/products/ubuntu2204/profiles/stig.profile index 5ccad7c398ca..0a7b4bf2fb2e 100644 --- a/products/ubuntu2204/profiles/stig.profile +++ b/products/ubuntu2204/profiles/stig.profile 
@@ -9,7 +9,7 @@ metadata: - alanmcanonical - ericeberry -reference: https://public.cyber.mil/stigs/downloads +reference: https://www.cyber.mil/stigs/downloads title: 'Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R3' diff --git a/products/ubuntu2204/transforms/xccdf2table-profileccirefs.xslt b/products/ubuntu2204/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/ubuntu2204/transforms/xccdf2table-profileccirefs.xslt +++ b/products/ubuntu2204/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/products/ubuntu2404/profiles/stig.profile b/products/ubuntu2404/profiles/stig.profile index 1a2ad0f2905a..043c9f21e8a2 100644 --- a/products/ubuntu2404/profiles/stig.profile +++ b/products/ubuntu2404/profiles/stig.profile @@ -7,7 +7,7 @@ metadata: - dodys - alanmcanonical -reference: https://public.cyber.mil/stigs/downloads +reference: https://www.cyber.mil/stigs/downloads title: 'Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide (STIG) V1R1' diff --git a/products/ubuntu2404/transforms/xccdf2table-profileccirefs.xslt b/products/ubuntu2404/transforms/xccdf2table-profileccirefs.xslt index 30419e92b283..9d8d3e5faf1f 100644 --- a/products/ubuntu2404/transforms/xccdf2table-profileccirefs.xslt +++ b/products/ubuntu2404/transforms/xccdf2table-profileccirefs.xslt @@ -1,5 +1,5 @@ - + diff --git a/shared/transforms/shared_constants.xslt b/shared/transforms/shared_constants.xslt index ada340f61ad9..09b1ea464375 100644 --- a/shared/transforms/shared_constants.xslt +++ b/shared/transforms/shared_constants.xslt 
@@ -12,16 +12,16 @@ https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf http://www.cnss.gov/Assets/pdf/CNSSI-1253.pdf not_officially_available -https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers -https://public.cyber.mil/stigs/cci/ -https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os -https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Capp-security-dev -https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Capplication-servers -https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance -https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cweb-servers -https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cmainframe -https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux -https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cvirtualization +https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers +https://www.cyber.mil/stigs/cci/ +https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os +https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Capp-security-dev +https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Capplication-servers +https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cbrowser-guidance +https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Cweb-servers +https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cmainframe +https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux +https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cvirtualization https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf https://www.iso.org/contents/data/standard/05/45/54534.html 
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf diff --git a/shared/transforms/shared_xccdf-apply-overlay-stig.xslt b/shared/transforms/shared_xccdf-apply-overlay-stig.xslt index 65472920db4f..557b048c9482 100644 --- a/shared/transforms/shared_xccdf-apply-overlay-stig.xslt +++ b/shared/transforms/shared_xccdf-apply-overlay-stig.xslt @@ -61,7 +61,7 @@ - +
    @@ -70,7 +70,7 @@
-
+
diff --git a/ssg/constants.py b/ssg/constants.py
index c001f697eb9b..0dd3752b3087 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -22,7 +22,7 @@
  'cjis': 'https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf',
  'cui': 'http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf',
  'dcid': 'not_officially_available',
- 'disa': 'https://public.cyber.mil/stigs/cci/',
+ 'disa': 'https://www.cyber.mil/stigs/cci/',
  'pcidss': 'https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf',
  'pcidss4': 'https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf',
  'ospp': 'https://www.niap-ccevs.org/Profile/PP.cfm',
@@ -30,11 +30,11 @@
  'ism': 'https://www.cyber.gov.au/acsc/view-all-content/ism',
  'iso27001-2013': 'https://www.iso.org/contents/data/standard/05/45/54534.html',
  'nerc-cip': 'https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx',
- 'stigid': 'https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux',
- 'os-srg': 'https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os',
- 'app-srg': 'https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers',
- 'app-srg-ctr': 'https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security',
- 'stigref': 'https://public.cyber.mil/stigs/srg-stig-tools/',
+ 'stigid': 'https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux',
+ 'os-srg': 'https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os',
+ 'app-srg': 'https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers',
+ 'app-srg-ctr': 'https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security',
+ 'stigref': 'https://www.cyber.mil/stigs/srg-stig-tools/',
 }
 product_directories = [
@@ -92,7 +92,7 @@
 kickstart_system = "urn:xccdf:fix:script:kickstart"
 bootc_system = "urn:xccdf:fix:script:bootc"
 cce_uri = "https://ncp.nist.gov/cce"
-stig_ns = "https://public.cyber.mil/stigs/srg-stig-tools/"
+stig_ns = "https://www.cyber.mil/stigs/srg-stig-tools/"
 ccn_ns = "https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html"
 cis_ns = "https://www.cisecurity.org/benchmark/red_hat_linux/"
 hipaa_ns = "https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf"
@@ -100,8 +100,8 @@
 ospp_ns = "https://www.niap-ccevs.org/Profile/PP.cfm"
 pcidss4_ns = "https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf"
 cui_ns = 'http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf'
-stig_refs = 'https://public.cyber.mil/stigs/'
-disa_cciuri = "https://public.cyber.mil/stigs/cci/"
+stig_refs = 'https://www.cyber.mil/stigs/'
+disa_cciuri = "https://www.cyber.mil/stigs/cci/"
 ssg_version_uri = \
 "https://github.com/ComplianceAsCode/content/releases/latest"
 OSCAP_VENDOR = "org.ssgproject"
diff --git a/tests/data/product_stability/alinux2.yml b/tests/data/product_stability/alinux2.yml
index 39671bc9d3bb..ddf6ba73b93d 100644
--- a/tests/data/product_stability/alinux2.yml
+++ b/tests/data/product_stability/alinux2.yml
@@ -52,15 +52,15 @@ product: alinux2
 profiles_root: ./profiles
 reference_uris:
  anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
  bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
  cis-csc: https://www.cisecurity.org/controls/
  cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
  cobit5: https://www.isaca.org/resources/cobit
  cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
  dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
  hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
  isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
  isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -69,12 +69,12 @@ reference_uris:
  nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
  nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
  nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
  ospp: https://www.niap-ccevs.org/Profile/PP.cfm
  pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
  pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/alinux3.yml b/tests/data/product_stability/alinux3.yml
index f0f77b6cce18..c85415cdb1e2 100644
--- a/tests/data/product_stability/alinux3.yml
+++ b/tests/data/product_stability/alinux3.yml
@@ -52,15 +52,15 @@ product: alinux3
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -69,12 +69,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/anolis23.yml b/tests/data/product_stability/anolis23.yml
index fc888382905e..5b4e9263edce 100644
--- a/tests/data/product_stability/anolis23.yml
+++ b/tests/data/product_stability/anolis23.yml
@@ -52,15 +52,15 @@ product: anolis23
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -69,12 +69,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/anolis8.yml b/tests/data/product_stability/anolis8.yml
index a04d0ef133e1..dcc0851b3acc 100644
--- a/tests/data/product_stability/anolis8.yml
+++ b/tests/data/product_stability/anolis8.yml
@@ -52,15 +52,15 @@ product: anolis8
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -69,12 +69,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/chromium.yml b/tests/data/product_stability/chromium.yml
index 4871609f8f1f..3799af985d8e 100644
--- a/tests/data/product_stability/chromium.yml
+++ b/tests/data/product_stability/chromium.yml
@@ -48,15 +48,15 @@ product: chromium
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -65,12 +65,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/debian11.yml b/tests/data/product_stability/debian11.yml
index 8d9aa784a337..af3df69f4cbe 100644
--- a/tests/data/product_stability/debian11.yml
+++ b/tests/data/product_stability/debian11.yml
@@ -60,8 +60,8 @@ product: debian11
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf
 cis-csc: https://www.cisecurity.org/controls/
@@ -69,7 +69,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -78,12 +78,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml
index 3cdce74fe59e..69a4843ea0a3 100644
--- a/tests/data/product_stability/debian12.yml
+++ b/tests/data/product_stability/debian12.yml
@@ -61,8 +61,8 @@ product: debian12
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/debian_linux/
 cis-csc: https://www.cisecurity.org/controls/
@@ -70,7 +70,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -79,12 +79,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml
index 4a1712ff0630..33f39dd41bb6 100644
--- a/tests/data/product_stability/debian13.yml
+++ b/tests/data/product_stability/debian13.yml
@@ -62,15 +62,15 @@ product: debian13
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -79,12 +79,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/eks.yml b/tests/data/product_stability/eks.yml
index df0f2c1e7f6a..fb03872065aa 100644
--- a/tests/data/product_stability/eks.yml
+++ b/tests/data/product_stability/eks.yml
@@ -58,8 +58,8 @@ product: eks
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/kubernetes/
 cis-csc: https://www.cisecurity.org/controls/
@@ -67,7 +67,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -76,12 +76,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/example.yml b/tests/data/product_stability/example.yml
index 79a3bae81f9c..a8b07fc995f7 100644
--- a/tests/data/product_stability/example.yml
+++ b/tests/data/product_stability/example.yml
@@ -53,15 +53,15 @@ product: example
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -70,12 +70,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/fedora.yml b/tests/data/product_stability/fedora.yml
index c2409d9538b8..ce5322647269 100644
--- a/tests/data/product_stability/fedora.yml
+++ b/tests/data/product_stability/fedora.yml
@@ -96,8 +96,8 @@ rawhide_release_fingerprint: 115DF9AEF857853EE8445D0A0727707EA15B79CC
 rawhide_version: 40
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://workbench.cisecurity.org/communities/101
 cis-csc: https://www.cisecurity.org/controls/
@@ -105,7 +105,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -114,12 +114,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 sshd_distributed_config: 'true'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/firefox.yml b/tests/data/product_stability/firefox.yml
index abaf8f81587f..128101c5362f 100644
--- a/tests/data/product_stability/firefox.yml
+++ b/tests/data/product_stability/firefox.yml
@@ -48,15 +48,15 @@ product: firefox
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -65,12 +65,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/ocp4.yml b/tests/data/product_stability/ocp4.yml
index 852c8f7d6a19..3c8a8efa4519 100644
--- a/tests/data/product_stability/ocp4.yml
+++ b/tests/data/product_stability/ocp4.yml
@@ -134,8 +134,8 @@ product: ocp4
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/kubernetes/
 cis-csc: https://www.cisecurity.org/controls/
@@ -143,7 +143,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -152,12 +152,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml
index ec2e708d8028..097d7964e012 100644
--- a/tests/data/product_stability/ol7.yml
+++ b/tests/data/product_stability/ol7.yml
@@ -62,8 +62,8 @@ product: ol7
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/oracle_linux/
 cis-csc: https://www.cisecurity.org/controls/
@@ -71,7 +71,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -80,12 +80,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 42144123FECFC55B9086313D72F97B74EC551F03
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml
index fe1c602704ba..3654b55f4709 100644
--- a/tests/data/product_stability/ol8.yml
+++ b/tests/data/product_stability/ol8.yml
@@ -61,8 +61,8 @@ product: ol8
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/oracle_linux/
 cis-csc: https://www.cisecurity.org/controls/
@@ -70,7 +70,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -79,12 +79,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 76FD3DB13AB67410B89DB10E82562EA9AD986DA3
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
diff --git a/tests/data/product_stability/ol9.yml b/tests/data/product_stability/ol9.yml
index cad4bb53d7ae..3aa673935969 100644
--- a/tests/data/product_stability/ol9.yml
+++ b/tests/data/product_stability/ol9.yml
@@ -64,8 +64,8 @@ product: ol9
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 ccn: https://www.ccn-cert.cni.es/es/guias-de-acceso-publico-ccn-stic/6669-ccn-stic-620-guia-de-aplicaciones-de-perfilado-de-seguridad-para-oracle-linux/file.html
 cis: ''
@@ -74,7 +74,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -83,12 +83,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 3E6D826D3FBAB389C2F38E34BC4D06A08D8B756F
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'true'
diff --git a/tests/data/product_stability/openembedded.yml b/tests/data/product_stability/openembedded.yml
index f98c8f65abb6..047aeb23a905 100644
--- a/tests/data/product_stability/openembedded.yml
+++ b/tests/data/product_stability/openembedded.yml
@@ -64,15 +64,15 @@ product: openembedded
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -81,12 +81,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/opensuse.yml b/tests/data/product_stability/opensuse.yml
index bb9bbcec0ff7..fd4cc2bb714a 100644
--- a/tests/data/product_stability/opensuse.yml
+++ b/tests/data/product_stability/opensuse.yml
@@ -64,15 +64,15 @@ product: opensuse
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -81,12 +81,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/rhcos4.yml b/tests/data/product_stability/rhcos4.yml
index 00d8d9828960..a32e2f906f9d 100644
--- a/tests/data/product_stability/rhcos4.yml
+++ b/tests/data/product_stability/rhcos4.yml
@@ -56,15 +56,15 @@ product: rhcos4
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -73,12 +73,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
 stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=container-platform
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
diff --git a/tests/data/product_stability/rhel10.yml b/tests/data/product_stability/rhel10.yml
index 981705808f57..766c25d68427 100644
--- a/tests/data/product_stability/rhel10.yml
+++ b/tests/data/product_stability/rhel10.yml
@@ -63,8 +63,8 @@ product: rhel10
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/red_hat_linux/
 cis-csc: https://www.cisecurity.org/controls/
@@ -72,7 +72,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -81,12 +81,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 sshd_distributed_config: 'true'
diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml
index 4697348d83ea..0c44b19d713d 100644
--- a/tests/data/product_stability/rhel8.yml
+++ b/tests/data/product_stability/rhel8.yml
@@ -112,8 +112,8 @@ product: rhel8
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/red_hat_linux/
 cis-csc: https://www.cisecurity.org/controls/
@@ -121,7 +121,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -130,12 +130,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
diff --git a/tests/data/product_stability/rhel9.yml b/tests/data/product_stability/rhel9.yml
index 0a34603ef9f1..b8bfe1bc9137 100644
--- a/tests/data/product_stability/rhel9.yml
+++ b/tests/data/product_stability/rhel9.yml
@@ -68,8 +68,8 @@ product: rhel9
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 ccn: https://www.ccn-cert.cni.es/pdf/guias/series-ccn-stic/guias-de-acceso-publico-ccn-stic/6768-ccn-stic-610a22-perfilado-de-seguridad-red-hat-enterprise-linux-9-0/file.html
 cis: https://www.cisecurity.org/benchmark/red_hat_linux/
@@ -78,7 +78,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -87,12 +87,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'true'
diff --git a/tests/data/product_stability/rhv4.yml b/tests/data/product_stability/rhv4.yml
index b81038cb3977..af3ee9ad7ca8 100644
--- a/tests/data/product_stability/rhv4.yml
+++ b/tests/data/product_stability/rhv4.yml
@@ -61,15 +61,15 @@ product: rhv4
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis-csc: https://www.cisecurity.org/controls/
 cjis: https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -78,12 +78,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: 567E347AD0044ADE55BA8A5F199E2F91FD431D51
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
diff --git a/tests/data/product_stability/sle12.yml b/tests/data/product_stability/sle12.yml
index b772c01fbd68..af131d07bd7e 100644
--- a/tests/data/product_stability/sle12.yml
+++ b/tests/data/product_stability/sle12.yml
@@ -61,8 +61,8 @@ product: sle12
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/suse_linux/
 cis-csc: https://www.cisecurity.org/controls/
@@ -70,7 +70,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -79,12 +79,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
 sysctl_remediate_drop_in_file: 'true'
diff --git a/tests/data/product_stability/sle15.yml b/tests/data/product_stability/sle15.yml
index 765dff4ee26a..e3820998ec4c 100644
--- a/tests/data/product_stability/sle15.yml
+++ b/tests/data/product_stability/sle15.yml
@@ -65,8 +65,8 @@ product: sle15
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/suse_linux/
 cis-csc: https://www.cisecurity.org/controls/
@@ -74,7 +74,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -83,12 +83,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 release_key_fingerprint: FEAB502539D846DB2C0961CA70AF9E8139DB7C82
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'false'
diff --git a/tests/data/product_stability/ubuntu2204.yml b/tests/data/product_stability/ubuntu2204.yml
index a4e3fbab9a9b..a31b5059ce2a 100644
--- a/tests/data/product_stability/ubuntu2204.yml
+++ b/tests/data/product_stability/ubuntu2204.yml
@@ -70,8 +70,8 @@ product: ubuntu2204
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/ubuntu_linux/
 cis-csc: https://www.cisecurity.org/controls/
@@ -79,7 +79,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -88,12 +88,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'true'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/data/product_stability/ubuntu2404.yml b/tests/data/product_stability/ubuntu2404.yml
index 2116bbbd3a67..8db2933f77f5 100644
--- a/tests/data/product_stability/ubuntu2404.yml
+++ b/tests/data/product_stability/ubuntu2404.yml
@@ -71,8 +71,8 @@ product: ubuntu2404
 profiles_root: ./profiles
 reference_uris:
 anssi: https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
- app-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
- app-srg-ctr: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
+ app-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers
+ app-srg-ctr: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
 bsi: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Grundschutz/International/bsi_it_gs_comp_2022.pdf
 cis: https://www.cisecurity.org/benchmark/ubuntu_linux/
 cis-csc: https://www.cisecurity.org/controls/
@@ -80,7 +80,7 @@ reference_uris:
 cobit5: https://www.isaca.org/resources/cobit
 cui: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
 dcid: not_officially_available
- disa: https://public.cyber.mil/stigs/cci/
+ disa: https://www.cyber.mil/stigs/cci/
 hipaa: https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf
 isa-62443-2009: https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
@@ -89,12 +89,12 @@ reference_uris:
 nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- os-srg: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
+ os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
 ospp: https://www.niap-ccevs.org/Profile/PP.cfm
 pcidss: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
 pcidss4: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- stigid: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
- stigref: https://public.cyber.mil/stigs/srg-stig-tools/
+ stigid: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+ stigref: https://www.cyber.mil/stigs/srg-stig-tools/
 rsyslog_cafile: /etc/pki/tls/cert.pem
 sshd_distributed_config: 'true'
 sysctl_remediate_drop_in_file: 'false'
diff --git a/tests/stig_srg_mapping.py b/tests/stig_srg_mapping.py
index 000a41adf14a..853e20acb23a 100755
--- a/tests/stig_srg_mapping.py
+++ b/tests/stig_srg_mapping.py
@@ -22,7 +22,7 @@ SSG_ROOT = os.path.abspath(os.path.join(os.path.dirname(__file__), ".."))
 BINARY_DIR = os.path.join(SSG_ROOT, "build")
 PREFIX = "xccdf_org.ssgproject.content_"
-SRG_GPOS_URL = "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
+SRG_GPOS_URL = "https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os"
 SRG_PREFIX = "SRG-OS"
diff --git a/tests/unit/ssg-module/data/accounts_tmout.xml b/tests/unit/ssg-module/data/accounts_tmout.xml
index edf81ae26033..cce964e05e93 100644
--- a/tests/unit/ssg-module/data/accounts_tmout.xml
+++ b/tests/unit/ssg-module/data/accounts_tmout.xml
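Review bot: `SRG_GPOS_URL` is switched to the `www.cyber.mil` host, and if the rest of the script compares it against reference `href` values in a built datastream (its use is outside the hunk), a datastream built from content that still carries the `public.cyber.mil` href will match nothing and the mapping will presumably come out empty rather than fail loudly. The same concern applies to the `stig_ns` list in `utils/create-stig-overlay.py` later in this patch, where the old four URLs could simply stay in the list next to the new four so overlays for older datastreams keep matching. Here, a tuple holding both hosts and an `in` check would do the same; either way a comment such as `# legacy public.cyber.mil hrefs kept so datastreams built before the host change still match` records why both forms are accepted. Whether these values are used as match keys cannot be confirmed from the hunk alone.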
@@ -52,8 +52,8 @@ setting in a file loaded by /etc/profile, e.g.
 CM-6(a)
 PR.AC-7
 FMT_MOF_EXT.1
- SRG-OS-000163-GPOS-00072
- SRG-OS-000029-GPOS-00010
+ SRG-OS-000163-GPOS-00072
+ SRG-OS-000029-GPOS-00010
 Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been
diff --git a/utils/build_stig_control.py b/utils/build_stig_control.py
index 5725f61031e5..d767fbf1ca29 100755
--- a/utils/build_stig_control.py
+++ b/utils/build_stig_control.py
@@ -191,7 +191,7 @@ def main():
 output['title'] = root.find('checklist:title', ns).text
 output['id'] = 'stig_%s' % args.product
 output['version'] = get_disa_stig_version(root, ns)
- output['source'] = 'https://public.cyber.mil/stigs/downloads/'
+ output['source'] = 'https://www.cyber.mil/stigs/downloads/'
 output['reference_type'] = "stigid"
 output['product'] = args.product
 output['levels'] = list()
diff --git a/utils/create-stig-overlay.py b/utils/create-stig-overlay.py
index 759451cb731f..339c2b58f986 100755
--- a/utils/create-stig-overlay.py
+++ b/utils/create-stig-overlay.py
@@ -17,10 +17,10 @@ owner = "disastig"
-stig_ns = ["https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux",
- "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os",
- "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Capplication-servers",
- "https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Capp-security-dev"]
+stig_ns = ["https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux",
+ "https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os",
+ "https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Capplication-servers",
+ "https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security%2Capp-security-dev"]
 dc_ns = "http://purl.org/dc/elements/1.1/"
 outfile = "stig_overlay.xml"
From 8849803a8f0b966dc6d53ba8b01ee1bbe7d39a96 Mon Sep 17 00:00:00 2001
From: vojtapolasek
Date: Fri, 5 Sep 2025 15:38:16 +0200
Subject: [PATCH 382/403] Initial commit on stable branch
From 564b663cb81f8f9a993a41e81cfa21a28372e97a Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 20 Nov 2025 13:38:47 -0600
Subject: [PATCH 383/403] Add RHEL 10 to ./utils/ansible_playbook_to_role.py
---
 utils/ansible_playbook_to_role.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/utils/ansible_playbook_to_role.py b/utils/ansible_playbook_to_role.py
index e3c4bc4ae195..537959b6a8f2 100755
--- a/utils/ansible_playbook_to_role.py
+++ b/utils/ansible_playbook_to_role.py
@@ -65,6 +65,7 @@ def dict_constructor(loader, node):
 PRODUCT_ALLOWLIST = set([
 "rhel8",
 "rhel9",
+ "rhel10",
 ])
 PROFILE_ALLOWLIST = set([
From 3698403186e895d52c8cbf0fac8cde32e33fedce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Fri, 21 Nov 2025 13:55:27 +0100
Subject: [PATCH 384/403] Fix XCCDF value type
Fixes failing SCAPVal requirement SRC-38. Addressing: Values of XCCDF datatype 'number', when bound to OVAL variables, the OVAL variables must be of the following OVAL types: int, float.
---
 linux_os/guide/auditing/var_audit_backlog_limit.var | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/auditing/var_audit_backlog_limit.var b/linux_os/guide/auditing/var_audit_backlog_limit.var
index f2ff3a34d942..6254b02137a1 100644
--- a/linux_os/guide/auditing/var_audit_backlog_limit.var
+++ b/linux_os/guide/auditing/var_audit_backlog_limit.var
@@ -7,7 +7,7 @@ description: |- The audit_backlog_limit parameter determines how auditd records can be held in the auditd backlog.
-type: number
+type: string
 operator: equals
From c65b8c6e476b9abc2ef2763592535af5f46b0187 Mon Sep 17 00:00:00 2001
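Review bot: Changing `type: number` to `type: string` resolves the SRC-38 binding mismatch by loosening the XCCDF side rather than tightening the OVAL side, so a tailored value such as `8192abc` is no longer rejected at the XCCDF layer and reaches the bound OVAL variable and the remediations unchecked, whereas the numeric constraint was the only input validation this value had. If the bound OVAL variable has to stay a string (for example because it is used in a pattern match), that is a defensible trade-off, but it deserves a comment beside the new line, e.g. `type: string  # bound OVAL variable is a string; 'number' fails SCAPVal SRC-38`, so the next reader does not change it back. If the OVAL variable could instead be declared `int`, the numeric constraint would be kept on the XCCDF value. The OVAL definition is not part of this patch, so which option applies cannot be verified here.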
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Fri, 21 Nov 2025 14:03:42 +0100
Subject: [PATCH 385/403] Fix broken URLs
---
 products/ocp4/profiles/nerc-cip-node.profile | 2 +-
 products/ocp4/profiles/nerc-cip.profile | 2 +-
 products/rhcos4/profiles/nerc-cip.profile | 2 +-
 shared/transforms/shared_constants.xslt | 2 +-
 ssg/constants.py | 2 +-
 tests/data/product_stability/alinux2.yml | 2 +-
 tests/data/product_stability/alinux3.yml | 2 +-
 tests/data/product_stability/anolis23.yml | 2 +-
 tests/data/product_stability/anolis8.yml | 2 +-
 tests/data/product_stability/debian11.yml | 2 +-
 tests/data/product_stability/debian12.yml | 2 +-
 tests/data/product_stability/debian13.yml | 2 +-
 tests/data/product_stability/eks.yml | 2 +-
 tests/data/product_stability/example.yml | 2 +-
 tests/data/product_stability/fedora.yml | 2 +-
 tests/data/product_stability/firefox.yml | 2 +-
 tests/data/product_stability/ocp4.yml | 2 +-
 tests/data/product_stability/ol7.yml | 2 +-
 tests/data/product_stability/ol8.yml | 2 +-
 tests/data/product_stability/ol9.yml | 2 +-
 tests/data/product_stability/openembedded.yml | 2 +-
 tests/data/product_stability/opensuse.yml | 2 +-
 tests/data/product_stability/rhcos4.yml | 2 +-
 tests/data/product_stability/rhel10.yml | 2 +-
 tests/data/product_stability/rhel8.yml | 2 +-
 tests/data/product_stability/rhel9.yml | 2 +-
 tests/data/product_stability/rhv4.yml | 2 +-
 tests/data/product_stability/sle12.yml | 2 +-
 tests/data/product_stability/sle15.yml | 2 +-
 tests/data/product_stability/ubuntu2204.yml | 2 +-
 tests/data/product_stability/ubuntu2404.yml | 2 +-
 tests/unit/ssg-module/data/accounts_tmout.xml | 12 ++++++------
 32 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/products/ocp4/profiles/nerc-cip-node.profile b/products/ocp4/profiles/nerc-cip-node.profile
index aacb77fb3c60..a24f94b5132e 100644
--- a/products/ocp4/profiles/nerc-cip-node.profile
+++ b/products/ocp4/profiles/nerc-cip-node.profile
@@ -9,7 +9,7 @@ metadata:
 platform: ocp4-node
-reference: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+reference: https://www.nerc.com/standards/reliability-standards/cip
 title: >-
 North American Electric Reliability Corporation (NERC) Critical Infrastructure
diff --git a/products/ocp4/profiles/nerc-cip.profile b/products/ocp4/profiles/nerc-cip.profile
index ae788d880d00..252806f41f35 100644
--- a/products/ocp4/profiles/nerc-cip.profile
+++ b/products/ocp4/profiles/nerc-cip.profile
@@ -9,7 +9,7 @@ metadata:
 platform: ocp4
-reference: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+reference: https://www.nerc.com/standards/reliability-standards/cip
 title: >-
 North American Electric Reliability Corporation (NERC) Critical Infrastructure
diff --git a/products/rhcos4/profiles/nerc-cip.profile b/products/rhcos4/profiles/nerc-cip.profile
index c436f115df69..575ff42cfe44 100644
--- a/products/rhcos4/profiles/nerc-cip.profile
+++ b/products/rhcos4/profiles/nerc-cip.profile
@@ -6,7 +6,7 @@ metadata:
 - mrogers950
 - jhrozek
-reference: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+reference: https://www.nerc.com/standards/reliability-standards/cip
 title: >-
 North American Electric Reliability Corporation (NERC) Critical Infrastructure
diff --git a/shared/transforms/shared_constants.xslt b/shared/transforms/shared_constants.xslt
index 09b1ea464375..2180fc398f80 100644
--- a/shared/transforms/shared_constants.xslt
+++ b/shared/transforms/shared_constants.xslt
@@ -33,7 +33,7 @@ https://www.cisecurity.org/controls/
 https://www.niap-ccevs.org/Profile/PP.cfm
 https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
-https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+https://www.nerc.com/standards/reliability-standards/cip
 https://github.com/ComplianceAsCode/content/wiki/Contributors
diff --git a/ssg/constants.py b/ssg/constants.py
index 25a9693a4cb9..eedd39ab6b5e 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -29,7 +29,7 @@
 'hipaa': 'https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf',
 'ism': 'https://www.cyber.gov.au/acsc/view-all-content/ism',
 'iso27001-2013': 'https://www.iso.org/contents/data/standard/05/45/54534.html',
- 'nerc-cip': 'https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx',
+ 'nerc-cip': 'https://www.nerc.com/standards/reliability-standards/cip',
 'stigid': 'https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux',
 'os-srg': 'https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os',
 'app-srg': 'https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers',
diff --git a/tests/data/product_stability/alinux2.yml b/tests/data/product_stability/alinux2.yml
index a5ea062bfc8c..0b0414ba5122 100644
--- a/tests/data/product_stability/alinux2.yml
+++ b/tests/data/product_stability/alinux2.yml
@@ -74,7 +74,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/alinux3.yml b/tests/data/product_stability/alinux3.yml
index 9cfcf3c7f5fd..9378559b1745 100644
--- a/tests/data/product_stability/alinux3.yml
+++ b/tests/data/product_stability/alinux3.yml
@@ -74,7 +74,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/anolis23.yml b/tests/data/product_stability/anolis23.yml
index f358fb6d2b30..290550e5cd5b 100644
--- a/tests/data/product_stability/anolis23.yml
+++ b/tests/data/product_stability/anolis23.yml
@@ -73,7 +73,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/anolis8.yml b/tests/data/product_stability/anolis8.yml
index 6ea514a4da3e..657c95065e7d 100644
--- a/tests/data/product_stability/anolis8.yml
+++ b/tests/data/product_stability/anolis8.yml
@@ -73,7 +73,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/debian11.yml b/tests/data/product_stability/debian11.yml
index 4a82ddf4bf23..3107f55cd24c 100644
--- a/tests/data/product_stability/debian11.yml
+++ b/tests/data/product_stability/debian11.yml
@@ -83,7 +83,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/debian12.yml b/tests/data/product_stability/debian12.yml
index 8fe0afe738af..41e1dda18b29 100644
--- a/tests/data/product_stability/debian12.yml
+++ b/tests/data/product_stability/debian12.yml
@@ -84,7 +84,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/debian13.yml b/tests/data/product_stability/debian13.yml
index 75a041831bf1..12612b788e9c 100644
--- a/tests/data/product_stability/debian13.yml
+++ b/tests/data/product_stability/debian13.yml
@@ -84,7 +84,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/eks.yml b/tests/data/product_stability/eks.yml
index b1c88cb7b8b3..df0985cbbbda 100644
--- a/tests/data/product_stability/eks.yml
+++ b/tests/data/product_stability/eks.yml
@@ -81,7 +81,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/example.yml b/tests/data/product_stability/example.yml
index b44035b82b63..ad1cbdc352e5 100644
--- a/tests/data/product_stability/example.yml
+++ b/tests/data/product_stability/example.yml
@@ -75,7 +75,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/fedora.yml b/tests/data/product_stability/fedora.yml
index b0cc325cbc69..2681ef60f4b0 100644
--- a/tests/data/product_stability/fedora.yml
+++ b/tests/data/product_stability/fedora.yml
@@ -119,7 +119,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/firefox.yml b/tests/data/product_stability/firefox.yml
index 5e2e4b39888d..414210e4d2df 100644
--- a/tests/data/product_stability/firefox.yml
+++ b/tests/data/product_stability/firefox.yml
@@ -70,7 +70,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/ocp4.yml b/tests/data/product_stability/ocp4.yml
index 6d944e445d7d..0d1e3096633f 100644
--- a/tests/data/product_stability/ocp4.yml
+++ b/tests/data/product_stability/ocp4.yml
@@ -181,7 +181,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/ol7.yml b/tests/data/product_stability/ol7.yml
index 28fc8780ad5d..edb6411e3cdb 100644
--- a/tests/data/product_stability/ol7.yml
+++ b/tests/data/product_stability/ol7.yml
@@ -84,7 +84,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/ol8.yml b/tests/data/product_stability/ol8.yml
index 98abd16cb3d7..609a20b12bc5 100644
--- a/tests/data/product_stability/ol8.yml
+++ b/tests/data/product_stability/ol8.yml
@@ -83,7 +83,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/ol9.yml b/tests/data/product_stability/ol9.yml
index e3173eaef355..f604bba5dfa8 100644
--- a/tests/data/product_stability/ol9.yml
+++ b/tests/data/product_stability/ol9.yml
@@ -87,7 +87,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/openembedded.yml b/tests/data/product_stability/openembedded.yml
index 68ecc97b11e7..a29f85bda72b 100644
--- a/tests/data/product_stability/openembedded.yml
+++ b/tests/data/product_stability/openembedded.yml
@@ -86,7 +86,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/opensuse.yml b/tests/data/product_stability/opensuse.yml
index 36f1cdb2d0f3..2d6f414b0685 100644
--- a/tests/data/product_stability/opensuse.yml
+++ b/tests/data/product_stability/opensuse.yml
@@ -82,7 +82,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/rhcos4.yml b/tests/data/product_stability/rhcos4.yml
index 2518614670e0..b6bf881fde64 100644
--- a/tests/data/product_stability/rhcos4.yml
+++ b/tests/data/product_stability/rhcos4.yml
@@ -78,7 +78,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/rhel10.yml b/tests/data/product_stability/rhel10.yml
index 284e84613488..de33ae1dbc15 100644
--- a/tests/data/product_stability/rhel10.yml
+++ b/tests/data/product_stability/rhel10.yml
@@ -85,7 +85,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/rhel8.yml b/tests/data/product_stability/rhel8.yml
index d8aef9ae3647..99dfa18bcf98 100644
--- a/tests/data/product_stability/rhel8.yml
+++ b/tests/data/product_stability/rhel8.yml
@@ -135,7 +135,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/rhel9.yml b/tests/data/product_stability/rhel9.yml
index cd1afd61b31e..809b04862210 100644
--- a/tests/data/product_stability/rhel9.yml
+++ b/tests/data/product_stability/rhel9.yml
@@ -92,7 +92,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/rhv4.yml b/tests/data/product_stability/rhv4.yml
index 198d6f3db0a5..239cb8bcbb12 100644
--- a/tests/data/product_stability/rhv4.yml
+++ b/tests/data/product_stability/rhv4.yml
@@ -83,7 +83,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/sle12.yml b/tests/data/product_stability/sle12.yml
index 858c9119c96c..dc5ed457eed2 100644
--- a/tests/data/product_stability/sle12.yml
+++ b/tests/data/product_stability/sle12.yml
@@ -84,7 +84,7 @@ reference_uris:
 isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu
 ism: https://www.cyber.gov.au/acsc/view-all-content/ism
 iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html
- nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx
+ nerc-cip: https://www.nerc.com/standards/reliability-standards/cip
 nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
 nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
 os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os
diff --git a/tests/data/product_stability/sle15.yml b/tests/data/product_stability/sle15.yml
index a3cecb591326..f5e264d7b755 100644
--- a/tests/data/product_stability/sle15.yml
+++ b/tests/data/product_stability/sle15.yml
@@ -88,7 +88,7 @@ reference_uris: isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu ism: https://www.cyber.gov.au/acsc/view-all-content/ism iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html - nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx + nerc-cip: https://www.nerc.com/standards/reliability-standards/cip nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os diff --git a/tests/data/product_stability/ubuntu2204.yml b/tests/data/product_stability/ubuntu2204.yml index 7ed5f5618aeb..4d4c0d185f24 100644 --- a/tests/data/product_stability/ubuntu2204.yml +++ b/tests/data/product_stability/ubuntu2204.yml @@ -92,7 +92,7 @@ reference_uris: isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu ism: https://www.cyber.gov.au/acsc/view-all-content/ism iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html - nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx + nerc-cip: https://www.nerc.com/standards/reliability-standards/cip nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os diff --git a/tests/data/product_stability/ubuntu2404.yml b/tests/data/product_stability/ubuntu2404.yml index 9ce793a8454b..7d2efc7194dd 100644 --- a/tests/data/product_stability/ubuntu2404.yml +++ b/tests/data/product_stability/ubuntu2404.yml 
@@ -93,7 +93,7 @@ reference_uris: isa-62443-2013: https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu ism: https://www.cyber.gov.au/acsc/view-all-content/ism iso27001-2013: https://www.iso.org/contents/data/standard/05/45/54534.html - nerc-cip: https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx + nerc-cip: https://www.nerc.com/standards/reliability-standards/cip nist: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf nist-csf: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf os-srg: https://www.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os diff --git a/tests/unit/ssg-module/data/accounts_tmout.xml b/tests/unit/ssg-module/data/accounts_tmout.xml index cce964e05e93..1883a8769e31 100644 --- a/tests/unit/ssg-module/data/accounts_tmout.xml +++ b/tests/unit/ssg-module/data/accounts_tmout.xml @@ -40,12 +40,12 @@ setting in a file loaded by /etc/profile, e.g. A.9.3.1 A.9.4.2 A.9.4.3 - CIP-004-6 R2.2.3 - CIP-007-3 R5.1 - CIP-007-3 R5.2 - CIP-007-3 R5.3.1 - CIP-007-3 R5.3.2 - CIP-007-3 R5.3.3 + CIP-004-6 R2.2.3 + CIP-007-3 R5.1 + CIP-007-3 R5.2 + CIP-007-3 R5.3.1 + CIP-007-3 R5.3.2 + CIP-007-3 R5.3.3 AC-12 SC-10 AC-2(5) From 8e921d782db123e13afc55d116d769d92c3526b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 21 Nov 2025 15:46:24 +0100 Subject: [PATCH 386/403] Fix Ansible sysctl template If the value of the sysctl item contains a special character it needs to be escaped before using it in a regular expression or the regular expression won't work correctly. This happens in rule sysctl_kernel_core_pattern where the value is `|/bin/false` which contains the `|` character. This fixes multiple failing test scenarios for Ansible remediation in rule sysctl_kernel_core_pattern. --- shared/templates/sysctl/ansible.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template index 348683cba0b0..f368dd1a987f 100644 --- a/shared/templates/sysctl/ansible.template +++ b/shared/templates/sysctl/ansible.template @@ -39,7 +39,7 @@ {{%- if SYSCTLVAL == "" or SYSCTLVAL is not string %}} cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*{{{ SYSCTLVAR }}}\s*=\s*{{ sysctl_{{{ SYSCTLID }}}_value }}$' {{%- else %}} - cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*{{{ SYSCTLVAR }}}\s*=\s*{{{ SYSCTLVAL }}}$' + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*{{{ SYSCTLVAR }}}\s*=\s*{{{ SYSCTLVAL | escape_regex }}}$' {{%- endif %}} register: find_correct_value check_mode: false From 77cb2b8e3810ed0e154637915a3e923dfeb75b8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 21 Nov 2025 16:47:24 +0100 Subject: [PATCH 387/403] Fix Ansible remediation in network_sniffer_disabled The rule network_sniffer_disabled failed the test scenario promisc_interface_exists.fail.sh with Ansible remeditaion. The task condition is wrong because the `ip -o link show` command output typically contains more colons than 3 colons because it typically contains MAC addresses where colons are user as separators. This problem has been discovered during stabilization run on RHEL 10.0. --- .../system/network/network_sniffer_disabled/ansible/shared.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/network/network_sniffer_disabled/ansible/shared.yml b/linux_os/guide/system/network/network_sniffer_disabled/ansible/shared.yml index 039b573c0468..b7bd3f26eb9d 100644 --- a/linux_os/guide/system/network/network_sniffer_disabled/ansible/shared.yml +++ b/linux_os/guide/system/network/network_sniffer_disabled/ansible/shared.yml 
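Review bot: The `escape_regex` filter on the changed `cmd:` line only protects the build-time `SYSCTLVAL` branch; the other branch of the same `{{%- if %}}`, kept as context two lines above, still interpolates the runtime variable `sysctl_{{{ SYSCTLID }}}_value` into the `grep -HP` pattern unescaped, so a variable-driven value containing `|`, `.` or another metacharacter misbehaves exactly as the commit message describes. Ansible's own `regex_escape` filter covers that branch at play time: `{{ sysctl_{{{ SYSCTLID }}}_value | regex_escape }}`. Both filters are needed because `escape_regex` runs in the build's Jinja and `regex_escape` in Ansible's. The task holding these lines starts and ends outside the hunk.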
@@ -13,5 +13,5 @@ ansible.builtin.command: cmd: ip link set dev {{ (item.split(':')[1] | trim).split('@')[0] }} multicast off promisc off loop: "{{ network_interfaces.stdout_lines }}" - when: network_interfaces.stdout_lines is defined and item.split(':') | length == 3 + when: network_interfaces.stdout_lines is defined and item.split(':') | length >= 3 From 0bd2b4a847a55afde86f25e0de42e992f46064ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Fri, 21 Nov 2025 16:59:38 +0100 Subject: [PATCH 388/403] Fix test scenarios metadata During stabilization we discovered that these scenarios fail the `/static-checks/unit-tests-metadata` test because `remediation=none` doesn't make sense for a `.pass.sh` test. --- .../sssd/sssd_enable_user_cert/tests/correct_value.pass.sh | 1 - .../tests/multiple_in_section_and_correct_value.pass.sh | 1 - .../prevent_direct_root_logins/tests/asterisk.pass.sh | 1 - 3 files changed, 3 deletions(-) diff --git a/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/correct_value.pass.sh index c730815a5b6c..6fa5920ea690 100644 --- a/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/correct_value.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/correct_value.pass.sh @@ -1,5 +1,4 @@ #!/bin/bash -# remediation = none # packages = sssd CONF="/etc/sssd/sssd.conf" diff --git a/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/multiple_in_section_and_correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/multiple_in_section_and_correct_value.pass.sh index f353351af0da..9bb6f9fd0b04 100644 --- a/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/multiple_in_section_and_correct_value.pass.sh +++ b/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/multiple_in_section_and_correct_value.pass.sh 
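Review bot: With `length >= 3` the `when:` on the last line no longer filters anything, because every line of `ip -o link show` output has at least three colon-separated fields, so `ip link set ... multicast off promisc off` now runs against every interface on the host, including interfaces that were never promiscuous, and the task will report changed on each run. A condition on the flags field, e.g. `when: network_interfaces.stdout_lines is defined and 'PROMISC' in item`, would confine the change to the interfaces the rule is about. That `network_interfaces` is registered from `ip -o link show` is taken from the commit message, not visible here; the task's name and its `register` lie above the hunk.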
@@ -1,5 +1,4 @@ #!/bin/bash -# remediation = none # packages = sssd CONF="/etc/sssd/sssd.conf" diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/prevent_direct_root_logins/tests/asterisk.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/prevent_direct_root_logins/tests/asterisk.pass.sh index 0befe304ae50..c5638eafff25 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/prevent_direct_root_logins/tests/asterisk.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/prevent_direct_root_logins/tests/asterisk.pass.sh @@ -1,6 +1,5 @@ #!/bin/bash # packages = passwd # platform = multi_platform_all -# remediation = none sed -i "s/^root:[^:]*/root:*/" /etc/shadow From 2ff3c9314a83a96849f7ff97cddac08b27b7f6b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Mon, 24 Nov 2025 11:05:18 +0100 Subject: [PATCH 389/403] Prevent Ansible fail in check mode Fixes failing /scanning/host-os/ansible-check/check-mode tests. Addressing: {"changed": false, "msg": "Source /var/lib/aide/aide.db.new.gz not found"} --- .../aide/aide_build_database/ansible/shared.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/shared.yml index 0b53d7ef6d16..3255fa424d66 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/shared.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/ansible/shared.yml @@ -43,4 +43,6 @@ dest: {{{ aide_stage_dest }}} backup: yes remote_src: yes - when: aide_database_init is changed + when: + - aide_database_init is changed + - not ansible_check_mode From 8ae1bf3c286cad4dd7cd72fbbb0b835aae45688e Mon Sep 17 00:00:00 2001 
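Review bot: The new `- not ansible_check_mode` condition in the `aide_build_database` hunk deserves a comment, because on its own it reads as if the copy were optional rather than impossible under check mode: `# skipped in check mode: the init task above only reports a change there and the source file is never created`. The task that registers `aide_database_init` lies above the hunk, so whether it really reports changed without creating the file is inferred from the commit message. It is also worth noting in the same comment that a check-mode run will no longer list this copy as a pending change.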
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Tue, 25 Nov 2025 11:05:22 +0100 Subject: [PATCH 390/403] Add reference to requirement 1.6.2 This change fixes incomplete references in rule `configure_custom_crypto_policy_cis` in RHEL 8 CIS profiles. The rule is present in the CIS profiles because it's selected by multiple other requirements. However, the rule is missing a reference to requirement 1.6.2, which is confusing for users of HTML reports and guides. To add the reference we need to add the selection to the rules key. Related to: https://issues.redhat.com/browse/RHEL-76009 --- controls/cis_rhel8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml index 16d0122a9d67..a5b889cd589e 100644 --- a/controls/cis_rhel8.yml +++ b/controls/cis_rhel8.yml @@ -547,7 +547,7 @@ controls: status: automated notes: |- This requirement is already satisfied by 1.6.1. - related_rules: + rules: - configure_custom_crypto_policy_cis - id: 1.6.3 From ac284b3dd3a80ab2d7bcc0d9aab4c87eca2b3f60 Mon Sep 17 00:00:00 2001 
From: Gabriel Becker Date: Mon, 23 Feb 2026 11:20:45 +0100 Subject: [PATCH 391/403] Fix drop in template to ignore commented out lines. In cases where a compliant commented out value was found, the script would consider a found=true directive and would then ignore the rest of the remediation. for example, if it would find [Journal] \#ForwardToSyslog=no for the rule journald_disable_forward_to_syslog, then it would not run the entire remediation with the proper fix. Detailed description of implemented changes Anchor at Start of Line: Added ^ to grep and sed patterns. This ensures that a line starting with #{{{ key }}} will not match, as the regex now expects the line to start with either whitespace or the key itself. Multiline Mode for Grep: Added (?m) to the grep -P commands. This flag makes the ^ anchor match the start of every line within the file buffer instead of just the very beginning of the file. Selective Sed Replacement: The sed command now specifically selects the line to edit by matching the un-commented key at the start of a line (/^[[:space:]]*{{{ key }}}/) before performing the substitution (s/=.*/.../). Active Value Verification: The second grep check now verifies if the active configuration matches the target value, preventing it from seeing a commented-out correct value and wrongly deciding that no action is needed. --- shared/macros/10-bash.jinja | 14 +++++++------- .../commented_out_correct_value_master.fail.sh | 13 +++++++++++++ .../bash/test_bash_ensure_ini_config.bats.jinja | 6 +++--- 3 files changed, 23 insertions(+), 10 deletions(-) create mode 100644 shared/templates/systemd_dropin_configuration/tests/commented_out_correct_value_master.fail.sh diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 7a92cfd8cdb7..7ad8a71c0246 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja 
@@ -2253,23 +2253,23 @@ for f in $(echo -n "{{{ files }}}"); do fi # find key in section and change value - if grep -qzosP "[[:space:]]*\[{{{ section }}}\]([^\n\[]*\n+)+?[[:space:]]*{{{ key }}}" "$f"; then - if ! grep -qPz "{{{ key }}}={{{ value }}}" "$f"; then + if grep -qzosP "(?m)^[[:space:]]*\[{{{ section }}}\]([^\n\[]*\n+)+?[[:space:]]*{{{ key }}}" "$f"; then + if ! grep -qzosP "(?m)^[[:space:]]*{{{ key }}}[[:space:]]*=[[:space:]]*{{{ value }}}" "$f"; then {{% if no_quotes %}} - sed -i "s/{{{ key }}}[^(\n)]*/{{{ key }}}={{{ value | replace("/", "\/") }}}/" "$f" + sed -i "/^[[:space:]]*{{{ key }}}/s/\([[:blank:]]*=[[:blank:]]*\).*/\1{{{ value | replace("/", "\/") }}}/" "$f" {{% else %}} - sed -i 's/{{{ key }}}[^(\n)]*/{{{ key }}}="{{{ value | replace("/", "\/") }}}"/' "$f" + sed -i '/^[[:space:]]*{{{ key }}}/s/\([[:blank:]]*=[[:blank:]]*\).*/\1"{{{ value | replace("/", "\/") }}}"/' "$f" {{% endif %}} fi found=true # find section and add key = value to it - elif grep -qs "[[:space:]]*\[{{{ section }}}\]" "$f"; then + elif grep -qs "^[[:space:]]*\[{{{ section }}}\]" "$f"; then {{% if no_quotes %}} - sed -i "/[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}={{{ value | replace("/", "\/") }}}" "$f" + sed -i "/^[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}={{{ value | replace("/", "\/") }}}" "$f" {{% else %}} - sed -i '/[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}="{{{ value | replace ("/", "\/") }}}"' "$f" + sed -i '/^[[:space:]]*\[{{{ section }}}\]/a {{{ key }}}="{{{ value | replace ("/", "\/") }}}"' "$f" {{% endif %}} found=true fi diff --git a/shared/templates/systemd_dropin_configuration/tests/commented_out_correct_value_master.fail.sh b/shared/templates/systemd_dropin_configuration/tests/commented_out_correct_value_master.fail.sh new file mode 100644 index 000000000000..90b69e6f4047 --- /dev/null +++ b/shared/templates/systemd_dropin_configuration/tests/commented_out_correct_value_master.fail.sh 
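Review bot: The new sed address `/^[[:space:]]*{{{ key }}}/` is not scoped to `[{{{ section }}}]` and treats the key as a prefix, so once the first grep has confirmed the key under the section, every line in the file that starts with the key (in any section, and e.g. `Key2` for key `Key`) gets its value rewritten; `/^[[:space:]]*{{{ key }}}[[:space:]]*=/` fixes the prefix problem, and restricting to the section would need a range address (`/^[[:space:]]*\[{{{ section }}}\]/,/^[[:space:]]*\[/`). The second grep has the same prefix issue on its value side: `=[[:space:]]*{{{ value }}}` accepts `no` as a match for `no-such-value`, so the pattern should end with `[[:space:]]*$`. As commit 386 does for the sysctl template, the interpolated `{{{ value }}}` and `{{{ key }}}` belong behind `escape_regex` wherever they can hold regex metacharacters. The `for f ... do` loop this sits in starts and ends outside the hunk.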
@@ -0,0 +1,13 @@ +#!/bin/bash +SECTION="{{{ SECTION }}}" +PARAM="{{{ PARAM }}}" +VALUE="{{{ VALUE }}}" +MASTER_CFG_FILE="{{{ MASTER_CFG_FILE }}}" + +# This setup tests if remediation is "tricked" by a commented-out correct value. +# It sets an active bad value and a commented-out good value. +{{% if NO_QUOTES %}} +echo -e "[$SECTION]\n$PARAM=badval\n#$PARAM=$VALUE" > "$MASTER_CFG_FILE" +{{% else %}} +echo -e "[$SECTION]\n$PARAM=\"badval\"\n#$PARAM=\"$VALUE\"" > "$MASTER_CFG_FILE" +{{% endif %}} diff --git a/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja b/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja index 34a90ce2398b..95dfa0acb8da 100644 --- a/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja +++ b/tests/unit/bash/test_bash_ensure_ini_config.bats.jinja @@ -46,7 +46,7 @@ teardown() { @test "bash_ensure_ini_config - Basic value remediation" { printf "[pam]\npam_cert_auth = false\n" > sssd_test/sssd.conf - expected_output="[pam]\npam_cert_auth=true\n" + expected_output="[pam]\npam_cert_auth = true\n" call_bash_ensure_ini_config "sssd_test/sssd.conf" "pam" "pam_cert_auth" "true" @@ -57,7 +57,7 @@ teardown() { @test "bash_ensure_ini_config - Value remediation in multiple files" { printf "[pam]\npam_cert_auth = false\n" > sssd_test/sssd.conf printf "[pam]\npam_cert_auth = false\n" > pam_cert_auth.conf - expected_output="[pam]\npam_cert_auth=true\n" + expected_output="[pam]\npam_cert_auth = true\n" call_bash_ensure_ini_config "sssd_test/sssd.conf pam_cert_auth.conf" "pam" "pam_cert_auth" "true" @@ -70,7 +70,7 @@ teardown() { @test "bash_ensure_ini_config - No remediation happened" { printf "[pam]\npam_cert_auth = true\n" > sssd_test/sssd.conf - expected_output="[pam]\npam_cert_auth=true\n" + expected_output="[pam]\npam_cert_auth = true\n" call_bash_ensure_ini_config "sssd_test/sssd.conf" "pam" "pam_cert_auth" "true" From 21147ec9931c70ea1fbf64a17d6fcf7d5f8dab3e Mon Sep 17 00:00:00 2001 
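Review bot: The three `expected_output` changes in `test_bash_ensure_ini_config.bats.jinja` only track the whitespace-preserving sed; no bats case exercises the commented-out-correct-value scenario the commit fixes, which is covered solely by the new templated `commented_out_correct_value_master.fail.sh`. A unit case seeding `printf "[pam]\npam_cert_auth = false\n#pam_cert_auth = true\n"` and expecting the active line to become `pam_cert_auth = true` with the comment left intact would pin the regression at macro level, where it runs far cheaper than the full test suite. Whether `call_bash_ensure_ini_config` compares whole-file content is not visible in the hunk.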
From: Vojtech Polasek Date: Tue, 24 Feb 2026 12:14:46 +0100 Subject: [PATCH 392/403] sysctl_kernel_core_pattern_empty_string: make implementation of the rule similar to the templated one Ansible, BAsh, OVAL Template not used, because empty string is tricky to implement in the current sysctl template and I decided that reengineering the whole template is not worth the result. --- .../ansible/shared.yml | 29 +++- .../bash/shared.sh | 42 ++--- .../oval/shared.xml | 164 +++++------------- 3 files changed, 85 insertions(+), 150 deletions(-) diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml index 8d95be5ac6b1..174866b22b55 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/ansible/shared.yml @@ -4,9 +4,16 @@ # complexity = low # disruption = medium +- name: "{{{ rule_title }}} - Set fact for sysctl paths" + ansible.builtin.set_fact: + sysctl_paths: + - "/etc/sysctl.d/" + - "/run/sysctl.d/" + - "/usr/local/lib/sysctl.d/" + - name: "{{{ rule_title }}} - Find all files that contain kernel.core_pattern" ansible.builtin.shell: - cmd: find -L /etc/sysctl.conf /etc/sysctl.d/ /run/sysctl.d/ -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*.*$' + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*.*$' register: find_all_values check_mode: false changed_when: false 
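Review bot: The new `sysctl_paths` fact lists `/etc/sysctl.d/`, `/run/sysctl.d/` and `/usr/local/lib/sysctl.d/`, but the OVAL rewritten in the same commit (`oval/shared.xml`) gains objects for `/usr/lib/sysctl.d`, so a `kernel.core_pattern` line under `/usr/lib/sysctl.d/*.conf` is presumably reported by the check yet never commented out by this remediation or by the bash one in `bash/shared.sh`. If leaving the vendor directory untouched is intended, a comment on the fact would stop the next reader from "fixing" it: `# /usr/lib/sysctl.d is deliberately not edited; vendor files are expected to be overridden by /etc/sysctl.d/kernel_core_pattern.conf`. That override is not guaranteed, since systemd-sysctl applies files in lexical order of basename across all directories, so a later-sorting vendor file would still win.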
@@ -14,7 +21,7 @@ - name: "{{{ rule_title }}} - Find all files that set kernel.core_pattern to correct value" ansible.builtin.shell: - cmd: find -L /etc/sysctl.conf /etc/sysctl.d/ /run/sysctl.d/ -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*$' + cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep -HP '^\s*kernel.core_pattern\s*=\s*$' register: find_correct_value check_mode: false changed_when: false @@ -23,15 +30,23 @@ - name: "{{{ rule_title }}} - Comment out any occurrences of kernel.core_pattern from config files" ansible.builtin.replace: path: '{{ item | split(":") | first }}' - regexp: ^[\s]*kernel.core_pattern + regexp: '^[\s]*kernel.core_pattern' replace: '#kernel.core_pattern' loop: '{{ find_all_values.stdout_lines }}' when: find_correct_value.stdout_lines | length == 0 or find_all_values.stdout_lines | length > find_correct_value.stdout_lines | length +- name: "{{{ rule_title }}} - Comment out any occurrences of kernel.core_pattern from /etc/sysctl.conf" + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^[\s]*kernel.core_pattern' + replace: '#kernel.core_pattern' + with_fileglob: + - "/etc/sysctl.conf" + - name: "{{{ rule_title }}} - Ensure sysctl kernel.core_pattern is set to empty" ansible.posix.sysctl: - name: kernel.core_pattern - value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces - sysctl_file: "/etc/sysctl.conf" + name: "kernel.core_pattern" + value: ' ' # ansible sysctl module doesn't allow empty string, a space string is allowed and has the same semantics as sysctl will ignore spaces + sysctl_file: "/etc/sysctl.d/kernel_core_pattern.conf" state: present - reload: true + reload: yes 
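Review bot: `with_fileglob` in the new "Comment out any occurrences of kernel.core_pattern from /etc/sysctl.conf" task is a lookup and globs the control node's filesystem, not the managed host's, so the task runs only when the Ansible controller itself has an `/etc/sysctl.conf` and is silently skipped when the playbook runs from a container, macOS or a CI runner without one. A remote `stat` with a `when` on its result gives the intended behaviour; the rewrite is below. On the last line, `reload: true` became `reload: yes` while the task is otherwise unchanged, which reverts the truthy form the repository's earlier Ansible-lint cleanups settled on — keep `true`. The "Find all files that set kernel.core_pattern to correct value" task in the first of these two hunks starts outside it.
```yaml
- name: "{{{ rule_title }}} - Check whether /etc/sysctl.conf exists"
  ansible.builtin.stat:
    path: /etc/sysctl.conf
  register: sysctl_conf_stat

- name: "{{{ rule_title }}} - Comment out any occurrences of kernel.core_pattern from /etc/sysctl.conf"
  ansible.builtin.replace:
    path: /etc/sysctl.conf
    regexp: '^[\s]*kernel.core_pattern'
    replace: '#kernel.core_pattern'
  when: sysctl_conf_stat.stat.exists
# … unchanged: "Ensure sysctl kernel.core_pattern is set to empty" task …
```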
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh index 2b2f1cd70b66..301e434e8c03 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/bash/shared.sh 
@@ -5,49 +5,39 @@ # disruption = medium # Comment out any occurrences of kernel.core_pattern from /etc/sysctl.d/*.conf files -for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf; do +for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do + + # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf) + if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi matching_list=$(grep -P '^(?!#).*[\s]*kernel.core_pattern.*$' $f | uniq ) if ! test -z "$matching_list"; then while IFS= read -r entry; do escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry") # comment out "kernel.core_pattern" matches to preserve user data - sed -i "s/^${escaped_entry}$/# &/g" $f + sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f done <<< "$matching_list" fi done +# +# Set sysctl config file which to save the desired value +# + +SYSCONFIG_FILE='/etc/sysctl.d/kernel_core_pattern.conf' + # # Set runtime for kernel.core_pattern # -/sbin/sysctl -q -n -w kernel.core_pattern="" +if {{{ bash_not_bootc_build() }}} ; then + /sbin/sysctl -q -n -w kernel.core_pattern="" +fi # # If kernel.core_pattern present in /etc/sysctl.conf, change value to empty # else, add "kernel.core_pattern =" to /etc/sysctl.conf # -# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. -# Otherwise, regular sed command will do. -sed_command=('sed' '-i') -if test -L "/etc/sysctl.conf"; then - sed_command+=('--follow-symlinks') -fi - -# Strip any search characters in the key arg so that the key can be replaced without -# adding any search characters to the config file. -stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.core_pattern") -# shellcheck disable=SC2059 -printf -v formatted_output "%s=" "$stripped_key" +sed -i --follow-symlinks "/^kernel.core_pattern/d" /etc/sysctl.conf -# If the key exists, change it. Otherwise, add it to the config_file. 
-# We search for the key string followed by a word boundary (matched by \>), -# so if we search for 'setting', 'setting2' won't match. -if LC_ALL=C grep -q -m 1 -i -e "^kernel.core_pattern\\>" "/etc/sysctl.conf"; then - escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output") - "${sed_command[@]}" "s/^kernel.core_pattern\\>.*/$escaped_formatted_output/gi" "/etc/sysctl.conf" -else - # \n is precaution for case where file ends without trailing newline - - printf '%s\n' "$formatted_output" >> "/etc/sysctl.conf" -fi +{{{ bash_replace_or_append('${SYSCONFIG_FILE}', '^kernel.core_pattern', '', cce_identifiers=cce_identifiers) }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml index 3fba84e44eac..8005c5990f02 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_core_pattern_empty_string/oval/shared.xml @@ -37,155 +37,68 @@
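Review bot: `sed -i --follow-symlinks "/^kernel.core_pattern/d" /etc/sysctl.conf` deletes the user's line outright, whereas the loop earlier in the same hunk comments matches out "to preserve user data" and the Ansible variant of this rule rewrites them to `#kernel.core_pattern`; the comment block just above it ("change value to empty, else add ... to /etc/sysctl.conf") also no longer describes what follows, since the value now lands in `${SYSCONFIG_FILE}`. Commenting out keeps the three implementations consistent: `sed -i --follow-symlinks 's/^[[:space:]]*kernel\.core_pattern/# &/' /etc/sysctl.conf`, and the stale comment should say that `/etc/sysctl.conf` is neutralised and the setting written to `/etc/sysctl.d/kernel_core_pattern.conf`. The same command also fails when `/etc/sysctl.conf` is absent, which the loop's glob handling tolerates; guarding it with `test -f /etc/sysctl.conf &&` avoids a spurious remediation error.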
    + {{{ oval_metadata("The kernel 'kernel.core_pattern' parameter should be set to an empty string in the system configuration.", rule_title=rule_title) }}} - - - - - - + + + + + - - + - + - - - - + + + - - + + + - -{{% if target_oval_version >= [5, 11] %}} - - - - - - - local_var_sysctl_kernel_core_pattern_empty_string_counter - - - - 1 - - - - - - - - - - - - - object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered - state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink - - - - - - - - - - - - - - - - - var_obj_symlink_sysctl_kernel_core_pattern_empty_string - var_obj_blank_sysctl_kernel_core_pattern_empty_string - - - - - local_var_blank_path_sysctl_kernel_core_pattern_empty_string - - - - - - - - local_var_symlinks_sysctl_kernel_core_pattern_empty_string - - - - - - - - - - - - - state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string - - - - - ^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$ - -{{% endif %}} - - - - - - + + - object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string - object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string + object_static_etc_lib_sysctls_sysctl_kernel_core_pattern_empty_string + object_static_run_usr_local_sysctls_sysctl_kernel_core_pattern_empty_string - + object_static_sysctl_sysctl_kernel_core_pattern_empty_string object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string - + + object_static_usr_local_lib_sysctld_sysctl_kernel_core_pattern_empty_string object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string + /etc/sysctl.conf ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ @@ -205,6 +118,23 @@ ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ 1 + + + /usr/local/lib/sysctl.d + ^.*\.conf$ + ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ + 1 + + + + + /usr/lib/sysctl.d + ^.*\.conf$ + ^[[:blank:]]*kernel.core_pattern[[:blank:]]*=[[:blank:]]*(.*)$ + 1 + + + 
From c252ac3cfa3a84e72e8f2e43cd881181c8812cba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 25 Feb 2026 11:15:56 +0100 Subject: [PATCH 393/403] Set rpm crypto only if rpm scope exists Setting a crypto policy for RPM is possible only if the crypto-policies package provides the `rpm-sequoia` scope. This scope is new in RHEL 9.7 and doesn't exist in older minor versions of RHEL 9. If the `rpm-sequoia` scope isn't present in crypto-policies, the `update-crypto-policies` command fails to set the `NO-RPMSHA1` custom crypto policy module. That causes multiple problems, namely termination of the profile Ansible Playbook for CIS profiles. We will fix the problem by first checking if the `rpm-sequoia` scope exists and we will define the `NO-RPMSHA1` custom crypto policy module only if the scope exists. Addressing: ``` {"changed": true, "cmd": ["update-crypto-policies", "--set", "DEFAULT:NO-SHA1:NO-SSHCBC:NO-SSHWEAKCIPHERS:NO-SSHWEAKMACS:NO-WEAKMAC:NO-RPMSHA1"], "delta": "0:00:00.070451", "end": "2026-02-16 19:47:56.444333", "msg": "non-zero return code", "rc": 1, "start": "2026-02-16 19:47:56.373882", "stderr": "ScopeUnknownError: Unknown scope rpm\nErrors found in policy, first one: \nunknown scope rpm", "stderr_lines": ["ScopeUnknownError: Unknown scope rpm", "Errors found in policy, first one: ", "unknown scope rpm"], "stdout": "", "stdout_lines": []} ``` --- .../rule.yml | 3 ++- .../crypto_sub_policies/ansible.template | 25 +++++++++++++++++-- .../crypto_sub_policies/bash.template | 18 ++++++++++--- .../crypto_sub_policies/oval.template | 21 +++++++++++++++- .../templates/crypto_sub_policies/template.py | 3 --- 5 files changed, 59 insertions(+), 11 deletions(-) delete mode 100644 shared/templates/crypto_sub_policies/template.py 
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml index b80f01777048..72387b459f09 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_custom_crypto_policy_cis/rule.yml @@ -52,7 +52,8 @@ title: Implement Custom Crypto Policy Modules for CIS Benchmark { "module_name": "NO-RPMSHA1", "key": "hash@rpm", - "value": "-SHA1" + "value": "-SHA1", + "scope": "rpm-sequoia" }, ] %}} {{% elif product == "rhel10" or product == "fedora" %}} diff --git a/shared/templates/crypto_sub_policies/ansible.template b/shared/templates/crypto_sub_policies/ansible.template index 688b681a97bd..7152802d1b50 100644 --- a/shared/templates/crypto_sub_policies/ansible.template +++ b/shared/templates/crypto_sub_policies/ansible.template @@ -4,7 +4,18 @@ # complexity = low # disruption = low +- name: "{{{ rule_title }}} - Set the base crypto policy" + ansible.builtin.set_fact: + expected_crypto_policy: "{{{ BASE_POLICY }}}" + {{% for sub_policy in SUB_POLICIES %}} +{{% if "scope" in sub_policy %}} +- name: "{{{ rule_title }}} - Check That /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config Exists" + ansible.builtin.stat: + path: /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config + register: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope +{{% endif %}} + - name: "{{{ rule_title }}} - Create custom crypto policy module {{{ sub_policy.module_name }}}" ansible.builtin.lineinfile: path: /etc/crypto-policies/policies/modules/{{{ sub_policy.module_name }}}.pmod 
@@ -14,6 +25,16 @@ line: {{{ sub_policy.key }}} = {{{ sub_policy.value }}} create: true regexp: "{{{ sub_policy.key }}}" +{{% if "scope" in sub_policy %}} + when: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope.stat.exists +{{% endif %}} + +- name: "{{{ rule_title }}} - Update the expected policy" + ansible.builtin.set_fact: + expected_crypto_policy: "{{ expected_crypto_policy + ':{{{ sub_policy.module_name }}}' }}" +{{% if "scope" in sub_policy %}} + when: crypto_{{{ sub_policy.scope | replace("-", "_") }}}_scope.stat.exists +{{% endif %}} {{% endfor %}} - name: "{{{ rule_title }}} - Check current crypto policy" @@ -24,5 +45,5 @@ check_mode: false - name: "{{{ rule_title }}} - Update crypto-policies" - ansible.builtin.command: update-crypto-policies --set {{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}} - when: current_crypto_policy.stdout.strip() != "{{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}" + ansible.builtin.command: update-crypto-policies --set {{ expected_crypto_policy }} + when: current_crypto_policy.stdout.strip() != expected_crypto_policy diff --git a/shared/templates/crypto_sub_policies/bash.template b/shared/templates/crypto_sub_policies/bash.template index e8915cb3daf3..685e90e54846 100644 --- a/shared/templates/crypto_sub_policies/bash.template +++ b/shared/templates/crypto_sub_policies/bash.template 
@@ -4,12 +4,22 @@
 # complexity = low
 # disruption = low
 
-{{% for sub_policy in SUB_POLICIES %}}
-{{{ bash_file_contents("/etc/crypto-policies/policies/modules/" ~ sub_policy.module_name ~ ".pmod", sub_policy.key ~ " = " ~ sub_policy.value) }}}
-{{% endfor %}}
+expected_crypto_policy="{{{ BASE_POLICY }}}"
+
+{{% for sub_policy in SUB_POLICIES -%}}
+{{% if "scope" in sub_policy %}}
+# this module is applicable only if {{{ sub_policy.scope }}} scope is available in crypto-policies
+if [[ -f /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config ]] ; then
+{{%- endif %}}
+expected_crypto_policy="${expected_crypto_policy}:{{{ sub_policy.module_name }}}"
+{{{ bash_file_contents("/etc/crypto-policies/policies/modules/" ~ sub_policy.module_name ~ ".pmod", sub_policy.key ~ " = " ~ sub_policy.value) | trim }}}
+{{% if "scope" in sub_policy -%}}
+fi
+{{% endif %}}
+{{%- endfor %}}
 
 current_crypto_policy=$(update-crypto-policies --show)
-expected_crypto_policy="{{{ BASE_POLICY }}}:{{{ CONFIGURE_CRYPTO_POLICY_MODULES }}}"
+
 if [[ "$current_crypto_policy" != "$expected_crypto_policy" ]] ; then
 update-crypto-policies --set "$expected_crypto_policy"
 fi
diff --git a/shared/templates/crypto_sub_policies/oval.template b/shared/templates/crypto_sub_policies/oval.template
index 272ae6ee31df..b45e533287a9 100644
--- a/shared/templates/crypto_sub_policies/oval.template
+++ b/shared/templates/crypto_sub_policies/oval.template
@@ -3,8 +3,18 @@ {{{ oval_metadata("Ensure that the custom crypto policy module is configured", rule_title=rule_title) }}} {{% for sub_policy in SUB_POLICIES %}} - + + + + + + + {{% else %}} + + {{% endif %}} {{% endfor %}}
@@ -21,5 +31,14 @@ ^{{{ sub_policy.key }}} = {{{ sub_policy.value | escape_regex }}}$ 1 + {{% if "scope" in sub_policy %}} + + + + + + /etc/crypto-policies/back-ends/{{{ sub_policy.scope }}}.config + + {{% endif %}} {{% endfor %}}
diff --git a/shared/templates/crypto_sub_policies/template.py b/shared/templates/crypto_sub_policies/template.py deleted file mode 100644 index 8e256ae08291..000000000000 --- a/shared/templates/crypto_sub_policies/template.py +++ /dev/null @@ -1,3 +0,0 @@ -def preprocess(data, lang): - data["configure_crypto_policy_modules"] = ":".join([sub_policy["module_name"] for sub_policy in data["sub_policies"]]) - return data From 80b91a81903746e88347515409327777762c3345 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= Date: Wed, 25 Feb 2026 13:53:30 +0100 Subject: [PATCH 394/403] Fix a broken link I can't find the original content that the link pointed to. I think the content wasn't so important, so I will remove it. --- .../gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml index 4f228f0c3a4a..ac8e9953350d 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_xdmcp/rule.yml @@ -11,9 +11,7 @@ title: 'Disable XDMCP in GDM' {{% endif %}} description: |- - XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g. - {{{ weblink("https://help.gnome.org/admin/gdm/stable/security.html.en_GB#xdmcpsecurity", "XDMCP Gnome docs") }}}. - + XDMCP is an unencrypted protocol, and therefore, presents a security risk. To disable XDMCP support in Gnome, set Enable to false under the [xdmcp] configuration section in {{{ gdm_conf_path }}}. For example:
         [xdmcp]
    
    From c40ed3885ecbecec4738672c59d817ca2f47355c Mon Sep 17 00:00:00 2001
    From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= 
    Date: Thu, 26 Feb 2026 13:54:16 +0100
    Subject: [PATCH 395/403] Check for PQC GPG key only on RHEL 10.1 and newer
    
    The redhat-release RPM package in RHEL 10.0 won't contain the
    post-quantum OpenPGP key. This key will be present in RHEL 10.1
    and newer.
    
    Addressing:
    Failing rule `ensure_redhat_gpgkey_installed` in multiple contest
    tests `/hardening/host-os/oscap` on RHEL 10.0.
    ---
     .../ansible/shared.yml                        | 18 +++++++++++--
     .../bash/shared.sh                            | 13 ++++++----
     .../oval/shared.xml                           | 26 +++++++++++++++++--
     3 files changed, 48 insertions(+), 9 deletions(-)
    
    diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
    index 8080f0c6ced3..750852c52a4f 100644
    --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
    +++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
    @@ -40,13 +40,27 @@
     
     {{% endif %}}
     
    -- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
    +{{% if "rhel" in families and major_version_ordinal >= 10 %}}
    +- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints (without PQC)"
    +  ansible.builtin.set_fact:
    +    gpg_valid_fingerprints:
    +    - "{{{ release_key_fingerprint }}}"
    +    - "{{{ auxiliary_key_fingerprint }}}"
    +  when: ansible_distribution_version is version('10.1', '<')
    +
    +- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints (with PQC)"
       ansible.builtin.set_fact:
         gpg_valid_fingerprints:
         - "{{{ release_key_fingerprint }}}"
         - "{{{ auxiliary_key_fingerprint }}}"
    -{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
         - "{{{ pqc_key_fingerprint }}}"
    +  when: ansible_distribution_version is version('10.1', '>=')
    +{{% else %}}
    +- name: "{{{ rule_title }}}: Set Fact - Valid fingerprints"
    +  ansible.builtin.set_fact:
    +    gpg_valid_fingerprints:
    +    - "{{{ release_key_fingerprint }}}"
    +    - "{{{ auxiliary_key_fingerprint }}}"
     {{% endif %}}
     
     - name: "{{{ rule_title }}}: Import RedHat GPG key"
    diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
    index 53931cd4009d..5fdb792b79cd 100644
    --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
    +++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/bash/shared.sh
    @@ -25,13 +25,16 @@ then
       # No CRC error, safe to proceed
       if [ "${GPG_RESULT}" -eq "0" ]
       then
    +  # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
     {{% if "rhel" in families  and major_version_ordinal >= 10 %}}
    -    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || {
    +    if {{{ bash_os_linux_conditional("rhel", expected_ver="10.1", op=">=") | trim }}}
    +    then
    +      echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}|${REDHAT_PQC_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
    +    else
    +      echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
    +    fi
     {{% else %}}
    -    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || {
    +    echo "${GPG_OUT[*]}" | grep -vE "${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}" || rpm --import "${REDHAT_RELEASE_KEY}"
     {{% endif %}}
    -      # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
    -      rpm --import "${REDHAT_RELEASE_KEY}"
    -    }
       fi
     fi
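Review bot: The allowed-fingerprint pattern is now written out three times in this hunk (both branches of the 10.1 conditional and the non-RHEL branch), and because that pattern decides whether `rpm --import` runs, every copy has to be updated on any key change. Building the pattern in one variable and running the grep once leaves a single point of truth, and the comment moved above the `{{% if` can sit next to the single grep it describes. The enclosing `if [ "${GPG_RESULT}" -eq "0" ]` block starts before this hunk.

```bash
  then
    # If $REDHAT_RELEASE_KEY file doesn't contain any keys with unknown fingerprint, import it
    VALID_FINGERPRINTS="${REDHAT_RELEASE_FINGERPRINT}|${REDHAT_AUXILIARY_FINGERPRINT}"
{{% if "rhel" in families  and major_version_ordinal >= 10 %}}
    # The post-quantum key ships with redhat-release only from RHEL 10.1 on.
    if {{{ bash_os_linux_conditional("rhel", expected_ver="10.1", op=">=") | trim }}}
    then
      VALID_FINGERPRINTS="${VALID_FINGERPRINTS}|${REDHAT_PQC_FINGERPRINT}"
    fi
{{% endif %}}
    echo "${GPG_OUT[*]}" | grep -vE "${VALID_FINGERPRINTS}" || rpm --import "${REDHAT_RELEASE_KEY}"
  fi
```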
    diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
    index 6871feba83b3..52461f678900 100644
    --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
    +++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
    @@ -13,8 +13,13 @@
               
     {{% if "rhel" in families  and major_version_ordinal >= 10 %}}
    -          
    +          
    +            
    +            
    +              
    +              
    +            
    +          
     {{% endif %}}
           
           {{%- if centos_major_version %}}
    @@ -88,5 +93,22 @@
       
       {{%- endif %}}
     
    +{{% if "rhel" in families and major_version_ordinal >= 10 %}}
    +  
    +    
    +    
    +  
    +
    +  
    +    /etc/os-release
    +    ^VERSION_ID=["']?([\w.]+)["']?$
    +    1
    +  
    +
    +  
    +    10.1
    +  
    +{{% endif %}}
    +
     
     {{% endif %}}
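Review bot: The 10.1 gate added here reads `VERSION_ID` from `/etc/os-release`, while the Ansible remediation in this patch uses `ansible_distribution_version` and the bash one `bash_os_linux_conditional`; on a system where these sources disagree (a `VERSION_ID` without a minor component, for instance) the check and the remediation would apply different fingerprint lists. A comment on the new object naming that dependency would help, e.g. `<!-- PQC key is shipped by redhat-release only from RHEL 10.1; keep in sync with the ansible and bash remediations -->`. The state's markup is not visible here, so confirm that the `10.1` comparison uses the `version` datatype rather than a string compare, otherwise `10.10` would not order after `10.1`.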
    
    From a76eb807447039e646ce5ba47880fb868e6b4099 Mon Sep 17 00:00:00 2001
    From: Vojtech Polasek 
    Date: Tue, 3 Mar 2026 09:35:10 +0100
    Subject: [PATCH 396/403] ensure:redhat_gpgkey_installed: in ansible
     remediation use direct command instead of rpmkey Ansible module
    
    The module currently fails when it encounters keys with PQC signatures.
    
    Relevant issue: https://github.com/ansible/ansible/issues/86157
    ---
     .../ensure_redhat_gpgkey_installed/ansible/shared.yml         | 4 +---
     1 file changed, 1 insertion(+), 3 deletions(-)
    
    diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
    index 750852c52a4f..514841546662 100644
    --- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
    +++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
    @@ -64,9 +64,7 @@
     {{% endif %}}
     
     - name: "{{{ rule_title }}}: Import RedHat GPG key"
    -  ansible.builtin.rpm_key:
    -    state: present
    -    key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    +  ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
       when:
        - gpg_key_directory_permission.stat.mode <= '0755'
        - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0
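Review bot: Swapping `rpm_key` for a raw `rpm --import` drops idempotency: the task reports changed on every run that satisfies the two `when:` conditions, even when the key is already in the rpm database, whereas the module only changed state when needed. The reason for the swap lives only in the commit message, so add above the task `# rpm_key fails on keys carrying PQC signatures (ansible/ansible#86157); revert to ansible.builtin.rpm_key once fixed`, and consider registering an `rpm -q gpg-pubkey` query to gate the import so the play stays idempotent.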
    
    From 5581ba1bf51026520cd7dcd97ff879ae900d941c Mon Sep 17 00:00:00 2001
    From: Matthew Burket 
    Date: Tue, 3 Mar 2026 10:46:28 -0600
    Subject: [PATCH 397/403] Adjust RHEL 8 and RHEL 9 kickstarts to fit in 20 GB
    
    ---
     .../ssg-rhel8-anssi_bp28_enhanced-ks.cfg       | 18 +++++++++---------
     .../kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 18 +++++++++---------
     .../ssg-rhel8-anssi_bp28_intermediary-ks.cfg   | 18 +++++++++---------
     .../ssg-rhel9-anssi_bp28_enhanced-ks.cfg       | 18 +++++++++---------
     .../kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg | 18 +++++++++---------
     .../ssg-rhel9-anssi_bp28_intermediary-ks.cfg   | 18 +++++++++---------
     .../ssg-rhel9-ccn_intermediate-ks.cfg          |  8 ++++----
     7 files changed, 58 insertions(+), 58 deletions(-)
    
    diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
    index 1b95e71705f9..069855e80d26 100644
    --- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
    +++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
    @@ -80,7 +80,7 @@ zerombr
     
     # The following partition layout scheme assumes disk of size 20GB or larger
     # Modify size of partitions appropriately to reflect actual machine's hardware
    -# 
    +#
     # Remove Linux partitions from the system prior to creating new ones (optional)
     # --linux	erase all Linux partitions
     # --initlabel	initialize the disk label to the default based on the underlying architecture
    @@ -95,15 +95,15 @@ part pv.01 --grow --size=1
     volgroup VolGroup pv.01
     
     # Create particular logical volumes (optional)
    -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
    +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
     # Ensure /usr Located On Separate Partition
    -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6536 --fsoptions="nodev"
    +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
     # Ensure /opt Located On Separate Partition
    -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
    +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /srv Located On Separate Partition
    -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
    +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /home Located On Separate Partition
    -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
    +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /tmp Located On Separate Partition
     logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
     # Ensure /var/tmp Located On Separate Partition
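Review bot: The rewritten `/home` line in this hunk keeps `--fsoptions="nodev,nosuid"`, while the rhel8 high and intermediary kickstarts and all three rhel9 ANSSI kickstarts in the same commit carry `noexec` on `/home` as well, so this file is now the only one of the six without it. If that is not a deliberate enhanced-level difference, `--fsoptions="nodev,nosuid,noexec"` would align it with the others while the sizes are being aligned; the divergence predates this commit, so a follow-up is also reasonable.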
    @@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
     
     # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
     # content - security policies - on the installed system.This add-on has been enabled by default
    -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
    +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
     # functionality will automatically be installed. However, by default, no policies are enforced,
     # meaning that no checks are performed during or after installation unless specifically configured.
    -#  
    +#
     #  Important
     #   Applying a security policy is not necessary on all systems. This screen should only be used
     #   when a specific policy is mandated by your organization rules or government regulations.
     #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
     #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
     #   Values can be optionally enclosed in single quotes (') or double quotes (").
    -#   
    +#
     # For more details and configuration options see
     # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
     %addon org_fedora_oscap
    diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
    index 461459e5d2bd..3477225767b6 100644
    --- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
    +++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
    @@ -84,7 +84,7 @@ zerombr
     
     # The following partition layout scheme assumes disk of size 20GB or larger
     # Modify size of partitions appropriately to reflect actual machine's hardware
    -# 
    +#
     # Remove Linux partitions from the system prior to creating new ones (optional)
     # --linux	erase all Linux partitions
     # --initlabel	initialize the disk label to the default based on the underlying architecture
    @@ -99,15 +99,15 @@ part pv.01 --grow --size=1
     volgroup VolGroup pv.01
     
     # Create particular logical volumes (optional)
    -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
    +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
     # Ensure /usr Located On Separate Partition
    -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=4096 --fsoptions="nodev"
    +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
     # Ensure /opt Located On Separate Partition
    -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
    +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /srv Located On Separate Partition
    -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
    +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /home Located On Separate Partition
    -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
    +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
     # Ensure /tmp Located On Separate Partition
     logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
     # Ensure /var/tmp Located On Separate Partition
    @@ -123,17 +123,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
     
     # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
     # content - security policies - on the installed system.This add-on has been enabled by default
    -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
    +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
     # functionality will automatically be installed. However, by default, no policies are enforced,
     # meaning that no checks are performed during or after installation unless specifically configured.
    -#  
    +#
     #  Important
     #   Applying a security policy is not necessary on all systems. This screen should only be used
     #   when a specific policy is mandated by your organization rules or government regulations.
     #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
     #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
     #   Values can be optionally enclosed in single quotes (') or double quotes (").
    -#   
    +#
     # For more details and configuration options see
     # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
     %addon org_fedora_oscap
    diff --git a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
    index 9080117a63c3..5789b94da59d 100644
    --- a/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
    +++ b/products/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
    @@ -81,7 +81,7 @@ zerombr
     
     # The following partition layout scheme assumes disk of size 20GB or larger
     # Modify size of partitions appropriately to reflect actual machine's hardware
    -# 
    +#
     # Remove Linux partitions from the system prior to creating new ones (optional)
     # --linux	erase all Linux partitions
     # --initlabel	initialize the disk label to the default based on the underlying architecture
    @@ -96,15 +96,15 @@ part pv.01 --grow --size=1
     volgroup VolGroup pv.01
     
     # Create particular logical volumes (optional)
    -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
    +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
     # Ensure /usr Located On Separate Partition
    -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6536 --fsoptions="nodev"
    +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
     # Ensure /opt Located On Separate Partition
    -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
    +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /srv Located On Separate Partition
    -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
    +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /home Located On Separate Partition
    -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
    +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
     # Ensure /tmp Located On Separate Partition
     logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
     # Ensure /var/tmp Located On Separate Partition
    @@ -119,17 +119,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
     
     # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
     # content - security policies - on the installed system.This add-on has been enabled by default
    -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
    +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
     # functionality will automatically be installed. However, by default, no policies are enforced,
     # meaning that no checks are performed during or after installation unless specifically configured.
    -#  
    +#
     #  Important
     #   Applying a security policy is not necessary on all systems. This screen should only be used
     #   when a specific policy is mandated by your organization rules or government regulations.
     #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
     #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
     #   Values can be optionally enclosed in single quotes (') or double quotes (").
    -#   
    +#
     # For more details and configuration options see
     # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/kickstart-commands-and-options-reference_installing-rhel-as-an-experienced-user#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
     %addon org_fedora_oscap
    diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg
    index 5b170c0a635f..48dbcf396ce8 100644
    --- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg
    +++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_enhanced-ks.cfg
    @@ -80,7 +80,7 @@ zerombr
     
     # The following partition layout scheme assumes disk of size 20GB or larger
     # Modify size of partitions appropriately to reflect actual machine's hardware
    -# 
    +#
     # Remove Linux partitions from the system prior to creating new ones (optional)
     # --linux	erase all Linux partitions
     # --initlabel	initialize the disk label to the default based on the underlying architecture
    @@ -95,15 +95,15 @@ part pv.01 --grow --size=1
     volgroup VolGroup pv.01
     
     # Create particular logical volumes (optional)
    -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
    +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
     # Ensure /usr Located On Separate Partition
    -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
    +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
     # Ensure /opt Located On Separate Partition
    -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
    +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /srv Located On Separate Partition
    -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
    +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /home Located On Separate Partition
    -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
    +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,noexec,nosuid"
     # Ensure /tmp Located On Separate Partition
     logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
     # Ensure /var/tmp Located On Separate Partition
    @@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
     
     # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
     # content - security policies - on the installed system.This add-on has been enabled by default
    -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
    +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
     # functionality will automatically be installed. However, by default, no policies are enforced,
     # meaning that no checks are performed during or after installation unless specifically configured.
    -#  
    +#
     #  Important
     #   Applying a security policy is not necessary on all systems. This screen should only be used
     #   when a specific policy is mandated by your organization rules or government regulations.
     #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
     #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
     #   Values can be optionally enclosed in single quotes (') or double quotes (").
    -#   
    +#
     # For more details and configuration options see
     # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
     %addon com_redhat_oscap
    diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
    index 7cb225c2da56..bbb3a2cadf90 100644
    --- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
    +++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_high-ks.cfg
    @@ -84,7 +84,7 @@ zerombr
     
     # The following partition layout scheme assumes disk of size 20GB or larger
     # Modify size of partitions appropriately to reflect actual machine's hardware
    -# 
    +#
     # Remove Linux partitions from the system prior to creating new ones (optional)
     # --linux	erase all Linux partitions
     # --initlabel	initialize the disk label to the default based on the underlying architecture
    @@ -99,15 +99,15 @@ part pv.01 --grow --size=1
     volgroup VolGroup pv.01
     
     # Create particular logical volumes (optional)
    -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
    +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
     # Ensure /usr Located On Separate Partition
    -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=4096 --fsoptions="nodev"
    +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
     # Ensure /opt Located On Separate Partition
    -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
    +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /srv Located On Separate Partition
    -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid"
    +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /home Located On Separate Partition
    -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
    +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
     # Ensure /tmp Located On Separate Partition
     logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
     # Ensure /var/tmp Located On Separate Partition
    @@ -122,17 +122,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
     
     # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
     # content - security policies - on the installed system.This add-on has been enabled by default
    -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
    +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
     # functionality will automatically be installed. However, by default, no policies are enforced,
     # meaning that no checks are performed during or after installation unless specifically configured.
    -#  
    +#
     #  Important
     #   Applying a security policy is not necessary on all systems. This screen should only be used
     #   when a specific policy is mandated by your organization rules or government regulations.
     #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
     #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
     #   Values can be optionally enclosed in single quotes (') or double quotes (").
    -#   
    +#
     # For more details and configuration options see
     # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
     %addon com_redhat_oscap
    diff --git a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg
    index 4feee55f0f8c..d5649e10ece3 100644
    --- a/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg
    +++ b/products/rhel9/kickstart/ssg-rhel9-anssi_bp28_intermediary-ks.cfg
    @@ -80,7 +80,7 @@ zerombr
     
     # The following partition layout scheme assumes disk of size 20GB or larger
     # Modify size of partitions appropriately to reflect actual machine's hardware
    -# 
    +#
     # Remove Linux partitions from the system prior to creating new ones (optional)
     # --linux	erase all Linux partitions
     # --initlabel	initialize the disk label to the default based on the underlying architecture
    @@ -95,15 +95,15 @@ part pv.01 --grow --size=1
     volgroup VolGroup pv.01
     
     # Create particular logical volumes (optional)
    -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
    +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
     # Ensure /usr Located On Separate Partition
    -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=5000 --fsoptions="nodev"
    +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
     # Ensure /opt Located On Separate Partition
    -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
    +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /srv Located On Separate Partition
    -logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
    +logvol /srv --fstype=xfs --name=srv --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid"
     # Ensure /home Located On Separate Partition
    -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
    +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=128 --fsoptions="nodev,nosuid,noexec"
     # Ensure /tmp Located On Separate Partition
     logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
     # Ensure /var/tmp Located On Separate Partition
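Review bot: /home, /opt and /srv become fixed 128 MB volumes on the new `logvol` lines, and unlike `/` they carry no `--grow`, so they stay at 128 MB whatever the disk size; a single user's cache or one package unpacked into /opt can fill them, and a full /home tends to break interactive logins. The header comment still only says the layout assumes a 20 GB disk, so the new budget (a 6667 MB /usr paid for by the small volumes) is not recorded anywhere. A comment next to that assumption such as `# Sizes are minimums for a 20 GB disk: / absorbs unallocated space via --grow, every other volume is fixed` plus a word on where 6667 comes from would stop the next edit from guessing. If the small volumes are deliberate to force operators to size them, say so there too.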
    @@ -118,17 +118,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
     
     # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
     # content - security policies - on the installed system.This add-on has been enabled by default
    -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
    +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
     # functionality will automatically be installed. However, by default, no policies are enforced,
     # meaning that no checks are performed during or after installation unless specifically configured.
    -#  
    +#
     #  Important
     #   Applying a security policy is not necessary on all systems. This screen should only be used
     #   when a specific policy is mandated by your organization rules or government regulations.
     #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
     #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
     #   Values can be optionally enclosed in single quotes (') or double quotes (").
    -#   
    +#
     # For more details and configuration options see
     # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
     %addon com_redhat_oscap
    diff --git a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg
    index 263be16f4566..73e367ce22dc 100644
    --- a/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg
    +++ b/products/rhel9/kickstart/ssg-rhel9-ccn_intermediate-ks.cfg
    @@ -94,7 +94,7 @@ part pv.01 --grow --size=1
     volgroup VolGroup pv.01
     
     # Create particular logical volumes (optional)
    -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=9728 --grow
    +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
     # Ensure /home Located On Separate Partition
     logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
     # Ensure /tmp Located On Separate Partition
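Review bot: The floor for `/` drops from 9728 MB to 1024 MB on the new `logvol /` line, and since this kickstart keeps /usr on the root volume (the next `logvol` is /home), that figure is only viable because `--grow` hands the root everything left on the disk. On the 20 GB disk the header comment assumes that is fine, but on a smaller disk Anaconda would now accept a root that cannot hold a RHEL 9 install instead of failing early as the old minimum did. A comment such as `# 1024 is a floor only: / grows into all unallocated space and also holds /usr` would make the dependence on --grow explicit.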
    @@ -111,17 +111,17 @@ logvol swap --name=swap --vgname=VolGroup --size=2016
     
     # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
     # content - security policies - on the installed system.This add-on has been enabled by default
    -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
    +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
     # functionality will automatically be installed. However, by default, no policies are enforced,
     # meaning that no checks are performed during or after installation unless specifically configured.
    -#  
    +#
     #  Important
     #   Applying a security policy is not necessary on all systems. This screen should only be used
     #   when a specific policy is mandated by your organization rules or government regulations.
     #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
     #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
     #   Values can be optionally enclosed in single quotes (') or double quotes (").
    -#   
    +#
     # For more details and configuration options see
     # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
     %addon com_redhat_oscap
    
    From 544b1caf4783b67b56bbc76b57999d0abe57d019 Mon Sep 17 00:00:00 2001
    From: Matthew Burket 
    Date: Tue, 3 Mar 2026 15:33:04 -0600
    Subject: [PATCH 398/403] Move to service_dnsmasq_disabled for CIS in RHEL
    
Removing the package was causing issues in installs
    ---
     products/rhel10/controls/cis_rhel10.yml | 2 ++
     products/rhel8/controls/cis_rhel8.yml   | 2 ++
     products/rhel9/controls/cis_rhel9.yml   | 2 ++
     3 files changed, 6 insertions(+)
    
    diff --git a/products/rhel10/controls/cis_rhel10.yml b/products/rhel10/controls/cis_rhel10.yml
    index 8269196f2993..f6abf020f44a 100644
    --- a/products/rhel10/controls/cis_rhel10.yml
    +++ b/products/rhel10/controls/cis_rhel10.yml
    @@ -817,6 +817,8 @@ controls:
               - l1_workstation
           status: automated
           rules:
    +          - service_dnsmasq_disabled
    +      related_rules:
               - package_dnsmasq_removed
     
         - id: 2.1.7
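Review bot: With `package_dnsmasq_removed` demoted to `related_rules`, the control is now satisfied by `service_dnsmasq_disabled` alone, which covers only the systemd unit; with the package still installed dnsmasq can still be started directly, and NetworkManager connection sharing and libvirt's default network launch their own dnsmasq processes outside that unit, so what is assessed is narrower than the benchmark's "not in use". I would record that gap in the control, e.g. `# service_dnsmasq_disabled covers the unit only; dnsmasq spawned by NetworkManager/libvirt is not detected`, and confirm the disabled-rule remediation also masks the unit so a dependency cannot re-enable it. The control entry starts before this hunk, so its id is not visible here.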
    diff --git a/products/rhel8/controls/cis_rhel8.yml b/products/rhel8/controls/cis_rhel8.yml
    index cbe5d4d6454e..57ff2e16abc4 100644
    --- a/products/rhel8/controls/cis_rhel8.yml
    +++ b/products/rhel8/controls/cis_rhel8.yml
    @@ -860,6 +860,8 @@ controls:
               - l1_workstation
           status: automated
           rules:
    +          - service_dnsmasq_disabled
    +      related_rules:
               - package_dnsmasq_removed
     
         - id: 2.1.7
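Review bot: The reason package removal was demoted lives only in the commit message, and a reader of the control will take `package_dnsmasq_removed` under `related_rules` as merely topically related. A one-line YAML comment above `related_rules:` such as `# package removal breaks installs that depend on dnsmasq; service disablement is the assessed rule` keeps the rationale with the content. The control entry starts before this hunk, so its id is not visible here.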
    diff --git a/products/rhel9/controls/cis_rhel9.yml b/products/rhel9/controls/cis_rhel9.yml
    index f73fbd1f6d79..2ded1b128c92 100644
    --- a/products/rhel9/controls/cis_rhel9.yml
    +++ b/products/rhel9/controls/cis_rhel9.yml
    @@ -819,6 +819,8 @@ controls:
               - l1_workstation
           status: automated
           rules:
    +          - service_dnsmasq_disabled
    +      related_rules:
               - package_dnsmasq_removed
     
         - id: 2.1.6
    
    From 585678ed25d2312db054eb4d17f370b8e4ed0cda Mon Sep 17 00:00:00 2001
    From: Vojtech Polasek 
    Date: Wed, 4 Mar 2026 12:45:25 +0100
    Subject: [PATCH 399/403] update profile stability tests
    
    ---
     tests/data/profile_stability/rhel10/cis.profile                | 2 +-
     tests/data/profile_stability/rhel10/cis_server_l1.profile      | 2 +-
     tests/data/profile_stability/rhel10/cis_workstation_l1.profile | 2 +-
     tests/data/profile_stability/rhel10/cis_workstation_l2.profile | 2 +-
     tests/data/profile_stability/rhel8/cis.profile                 | 2 +-
     tests/data/profile_stability/rhel8/cis_server_l1.profile       | 2 +-
     tests/data/profile_stability/rhel8/cis_workstation_l1.profile  | 2 +-
     tests/data/profile_stability/rhel8/cis_workstation_l2.profile  | 2 +-
     tests/data/profile_stability/rhel9/cis.profile                 | 2 +-
     tests/data/profile_stability/rhel9/cis_server_l1.profile       | 2 +-
     tests/data/profile_stability/rhel9/cis_workstation_l1.profile  | 2 +-
     tests/data/profile_stability/rhel9/cis_workstation_l2.profile  | 2 +-
     12 files changed, 12 insertions(+), 12 deletions(-)
    
    diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
    index acb21b876b66..be281650fc10 100644
    --- a/tests/data/profile_stability/rhel10/cis.profile
    +++ b/tests/data/profile_stability/rhel10/cis.profile
    @@ -322,7 +322,6 @@ package_audit_installed
     package_bind_removed
     package_cron_installed
     package_cyrus-imapd_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -369,6 +368,7 @@ service_bluetooth_disabled
     service_cockpit_disabled
     service_crond_enabled
     service_cups_disabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_rpcbind_disabled
    diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
    index 1a8d4a413244..40d910b58ee9 100644
    --- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
    +++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
    @@ -226,7 +226,6 @@ package_aide_installed
     package_bind_removed
     package_cron_installed
     package_cyrus-imapd_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -262,6 +261,7 @@ service_avahi-daemon_disabled
     service_bluetooth_disabled
     service_crond_enabled
     service_cups_disabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_rpcbind_disabled
    diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
    index 63186a34c258..f2f820c05c60 100644
    --- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
    +++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
    @@ -222,7 +222,6 @@ package_aide_installed
     package_bind_removed
     package_cron_installed
     package_cyrus-imapd_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -253,6 +252,7 @@ rsyslog_files_permissions
     selinux_not_disabled
     selinux_policytype
     service_crond_enabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_rpcbind_disabled
    diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
    index 221ffac17557..68ed725b2d73 100644
    --- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
    +++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
    @@ -322,7 +322,6 @@ package_audit_installed
     package_bind_removed
     package_cron_installed
     package_cyrus-imapd_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -365,6 +364,7 @@ service_avahi-daemon_disabled
     service_bluetooth_disabled
     service_cockpit_disabled
     service_crond_enabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_rpcbind_disabled
    diff --git a/tests/data/profile_stability/rhel8/cis.profile b/tests/data/profile_stability/rhel8/cis.profile
    index 40ef7718866d..f17b30ec001e 100644
    --- a/tests/data/profile_stability/rhel8/cis.profile
    +++ b/tests/data/profile_stability/rhel8/cis.profile
    @@ -323,7 +323,6 @@ package_chrony_installed
     package_cron_installed
     package_cyrus-imapd_removed
     package_dhcp_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -376,6 +375,7 @@ service_bluetooth_disabled
     service_cockpit_disabled
     service_crond_enabled
     service_cups_disabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_rpcbind_disabled
    diff --git a/tests/data/profile_stability/rhel8/cis_server_l1.profile b/tests/data/profile_stability/rhel8/cis_server_l1.profile
    index c186914d253b..8acdac5b799c 100644
    --- a/tests/data/profile_stability/rhel8/cis_server_l1.profile
    +++ b/tests/data/profile_stability/rhel8/cis_server_l1.profile
    @@ -237,7 +237,6 @@ package_chrony_installed
     package_cron_installed
     package_cyrus-imapd_removed
     package_dhcp_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -279,6 +278,7 @@ service_avahi-daemon_disabled
     service_bluetooth_disabled
     service_crond_enabled
     service_cups_disabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_rpcbind_disabled
    diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
    index f53d2e0dd714..3a115c19fbf6 100644
    --- a/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
    +++ b/tests/data/profile_stability/rhel8/cis_workstation_l1.profile
    @@ -234,7 +234,6 @@ package_chrony_installed
     package_cron_installed
     package_cyrus-imapd_removed
     package_dhcp_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -271,6 +270,7 @@ rsyslog_nolisten
     selinux_not_disabled
     selinux_policytype
     service_crond_enabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_rpcbind_disabled
    diff --git a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
    index f43c7d9ea9b5..c7700c1f700b 100644
    --- a/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
    +++ b/tests/data/profile_stability/rhel8/cis_workstation_l2.profile
    @@ -323,7 +323,6 @@ package_chrony_installed
     package_cron_installed
     package_cyrus-imapd_removed
     package_dhcp_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -372,6 +371,7 @@ service_avahi-daemon_disabled
     service_bluetooth_disabled
     service_cockpit_disabled
     service_crond_enabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_rpcbind_disabled
    diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
    index 65f2ddc07f7e..398d9f9c3132 100644
    --- a/tests/data/profile_stability/rhel9/cis.profile
    +++ b/tests/data/profile_stability/rhel9/cis.profile
    @@ -292,7 +292,6 @@ package_chrony_installed
     package_cron_installed
     package_cyrus-imapd_removed
     package_dhcp_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -339,6 +338,7 @@ service_avahi-daemon_disabled
     service_bluetooth_disabled
     service_crond_enabled
     service_cups_disabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_nftables_disabled
    diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
    index ac83e2c0a321..549ae2ca45b2 100644
    --- a/tests/data/profile_stability/rhel9/cis_server_l1.profile
    +++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile
    @@ -201,7 +201,6 @@ package_chrony_installed
     package_cron_installed
     package_cyrus-imapd_removed
     package_dhcp_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -238,6 +237,7 @@ service_avahi-daemon_disabled
     service_bluetooth_disabled
     service_crond_enabled
     service_cups_disabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_nftables_disabled
    diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
    index fb685c741479..fc3d0e7e594a 100644
    --- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
    +++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
    @@ -198,7 +198,6 @@ package_chrony_installed
     package_cron_installed
     package_cyrus-imapd_removed
     package_dhcp_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -230,6 +229,7 @@ rsyslog_files_permissions
     selinux_not_disabled
     selinux_policytype
     service_crond_enabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_nftables_disabled
    diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
    index 3fc4bebf0c4a..ac08a0eb2e05 100644
    --- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
    +++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
    @@ -292,7 +292,6 @@ package_chrony_installed
     package_cron_installed
     package_cyrus-imapd_removed
     package_dhcp_removed
    -package_dnsmasq_removed
     package_dovecot_removed
     package_firewalld_installed
     package_ftp_removed
    @@ -335,6 +334,7 @@ service_autofs_disabled
     service_avahi-daemon_disabled
     service_bluetooth_disabled
     service_crond_enabled
    +service_dnsmasq_disabled
     service_firewalld_enabled
     service_nfs_disabled
     service_nftables_disabled
    
    From e6ae4f5421f0eb6309580cf3d0ff703ede99845d Mon Sep 17 00:00:00 2001
    From: Vojtech Polasek 
    Date: Wed, 4 Mar 2026 12:52:40 +0100
    Subject: [PATCH 400/403] add cces to service_dnsmasq_disabled
    
    ---
     linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml | 3 +++
     shared/references/cce-redhat-avail.txt                        | 3 ---
     2 files changed, 3 insertions(+), 3 deletions(-)
    
    diff --git a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
    index b030a645a893..51fe990a7a8f 100644
    --- a/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
    +++ b/linux_os/guide/services/dns/service_dnsmasq_disabled/rule.yml
    @@ -13,6 +13,9 @@ rationale: |-
     severity: medium
     
     identifiers:
    +    cce@rhel8: CCE-90720-4
    +    cce@rhel9: CCE-90721-2
    +    cce@rhel10: CCE-90722-0
         cce@sle15: CCE-92602-2
     
     platform: system_with_kernel
    diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
    index 19129c0f0065..3681684fcdf0 100644
    --- a/shared/references/cce-redhat-avail.txt
    +++ b/shared/references/cce-redhat-avail.txt
    @@ -2341,6 +2341,3 @@ CCE-90706-3
     CCE-90707-1
     CCE-90710-5
     CCE-90715-4
    -CCE-90720-4
    -CCE-90721-2
    -CCE-90722-0
    
    From 5f342684b0d2521310eb8e6d886240c779c78712 Mon Sep 17 00:00:00 2001
    From: Vojtech Polasek 
    Date: Wed, 4 Mar 2026 12:57:11 +0100
    Subject: [PATCH 401/403] add package_dnsmasq_removed to default profiles for
     rhels
    
    ---
     products/rhel10/profiles/default.profile | 1 +
     products/rhel8/profiles/default.profile  | 1 +
     products/rhel9/profiles/default.profile  | 1 +
     3 files changed, 3 insertions(+)
    
    diff --git a/products/rhel10/profiles/default.profile b/products/rhel10/profiles/default.profile
    index 4d9b46867bc6..3be6b3d8376a 100644
    --- a/products/rhel10/profiles/default.profile
    +++ b/products/rhel10/profiles/default.profile
    @@ -45,3 +45,4 @@ selections:
         - file_etc_security_opasswd
         - sshd_use_strong_macs
         - configure_ssh_crypto_policy
    +    - package_dnsmasq_removed
    diff --git a/products/rhel8/profiles/default.profile b/products/rhel8/profiles/default.profile
    index 6865a9615f79..7e7401a04ac7 100644
    --- a/products/rhel8/profiles/default.profile
    +++ b/products/rhel8/profiles/default.profile
    @@ -738,3 +738,4 @@ selections:
         - configure_openssl_tls_crypto_policy
         - sshd_use_approved_kex_ordered_stig
         - accounts_user_dot_no_world_writable_programs
    +    - package_dnsmasq_removed
    diff --git a/products/rhel9/profiles/default.profile b/products/rhel9/profiles/default.profile
    index 876e5516b32a..f817322dbdab 100644
    --- a/products/rhel9/profiles/default.profile
    +++ b/products/rhel9/profiles/default.profile
    @@ -592,3 +592,4 @@ selections:
         - audit_rules_login_events_tallylog
         - configure_ssh_crypto_policy
         - accounts_user_dot_no_world_writable_programs
    +    - package_dnsmasq_removed
    
    From bd9035cb4068d6b9794f26294bca3b810af367ca Mon Sep 17 00:00:00 2001
    From: Vojtech Polasek 
    Date: Wed, 4 Mar 2026 12:29:29 +0100
    Subject: [PATCH 402/403] enlarge /usr partition in bsi kickstart
    
    ---
     products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg | 8 ++++----
     1 file changed, 4 insertions(+), 4 deletions(-)
    
    diff --git a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
    index 47ef01e7fa56..2989a47c9225 100644
    --- a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
    +++ b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
    @@ -97,16 +97,16 @@ part pv.01 --grow --size=1
     volgroup VolGroup pv.01
     
     # Create particular logical volumes (optional)
    -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=3192 --grow
    +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
     # Ensure /usr Located On Separate Partition
     # partition_for_usr
    -logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=3192 --fsoptions="nodev"
    +logvol /usr --fstype=xfs --name=usr --vgname=VolGroup --size=6667 --fsoptions="nodev"
     # Ensure /opt Located On Separate Partition
     # partition_for_opt
    -logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=512
    +logvol /opt --fstype=xfs --name=opt --vgname=VolGroup --size=128
     # Ensure /home Located On Separate Partition
     # partition_for_home
    -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
    +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
     # Ensure /tmp Located On Separate Partition
     # partition_for_tmp
     logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
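Review bot: The rewritten `/opt` line shrinks the volume to 128 MB and, as before, sets no mount options, while the ANSSI kickstart earlier in this series mounts /opt with `--fsoptions="nodev,nosuid"`; if the BSI profile selects the corresponding mount-option rules, the system this kickstart builds will fail them on first scan, and if it does not, a comment saying the omission is intentional would settle the question. 128 MB is also small for the third-party software /opt usually receives and the volume has no `--grow`, so the 20 GB budget behind 6667/128/512 should be stated once, e.g. `# fixed sizes for a 20 GB disk; / absorbs remaining space`. The commit title mentions only the /usr enlargement, so the /opt and /home reductions deserve a sentence as well.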
    
    From 71385924a1157431f8f7875776e597bd7e3678d3 Mon Sep 17 00:00:00 2001
    From: Matthew Burket 
    Date: Thu, 5 Mar 2026 11:29:46 -0600
    Subject: [PATCH 403/403] Adjust BSI and PCI DSS kickstarts
    
    ---
     products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg    |  2 +-
     .../rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg     | 16 ++++++++--------
     2 files changed, 9 insertions(+), 9 deletions(-)
    
    diff --git a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
    index 2989a47c9225..68a69d4d0d9c 100644
    --- a/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
    +++ b/products/rhel9/kickstart/ssg-rhel9-bsi-ks.cfg
    @@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
     logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
     # Ensure /var Located On Separate Partition
     # partition_for_var
    -logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048
    +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=4096
     # Ensure /var/log Located On Separate Partition
     # partition_for_var_log
     logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024
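Review bot: The new `/var` line doubles the size but still mounts without options, whereas the PCI DSS kickstart changed in this same commit uses `--fsoptions="nodev"` for /var; if the BSI profile includes a mount-option rule for /var, the installed system will fail it at first scan. If BSI does not require it, a short comment to that effect avoids the question; otherwise the line should read `logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=4096 --fsoptions="nodev"`.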
    diff --git a/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg
    index 55a0a069cac0..cbb5ce7e2dcb 100644
    --- a/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg
    +++ b/products/rhel9/kickstart/ssg-rhel9-pci-dss-ks.cfg
    @@ -78,7 +78,7 @@ zerombr
     
     # The following partition layout scheme assumes disk of size 20GB or larger
     # Modify size of partitions appropriately to reflect actual machine's hardware
    -# 
    +#
     # Remove Linux partitions from the system prior to creating new ones (optional)
     # --linux	erase all Linux partitions
     # --initlabel	initialize the disk label to the default based on the underlying architecture
    @@ -93,32 +93,32 @@ part pv.01 --grow --size=1
     volgroup VolGroup pv.01
     
     # Create particular logical volumes (optional)
    -logvol / --fstype=xfs --name=root --vgname=VolGroup --size=5120 --grow
    +logvol / --fstype=xfs --name=root --vgname=VolGroup --size=1024 --grow
     # CCE-26557-9: Ensure /home Located On Separate Partition
    -logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
    +logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=512 --fsoptions="nodev"
     # CCE-26435-8: Ensure /tmp Located On Separate Partition
     logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
     # CCE-26639-5: Ensure /var Located On Separate Partition
    -logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
    +logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=4096 --fsoptions="nodev"
     # CCE-26215-4: Ensure /var/log Located On Separate Partition
    -logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=1024 --fsoptions="nodev"
    +logvol /var/log --fstype=xfs --name=varlog --vgname=VolGroup --size=512 --fsoptions="nodev"
     # CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
     logvol /var/log/audit --fstype=xfs --name=varlogaudit --vgname=VolGroup --size=512 --fsoptions="nodev"
     logvol swap --name=swap --vgname=VolGroup --size=2016
     
     # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
     # content - security policies - on the installed system.This add-on has been enabled by default
    -# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
    +# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this
     # functionality will automatically be installed. However, by default, no policies are enforced,
     # meaning that no checks are performed during or after installation unless specifically configured.
    -#  
    +#
     #  Important
     #   Applying a security policy is not necessary on all systems. This screen should only be used
     #   when a specific policy is mandated by your organization rules or government regulations.
     #   Unlike most other commands, this add-on does not accept regular options, but uses key-value
     #   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
     #   Values can be optionally enclosed in single quotes (') or double quotes (").
    -#   
    +#
     # For more details and configuration options see
     # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/performing_an_advanced_rhel_9_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
     %addon com_redhat_oscap
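Review bot: `/var/log` is halved to 512 MB on the new line while `/var` grows to 4096 MB; on a PCI DSS system the log volume is where retention lives, so a smaller fixed-size volume means faster rotation or rsyslog stalling on a full filesystem, and nothing in the hunk records why that capacity was traded away. If the aim was only to make room for /var, keep `--size=1024` for /var/log, or document the trade next to the 20 GB assumption, e.g. `# /var/log sized for short local rotation; PCI DSS Req 10 retention must be met off-box`. The reductions to /home and / are likewise undocumented, and only / has `--grow` to recover space.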