From 27804748b2b50e472a7c22c8809d1179f49b50cb Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 30 Aug 2021 14:16:21 +0200
Subject: [PATCH 1/5] Enable sudo_require_reauthentication in RHEL7 and select
it in STIG.
Assign the STIG id RHEL-07-010343.
---
.../software/sudo/sudo_require_reauthentication/rule.yml | 4 +++-
products/rhel7/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
|
|
9be3b2 |
index 8622d6af9c1..bc94a705124 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
|
|
9be3b2 |
@@ -1,6 +1,6 @@
|
|
|
9be3b2 |
documentation_complete: true
|
|
|
9be3b2 |
|
|
|
9be3b2 |
-prodtype: rhel8,sle12,sle15
|
|
|
9be3b2 |
+prodtype: rhel7,rhel8,sle12,sle15
|
|
|
9be3b2 |
|
|
|
9be3b2 |
title: 'The operating system must require Re-Authentication when using the sudo command.
|
|
|
9be3b2 |
Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout'
|
|
|
9be3b2 |
@@ -25,6 +25,7 @@ rationale: |-
|
|
|
9be3b2 |
severity: medium
|
|
|
9be3b2 |
|
|
|
9be3b2 |
identifiers:
|
|
|
9be3b2 |
+ cce@rhel7: CCE-85963-7
|
|
|
9be3b2 |
cce@rhel8: CCE-87838-9
|
|
|
9be3b2 |
cce@sle12: CCE-83231-1
|
|
|
9be3b2 |
cce@sle15: CCE-85764-9
|
|
|
9be3b2 |
@@ -33,6 +34,7 @@ references:
|
|
|
9be3b2 |
disa: CCI-002038
|
|
|
9be3b2 |
nist: IA-11
|
|
|
9be3b2 |
srg: SRG-OS-000373-GPOS-00156
|
|
|
9be3b2 |
+ stigid@rhel7: RHEL-07-010343
|
|
|
9be3b2 |
stigid@rhel8: RHEL-08-010384
|
|
|
9be3b2 |
stigid@sle12: SLES-12-010113
|
|
|
9be3b2 |
stigid@sle15: SLES-15-020102
|
|
|
9be3b2 |
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
index f073da46836..409078670a2 100644
|
|
|
9be3b2 |
--- a/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
+++ b/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
@@ -107,6 +107,7 @@ selections:
|
|
|
9be3b2 |
- sudo_remove_nopasswd
|
|
|
9be3b2 |
- sudo_restrict_privilege_elevation_to_authorized
|
|
|
9be3b2 |
- sudo_remove_no_authenticate
|
|
|
9be3b2 |
+ - sudo_require_reauthentication
|
|
|
9be3b2 |
- sudoers_validate_passwd
|
|
|
9be3b2 |
- accounts_logon_fail_delay
|
|
|
9be3b2 |
- gnome_gdm_disable_automatic_login
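Review bot: The new `- sudo_require_reauthentication` selection is added without pinning the timeout value the rule is parameterized by; if the rule's check reads a `var_sudo_timestamp_timeout`-style variable (as the RHEL8 content appears to), this profile's variables block should also get `- var_sudo_timestamp_timeout=<option matching RHEL-07-010343>` so the scan enforces the value the STIG expects rather than the variable's default. This hunk shows only the rule selections, so whether such a value is already set elsewhere in the profile cannot be confirmed from here. If RHEL-07-010343 only requires timestamp_timeout to be explicitly configured and non-negative, a stricter default is acceptable, but the explicit selection documents that choice for auditors.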
|
|
|
9be3b2 |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
index ee4c156b79c..56a6586de7d 100644
|
|
|
9be3b2 |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
@@ -84,7 +84,6 @@ CCE-85959-5
|
|
|
9be3b2 |
CCE-85960-3
|
|
|
9be3b2 |
CCE-85961-1
|
|
|
9be3b2 |
CCE-85962-9
|
|
|
9be3b2 |
-CCE-85963-7
|
|
|
9be3b2 |
CCE-85965-2
|
|
|
9be3b2 |
CCE-85966-0
|
|
|
9be3b2 |
CCE-85967-8
|
|
|
9be3b2 |
From 309a57fe36c4fe214060883d11c937eb1e42daf2 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 30 Aug 2021 14:44:44 +0200
Subject: [PATCH 2/5] Enable accounts_authorized_local_users in RHEL7 and
select it in STIG.
Assign the STIG id RHEL-07-020270.
---
.../accounts_authorized_local_users/rule.yml | 4 +++-
.../var_accounts_authorized_local_users_regex.var | 1 +
products/rhel7/profiles/stig.profile | 2 ++
shared/references/cce-redhat-avail.txt | 1 -
4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
|
|
|
9be3b2 |
index e2311f6a5c3..189accf892a 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
|
|
|
9be3b2 |
@@ -1,6 +1,6 @@
|
|
|
9be3b2 |
documentation_complete: true
|
|
|
9be3b2 |
|
|
|
9be3b2 |
-prodtype: ol7,sle12,sle15,fedora,rhel8
|
|
|
9be3b2 |
+prodtype: ol7,sle12,sle15,fedora,rhel7,rhel8
|
|
|
9be3b2 |
|
|
|
9be3b2 |
title: 'Only Authorized Local User Accounts Exist on Operating System'
|
|
|
9be3b2 |
|
|
|
9be3b2 |
@@ -26,6 +26,7 @@ rationale: |-
|
|
|
9be3b2 |
severity: medium
|
|
|
9be3b2 |
|
|
|
9be3b2 |
identifiers:
|
|
|
9be3b2 |
+ cce@rhel7: CCE-88380-1
|
|
|
9be3b2 |
cce@rhel8: CCE-85987-6
|
|
|
9be3b2 |
cce@sle12: CCE-83195-8
|
|
|
9be3b2 |
cce@sle15: CCE-85561-9
|
|
|
9be3b2 |
@@ -34,6 +35,7 @@ references:
|
|
|
9be3b2 |
disa: CCI-000366
|
|
|
9be3b2 |
nist@sle12: CM-6(b),CM-6.1(iv)
|
|
|
9be3b2 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
9be3b2 |
+ stigid@rhel7: RHEL-07-020270
|
|
|
9be3b2 |
stigid@rhel8: RHEL-08-020320
|
|
|
9be3b2 |
stigid@sle12: SLES-12-010630
|
|
|
9be3b2 |
stigid@sle15: SLES-15-020090
|
|
|
9be3b2 |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
|
|
|
9be3b2 |
index 2f456764617..e376906b005 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
|
|
|
9be3b2 |
@@ -22,6 +22,7 @@ operator: pattern match
|
|
|
9be3b2 |
interactive: true
|
|
|
9be3b2 |
|
|
|
9be3b2 |
options:
|
|
|
9be3b2 |
+ rhel7: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
|
|
|
9be3b2 |
rhel8: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
|
|
|
9be3b2 |
ol7forsap: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
|
|
|
9be3b2 |
saponol7 : "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$"
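Review bot: The new `rhel7:` option copies the `rhel8:` pattern verbatim, including the stray `$` in `usbmuxd$` inside the alternation; it is harmless under the outer `^(...)$` but reads as a typo, and the new line should use `usbmuxd` (the rhel8, ol7forsap and saponol7 lines carry the same artifact, out of scope here). It also inherits names that the RHEL7-era `ol7forsap` pattern does not list (`systemd-resolve`, `systemd-coredump`, `sssd`, `rngd`); since every name matching this regex appears to be treated as an authorized account by the rule, entries for accounts no RHEL7 package creates widen the allow-list for nothing and should be trimmed to what RHEL7 actually ships — confirm against a RHEL7 install. Maintaining two identical ~400-character allow-lists by hand is error-prone; if the build's YAML loader honors anchors, `rhel7: &rhel_system_accounts "^(…)$"` with `rhel8: *rhel_system_accounts` would keep them in lockstep, but verify the variable loader supports that before relying on it.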
|
|
|
9be3b2 |
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
index 409078670a2..05a1ccc6753 100644
|
|
|
9be3b2 |
--- a/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
+++ b/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
@@ -55,6 +55,7 @@ selections:
|
|
|
9be3b2 |
- var_password_pam_retry=3
|
|
|
9be3b2 |
- var_accounts_max_concurrent_login_sessions=10
|
|
|
9be3b2 |
- var_accounts_tmout=15_min
|
|
|
9be3b2 |
+ - var_accounts_authorized_local_users_regex=rhel7
|
|
|
9be3b2 |
- var_time_service_set_maxpoll=system_default
|
|
|
9be3b2 |
- sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
|
|
|
9be3b2 |
- sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
|
|
|
9be3b2 |
@@ -322,3 +323,4 @@ selections:
|
|
|
9be3b2 |
- sysctl_net_ipv4_conf_default_rp_filter
|
|
|
9be3b2 |
- package_mcafeetp_installed
|
|
|
9be3b2 |
- agent_mfetpd_running
|
|
|
9be3b2 |
+ - accounts_authorized_local_users
|
|
|
9be3b2 |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
index 56a6586de7d..137dba1e96d 100644
|
|
|
9be3b2 |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
@@ -2434,7 +2434,6 @@ CCE-88376-9
|
|
|
9be3b2 |
CCE-88377-7
|
|
|
9be3b2 |
CCE-88378-5
|
|
|
9be3b2 |
CCE-88379-3
|
|
|
9be3b2 |
-CCE-88380-1
|
|
|
9be3b2 |
CCE-88381-9
|
|
|
9be3b2 |
CCE-88382-7
|
|
|
9be3b2 |
CCE-88383-5
|
|
|
9be3b2 |
From 5be99f99a40b3e5ac9173fc5552dfc903f2dd9a3 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 30 Aug 2021 15:17:40 +0200
Subject: [PATCH 3/5] Enable auditd_overflow_action in RHEL7 and select it in
STIG.
Assign the STIG id RHEL-07-030210.
---
.../auditd_overflow_action/rule.yml | 2 ++
products/rhel7/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
|
|
|
9be3b2 |
index d41ca000761..78898954f2f 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
|
|
|
9be3b2 |
@@ -15,12 +15,14 @@ rationale: |-
|
|
|
9be3b2 |
severity: medium
|
|
|
9be3b2 |
|
|
|
9be3b2 |
identifiers:
|
|
|
9be3b2 |
+ cce@rhel7: CCE-88073-2
|
|
|
9be3b2 |
cce@rhel8: CCE-85889-4
|
|
|
9be3b2 |
|
|
|
9be3b2 |
references:
|
|
|
9be3b2 |
disa: CCI-001851
|
|
|
9be3b2 |
nist: AU-4(1)
|
|
|
9be3b2 |
srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
|
|
|
9be3b2 |
+ stigid@rhel7: RHEL-07-030210
|
|
|
9be3b2 |
stigid@rhel8: RHEL-08-030700
|
|
|
9be3b2 |
|
|
|
9be3b2 |
ocil_clause: 'auditd overflow action is not setup correctly'
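Review bot: `prodtype` is not touched in this hunk (it starts at the rationale, below the prodtype line), whereas patches 1 and 2 add `rhel7` to prodtype before assigning a rhel7 CCE and STIG id; if this rule's prodtype does not already list rhel7, the new `cce@rhel7: CCE-88073-2` and `stigid@rhel7: RHEL-07-030210` are dead metadata and the selection added to products/rhel7/profiles/stig.profile will not resolve in the rhel7 build. The same question applies to patch 4's auditd_name_format change, which likewise leaves prodtype untouched. Separately, RHEL-07-030210 and RHEL-08-030700 are not necessarily the same check: on RHEL7 the overflow_action setting the STIG references lives in the audisp remote-plugin configuration rather than in auditd.conf, so confirm the rule's OVAL and remediations handle the RHEL7 location before treating this mapping as complete, or the scan may report a pass against the wrong file.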
|
|
|
9be3b2 |
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
index 05a1ccc6753..3db49afa815 100644
|
|
|
9be3b2 |
--- a/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
+++ b/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
@@ -324,3 +324,4 @@ selections:
|
|
|
9be3b2 |
- package_mcafeetp_installed
|
|
|
9be3b2 |
- agent_mfetpd_running
|
|
|
9be3b2 |
- accounts_authorized_local_users
|
|
|
9be3b2 |
+ - auditd_overflow_action
|
|
|
9be3b2 |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
index 137dba1e96d..f022156d2bb 100644
|
|
|
9be3b2 |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
9be3b2 |
@@ -2134,7 +2134,6 @@ CCE-88069-0
|
|
|
9be3b2 |
CCE-88070-8
|
|
|
9be3b2 |
CCE-88071-6
|
|
|
9be3b2 |
CCE-88072-4
|
|
|
9be3b2 |
-CCE-88073-2
|
|
|
9be3b2 |
CCE-88074-0
|
|
|
9be3b2 |
CCE-88075-7
|
|
|
9be3b2 |
CCE-88076-5
|
|
|
9be3b2 |
From 92b54da56dcf0a75687d611eaca3fe0273d1ed3a Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 30 Aug 2021 15:25:58 +0200
Subject: [PATCH 4/5] Enable auditd_name_format in RHEL7 and select it in STIG.
Assign the STIG id RHEL-07-030211.
---
.../configure_auditd_data_retention/auditd_name_format/rule.yml | 1 +
products/rhel7/profiles/stig.profile | 1 +
2 files changed, 2 insertions(+)
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
|
|
9be3b2 |
index b0bbf91f745..cb79b2dc8d2 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml
|
|
|
9be3b2 |
@@ -26,6 +26,7 @@ references:
|
|
|
9be3b2 |
ospp: FAU_GEN.1
|
|
|
9be3b2 |
srg: SRG-OS-000039-GPOS-00017,SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
|
|
|
9be3b2 |
stigid@ol7: OL07-00-030211
|
|
|
9be3b2 |
+ stigid@rhel7: RHEL-07-030211
|
|
|
9be3b2 |
stigid@rhel8: RHEL-08-030062
|
|
|
9be3b2 |
|
|
|
9be3b2 |
ocil_clause: name_format isn't set to hostname
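Review bot: Only `stigid@rhel7: RHEL-07-030211` is added here; unlike patches 1–3, no `cce@rhel7` is assigned and no CCE is consumed from cce-redhat-avail.txt (the diffstat shows two files, two insertions). If the rule already carries a rhel7 CCE and a prodtype that includes rhel7 that is fine, but the hunk does not show the identifiers block or the prodtype line, so it should be confirmed before merging; a rule selected in the rhel7 STIG profile without a CCE will surface in the product's missing-identifier checks. As with patch 3, the RHEL7 STIG item references the audisp configuration rather than auditd.conf for `name_format`, so confirm the rule's check reads the RHEL7 location.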
|
|
|
9be3b2 |
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
index 3db49afa815..5c2ae21326f 100644
|
|
|
9be3b2 |
--- a/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
+++ b/products/rhel7/profiles/stig.profile
|
|
|
9be3b2 |
@@ -325,3 +325,4 @@ selections:
|
|
|
9be3b2 |
- agent_mfetpd_running
|
|
|
9be3b2 |
- accounts_authorized_local_users
|
|
|
9be3b2 |
- auditd_overflow_action
|
|
|
9be3b2 |
+ - auditd_name_format
|
|
|
9be3b2 |
From ff65d97a9332af6df25031a06971f86b9958c337 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 30 Aug 2021 15:30:02 +0200
Subject: [PATCH 5/5] Remove STIG id RHEL-07-010090 from
package_screen_installed.
This item was removed from the STIG in the V2R7 -> V2R8 update, so there is no
reason to keep the reference assigned to that rule.
---
.../console_screen_locking/package_screen_installed/rule.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml
|
|
|
9be3b2 |
index 07d84b86ae4..7918554ba66 100644
|
|
|
9be3b2 |
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml
|
|
|
9be3b2 |
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml
|
|
|
9be3b2 |
@@ -39,7 +39,6 @@ references:
|
|
|
9be3b2 |
ospp: FMT_MOF_EXT.1
|
|
|
9be3b2 |
srg: SRG-OS-000029-GPOS-00010
|
|
|
9be3b2 |
stigid@ol7: OL07-00-010090
|
|
|
9be3b2 |
- stigid@rhel7: RHEL-07-010090
|
|
|
9be3b2 |
vmmsrg: SRG-OS-000030-VMM-000110
|
|
|
9be3b2 |
|
|
|
9be3b2 |
ocil_clause: 'the package is not installed'