From e8cfb1fcf8df1175cce896c440ee9434d8329b6e Mon Sep 17 00:00:00 2001 From: Simon THOBY Date: Mon, 6 Nov 2023 21:37:34 +0100 Subject: [PATCH 1/3] Switch set_firewalld_default_zone to a 'lineinfile' template --- .../oval/shared.xml | 21 ------------------- .../set_firewalld_default_zone/rule.yml | 11 ++++++++++ 2 files changed, 11 insertions(+), 21 deletions(-) delete mode 100644 linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml deleted file mode 100644 index d1c89b4fc85..00000000000 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - {{{ oval_metadata("Change the default firewalld zone to drop.") }}} - - - - - - - - - - - /etc/firewalld/firewalld.conf - ^DefaultZone=drop$ - 1 - - diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml index d7cd7bc8304..0d4b0091b33 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/rule.yml @@ -50,6 +50,7 @@ references: pcidss4: "1.5.1" srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040810 + stigid@rhel8: RHEL-08-040090 ocil_clause: 'the default zone is not set to DROP' 
@@ -64,3 +65,13 @@ warnings: of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. + +template: + name: lineinfile + vars: + path: '/etc/firewalld/firewalld.conf' + text: 'DefaultZone=drop' + backends: + # Disable remediations, see the warning above + ansible: "off" + bash: "off" From 63fe1946326820c2c850415c638f244e6253c8af Mon Sep 17 00:00:00 2001 From: THOBY Simon Date: Mon, 6 Nov 2023 17:13:00 +0100 Subject: [PATCH 2/3] Fix multiple STIG IDs for RHEL8 --- .../account_emergency_expire_date/rule.yml | 1 - .../account_temp_expire_date/rule.yml | 2 +- products/rhel8/profiles/stig.profile | 15 ++++++++++++++- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml index 826119eafb4..a6b350375c1 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml @@ -44,7 +44,6 @@ references: srg: SRG-OS-000123-GPOS-00064,SRG-OS-000002-GPOS-00002 stigid@ol8: OL08-00-020270 stigid@rhel7: RHEL-07-010271 - stigid@rhel8: RHEL-08-020270 ocil_clause: 'any emergency accounts have no expiration date set or do not expire within 72 hours' diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml index 45fb5119835..f20ad4d5a8f 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml 
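Review bot: The `text: 'DefaultZone=drop'` line gives a looser check than the OVAL it replaces: the deleted definition anchored `^DefaultZone=drop$`, while the lineinfile template, if I recall its defaults correctly, prefixes the text with `^\s*`, so an indented `  DefaultZone=drop` line would now pass even though it is not clear firewalld parses it. If the template exposes the prefix override (`prefix_regex: '^'`), setting it keeps the old strictness; otherwise a short comment next to `text:` recording the accepted relaxation would help the next reader. Like the old OVAL, the check only confirms the line exists and says nothing about a later conflicting `DefaultZone=` entry, which is worth stating in the rule's warning now that both remediation backends are `"off"`. The `template:` mapping is complete within the hunk, but the `warnings:` text the comment refers to starts outside it.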
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml @@ -46,7 +46,7 @@ references: stigid@ol7: OL07-00-010271 stigid@ol8: OL08-00-020000 stigid@rhel7: RHEL-07-010271 - stigid@rhel8: RHEL-08-020000 + stigid@rhel8: RHEL-08-020000,RHEL-08-020270 stigid@rhel9: RHEL-09-411040 stigid@sle12: SLES-12-010360 stigid@sle15: SLES-15-020000 diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 0011e4059de..fc12c24a512 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -498,7 +498,7 @@ selections: # RHEL-08-020000 - account_temp_expire_date - # RHEL-08-020010, RHEL-08-020011, RHEL-08-020025, RHEL-08-020026 + # RHEL-08-020010, RHEL-08-020011 - accounts_passwords_pam_faillock_deny # RHEL-08-020012, RHEL-08-020013 @@ -522,6 +522,12 @@ selections: # RHEL-08-020024 - accounts_max_concurrent_login_sessions + # RHEL-08-020025 + - account_password_pam_faillock_system_auth + + # RHEL-08-020026 + - account_password_pam_faillock_password_auth + # RHEL-08-020027, RHEL-08-020028 - account_password_selinux_faillock_dir @@ -566,6 +572,9 @@ selections: # RHEL-08-020081 - dconf_gnome_session_idle_user_locks + # RHEL-08-020082 + - dconf_gnome_screensaver_lock_locked + # RHEL-08-020090 - sssd_enable_certmap @@ -988,6 +997,7 @@ selections: - package_rsh-server_removed # RHEL-08-040020 + - kernel_module_uvcvideo_disabled # RHEL-08-040021 - kernel_module_atm_disabled @@ -1020,6 +1030,8 @@ selections: - kernel_module_usb-storage_disabled # RHEL-08-040090 + - configured_firewalld_default_deny + - set_firewalld_default_zone # RHEL-08-040100 - package_firewalld_installed @@ -1097,6 +1109,7 @@ selections: - service_usbguard_enabled # RHEL-08-040150 + - firewalld-backend # RHEL-08-040159 - package_openssh-server_installed From a17a63633b6b354da7980d300305b328d325bf15 Mon Sep 17 00:00:00 2001 
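Review bot: Under `# RHEL-08-040090` the new `set_firewalld_default_zone` selection is check-only in this series — patch 1 turns both its ansible and bash backends off — so the profile's remediation for that STIG ID rests on `configured_firewalld_default_deny` alone, and the comment does not say so. Suggest `# RHEL-08-040090 (set_firewalld_default_zone has no remediation; see its rule warning)` so nobody later expects the profile's remediation to set the default zone. The `selections:` list starts and ends outside the hunk.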
From: Simon THOBY Date: Mon, 6 Nov 2023 22:21:38 +0100 Subject: [PATCH 3/3] Update the RHEL8 STIG profile stability data --- tests/data/profile_stability/rhel8/stig.profile | 11 +++++++++-- tests/data/profile_stability/rhel8/stig_gui.profile | 12 ++++++++++-- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 60dc9d3a505..4493a8d985b 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -1,6 +1,6 @@ description: 'This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 8 V1R11. + DISA STIG for Red Hat Enterprise Linux 8 V1R12. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes @@ -22,13 +22,15 @@ description: 'This profile contains configuration checks that align to the - Red Hat Containers with a Red Hat Enterprise Linux 8 image' extends: null metadata: - version: V1R11 + version: V1R12 SMEs: - mab879 - ggbecker reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux selections: - account_disable_post_pw_expiration +- account_password_pam_faillock_password_auth +- account_password_pam_faillock_system_auth - account_password_selinux_faillock_dir - account_temp_expire_date - account_unique_id @@ -179,6 +181,7 @@ selections: - configure_tmux_lock_command - configure_tmux_lock_keybinding - configure_usbguard_auditbackend +- configured_firewalld_default_deny - coredump_disable_backtraces - coredump_disable_storage - dconf_gnome_banner_enabled @@ -189,6 +192,7 @@ selections: - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_delay - dconf_gnome_screensaver_lock_enabled +- dconf_gnome_screensaver_lock_locked - dconf_gnome_screensaver_user_locks - dconf_gnome_session_idle_user_locks - dir_group_ownership_library_dirs 
@@ -239,6 +243,7 @@ selections: - file_permissions_var_log - file_permissions_var_log_audit - file_permissions_var_log_messages +- firewalld-backend - gnome_gdm_disable_automatic_login - grub2_admin_username - grub2_audit_argument @@ -265,6 +270,7 @@ selections: - kernel_module_sctp_disabled - kernel_module_tipc_disabled - kernel_module_usb-storage_disabled +- kernel_module_uvcvideo_disabled - logind_session_timeout - mount_option_boot_efi_nosuid - mount_option_boot_nosuid @@ -365,6 +371,7 @@ selections: - service_sshd_enabled - service_systemd-coredump_disabled - service_usbguard_enabled +- set_firewalld_default_zone - set_password_hashing_algorithm_logindefs - set_password_hashing_algorithm_passwordauth - set_password_hashing_algorithm_systemauth diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index b77c8eab2f0..50981bf99a9 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -1,6 +1,6 @@ description: 'This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R11. + DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R12. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes @@ -33,13 +33,15 @@ description: 'This profile contains configuration checks that align to the standard DISA STIG for Red Hat Enterprise Linux 8 profile.' extends: null metadata: - version: V1R11 + version: V1R12 SMEs: - mab879 - ggbecker reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux selections: - account_disable_post_pw_expiration +- account_password_pam_faillock_password_auth +- account_password_pam_faillock_system_auth - account_password_selinux_faillock_dir - account_temp_expire_date - account_unique_id 
@@ -190,6 +192,7 @@ selections:
 - configure_tmux_lock_command
 - configure_tmux_lock_keybinding
 - configure_usbguard_auditbackend
+- configured_firewalld_default_deny
 - coredump_disable_backtraces
 - coredump_disable_storage
 - dconf_gnome_banner_enabled
@@ -200,6 +203,7 @@ selections:
 - dconf_gnome_screensaver_idle_delay
 - dconf_gnome_screensaver_lock_delay
 - dconf_gnome_screensaver_lock_enabled
+- dconf_gnome_screensaver_lock_locked
 - dconf_gnome_screensaver_user_locks
 - dconf_gnome_session_idle_user_locks
 - dir_group_ownership_library_dirs
@@ -250,6 +254,7 @@ selections:
 - file_permissions_var_log
 - file_permissions_var_log_audit
 - file_permissions_var_log_messages
+- firewalld-backend
 - gnome_gdm_disable_automatic_login
 - grub2_admin_username
 - grub2_audit_argument
@@ -276,6 +281,7 @@ selections:
 - kernel_module_sctp_disabled
 - kernel_module_tipc_disabled
 - kernel_module_usb-storage_disabled
+- kernel_module_uvcvideo_disabled
 - logind_session_timeout
 - mount_option_boot_efi_nosuid
 - mount_option_boot_nosuid
@@ -375,6 +381,7 @@ selections:
 - service_sshd_enabled
 - service_systemd-coredump_disabled
 - service_usbguard_enabled
+- set_firewalld_default_zone
 - set_password_hashing_algorithm_logindefs
 - set_password_hashing_algorithm_passwordauth
 - set_password_hashing_algorithm_systemauth
@@ -489,6 +496,7 @@ selections:
 - var_sudo_timestamp_timeout=always_prompt
 - var_slub_debug_options=P
 - var_screensaver_lock_delay=5_seconds
+- var_auditd_name_format=stig
 unselected_groups: []
 platforms: !!set {}
 cpe_names: !!set {}
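Review bot: The last hunk adds `- var_auditd_name_format=stig` to the stig_gui stability data, but nothing in this series adds that variable to products/rhel8/profiles/stig.profile (patch 2 only touches rule selections) and the non-GUI stig.profile stability file in this patch does not gain it, so the two expectation files now diverge on that line. If it comes from a product-side change that already landed, one sentence in the commit message would make the divergence intentional; if the file was simply regenerated, it is worth confirming the non-GUI stability data is not missing the same entry. The `selections:` list starts outside the hunk.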