[do not merge] build SCE by default #12488
Conversation
Add a templated SCE check to the service_enabled template. The check could be used in the "podman build" environment where the OVAL check doesn't work because it depends on dbus, which isn't available in this environment. The OVAL check isn't going to be removed.
Members of the `langs` list aren't strings but `TemplatingLang` named tuples. Therefore, it isn't possible to write the condition `if 'sce-bash' in langs`; we need to check the `name` member of the named tuple instances instead. This fix will make building templated SCE content from templates work.
We will rename the `check` variable. The `check` variable was shadowed later when the OVAL check is inserted. If a rule had both SCE and OVAL checks, the element referencing the SCE check was overwritten by the element referencing the OVAL check. This will allow rules to have both SCE and OVAL at the same time.
Reduce code complexity of to_xml_element method by extracting the code responsible for creating the SCE check reference element to a new method _add_sce_check_element.
Reduce code complexity by extracting code responsible for inserting the element that references the OVAL check to a new method _add_oval_check_element.
Reduce the complexity of the to_xml_element method by moving out the code responsible for creating XCCDF check element referencing OCIL to a new method.
Refactor code by extracting it to a new method build_templated_sce_check.
This variable is set and incremented but never used.
The `SCE_DIR` argument of `/build-scripts/build_sce.py` was set to `/shared/checks/sce` and `${product}/checks/sce`. These directories don't exist and it wouldn't make sense to create them. We will remove the code working with these directories; this code is effectively unused.
This commit converts the `checks()` function to a new class `SCEBuilder`. This change will allow future refactoring and simplification.
Extracts code that processes static SCE checks to a new method _build_static_sce_check.
Transform function `build_templated_sce_check` to a method of the `SCEBuilder` class `_build_templated_sce_check`.
Simplify code in _build_templated_sce_check to prevent having too many levels.
Move variable local_env_yaml to method where it is used. Avoid passing it as a parameter if this isn't necessary.
Move code responsible for assembling a list of directories that should be iterated over.
Extracting some code to a new method `_get_rule_sce_lang` allows us to get rid of the `for` loop because there is always at most 1 item with name "sce-bash". Addressing: Function _build_templated_sce_check has a Cognitive Complexity of 8 (exceeds 7 allowed). Consider refactoring.
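As an added example (not ComplianceAsCode's own code), a Python reconstruction of the two bugs described in the earlier commit messages, the named-tuple membership test and the shadowed `check` variable, together with the single-lookup `_get_rule_sce_lang` idea from the previous message. `TemplatingLang` here is a stand-in named tuple, and the shadowed-variable rule assembly is a simplified guess at the original shape, not the project's code:

```python
"""Added example, not ComplianceAsCode's own code: reproduces the two SCE
build bugs described in the commit messages above with a stand-in for the
project's TemplatingLang named tuple and a simplified XCCDF <Rule> assembly.
"""
from collections import namedtuple
import xml.etree.ElementTree as ET

# Stand-in for the project's TemplatingLang (assumption: the real tuple has
# more fields; only the `name` member matters for the bug).
TemplatingLang = namedtuple("TemplatingLang", ["name", "file_extension"])

LANGS = [
    TemplatingLang("oval", ".xml"),
    TemplatingLang("bash", ".sh"),
    TemplatingLang("sce-bash", ".sh"),
]


def has_sce_lang_naive(langs):
    """The broken condition: a str is never equal to a named tuple, so this
    is False even when an sce-bash template exists."""
    return "sce-bash" in langs


def get_rule_sce_lang(langs):
    """Fixed lookup, comparing the `name` member. At most one sce-bash entry
    exists (per the commit message), so no `for` loop is needed."""
    return next((lang for lang in langs if lang.name == "sce-bash"), None)


XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
SCE_SYSTEM = "http://open-scap.org/page/SCE"


def _check_element(system, href, name=None):
    """Build an XCCDF <check> with its <check-content-ref> child."""
    check = ET.Element("{%s}check" % XCCDF_NS, system=system)
    attrs = {"href": href}
    if name is not None:
        attrs["name"] = name
    ET.SubElement(check, "{%s}check-content-ref" % XCCDF_NS, attrs)
    return check


def build_rule_shadowed(rule_id, sce_href, oval_href, oval_id):
    """Before the fix (simplified reconstruction, an assumption): both check
    elements are bound to the same local `check`, which is appended once, so
    a rule with SCE and OVAL content silently loses its SCE reference."""
    rule = ET.Element("{%s}Rule" % XCCDF_NS, id=rule_id)
    check = _check_element(SCE_SYSTEM, sce_href)
    check = _check_element(OVAL_SYSTEM, oval_href, oval_id)  # shadows the SCE one
    rule.append(check)
    return rule


def build_rule_fixed(rule_id, sce_href, oval_href, oval_id):
    """After the fix: distinct names, mirroring the split into
    _add_sce_check_element and _add_oval_check_element, so both survive."""
    rule = ET.Element("{%s}Rule" % XCCDF_NS, id=rule_id)
    sce_check = _check_element(SCE_SYSTEM, sce_href)
    oval_check = _check_element(OVAL_SYSTEM, oval_href, oval_id)
    rule.append(sce_check)
    rule.append(oval_check)
    return rule


def check_systems(rule):
    """The `system` attribute of every <check> child of a rule, in order."""
    return [c.get("system") for c in rule.findall("{%s}check" % XCCDF_NS)]


if __name__ == "__main__":
    # Constructed sample identifiers, not taken from the real data stream.
    args = ("service_sshd_enabled", "sshd_enabled.sh", "ssg-rhel9-oval.xml",
            "oval:ssg-service_sshd_enabled:def:1")
    print("naive lang test:", has_sce_lang_naive(LANGS))
    print("fixed lang test:", get_rule_sce_lang(LANGS))
    print("shadowed rule checks:", check_systems(build_rule_shadowed(*args)))
    print("fixed rule checks:   ", check_systems(build_rule_fixed(*args)))
```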
Extract code from the `_add_sce_check_element` method to multiple new methods in order to reduce complexity. Addressing: Function _add_sce_check_element has a Cognitive Complexity of 16 (exceeds 7 allowed). Consider refactoring.
Move duplicate code to a new function. Addressing: Identical blocks of code found in 2 locations. Consider refactoring.
Addressing: Expected 2 blank lines, found 1
Improve readability and OCIL. Also removed CIS-specific mention from the description. Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
There is no change in logic, only minor updates to make it easier to read and more aligned with the project style guide. Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
This rule should be applicable also during bootc image build, where it's currently notapplicable; therefore the platform `system_with_kernel` is more appropriate than `machine` for this rule.
The `system_with_kernel` platform will replace the `machine` platform in most of the rules. In Automatus we have the `--remove-machine-only` option that intentionally removes the `machine` platform from rules to force the rule to be applicable in a container back end. To preserve the ability to test the `machine` rules in a container back end after we change their platform to `system_with_kernel`, we need to extend the `--remove-machine-only` feature to also remove the `system_with_kernel` platform from the temporary data stream.
Rename automatus.py option `--remove-machine-only` to `--make-applicable-in-containers`. The new name better expresses the actual purpose of this option. Renaming it also removes the confusion about the "machine" platform. Consequently, rename this option also in the wrapper script test_rule_in_container.sh.
To match the rpm_verify_permissions bash remediation.
RHEL 8 CIS Benchmark v3.0.0 and RHEL 9 CIS Benchmark v2.0.0 in sections 1.7.1, 1.7.2 and 1.7.3 require configuring login banners. Currently, these requirements are covered in our content by rules `banner_etc_motd`, `banner_etc_issue` and `banner_etc_issue_net`. However, these rules don't exactly align with the CIS requirements. The rules require an exact banner text that can only differ in white space but must otherwise be the same. But the CIS requirements allow custom banner texts according to local policy. Moreover, they require not displaying versions and kernels in the banner text, which isn't checked in our rules. Although applying our rules makes the system compliant, many configurations that comply with CIS will not pass the scan. We will replace these rules with new rules that are better aligned with CIS and will pass with custom banners. The new rules are very similar and therefore a new template `cis_banner` has been created to share code among them. Resolves: https://issues.redhat.com/browse/RHEL-59133
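As an added example (not the `cis_banner` template's own code), a Python contrast between the old exact-text banner check (equality up to whitespace) and a check in the spirit of the CIS requirement described in the commit above. Assumptions: the "no versions or kernels" test is modelled on the CIS audit, which flags the agetty escapes `\m`, `\r`, `\s`, `\v` and the OS `ID` from `/etc/os-release`; any other non-empty text is accepted as site policy, and the sample banner and os-release content are constructed:

```python
"""Added example, not the cis_banner template's own code: contrasts the old
exact-text banner check (whitespace-insensitive equality) with a check in the
spirit of the CIS 1.7.x requirements. Assumption: the 'no versions or
kernels' test is modelled on the CIS audit, which flags the agetty escapes
\\m, \\r, \\s and \\v and the OS ID from /etc/os-release; any non-empty text
free of those is accepted as site policy."""
import re

# Constructed sample inputs (not taken from any real system).
EXPECTED_BANNER = "Authorized uses only. All activity may be monitored and reported."
OS_RELEASE = 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nVERSION_ID="9.4"\n'

# agetty escapes that expand to system details when the banner is shown.
VERSION_ESCAPES = {
    r"\m": "machine architecture",
    r"\r": "kernel release",
    r"\s": "system name",
    r"\v": "OS version",
}


def normalize_ws(text):
    """Collapse runs of whitespace, as the old banner_etc_* rules allowed."""
    return " ".join(text.split())


def old_rule_passes(banner, expected=EXPECTED_BANNER):
    """Old behaviour: the banner must equal the expected text up to whitespace,
    so any site-specific wording fails even though it may satisfy CIS."""
    return normalize_ws(banner) == normalize_ws(expected)


def os_id_from_release(os_release_text):
    """Return the ID= value from /etc/os-release content, quotes stripped."""
    for line in os_release_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ID":
            return value.strip().strip("\"'")
    return None


def cis_banner_findings(banner, os_release_text=OS_RELEASE):
    """CIS-style check: the banner must be non-empty and must not leak
    version or kernel details. Returns a list of findings; empty means pass."""
    findings = []
    if not banner.strip():
        findings.append("banner is empty")
        return findings
    for escape, meaning in VERSION_ESCAPES.items():
        if escape in banner:
            findings.append("contains %s (%s)" % (escape, meaning))
    os_id = os_id_from_release(os_release_text)
    if os_id and re.search(re.escape(os_id), banner, re.IGNORECASE):
        findings.append("names the OS ID %r" % os_id)
    return findings


def cis_rule_passes(banner, os_release_text=OS_RELEASE):
    """True when a banner satisfies the CIS-style check."""
    return not cis_banner_findings(banner, os_release_text)


if __name__ == "__main__":
    site_banner = "Property of ACME Corp.\nUnauthorized access is prohibited.\n"
    leaky_banner = r"Welcome to \s \r on \m" + "\n"
    for name, text in (("site", site_banner), ("leaky", leaky_banner)):
        print(name, "old rule:", old_rule_passes(text),
              "cis rule:", cis_rule_passes(text), cis_banner_findings(text))
```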
I guess I typed ctrl+a in vim and did not notice, :)
These rules are passing by default now and after remediation they continue to pass.
Align this rule's assertion with what's in other profiles.
Change the `build_product` convenience script so that it will build SCE by default for the `rhel9` and `rhel10` products.
SCE should be built in the Ubuntu 20.04 and 22.04 products. However, this is specified only in the CI workflow description. In the previous commit we started to build SCE in RHEL 9 and 10. If we would like to start testing it in CI, we could do it either by changing the CI workflow description or the build_product script. It would be less complex if we could unify it in a single place, which is the build_product script.
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_ownership'.
--- xccdf_org.ssgproject.content_rule_rpm_verify_ownership
+++ xccdf_org.ssgproject.content_rule_rpm_verify_ownership
@@ -11,7 +11,7 @@
$ rpm -qf FILENAME
Next, run the following command to reset its permissions to the correct values:
-$ sudo rpm --setugids PACKAGENAME
+$ sudo rpm --restore PACKAGENAME
[warning]:
Profiles may require that specific files be owned by root while the default owner defined
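Review bot: The unchanged context line "Next, run the following command to reset its permissions to the correct values:" is now misleading in the ownership rule: `rpm --restore` resets both owner/group and file mode, whereas the replaced `--setugids` only touched ownership. Reword it to "reset its ownership (and permissions) to the correct values" so the description matches what the command does, and keep it consistent with the sibling rpm_verify_permissions text.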
bash remediation for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_ownership' differs.
--- xccdf_org.ssgproject.content_rule_rpm_verify_ownership
+++ xccdf_org.ssgproject.content_rule_rpm_verify_ownership
@@ -17,5 +17,5 @@
# correct values
for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
do
- rpm --setugids "${RPM_PACKAGE}"
+ rpm --restore "${RPM_PACKAGE}"
done
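Review bot: `rpm --restore "${RPM_PACKAGE}"` also rewrites file modes, not only uid/gid as `--setugids` did, so this ownership remediation can now loosen permissions that a stricter profile set deliberately; the rule's warning text should mention that side effect. The loop also iterates a dict named `SETPERMS_RPM_DICT` inside the ownership remediation, which is confusing now that both remediations run the same command; a comment or a rename would make the overlap explicit.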
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_ownership' differs.
--- xccdf_org.ssgproject.content_rule_rpm_verify_ownership
+++ xccdf_org.ssgproject.content_rule_rpm_verify_ownership
@@ -55,7 +55,7 @@
- rpm_verify_ownership
- name: Correct file ownership with RPM
- command: rpm --setugids '{{ item }}'
+ command: rpm --restore '{{ item }}'
with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
| unique }}'
when: (files_with_incorrect_ownership.stdout_lines | length > 0)
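Review bot: `| unique` is applied before `with_items` flattens the per-file `stdout_lines` lists, so it only removes identical sublists and the same package can still be passed to `rpm --restore` several times; use `map(attribute='stdout_lines') | flatten | unique` so each package is restored once. The same expression appears in the rpm_verify_permissions task below, and since both tasks now run the identical command, running both rules in one profile restores every package twice.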
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions'.
--- xccdf_org.ssgproject.content_rule_rpm_verify_permissions
+++ xccdf_org.ssgproject.content_rule_rpm_verify_permissions
@@ -16,7 +16,7 @@
Next, run the following command to reset its permissions to the correct values:
-$ sudo rpm --setperms PACKAGENAME
+$ sudo rpm --restore PACKAGENAME
[warning]:
Profiles may require that specific files have stricter file permissions than defined by
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rpm_verify_permissions' differs.
--- xccdf_org.ssgproject.content_rule_rpm_verify_permissions
+++ xccdf_org.ssgproject.content_rule_rpm_verify_permissions
@@ -57,7 +57,7 @@
- rpm_verify_permissions
- name: Correct file permissions with RPM
- command: rpm --setperms '{{ item }}'
+ command: rpm --restore '{{ item }}'
with_items: '{{ list_of_packages.results | map(attribute=''stdout_lines'') | list
| unique }}'
when: (files_with_incorrect_permissions.stdout_lines | length > 0)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_aide_installed'.
--- xccdf_org.ssgproject.content_rule_package_aide_installed
+++ xccdf_org.ssgproject.content_rule_package_aide_installed
@@ -107,9 +107,6 @@
CCI-002696
[reference]:
-CCI-002699
-
-[reference]:
CCI-001744
[reference]:
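Review bot: Dropping the CCI-002699 reference from package_aide_installed has nothing to do with building SCE by default, which is what the PR title announces; the description should say which of the listed commits (the CCI and CIS reference updates) produces these reference-only changes, or those commits should be split out, otherwise the datastream diff cannot be reviewed against the stated change.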
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_build_database'.
--- xccdf_org.ssgproject.content_rule_aide_build_database
+++ xccdf_org.ssgproject.content_rule_aide_build_database
@@ -119,6 +119,12 @@
DSS06.06
[reference]:
+CCI-002696
+
+[reference]:
+CCI-001744
+
+[reference]:
4.3.4.3.2
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_check_audit_tools'.
--- xccdf_org.ssgproject.content_rule_aide_check_audit_tools
+++ xccdf_org.ssgproject.content_rule_aide_check_audit_tools
@@ -7,6 +7,15 @@
[reference]:
CCI-001496
+
+[reference]:
+CCI-001494
+
+[reference]:
+CCI-001495
+
+[reference]:
+CCI-001493
[reference]:
AU-9(3)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking'.
--- xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
+++ xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
@@ -109,13 +109,13 @@
DSS06.06
[reference]:
+CCI-002702
+
+[reference]:
CCI-001744
[reference]:
CCI-002699
-
-[reference]:
-CCI-002702
[reference]:
4.3.4.3.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_scan_notification'.
--- xccdf_org.ssgproject.content_rule_aide_scan_notification
+++ xccdf_org.ssgproject.content_rule_aide_scan_notification
@@ -81,13 +81,13 @@
DSS05.07
[reference]:
+CCI-002702
+
+[reference]:
CCI-001744
[reference]:
CCI-002699
-
-[reference]:
-CCI-002702
[reference]:
4.3.4.3.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_verify_acls'.
--- xccdf_org.ssgproject.content_rule_aide_verify_acls
+++ xccdf_org.ssgproject.content_rule_aide_verify_acls
@@ -10,6 +10,7 @@
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.
+
The remediation provided with this rule adds acl to all rule sets available in
/etc/aide.conf
bash remediation for rule 'xccdf_org.ssgproject.content_rule_aide_verify_acls' differs.
--- xccdf_org.ssgproject.content_rule_aide_verify_acls
+++ xccdf_org.ssgproject.content_rule_aide_verify_acls
@@ -7,7 +7,9 @@
aide_conf="/etc/aide.conf"
+
groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
+
for group in $groups
do
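Review bot: Whitespace-only hunk, but since the line is being touched, `$aide_conf` in `grep "^[A-Z][A-Za-z_]*" $aide_conf` should be quoted as `"$aide_conf"` for consistency with the quoted assignment two lines above; the identical aide_verify_ext_attributes hunk below has the same issue.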
New content has different text for rule 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes'.
--- xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
+++ xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
@@ -10,6 +10,7 @@
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already
configured by default.
+
The remediation provided with this rule adds xattrs to all rule sets available in
/etc/aide.conf
bash remediation for rule 'xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes' differs.
--- xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
+++ xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes
@@ -7,7 +7,9 @@
aide_conf="/etc/aide.conf"
+
groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
+
for group in $groups
do
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership'.
--- xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership
@@ -11,12 +11,6 @@
[reference]:
CCI-001493
-
-[reference]:
-CCI-001494
-
-[reference]:
-CCI-001495
[reference]:
AU-9
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_audit_tools_ownership'.
--- xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
+++ xccdf_org.ssgproject.content_rule_file_audit_tools_ownership
@@ -11,12 +11,6 @@
[reference]:
CCI-001493
-
-[reference]:
-CCI-001494
-
-[reference]:
-CCI-001495
[reference]:
AU-9
New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
--- xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
+++ xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
@@ -27,13 +27,16 @@
this process.
[reference]:
+CCI-002450
+
+[reference]:
CCI-000068
[reference]:
-CCI-000803
+CCI-002418
[reference]:
-CCI-002450
+CCI-000877
[reference]:
1446
New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode'.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -23,13 +23,16 @@
This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.
[reference]:
+CCI-002450
+
+[reference]:
CCI-000068
[reference]:
-CCI-000803
+CCI-002418
[reference]:
-CCI-002450
+CCI-000877
[reference]:
1446
OVAL for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- oval:ssg-enable_fips_mode:def:1
+++ oval:ssg-enable_fips_mode:def:1
@@ -1,5 +1,5 @@
criteria AND
-extend_definition oval:ssg-etc_system_fips_exists:def:1
+criterion oval:ssg-test_proc_sys_crypto_fips_enabled:tst:1
extend_definition oval:ssg-sysctl_crypto_fips_enabled:def:1
extend_definition oval:ssg-enable_dracut_fips_module:def:1
extend_definition oval:ssg-configure_crypto_policy:def:1
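Review bot: The new `criterion oval:ssg-test_proc_sys_crypto_fips_enabled:tst:1` and the retained `extend_definition oval:ssg-sysctl_crypto_fips_enabled:def:1` appear, by name, to test the same kernel setting (crypto.fips_enabled, i.e. /proc/sys/crypto/fips_enabled). If the sysctl definition already checks the live value, the new criterion is redundant; if it checks the persisted sysctl configuration instead, the commit message should say so, because the dropped `etc_system_fips_exists` definition covered a different artefact (the marker file its id names) and the replacement is not a like-for-like check.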
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled'.
--- xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
+++ xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
@@ -31,28 +31,16 @@
this process.
[reference]:
-CCI-000068
+CCI-002450
[reference]:
-CCI-000803
-
-[reference]:
-CCI-000877
-
-[reference]:
-CCI-001453
+CCI-000068
[reference]:
CCI-002418
[reference]:
-CCI-002450
-
-[reference]:
-CCI-002890
-
-[reference]:
-CCI-003123
+CCI-000877
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_crypto-policies_installed'.
--- xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
+++ xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
@@ -6,6 +6,15 @@
The crypto-policies package can be installed with the following command:
$ sudo yum install crypto-policies
+
+[reference]:
+CCI-002890
+
+[reference]:
+CCI-002450
+
+[reference]:
+CCI-003123
[reference]:
FCS_COP.1(1)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
@@ -12,6 +12,12 @@
In the options section of /etc/named.conf, make sure that the following line
is not commented out or superseded by later includes:
include "/etc/crypto-policies/back-ends/bind.config";
+
+[reference]:
+CCI-002418
+
+[reference]:
+CCI-002422
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_crypto_policy
@@ -30,6 +30,27 @@
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process.
+
+[reference]:
+CCI-000068
+
+[reference]:
+CCI-003123
+
+[reference]:
+CCI-002450
+
+[reference]:
+CCI-000877
+
+[reference]:
+CCI-002418
+
+[reference]:
+CCI-001453
+
+[reference]:
+CCI-002890
[reference]:
164.308(a)(4)(i)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
@@ -9,6 +9,9 @@
To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.
+
+[reference]:
+CCI-000803
[reference]:
0418
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
@@ -12,6 +12,9 @@
In /etc/ipsec.conf, make sure that the following line
is not commented out or superseded by later includes:
include /etc/crypto-policies/back-ends/libreswan.config
+
+[reference]:
+CCI-000068
[reference]:
CIP-003-8 R4.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -34,22 +34,7 @@
submits to this process.
[reference]:
-CCI-000068
-
-[reference]:
-CCI-000877
-
-[reference]:
CCI-001453
-
-[reference]:
-CCI-002418
-
-[reference]:
-CCI-002890
-
-[reference]:
-CCI-003123
[reference]:
AC-17(2)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
@@ -34,9 +34,6 @@
submits to this process.
[reference]:
-CCI-000877
-
-[reference]:
CCI-001453
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_encrypt_partitions'.
--- xccdf_org.ssgproject.content_rule_encrypt_partitions
+++ xccdf_org.ssgproject.content_rule_encrypt_partitions
@@ -74,13 +74,13 @@
3.13.16
[reference]:
+CCI-002476
+
+[reference]:
CCI-001199
[reference]:
CCI-002475
-
-[reference]:
-CCI-002476
[reference]:
164.308(a)(1)(ii)(D)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_home'.
--- xccdf_org.ssgproject.content_rule_partition_for_home
+++ xccdf_org.ssgproject.content_rule_partition_for_home
@@ -26,9 +26,6 @@
[reference]:
CCI-000366
-
-[reference]:
-CCI-001208
[reference]:
SR 3.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_var_tmp
@@ -6,6 +6,9 @@
The /var/tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM.
+
+[reference]:
+CCI-000366
[reference]:
SRG-OS-000480-GPOS-00227
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_db_up_to_date'.
--- xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
+++ xccdf_org.ssgproject.content_rule_dconf_db_up_to_date
@@ -9,6 +9,9 @@
in the following directories:
/etc/dconf/db/gdm.d
/etc/dconf/db/local.d
+
+[reference]:
+CCI-000366
[reference]:
164.308(a)(1)(ii)(B)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
@@ -18,6 +18,9 @@
user modification. For example:
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update.
+
+[reference]:
+CCI-000366
[reference]:
CM-6(a)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth
@@ -40,7 +40,7 @@
CCI-000884
[reference]:
-CCI-001948
+CCI-004046
[reference]:
CCI-001954
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal
@@ -19,10 +19,10 @@
After the settings have been set, run dconf update.
[reference]:
-CCI-000056
+CCI-000057
[reference]:
-CCI-000058
+CCI-000056
[reference]:
SRG-OS-000028-GPOS-00009
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -47,10 +47,10 @@
3.1.7
[reference]:
-CCI-000366
+CCI-000778
[reference]:
-CCI-000778
+CCI-000366
[reference]:
CCI-001958
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
@@ -50,10 +50,13 @@
CCI-000366
[reference]:
-CCI-000778
+CCI-001764
[reference]:
CCI-001958
+
+[reference]:
+CCI-000778
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -37,13 +37,7 @@
3.1.10
[reference]:
-CCI-000056
-
-[reference]:
CCI-000057
-
-[reference]:
-CCI-000060
[reference]:
4.3.3.6.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -43,13 +43,10 @@
3.1.10
[reference]:
-CCI-000056
+CCI-000057
[reference]:
-CCI-000058
-
-[reference]:
-CCI-000060
+CCI-000056
[reference]:
4.3.3.6.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
@@ -36,9 +36,6 @@
[reference]:
CCI-000057
-
-[reference]:
-CCI-000060
[reference]:
4.3.3.6.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_sudo_installed'.
--- xccdf_org.ssgproject.content_rule_package_sudo_installed
+++ xccdf_org.ssgproject.content_rule_package_sudo_installed
@@ -6,6 +6,9 @@
The sudo package can be installed with the following command:
$ sudo yum install sudo
+
+[reference]:
+CCI-002235
[reference]:
1382
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot'.
--- xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
+++ xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
@@ -5,7 +5,7 @@
[description]:
The sudo ignore_dot tag, when specified, will ignore the current directory
in the PATH environment variable.
-On Red Hat Enterprise Linux 8, env_reset is enabled by default
+On Red Hat Enterprise Linux 8, ignore_dot is enabled by default
This should be enabled by making sure that the ignore_dot tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
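Review bot: Good catch on env_reset vs ignore_dot, but the corrected line "On Red Hat Enterprise Linux 8, ignore_dot is enabled by default" still has no terminating period before "This should be enabled ...", and the two sentences now read as contradictory (enabled by default, yet it must be ensured); suggest "..., ignore_dot is enabled by default, but it should still be set explicitly by making sure that the ignore_dot tag exists in ...".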
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate'.
--- xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
+++ xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
@@ -36,7 +36,7 @@
DSS06.10
[reference]:
-CCI-002038
+CCI-004895
[reference]:
4.3.3.5.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd'.
--- xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
+++ xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
@@ -41,7 +41,7 @@
DSS06.10
[reference]:
-CCI-002038
+CCI-004895
[reference]:
4.3.3.5.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.
--- xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
+++ xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
@@ -13,7 +13,7 @@
and the user will not have to re-authenticate for privileged actions until the user's session is terminated.
[reference]:
-CCI-002038
+CCI-004895
[reference]:
IA-11
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudoers_validate_passwd'.
--- xccdf_org.ssgproject.content_rule_sudoers_validate_passwd
+++ xccdf_org.ssgproject.content_rule_sudoers_validate_passwd
@@ -20,9 +20,6 @@
CCI-000366
[reference]:
-CCI-002227
-
-[reference]:
CM-6(b)
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed'.
--- xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed
+++ xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed
@@ -6,6 +6,9 @@
The gnutls-utils package can be installed with the following command:
$ sudo yum install gnutls-utils
+
+[reference]:
+CCI-000366
[reference]:
FIA_X509_EXT.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_nss-tools_installed'.
--- xccdf_org.ssgproject.content_rule_package_nss-tools_installed
+++ xccdf_org.ssgproject.content_rule_package_nss-tools_installed
@@ -6,6 +6,12 @@
The nss-tools package can be installed with the following command:
$ sudo yum install nss-tools
+
+[reference]:
+CCI-000366
+
+[reference]:
+FMT_SMF_EXT.1
[reference]:
SRG-OS-000480-GPOS-00227
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_subscription-manager_installed'.
--- xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
+++ xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
@@ -6,6 +6,9 @@
The subscription-manager package can be installed with the following command:
$ sudo yum install subscription-manager
+
+[reference]:
+CCI-003992
[reference]:
0940
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed'.
--- xccdf_org.ssgproject.content_rule_package_gssproxy_removed
+++ xccdf_org.ssgproject.content_rule_package_gssproxy_removed
@@ -12,10 +12,10 @@
RHV uses NFS storage, which has dependency on gssproxy.
[reference]:
-CCI-000381
+CCI-000366
[reference]:
-CCI-000366
+CCI-000381
[reference]:
SRG-OS-000095-GPOS-00049
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_iprutils_removed'.
--- xccdf_org.ssgproject.content_rule_package_iprutils_removed
+++ xccdf_org.ssgproject.content_rule_package_iprutils_removed
@@ -9,6 +9,9 @@
[reference]:
CCI-000366
+
+[reference]:
+CCI-000381
[reference]:
SRG-OS-000095-GPOS-00049
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_tuned_removed'.
--- xccdf_org.ssgproject.content_rule_package_tuned_removed
+++ xccdf_org.ssgproject.content_rule_package_tuned_removed
@@ -13,6 +13,9 @@
[reference]:
CCI-000366
+
+[reference]:
+CCI-000381
[reference]:
SRG-OS-000095-GPOS-00049
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
@@ -53,7 +53,7 @@
3.4.8
[reference]:
-CCI-001749
+CCI-003992
[reference]:
164.308(a)(1)(ii)(D)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
@@ -32,7 +32,7 @@
3.4.8
[reference]:
-CCI-001749
+CCI-003992
[reference]:
164.308(a)(1)(ii)(D)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
@@ -50,7 +50,7 @@
3.4.8
[reference]:
-CCI-001749
+CCI-003992
[reference]:
164.308(a)(1)(ii)(D)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed'.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -63,7 +63,7 @@
3.4.8
[reference]:
-CCI-001749
+CCI-003992
[reference]:
164.308(a)(1)(ii)(D)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_security_patches_up_to_date'.
--- xccdf_org.ssgproject.content_rule_security_patches_up_to_date
+++ xccdf_org.ssgproject.content_rule_security_patches_up_to_date
@@ -52,9 +52,6 @@
[reference]:
CCI-000366
-
-[reference]:
-CCI-001227
[reference]:
4.2.3
New content has different text for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue'.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue
@@ -63,25 +63,22 @@
3.1.9
[reference]:
-CCI-000048
-
-[reference]:
-CCI-000050
+CCI-001387
[reference]:
CCI-001384
[reference]:
-CCI-001385
+CCI-000048
[reference]:
CCI-001386
[reference]:
-CCI-001387
+CCI-001388
[reference]:
-CCI-001388
+CCI-001385
[reference]:
4.3.3.6.1
@@ -168,9 +165,6 @@
RHEL-08-010060
[reference]:
-1.7.2
-
-[reference]:
SV-230227r627750_rule
[rationale]:
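Review bot: Removing the CIS `1.7.2` reference here is consistent with the commit that replaces banner_etc_issue with the new cis_banner template rules, but the trimmed diff does not show those new rules; confirm that they carry the 1.7.1, 1.7.2 and 1.7.3 references (the same removals appear for banner_etc_issue_net and banner_etc_motd below) so the benchmark mapping does not vanish from the data stream.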
New content has different text for rule 'xccdf_org.ssgproject.content_rule_banner_etc_issue_net'.
--- xccdf_org.ssgproject.content_rule_banner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_banner_etc_issue_net
@@ -61,9 +61,6 @@
[reference]:
SRG-OS-000228-GPOS-00088
-[reference]:
-1.7.3
-
[rationale]:
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
New content has different text for rule 'xccdf_org.ssgproject.content_rule_banner_etc_motd'.
--- xccdf_org.ssgproject.content_rule_banner_etc_motd
+++ xccdf_org.ssgproject.content_rule_banner_etc_motd
@@ -37,9 +37,6 @@
I've read & consent to terms in IS user agreem't.
-[reference]:
-1.7.1
-
[rationale]:
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
@@ -44,25 +44,22 @@
3.1.9
[reference]:
-CCI-000048
-
-[reference]:
-CCI-000050
+CCI-001387
[reference]:
CCI-001384
[reference]:
-CCI-001385
+CCI-000048
[reference]:
CCI-001386
[reference]:
-CCI-001387
+CCI-001388
[reference]:
-CCI-001388
+CCI-001385
[reference]:
4.3.3.6.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo'.
--- xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo
+++ xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo
@@ -9,7 +9,7 @@
If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.
[reference]:
-CCI-002038
+CCI-004895
[reference]:
IA-11
New content has different text for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts'.
--- xccdf_org.ssgproject.content_rule_display_login_attempts
+++ xccdf_org.ssgproject.content_rule_display_login_attempts
@@ -48,7 +48,7 @@
DSS06.10
[reference]:
-CCI-000052
+CCI-000366
[reference]:
4.3.3.6.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
@@ -56,12 +56,6 @@
CCI-000044
[reference]:
-CCI-002236
-
-[reference]:
-CCI-002237
-
-[reference]:
CCI-002238
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
@@ -42,10 +42,10 @@
DSS06.10
[reference]:
-CCI-002238
+CCI-000044
[reference]:
-CCI-000044
+CCI-002238
[reference]:
4.3.3.6.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -27,9 +27,6 @@
[reference]:
CCI-000044
-
-[reference]:
-CCI-002238
[reference]:
AC-7(b)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval
@@ -49,12 +49,6 @@
CCI-000044
[reference]:
-CCI-002236
-
-[reference]:
-CCI-002237
-
-[reference]:
CCI-002238
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time'.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
@@ -66,12 +66,6 @@
CCI-000044
[reference]:
-CCI-002236
-
-[reference]:
-CCI-002237
-
-[reference]:
CCI-002238
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
@@ -43,9 +43,6 @@
DSS06.10
[reference]:
-CCI-000194
-
-[reference]:
CCI-004066
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
@@ -46,9 +46,6 @@
[reference]:
DSS06.10
-
-[reference]:
-CCI-000195
[reference]:
CCI-004066
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
@@ -9,25 +9,7 @@
to use complex passwords.
[reference]:
-CCI-000194
-
-[reference]:
-CCI-000193
-
-[reference]:
-CCI-001619
-
-[reference]:
-CCI-000205
-
-[reference]:
-CCI-000195
-
-[reference]:
-CCI-000192
-
-[reference]:
-CCI-000366
+CCI-004066
[reference]:
IA-5(c)
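Review bot: Seven references collapse into the single `+CCI-004066` here, and the removed set includes `-CCI-000366`, which every other rule in this diff keeps; please confirm the CCI-000366 drop for accounts_password_pam_enforce_root is intended rather than a side effect of the mapping.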
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
@@ -43,9 +43,6 @@
DSS06.10
[reference]:
-CCI-000193
-
-[reference]:
CCI-004066
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
@@ -43,7 +43,7 @@
DSS06.10
[reference]:
-CCI-000195
+CCI-004066
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
@@ -43,7 +43,7 @@
DSS06.10
[reference]:
-CCI-000195
+CCI-004066
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
@@ -54,7 +54,7 @@
DSS06.10
[reference]:
-CCI-000195
+CCI-004066
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
@@ -43,9 +43,6 @@
[reference]:
DSS06.10
-
-[reference]:
-CCI-000205
[reference]:
CCI-004066
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
@@ -45,9 +45,6 @@
DSS06.10
[reference]:
-CCI-001619
-
-[reference]:
CCI-004066
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
@@ -9,7 +9,7 @@
password requisite pam_pwquality.so.
[reference]:
-CCI-000366
+CCI-004066
[reference]:
SRG-OS-000069-GPOS-00037
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
@@ -70,10 +70,7 @@
DSS06.10
[reference]:
-CCI-000192
-
-[reference]:
-CCI-000366
+CCI-004066
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
@@ -43,12 +43,6 @@
DSS06.10
[reference]:
-CCI-000192
-
-[reference]:
-CCI-000193
-
-[reference]:
CCI-004066
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
@@ -48,7 +48,7 @@
3.13.11
[reference]:
-CCI-000196
+CCI-004062
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
@@ -47,7 +47,7 @@
3.13.11
[reference]:
-CCI-000196
+CCI-004062
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
@@ -68,10 +68,7 @@
3.13.11
[reference]:
-CCI-000196
-
-[reference]:
-CCI-000803
+CCI-004062
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
@@ -12,10 +12,10 @@
If either is set, they must have the minimum value of 5000.
[reference]:
-CCI-000196
+CCI-000803
[reference]:
-CCI-000803
+CCI-004062
[reference]:
SRG-OS-000073-GPOS-00041
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_debug-shell_disabled'.
--- xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
+++ xccdf_org.ssgproject.content_rule_service_debug-shell_disabled
@@ -21,6 +21,9 @@
[reference]:
CCI-000366
+
+[reference]:
+CCI-002235
[reference]:
164.308(a)(1)(ii)(B)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction'.
--- xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
+++ xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
@@ -62,6 +62,9 @@
CCI-000366
[reference]:
+CCI-002235
+
+[reference]:
164.308(a)(1)(ii)(B)
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot'.
--- xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
+++ xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
@@ -61,6 +61,9 @@
CCI-000366
[reference]:
+CCI-002235
+
+[reference]:
164.308(a)(1)(ii)(B)
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot'.
--- xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot
+++ xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot
@@ -66,7 +66,7 @@
3.4.5
[reference]:
-CCI-000213
+CCI-000366
[reference]:
164.308(a)(1)(ii)(B)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_logind_session_timeout'.
--- xccdf_org.ssgproject.content_rule_logind_session_timeout
+++ xccdf_org.ssgproject.content_rule_logind_session_timeout
@@ -86,6 +86,9 @@
3.1.11
[reference]:
+CCI-001133
+
+[reference]:
4.3.3.2.2
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_tmux_installed'.
--- xccdf_org.ssgproject.content_rule_package_tmux_installed
+++ xccdf_org.ssgproject.content_rule_package_tmux_installed
@@ -40,7 +40,7 @@
3.1.10
[reference]:
-CCI-000058
+CCI-000057
[reference]:
CCI-000056
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_tmux'.
--- xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
+++ xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
@@ -12,10 +12,10 @@
drops the user into a regular shell instead of logging them out, therefore the session locking mechanism is not enforced on the user.
[reference]:
-CCI-000056
+CCI-000060
[reference]:
-CCI-000058
+CCI-000056
[reference]:
SRG-OS-000031-GPOS-00012
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_command'.
--- xccdf_org.ssgproject.content_rule_configure_tmux_lock_command
+++ xccdf_org.ssgproject.content_rule_configure_tmux_lock_command
@@ -13,9 +13,6 @@
[reference]:
CCI-000056
-
-[reference]:
-CCI-000058
[reference]:
AC-11(a)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_no_tmux_in_shells'.
--- xccdf_org.ssgproject.content_rule_no_tmux_in_shells
+++ xccdf_org.ssgproject.content_rule_no_tmux_in_shells
@@ -8,10 +8,10 @@
/etc/shells.
[reference]:
-CCI-000056
+CCI-002235
[reference]:
-CCI-000058
+CCI-000056
[reference]:
CM-6
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_opensc_installed'.
--- xccdf_org.ssgproject.content_rule_package_opensc_installed
+++ xccdf_org.ssgproject.content_rule_package_opensc_installed
@@ -8,10 +8,10 @@
$ sudo yum install opensc
[reference]:
-CCI-001954
+CCI-001953
[reference]:
-CCI-001953
+CCI-004046
[reference]:
1382
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed'.
--- xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed
+++ xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed
@@ -8,7 +8,7 @@
$ sudo yum install pcsc-lite
[reference]:
-CCI-001954
+CCI-004046
[reference]:
1382
New content has different text for rule 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'.
--- xccdf_org.ssgproject.content_rule_install_smartcard_packages
+++ xccdf_org.ssgproject.content_rule_install_smartcard_packages
@@ -14,12 +14,6 @@
CCI-000765
[reference]:
-CCI-000766
-
-[reference]:
-CCI-001948
-
-[reference]:
CCI-001953
[reference]:
@@ -27,9 +21,6 @@
[reference]:
CCI-004046
-
-[reference]:
-CCI-004047
[reference]:
CM-6(a)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_pcscd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_pcscd_enabled
+++ xccdf_org.ssgproject.content_rule_service_pcscd_enabled
@@ -7,7 +7,7 @@
$ sudo systemctl enable pcscd.service
[reference]:
-CCI-001954
+CCI-004046
[reference]:
1382
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers'.
--- xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers
+++ xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers
@@ -51,25 +51,19 @@
DSS06.10
[reference]:
+CCI-001941
+
+[reference]:
+CCI-004045
+
+[reference]:
CCI-000765
[reference]:
CCI-000766
[reference]:
-CCI-000767
-
-[reference]:
-CCI-000768
-
-[reference]:
-CCI-000771
-
-[reference]:
-CCI-000772
-
-[reference]:
-CCI-000884
+CCI-000764
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration'.
--- xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
+++ xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
@@ -80,10 +80,10 @@
3.5.6
[reference]:
-CCI-000017
-
-[reference]:
-CCI-000795
+CCI-003628
+
+[reference]:
+CCI-003627
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
@@ -52,9 +52,6 @@
3.5.6
[reference]:
-CCI-000199
-
-[reference]:
CCI-004066
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs
@@ -52,9 +52,6 @@
3.5.8
[reference]:
-CCI-000198
-
-[reference]:
CCI-004066
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
@@ -58,7 +58,7 @@
3.5.7
[reference]:
-CCI-000205
+CCI-004066
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing'.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
@@ -9,7 +9,7 @@
USER
[reference]:
-CCI-000199
+CCI-004066
[reference]:
IA-5(f)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing'.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
@@ -8,7 +8,7 @@
$ sudo chage -m 1 USER
[reference]:
-CCI-000198
+CCI-004066
[reference]:
IA-5(f)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512'.
--- xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512
+++ xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512
@@ -16,10 +16,10 @@
this is a finding.
[reference]:
-CCI-000196
+CCI-000803
[reference]:
-CCI-000803
+CCI-004062
[reference]:
IA-5(1)(c)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
@@ -21,7 +21,10 @@
but requires more CPU resources to authenticate users.
[reference]:
-CCI-000196
+CCI-000803
+
+[reference]:
+CCI-004062
[reference]:
SRG-OS-000073-GPOS-00041
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
@@ -19,7 +19,10 @@
but requires more CPU resources to authenticate users.
[reference]:
-CCI-000196
+CCI-000803
+
+[reference]:
+CCI-004062
[reference]:
SRG-OS-000073-GPOS-00041
bash remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords
@@ -1,5 +1,5 @@
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+if rpm --quiet -q kernel; then
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
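Review bot: The applicability gate changes meaning, not just form: `-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then` tested for container marker files, while `+if rpm --quiet -q kernel; then` tests whether the kernel package is installed, so a host image without that package is now silently skipped and a container that ships it is now remediated. Confirm the switch is intended for this rule and that the Ansible and OVAL platform variants use the same predicate so the three stay consistent.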
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords
@@ -1,9 +1,32 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-80841-0
+ - CJIS-5.5.2
+ - DISA-STIG-RHEL-08-020331
+ - DISA-STIG-RHEL-08-020332
+ - NIST-800-171-3.1.1
+ - NIST-800-171-3.1.5
+ - NIST-800-53-CM-6(a)
+ - NIST-800-53-IA-5(1)(a)
+ - NIST-800-53-IA-5(c)
+ - PCI-DSS-Req-8.2.3
+ - PCI-DSSv4-8.3
+ - PCI-DSSv4-8.3.1
+ - configure_strategy
+ - high_severity
+ - low_complexity
+ - medium_disruption
+ - no_empty_passwords
+ - no_reboot_needed
+
- name: Prevent Login to Accounts With Empty Password - Check if system relies on
authselect
ansible.builtin.stat:
path: /usr/bin/authselect
register: result_authselect_present
- when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ when: '"kernel" in ansible_facts.packages'
tags:
- CCE-80841-0
- CJIS-5.5.2
@@ -76,7 +99,7 @@
- result_authselect_enable_feature_cmd is not skipped
- result_authselect_enable_feature_cmd is success
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
- result_authselect_present.stat.exists
tags:
- CCE-80841-0
@@ -107,7 +130,7 @@
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
when:
- - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
+ - '"kernel" in ansible_facts.packages'
- not result_authselect_present.stat.exists
tags:
- CCE-80841-0
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords'
--- xccdf_org.ssgproject.content_rule_no_empty_passwords
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords
@@ -1 +1 @@
-oval:ssg-installed_env_is_a_machine:def:1
+oval:ssg-system_with_kernel:def:1
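Review bot: The platform CPE moves from `oval:ssg-installed_env_is_a_machine:def:1` to `oval:ssg-system_with_kernel:def:1`, which matches the `rpm --quiet -q kernel` and `"kernel" in ansible_facts.packages` gates in the remediations above; the consequence is that the rule now evaluates as notapplicable on any system lacking the kernel package, not only in containers, so the rule description or a comment should say that explicitly.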
New content has different text for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su'.
--- xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
+++ xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
@@ -12,6 +12,12 @@
Members of "wheel" or GID 0 groups are checked by default if the group option is not set
for pam_wheel.so module. Therefore, members of these groups should be manually checked or
a different group should be informed according to the site policy.
+
+[reference]:
+CCI-002165
+
+[reference]:
+CCI-004895
[reference]:
FMT_SMF_EXT.1.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout'.
--- xccdf_org.ssgproject.content_rule_accounts_tmout
+++ xccdf_org.ssgproject.content_rule_accounts_tmout
@@ -46,9 +46,6 @@
[reference]:
CCI-001133
-
-[reference]:
-CCI-002361
[reference]:
4.3.3.6.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users'.
--- xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users
+++ xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users
@@ -7,9 +7,6 @@
[reference]:
CCI-000366
-
-[reference]:
-CCI-001814
[reference]:
SRG-OS-000480-GPOS-00227
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_pti_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_pti_argument
+++ xccdf_org.ssgproject.content_rule_grub2_pti_argument
@@ -12,6 +12,9 @@
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... pti=on ..."
Run the following command to update command line for already installed kernels:# grubby --update-kernel=ALL --args="pti=on"
+
+[reference]:
+CCI-002824
[reference]:
CCI-000381
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
+++ xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument
@@ -17,6 +17,9 @@
The vsyscall emulation is only available on x86_64 architecture
(CONFIG_X86_VSYSCALL_EMULATION) making this rule not applicable
to other CPU architectures.
+
+[reference]:
+CCI-000366
[reference]:
CCI-001084
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -53,7 +53,7 @@
3.4.5
[reference]:
-CCI-000225
+CCI-000366
[reference]:
164.308(a)(1)(ii)(B)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -53,7 +53,7 @@
3.4.5
[reference]:
-CCI-000225
+CCI-000366
[reference]:
164.308(a)(1)(ii)(B)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_no_removeable_media'.
--- xccdf_org.ssgproject.content_rule_grub2_no_removeable_media
+++ xccdf_org.ssgproject.content_rule_grub2_no_removeable_media
@@ -13,7 +13,7 @@
CCI-001813
[reference]:
-CCI-001814
+CCI-003938
[reference]:
SRG-OS-000364-GPOS-00151
New content has different text for rule 'xccdf_org.ssgproject.content_rule_uefi_no_removeable_media'.
--- xccdf_org.ssgproject.content_rule_uefi_no_removeable_media
+++ xccdf_org.ssgproject.content_rule_uefi_no_removeable_media
@@ -13,7 +13,7 @@
CCI-001813
[reference]:
-CCI-001814
+CCI-003938
[reference]:
SRG-OS-000364-GPOS-00151
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed'.
--- xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed
+++ xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed
@@ -11,6 +11,9 @@
[reference]:
CCI-000366
+
+[reference]:
+CCI-000803
[reference]:
SRG-OS-000480-GPOS-00227
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_rsyslog_installed'.
--- xccdf_org.ssgproject.content_rule_package_rsyslog_installed
+++ xccdf_org.ssgproject.content_rule_package_rsyslog_installed
@@ -42,13 +42,13 @@
MEA02.01
[reference]:
-CCI-001311
+CCI-000366
[reference]:
-CCI-001312
+CCI-000154
[reference]:
-CCI-000366
+CCI-001851
[reference]:
164.312(a)(2)(ii)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_rsyslog_enabled'.
--- xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
+++ xccdf_org.ssgproject.content_rule_service_rsyslog_enabled
@@ -106,18 +106,6 @@
[reference]:
MEA02.01
-
-[reference]:
-CCI-001311
-
-[reference]:
-CCI-001312
-
-[reference]:
-CCI-001557
-
-[reference]:
-CCI-001851
[reference]:
CCI-000366
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring'.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
@@ -11,7 +11,9 @@
/etc/rsyslog.d/*.conf file should contain a match for the following
selectors: auth.*, authpriv.*, and daemon.*. If
not, use the following as an example configuration:
-auth.*;authpriv.*;daemon.* /var/log/secure
+
+ auth.*;authpriv.* /var/log/secure
+ daemon.* /var/log/messages
[reference]:
CCI-000067
bash remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
@@ -2,25 +2,26 @@
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
declare -A REMOTE_METHODS=( ['auth.*']='^[^#]*auth\.\*.*$' ['authpriv.*']='^[^#]*authpriv\.\*.*$' ['daemon.*']='^[^#]*daemon\.\*.*$' )
+declare -A LOCATIONS=( ['auth.*']='/var/log/secure' ['authpriv.*']='/var/log/secure' ['daemon.*']='/var/log/messages' )
if [[ ! -f /etc/rsyslog.conf ]]; then
# Something is not right, create the file
touch /etc/rsyslog.conf
fi
-APPEND_LINE=$(sed -rn '/^\S+\s+\/var\/log\/secure$/p' /etc/rsyslog.conf)
# Loop through the remote methods associative array
for K in "${!REMOTE_METHODS[@]}"
do
# Check to see if selector/value exists
if ! grep -rq "${REMOTE_METHODS[$K]}" /etc/rsyslog.*; then
+ APPEND_LINE=$(sed -rn "/^\S+\s+\${LOCATIONS[$K]}$/p" /etc/rsyslog.conf)
# Make sure we have a line to insert after, otherwise append to end
if [[ ! -z ${APPEND_LINE} ]]; then
# Add selector to file
sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/" /etc/rsyslog.conf
else
- echo "${K} /var/log/secure" >> /etc/rsyslog.conf
+ echo "${K} ${LOCATIONS[$K]}" >> /etc/rsyslog.conf
fi
fi
done
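Review bot: The lookup on `+ APPEND_LINE=$(sed -rn "/^\S+\s+\${LOCATIONS[$K]}$/p" /etc/rsyslog.conf)` does not do what it intends: inside double quotes `\$` yields a literal `$`, so `${LOCATIONS[$K]}` is never expanded and the sed pattern can never match an existing line, making the whole `if [[ ! -z ${APPEND_LINE} ]]` branch dead and every selector fall through to the `echo` append. Even once expanded, the location contains `/` and must be escaped for the sed delimiter, and the insertion command `sed -r -i "0,/^(\S+\s+\/var\/log\/secure$)/s//\1\n${K} \/var\/log\/secure/"` still hard-codes `/var/log/secure`, so `daemon.*` would be written with the wrong destination instead of `${LOCATIONS[$K]}`. Drop the backslash, escape the location (or use a different delimiter), and parametrize the insertion line the same way the `echo` line already is.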
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring
@@ -5,10 +5,13 @@
remote_methods:
- selector: auth.*
regexp: ^.*auth\.\*.*$
+ location: /var/log/secure
- selector: authpriv.*
regexp: ^.*authpriv\.\*.*$
+ location: /var/log/secure
- selector: daemon.*
regexp: ^.*daemon\.\*.*$
+ location: /var/log/messages
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-83426-7
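Review bot: The `regexp: ^.*auth\.\*.*$` patterns (and the authpriv/daemon ones) still accept commented-out lines, unlike the bash variant's `^[^#]*auth\.\*.*$`, so a `#auth.* /var/log/secure` line satisfies the Ansible check but not the bash one; anchoring these with `^[^#]*` would keep the two remediations in agreement now that a per-selector `location` is being threaded through.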
@@ -100,7 +103,7 @@
- name: 'Ensure remote access methods are monitored in Rsyslog: Configure'
lineinfile:
path: /etc/rsyslog.conf
- line: '{{ item.item.0.selector }} /var/log/secure'
+ line: '{{ item.item.0.selector }} {{ item.item.0.location }}'
insertafter: ^.*\/var\/log\/secure.*$
create: true
loop: '{{ remote_method_values.results }}'
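Review bot: `insertafter: ^.*\/var\/log\/secure.*$` was left hard-coded while the line became `'{{ item.item.0.selector }} {{ item.item.0.location }}'`, so the new `daemon.* /var/log/messages` entry is inserted after a `/var/log/secure` line rather than near an existing messages rule; either derive the anchor from `item.item.0.location` or let lineinfile append, matching what the bash remediation does.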
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_nolisten'.
--- xccdf_org.ssgproject.content_rule_rsyslog_nolisten
+++ xccdf_org.ssgproject.content_rule_rsyslog_nolisten
@@ -110,22 +110,7 @@
MEA02.01
[reference]:
-CCI-000318
-
-[reference]:
CCI-000366
-
-[reference]:
-CCI-000368
-
-[reference]:
-CCI-001812
-
-[reference]:
-CCI-001813
-
-[reference]:
-CCI-001814
[reference]:
4.2.3.4
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost'.
--- xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
+++ xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost
@@ -96,12 +96,6 @@
CCI-000366
[reference]:
-CCI-001348
-
-[reference]:
-CCI-000136
-
-[reference]:
CCI-001851
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_firewalld_installed'.
--- xccdf_org.ssgproject.content_rule_package_firewalld_installed
+++ xccdf_org.ssgproject.content_rule_package_firewalld_installed
@@ -8,7 +8,16 @@
$ sudo yum install firewalld
[reference]:
+CCI-000382
+
+[reference]:
+CCI-000366
+
+[reference]:
CCI-002314
+
+[reference]:
+CCI-002322
[reference]:
CM-6(a)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_firewalld_enabled'.
--- xccdf_org.ssgproject.content_rule_service_firewalld_enabled
+++ xccdf_org.ssgproject.content_rule_service_firewalld_enabled
@@ -34,10 +34,10 @@
3.4.7
[reference]:
-CCI-000366
+CCI-000382
[reference]:
-CCI-000382
+CCI-000366
[reference]:
CCI-002314
@@ -118,6 +118,9 @@
RHEL-08-040101
[reference]:
+SYS.1.6.A5
+
+[reference]:
3.4.1.2
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configured_firewalld_default_deny'.
--- xccdf_org.ssgproject.content_rule_configured_firewalld_default_deny
+++ xccdf_org.ssgproject.content_rule_configured_firewalld_default_deny
@@ -8,7 +8,7 @@
The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.
[reference]:
-CCI-002314
+CCI-000366
[reference]:
AC-17 (1)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_libreswan_installed'.
--- xccdf_org.ssgproject.content_rule_package_libreswan_installed
+++ xccdf_org.ssgproject.content_rule_package_libreswan_installed
@@ -40,10 +40,10 @@
DSS05.04
[reference]:
-CCI-001130
+CCI-000366
[reference]:
-CCI-001131
+CCI-000803
[reference]:
4.3.3.6.5
New content has different text for rule 'xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels'.
--- xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels
+++ xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels
@@ -72,7 +72,7 @@
DSS06.02
[reference]:
-CCI-000336
+CCI-000366
[reference]:
164.308(a)(4)(i)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects'.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
@@ -46,9 +46,6 @@
CCI-000366
[reference]:
-CCI-001551
-
-[reference]:
4.3.3.5.1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects'.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
@@ -46,9 +46,6 @@
CCI-000366
[reference]:
-CCI-001551
-
-[reference]:
4.3.3.5.1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects'.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
@@ -86,12 +86,6 @@
[reference]:
CCI-000366
-
-[reference]:
-CCI-001503
-
-[reference]:
-CCI-001551
[reference]:
4.3.3.5.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians'.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
@@ -88,7 +88,7 @@
3.1.20
[reference]:
-CCI-000126
+CCI-000366
[reference]:
4.3.3.5.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter'.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
@@ -83,9 +83,6 @@
[reference]:
CCI-000366
-
-[reference]:
-CCI-001551
[reference]:
4.2.3.4
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects'.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
@@ -110,9 +110,6 @@
[reference]:
CCI-000366
-
-[reference]:
-CCI-001551
[reference]:
4.2.3.4
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route'.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
@@ -110,9 +110,6 @@
[reference]:
CCI-000366
-
-[reference]:
-CCI-001551
[reference]:
4.2.3.4
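Review bot: the same removal of a [reference] block carrying CCI-001551 recurs in the hunks above for sysctl_net_ipv6_conf_all_accept_redirects, sysctl_net_ipv6_conf_default_accept_redirects, sysctl_net_ipv4_conf_all_accept_redirects (which also drops CCI-001503), sysctl_net_ipv4_conf_all_rp_filter, sysctl_net_ipv4_conf_default_accept_redirects and this sysctl_net_ipv4_conf_default_accept_source_route hunk. One note for the region: treat this as a single mapping change, say whether dropping CCI-001551 from these network sysctl rules is intended, and if it is not, rebase onto current master so the comparison output shows only the SCE-related differences.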
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians'.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
@@ -88,7 +88,7 @@
3.1.20
[reference]:
-CCI-000126
+CCI-000366
[reference]:
4.3.3.5.1
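Review bot: this hunk and the earlier sysctl_net_ipv4_conf_all_log_martians hunk both swap CCI-000126 for CCI-000366 under the same 3.1.20 context line; that is one edit applied to the all/default pair, so it should be described once as a deliberate reference correction and checked against the DISA CCI list, rather than left for the reviewer to infer from two separate diffs.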
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses'.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
@@ -82,6 +82,9 @@
3.1.20
[reference]:
+CCI-000366
+
+[reference]:
4.3.3.5.1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies'.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
@@ -85,10 +85,13 @@
3.1.20
[reference]:
+CCI-001095
+
+[reference]:
CCI-000366
[reference]:
-CCI-001095
+CCI-002385
[reference]:
4.2.3.4
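Review bot: the substantive change here is the added CCI-002385; the removal of CCI-001095 from its old position and its re-insertion three lines earlier is ordering noise that inflates the hunk. If [reference] entries were sorted before diffing, this hunk would collapse to a single added line, so consider making the reference order deterministic in the renderer or in the comparison script.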
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled
@@ -17,9 +17,6 @@
[reference]:
CCI-000381
-
-[reference]:
-CCI-000366
[reference]:
AC-18
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_can_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_can_disabled
@@ -17,9 +17,6 @@
[reference]:
CCI-000381
-
-[reference]:
-CCI-000366
[reference]:
AC-18
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
@@ -59,9 +59,6 @@
CCI-000381
[reference]:
-CCI-000366
-
-[reference]:
4.3.3.5.1
[reference]:
New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
@@ -67,19 +67,10 @@
3.1.16
[reference]:
-CCI-000085
-
-[reference]:
CCI-001443
[reference]:
-CCI-001444
-
-[reference]:
-CCI-001551
-
-[reference]:
-CCI-002418
+CCI-000381
[reference]:
4.3.3.5.1
New content has different text for rule 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces'.
--- xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
+++ xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
@@ -66,19 +66,16 @@
3.1.16
[reference]:
-CCI-000085
+CCI-001443
+
+[reference]:
+CCI-001444
+
+[reference]:
+CCI-002421
[reference]:
CCI-002418
-
-[reference]:
-CCI-002421
-
-[reference]:
-CCI-001443
-
-[reference]:
-CCI-001444
[reference]:
4.3.3.5.1
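Review bot: in this hunk CCI-000085 is the only reference actually removed; CCI-001443, CCI-001444 and CCI-002421 are merely moved ahead of CCI-002418, so most of the hunk is reorder noise. The preceding kernel_module_bluetooth_disabled hunk drops CCI-000085, CCI-001444, CCI-001551 and CCI-002418 and adds CCI-000381. Both rules sit under the same 3.1.16 context line, yet after the change wireless_disable_interfaces keeps CCI-001444 and CCI-002418 while kernel_module_bluetooth_disabled loses them; please confirm the two rules are meant to diverge this way.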
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned'.
--- xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned
+++ xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned
@@ -9,6 +9,9 @@
[reference]:
CCI-000366
+
+[reference]:
+CCI-001090
[reference]:
SRG-OS-000480-GPOS-00227
New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned'.
--- xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
+++ xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
@@ -86,9 +86,6 @@
[reference]:
CCI-000366
-
-[reference]:
-CCI-002165
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_no_files_unowned_by_user'.
--- xccdf_org.ssgproject.content_rule_no_files_unowned_by_user
+++ xccdf_org.ssgproject.content_rule_no_files_unowned_by_user
@@ -93,9 +93,6 @@
[reference]:
CCI-000366
-
-[reference]:
-CCI-002165
[reference]:
4.3.3.2.2
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks'.
--- xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks
+++ xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks
@@ -5,6 +5,9 @@
[description]:
To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1
+
+[reference]:
+CCI-002235
[reference]:
CCI-002165
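Review bot: CCI-002235 is inserted here directly after the [description] block with its own [reference] header, ahead of the existing CCI-002165 entry, while the file_permissions_ungroupowned and no_files_unowned_by_user hunks above both remove CCI-002165. The same identifier being kept in one rule and dropped in two others cannot be judged from the diff alone, so please spell out the intended CCI mapping for these file-permission and ownership rules in the PR description so it can be verified against the DISA source.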
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks'.
--- xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks
+++ xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks
@@ -5,6 +5,9 @@
[description]:
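Review bot: this hunk is cut off right after the [description] header by the trimmed output, so the sysctl_fs_protected_symlinks change cannot be reviewed here; its hunk header (@@ -5,6 +5,9 @@) matches the sysctl_fs_protected_hardlinks hunk above, so it may be the same reference addition, but please attach the full comparison log or list the remaining affected rules so nothing is approved by assumption.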
... The diff is trimmed here ...
Change in Ansible: Please consider using more suitable Ansible module than
Code Climate has analyzed commit 66c6569 and detected 4 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 69.1% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.0% (1.5% change). View more on Code Climate.
Description:
Rationale:
Rationale here. Replace this text. Don't use the italics format!
Fixes # Issue number here (e.g. Updating sysctl XCCDF naming #26) or remove this line if no issue exists.
Review Hints:
Review hints here. Replace this text. Don't use the italics format!
Use this optional section to give any relevant information which could help the reviewer to more quickly and assertively understand and test the changes.
Good examples are useful commands, if it is better to review all commits together or in a suggested sequence, any relevant discussion in other PRs or issues, etc.