Merge pull request #11250 from nightmared/fix_stig_ids

Fix multiple STIG IDs for RHEL8

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml

@@ -44,7 +44,6 @@ references:
     srg: SRG-OS-000123-GPOS-00064,SRG-OS-000002-GPOS-00002
     stigid@ol8: OL08-00-020270
     stigid@rhel7: RHEL-07-010271
-    stigid@rhel8: RHEL-08-020270
 
 ocil_clause: 'any emergency accounts have no expiration date set or do not expire within 72 hours'
 

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml

@@ -46,7 +46,7 @@ references:
     stigid@ol7: OL07-00-010271
     stigid@ol8: OL08-00-020000
     stigid@rhel7: RHEL-07-010271
-    stigid@rhel8: RHEL-08-020000
+    stigid@rhel8: RHEL-08-020000,RHEL-08-020270
     stigid@rhel9: RHEL-09-411040
     stigid@sle12: SLES-12-010360
     stigid@sle15: SLES-15-020000

linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml

@@ -50,6 +50,7 @@ references:
     pcidss4: "1.5.1"
     srg: SRG-OS-000480-GPOS-00227
     stigid@rhel7: RHEL-07-040810
+    stigid@rhel8: RHEL-08-040090
 
 ocil_clause: 'the default zone is not set to DROP'
 
@@ -64,3 +65,13 @@ warnings:
         of this control is not available. Remediation must be automated as
         a component of machine provisioning, or followed manually as outlined
         above.
+
+template:
+    name: lineinfile
+    vars:
+      path: '/etc/firewalld/firewalld.conf'
+      text: 'DefaultZone=drop'
+    backends:
+        # Disable remediations, see the warning above
+        ansible: "off"
+        bash: "off"

products/rhel8/profiles/stig.profile

@@ -498,7 +498,7 @@ selections:
     # RHEL-08-020000
     - account_temp_expire_date
 
-    # RHEL-08-020010, RHEL-08-020011, RHEL-08-020025, RHEL-08-020026
+    # RHEL-08-020010, RHEL-08-020011
     - accounts_passwords_pam_faillock_deny
 
     # RHEL-08-020012, RHEL-08-020013
@@ -522,6 +522,12 @@ selections:
     # RHEL-08-020024
     - accounts_max_concurrent_login_sessions
 
+    # RHEL-08-020025
+    - account_password_pam_faillock_system_auth
+
+    # RHEL-08-020026
+    - account_password_pam_faillock_password_auth
+
     # RHEL-08-020027, RHEL-08-020028
     - account_password_selinux_faillock_dir
 
@@ -566,6 +572,9 @@ selections:
     # RHEL-08-020081
     - dconf_gnome_session_idle_user_locks
 
+    # RHEL-08-020082
+    - dconf_gnome_screensaver_lock_locked
+
     # RHEL-08-020090
     - sssd_enable_certmap
 
@@ -988,6 +997,7 @@ selections:
     - package_rsh-server_removed
 
     # RHEL-08-040020
+    - kernel_module_uvcvideo_disabled
 
     # RHEL-08-040021
     - kernel_module_atm_disabled
@@ -1020,6 +1030,8 @@ selections:
     - kernel_module_usb-storage_disabled
 
     # RHEL-08-040090
+    - configured_firewalld_default_deny
+    - set_firewalld_default_zone
 
     # RHEL-08-040100
     - package_firewalld_installed
@@ -1097,6 +1109,7 @@ selections:
     - service_usbguard_enabled
 
     # RHEL-08-040150
+    - firewalld-backend
 
     # RHEL-08-040159
     - package_openssh-server_installed

tests/data/profile_stability/rhel8/stig.profile

@@ -1,6 +1,6 @@
 description: 'This profile contains configuration checks that align to the
 
-    DISA STIG for Red Hat Enterprise Linux 8 V1R11.
+    DISA STIG for Red Hat Enterprise Linux 8 V1R12.
 
 
     In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -22,13 +22,15 @@ description: 'This profile contains configuration checks that align to the
     - Red Hat Containers with a Red Hat Enterprise Linux 8 image'
 extends: null
 metadata:
-    version: V1R11
+    version: V1R12
     SMEs:
     - mab879
     - ggbecker
 reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 selections:
 - account_disable_post_pw_expiration
+- account_password_pam_faillock_password_auth
+- account_password_pam_faillock_system_auth
 - account_password_selinux_faillock_dir
 - account_temp_expire_date
 - account_unique_id
@@ -179,6 +181,7 @@ selections:
 - configure_tmux_lock_command
 - configure_tmux_lock_keybinding
 - configure_usbguard_auditbackend
+- configured_firewalld_default_deny
 - coredump_disable_backtraces
 - coredump_disable_storage
 - dconf_gnome_banner_enabled
@@ -189,6 +192,7 @@ selections:
 - dconf_gnome_screensaver_idle_delay
 - dconf_gnome_screensaver_lock_delay
 - dconf_gnome_screensaver_lock_enabled
+- dconf_gnome_screensaver_lock_locked
 - dconf_gnome_screensaver_user_locks
 - dconf_gnome_session_idle_user_locks
 - dir_group_ownership_library_dirs
@@ -239,6 +243,7 @@ selections:
 - file_permissions_var_log
 - file_permissions_var_log_audit
 - file_permissions_var_log_messages
+- firewalld-backend
 - gnome_gdm_disable_automatic_login
 - grub2_admin_username
 - grub2_audit_argument
@@ -265,6 +270,7 @@ selections:
 - kernel_module_sctp_disabled
 - kernel_module_tipc_disabled
 - kernel_module_usb-storage_disabled
+- kernel_module_uvcvideo_disabled
 - logind_session_timeout
 - mount_option_boot_efi_nosuid
 - mount_option_boot_nosuid
@@ -365,6 +371,7 @@ selections:
 - service_sshd_enabled
 - service_systemd-coredump_disabled
 - service_usbguard_enabled
+- set_firewalld_default_zone
 - set_password_hashing_algorithm_logindefs
 - set_password_hashing_algorithm_passwordauth
 - set_password_hashing_algorithm_systemauth

tests/data/profile_stability/rhel8/stig_gui.profile

@@ -1,6 +1,6 @@
 description: 'This profile contains configuration checks that align to the
 
-    DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R11.
+    DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R12.
 
 
     In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes
@@ -33,13 +33,15 @@ description: 'This profile contains configuration checks that align to the
     standard DISA STIG for Red Hat Enterprise Linux 8 profile.'
 extends: null
 metadata:
-    version: V1R11
+    version: V1R12
     SMEs:
     - mab879
     - ggbecker
 reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
 selections:
 - account_disable_post_pw_expiration
+- account_password_pam_faillock_password_auth
+- account_password_pam_faillock_system_auth
 - account_password_selinux_faillock_dir
 - account_temp_expire_date
 - account_unique_id
@@ -190,6 +192,7 @@ selections:
 - configure_tmux_lock_command
 - configure_tmux_lock_keybinding
 - configure_usbguard_auditbackend
+- configured_firewalld_default_deny
 - coredump_disable_backtraces
 - coredump_disable_storage
 - dconf_gnome_banner_enabled
@@ -200,6 +203,7 @@ selections:
 - dconf_gnome_screensaver_idle_delay
 - dconf_gnome_screensaver_lock_delay
 - dconf_gnome_screensaver_lock_enabled
+- dconf_gnome_screensaver_lock_locked
 - dconf_gnome_screensaver_user_locks
 - dconf_gnome_session_idle_user_locks
 - dir_group_ownership_library_dirs
@@ -250,6 +254,7 @@ selections:
 - file_permissions_var_log
 - file_permissions_var_log_audit
 - file_permissions_var_log_messages
+- firewalld-backend
 - gnome_gdm_disable_automatic_login
 - grub2_admin_username
 - grub2_audit_argument
@@ -276,6 +281,7 @@ selections:
 - kernel_module_sctp_disabled
 - kernel_module_tipc_disabled
 - kernel_module_usb-storage_disabled
+- kernel_module_uvcvideo_disabled
 - logind_session_timeout
 - mount_option_boot_efi_nosuid
 - mount_option_boot_nosuid
@@ -375,6 +381,7 @@ selections:
 - service_sshd_enabled
 - service_systemd-coredump_disabled
 - service_usbguard_enabled
+- set_firewalld_default_zone
 - set_password_hashing_algorithm_logindefs
 - set_password_hashing_algorithm_passwordauth
 - set_password_hashing_algorithm_systemauth
@@ -489,6 +496,7 @@ selections:
 - var_sudo_timestamp_timeout=always_prompt
 - var_slub_debug_options=P
 - var_screensaver_lock_delay=5_seconds
+- var_auditd_name_format=stig
 unselected_groups: []
 platforms: !!set {}
 cpe_names: !!set {}