-
Notifications
You must be signed in to change notification settings - Fork 698
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update RHEL 9 STIG to V2R2 #12551
Update RHEL 9 STIG to V2R2 #12551
Conversation
This datastream diff is auto generated by the check Click here to see the trimmed diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_crypto_policy
@@ -158,7 +158,7 @@
SV-258238r991554_rule
[reference]:
-SV-258241r987791_rule
+SV-258241r1017572_rule
[rationale]:
Centralized cryptographic policies simplify applying secure ciphers across an operating system and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
@@ -79,12 +79,6 @@
[reference]:
2.2
-[reference]:
-RHEL-09-255055
-
-[reference]:
-SV-257987r991554_rule
-
[rationale]:
Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
@@ -5,7 +5,6 @@
regexp: (?i)^\s*CRYPTO_POLICY.*$
tags:
- CCE-83445-7
- - DISA-STIG-RHEL-09-255055
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_encrypt_partitions'.
--- xccdf_org.ssgproject.content_rule_encrypt_partitions
+++ xccdf_org.ssgproject.content_rule_encrypt_partitions
@@ -233,7 +233,7 @@
RHEL-09-231190
[reference]:
-SV-257879r958872_rule
+SV-257879r1014836_rule
[rationale]:
The risk of a system's physical compromise, particularly mobile systems such as
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown
@@ -165,7 +165,7 @@
RHEL-09-271100
[reference]:
-SV-258029r991589_rule
+SV-258029r1014857_rule
[reference]:
SV-258030r991589_rule
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal
@@ -37,10 +37,10 @@
RHEL-09-271050
[reference]:
-SV-258019r997071_rule
+SV-258019r1015086_rule
[reference]:
-SV-258020r997072_rule
+SV-258020r1015087_rule
[rationale]:
Locking the screen automatically when removing the smartcard can
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -142,10 +142,10 @@
RHEL-09-271060
[reference]:
-SV-258021r997073_rule
+SV-258021r1015088_rule
[reference]:
-SV-258022r997074_rule
+SV-258022r1015089_rule
[rationale]:
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate'.
--- xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
+++ xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
@@ -147,7 +147,7 @@
RHEL-09-432025
[reference]:
-SV-258086r997081_rule
+SV-258086r1015095_rule
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd'.
--- xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
+++ xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
@@ -148,7 +148,7 @@
RHEL-09-611085
[reference]:
-SV-258106r997092_rule
+SV-258106r1015106_rule
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.
--- xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
+++ xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
@@ -46,7 +46,7 @@
RHEL-09-432015
[reference]:
-SV-258084r997080_rule
+SV-258084r1015094_rule
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_subscription-manager_installed'.
--- xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
+++ xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
@@ -47,7 +47,7 @@
RHEL-09-215010
[reference]:
-SV-257825r997056_rule
+SV-257825r1015079_rule
[rationale]:
Red Hat Subscription Manager is a local service which tracks installed products
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
@@ -188,7 +188,7 @@
RHEL-09-214015
[reference]:
-SV-257820r997053_rule
+SV-257820r1015076_rule
[rationale]:
Changes to any software components can have significant effects on the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
@@ -113,7 +113,7 @@
RHEL-09-214020
[reference]:
-SV-257821r997054_rule
+SV-257821r1015077_rule
[rationale]:
Changes to any software components can have significant effects to the overall security
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
@@ -182,7 +182,7 @@
RHEL-09-214025
[reference]:
-SV-257822r997055_rule
+SV-257822r1015078_rule
[rationale]:
Verifying the authenticity of the software prior to installation validates
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed'.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -201,7 +201,7 @@
RHEL-09-214010
[reference]:
-SV-257819r997052_rule
+SV-257819r1015075_rule
[rationale]:
Changes to software components can have significant effects on the overall
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
@@ -158,7 +158,7 @@
RHEL-09-271015
[reference]:
-SV-258012r958390_rule
+SV-258012r1014855_rule
[reference]:
SV-258013r958390_rule
New content has different text for rule 'xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo'.
--- xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo
+++ xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo
@@ -27,7 +27,7 @@
RHEL-09-611145
[reference]:
-SV-258118r997103_rule
+SV-258118r1015117_rule
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they do not
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth'.
--- xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth
+++ xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth
@@ -21,7 +21,7 @@
RHEL-09-611035
[reference]:
-SV-258096r958388_rule
+SV-258096r1014883_rule
[rationale]:
If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth'.
--- xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth
+++ xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth
@@ -21,7 +21,7 @@
RHEL-09-611030
[reference]:
-SV-258095r958388_rule
+SV-258095r1014881_rule
[rationale]:
If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
@@ -232,7 +232,7 @@
RHEL-09-611070
[reference]:
-SV-258103r997089_rule
+SV-258103r1015103_rule
[rationale]:
Use of a complex password helps to increase the time and resources required
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
@@ -183,7 +183,7 @@
RHEL-09-611115
[reference]:
-SV-258112r997097_rule
+SV-258112r1015111_rule
[rationale]:
Use of a complex password helps to increase the time and resources
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
@@ -51,7 +51,7 @@
RHEL-09-611060
[reference]:
-SV-258101r997087_rule
+SV-258101r1015101_rule
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
@@ -232,7 +232,7 @@
RHEL-09-611065
[reference]:
-SV-258102r997088_rule
+SV-258102r1015102_rule
[rationale]:
Use of a complex password helps to increase the time and resources required
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
@@ -178,7 +178,7 @@
RHEL-09-611120
[reference]:
-SV-258113r997098_rule
+SV-258113r1015112_rule
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
@@ -175,7 +175,7 @@
RHEL-09-611125
[reference]:
-SV-258114r997099_rule
+SV-258114r1015113_rule
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
@@ -237,7 +237,7 @@
RHEL-09-611130
[reference]:
-SV-258115r997100_rule
+SV-258115r1015114_rule
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
@@ -243,7 +243,7 @@
RHEL-09-611090
[reference]:
-SV-258107r997093_rule
+SV-258107r1015107_rule
[rationale]:
The shorter the password, the lower the number of possible combinations
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
@@ -225,7 +225,7 @@
RHEL-09-611100
[reference]:
-SV-258109r997095_rule
+SV-258109r1015109_rule
[rationale]:
Use of a complex password helps to increase the time and resources required
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
@@ -24,7 +24,7 @@
RHEL-09-611040
[reference]:
-SV-258097r997084_rule
+SV-258097r1015098_rule
[rationale]:
Enabling PAM password complexity permits to enforce strong passwords and consequently
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth
@@ -18,7 +18,7 @@
RHEL-09-611045
[reference]:
-SV-258098r991589_rule
+SV-258098r1014887_rule
[rationale]:
Enabling PAM password complexity permits to enforce strong passwords and consequently
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
@@ -238,7 +238,7 @@
RHEL-09-611010
[reference]:
-SV-258091r997083_rule
+SV-258091r1015097_rule
[rationale]:
Setting the password retry prompts that are permitted on a per-session basis to a low value
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
@@ -229,7 +229,7 @@
RHEL-09-611110
[reference]:
-SV-258111r997096_rule
+SV-258111r1015110_rule
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
@@ -198,7 +198,7 @@
RHEL-09-611135
[reference]:
-SV-258116r997101_rule
+SV-258116r1015115_rule
[rationale]:
Passwords need to be protected at all times, and encryption is the standard method for
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
@@ -200,7 +200,7 @@
RHEL-09-611140
[reference]:
-SV-258117r997102_rule
+SV-258117r1015116_rule
[rationale]:
Passwords need to be protected at all times, and encryption is the standard method for
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
@@ -218,7 +218,7 @@
RHEL-09-671025
[reference]:
-SV-258233r997115_rule
+SV-258233r1015136_rule
[rationale]:
Passwords need to be protected at all times, and encryption is the standard method for
xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs is missing in new data stream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_logind_session_timeout'.
--- xccdf_org.ssgproject.content_rule_logind_session_timeout
+++ xccdf_org.ssgproject.content_rule_logind_session_timeout
@@ -308,7 +308,7 @@
RHEL-09-412080
[reference]:
-SV-258077r970703_rule
+SV-258077r1014874_rule
[rationale]:
Terminating an idle session within a short time period reduces the window of
xccdf_org.ssgproject.content_rule_package_tmux_installed is missing in new data stream.
xccdf_org.ssgproject.content_rule_configure_bashrc_tmux is missing in new data stream.
xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time is missing in new data stream.
xccdf_org.ssgproject.content_rule_configure_tmux_lock_command is missing in new data stream.
xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding is missing in new data stream.
xccdf_org.ssgproject.content_rule_no_tmux_in_shells is missing in new data stream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_opensc_installed'.
--- xccdf_org.ssgproject.content_rule_package_opensc_installed
+++ xccdf_org.ssgproject.content_rule_package_opensc_installed
@@ -35,7 +35,7 @@
RHEL-09-611185
[reference]:
-SV-258126r997110_rule
+SV-258126r1015124_rule
[rationale]:
Using an authentication device, such as a CAC or token that is separate from
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed'.
--- xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed
+++ xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed
@@ -29,7 +29,7 @@
RHEL-09-611175
[reference]:
-SV-258124r997108_rule
+SV-258124r1015122_rule
[rationale]:
The pcsc-lite package must be installed if it is to be available for
New content has different text for rule 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'.
--- xccdf_org.ssgproject.content_rule_install_smartcard_packages
+++ xccdf_org.ssgproject.content_rule_install_smartcard_packages
@@ -44,7 +44,7 @@
RHEL-09-215075
[reference]:
-SV-257838r997057_rule
+SV-257838r1015080_rule
[rationale]:
Using an authentication device, such as a CAC or token that is separate from
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_pcscd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_pcscd_enabled
+++ xccdf_org.ssgproject.content_rule_service_pcscd_enabled
@@ -52,7 +52,7 @@
RHEL-09-611180
[reference]:
-SV-258125r997109_rule
+SV-258125r1015123_rule
[rationale]:
Using an authentication device, such as a CAC or token that is separate from
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers'.
--- xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers
+++ xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers
@@ -237,7 +237,7 @@
RHEL-09-611160
[reference]:
-SV-258121r997105_rule
+SV-258121r1015119_rule
[rationale]:
Smart card login provides two-factor authentication stronger than
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration'.
--- xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
+++ xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
@@ -284,7 +284,7 @@
RHEL-09-411050
[reference]:
-SV-258049r997078_rule
+SV-258049r1015092_rule
[rationale]:
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
@@ -205,7 +205,7 @@
RHEL-09-411010
[reference]:
-SV-258041r997076_rule
+SV-258041r1015090_rule
[rationale]:
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs
@@ -196,7 +196,7 @@
RHEL-09-611075
[reference]:
-SV-258104r997090_rule
+SV-258104r1015104_rule
[rationale]:
Enforcing a minimum password lifetime helps to prevent repeated password
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
@@ -228,12 +228,6 @@
[reference]:
R31
-[reference]:
-RHEL-09-611095
-
-[reference]:
-SV-258108r997094_rule
-
[rationale]:
Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
@@ -4,7 +4,6 @@
tags:
- CCE-83608-0
- CJIS-5.6.2.1
- - DISA-STIG-RHEL-09-611095
- NIST-800-171-3.5.7
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
@@ -32,7 +31,6 @@
tags:
- CCE-83608-0
- CJIS-5.6.2.1
- - DISA-STIG-RHEL-09-611095
- NIST-800-171-3.5.7
- NIST-800-53-CM-6(a)
- NIST-800-53-IA-5(1)(a)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing'.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
@@ -39,7 +39,7 @@
RHEL-09-411015
[reference]:
-SV-258042r997077_rule
+SV-258042r1015091_rule
[rationale]:
Any password, no matter how complex, can eventually be cracked. Therefore,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing'.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
@@ -32,7 +32,7 @@
RHEL-09-611080
[reference]:
-SV-258105r997091_rule
+SV-258105r1015105_rule
[rationale]:
Enforcing a minimum password lifetime helps to prevent repeated password
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512'.
--- xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512
+++ xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512
@@ -43,7 +43,7 @@
RHEL-09-671015
[reference]:
-SV-258231r997114_rule
+SV-258231r1015135_rule
[rationale]:
Passwords need to be protected at all times, and encryption is the standard method for
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
@@ -36,7 +36,7 @@
RHEL-09-611050
[reference]:
-SV-258099r997085_rule
+SV-258099r1015099_rule
[rationale]:
Using a higher number of rounds makes password cracking attacks more difficult.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
@@ -34,7 +34,7 @@
RHEL-09-611055
[reference]:
-SV-258100r997086_rule
+SV-258100r1015100_rule
[rationale]:
Using a higher number of rounds makes password cracking attacks more difficult.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords'.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords
@@ -337,7 +337,7 @@
RHEL-09-611025
[reference]:
-SV-258094r991589_rule
+SV-258094r1014878_rule
[rationale]:
If an account has an empty password, anyone could log in and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su'.
--- xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
+++ xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
@@ -35,7 +35,7 @@
RHEL-09-432035
[reference]:
-SV-258088r997082_rule
+SV-258088r1015096_rule
[rationale]:
The su program allows to run commands with a substitute user and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout'.
--- xccdf_org.ssgproject.content_rule_accounts_tmout
+++ xccdf_org.ssgproject.content_rule_accounts_tmout
@@ -171,7 +171,7 @@
RHEL-09-412035
[reference]:
-SV-258068r970703_rule
+SV-258068r1014872_rule
[rationale]:
Terminating an idle session within a short time period reduces
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_admin_username'.
--- xccdf_org.ssgproject.content_rule_grub2_admin_username
+++ xccdf_org.ssgproject.content_rule_grub2_admin_username
@@ -317,7 +317,7 @@
RHEL-09-212020
[reference]:
-SV-257789r958472_rule
+SV-257789r1014822_rule
[rationale]:
Having a non-default grub superuser username makes password-guessing attacks less effective.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_nolisten'.
--- xccdf_org.ssgproject.content_rule_rsyslog_nolisten
+++ xccdf_org.ssgproject.content_rule_rsyslog_nolisten
@@ -344,7 +344,7 @@
RHEL-09-652025
[reference]:
-SV-258143r991589_rule
+SV-258143r1014907_rule
[rationale]:
Any process which receives messages from the network incurs some risk of receiving malicious
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports'.
--- xccdf_org.ssgproject.content_rule_configure_firewalld_ports
+++ xccdf_org.ssgproject.content_rule_configure_firewalld_ports
@@ -308,12 +308,6 @@
[reference]:
1.3
-[reference]:
-RHEL-09-251025
-
-[reference]:
-SV-257938r958480_rule
-
[rationale]:
In order to prevent unauthorized connection of devices, unauthorized transfer of information,
or unauthorized tunneling (i.e., embedding of data types within data types), organizations must
New content has different text for rule 'xccdf_org.ssgproject.content_rule_networkmanager_dns_mode'.
--- xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
+++ xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
@@ -18,7 +18,7 @@
RHEL-09-252040
[reference]:
-SV-257949r991589_rule
+SV-257949r1014841_rule
[rationale]:
To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_autofs_disabled'.
--- xccdf_org.ssgproject.content_rule_service_autofs_disabled
+++ xccdf_org.ssgproject.content_rule_service_autofs_disabled
@@ -254,7 +254,7 @@
RHEL-09-231040
[reference]:
-SV-257849r958498_rule
+SV-257849r1014829_rule
[rationale]:
Disabling the automounter permits the administrator to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev'.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
@@ -76,7 +76,7 @@
RHEL-09-231095
[reference]:
-SV-257860r958804_rule
+SV-257860r1014832_rule
[rationale]:
The only legitimate location for device files is the /dev directory
New content has different text for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid'.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
@@ -83,7 +83,7 @@
RHEL-09-231100
[reference]:
-SV-257861r958804_rule
+SV-257861r1014834_rule
[rationale]:
The presence of SUID and SGID executables should be tightly controlled. Users
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled'.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled
@@ -25,7 +25,7 @@
RHEL-09-213020
[reference]:
-SV-257799r997051_rule
+SV-257799r1015074_rule
[rationale]:
Disabling kexec_load allows greater control of the kernel memory.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces'.
--- xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
+++ xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
@@ -37,7 +37,7 @@
RHEL-09-213105
[reference]:
-SV-257816r991589_rule
+SV-257816r1014825_rule
[rationale]:
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled'.
--- xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled
+++ xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled
@@ -452,7 +452,7 @@
RHEL-09-232260
[reference]:
-SV-257932r991589_rule
+SV-257932r1014838_rule
[rationale]:
If a device file carries the SELinux type device_t or
New content has different text for rule 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay'.
--- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
+++ xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
@@ -17,7 +17,7 @@
RHEL-09-252050
[reference]:
-SV-257951r991589_rule
+SV-257951r1014843_rule
[rationale]:
If unrestricted mail relaying is permitted, unauthorized senders could use this
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay'
--- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
+++ xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
@@ -1 +1 @@
-
+oval:ssg-package_postfix:def:1
xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems is missing in new data stream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_chrony_installed'.
--- xccdf_org.ssgproject.content_rule_package_chrony_installed
+++ xccdf_org.ssgproject.content_rule_package_chrony_installed
@@ -47,7 +47,7 @@
RHEL-09-252010
[reference]:
-SV-257943r997065_rule
+SV-257943r1015081_rule
[rationale]:
Time synchronization is important to support time sensitive security mechanisms like
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_chronyd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_chronyd_enabled
+++ xccdf_org.ssgproject.content_rule_service_chronyd_enabled
@@ -29,7 +29,7 @@
RHEL-09-252015
[reference]:
-SV-257944r997066_rule
+SV-257944r1015082_rule
[rationale]:
If chrony is in use on the system proper configuration is vital to ensuring time
New content has different text for rule 'xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server'.
--- xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server
+++ xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server
@@ -59,7 +59,7 @@
RHEL-09-252020
[reference]:
-SV-257945r997067_rule
+SV-257945r1015083_rule
[rationale]:
If chrony is in use on the system proper configuration is vital to ensuring time
New content has different text for rule 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'.
--- xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
+++ xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
@@ -131,7 +131,7 @@
RHEL-09-252020
[reference]:
-SV-257945r997067_rule
+SV-257945r1015083_rule
[rationale]:
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_chronyd_server_directive'.
--- xccdf_org.ssgproject.content_rule_chronyd_server_directive
+++ xccdf_org.ssgproject.content_rule_chronyd_server_directive
@@ -30,7 +30,7 @@
RHEL-09-252020
[reference]:
-SV-257945r997067_rule
+SV-257945r1015083_rule
[rationale]:
Depending on the infrastructure being used the pool directive may not be supported.
xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode is missing in new data stream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -400,7 +400,7 @@
RHEL-09-255040
[reference]:
-SV-257984r958486_rule
+SV-257984r1014848_rule
[rationale]:
Configuring this setting for the SSH daemon provides additional assurance
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -442,7 +442,7 @@
RHEL-09-255045
[reference]:
-SV-257985r997069_rule
+SV-257985r1015085_rule
[rationale]:
Even though the communications channel may be encrypted, an additional layer of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -37,7 +37,7 @@
RHEL-09-255035
[reference]:
-SV-257983r997068_rule
+SV-257983r1015084_rule
[rationale]:
Without the use of multifactor authentication, the ease of access to
xccdf_org.ssgproject.content_rule_sshd_use_priv_separation is missing in new data stream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification'.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -28,7 +28,7 @@
RHEL-09-611170
[reference]:
-SV-258123r997107_rule
+SV-258123r1015121_rule
[rationale]:
Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_certmap'.
--- xccdf_org.ssgproject.content_rule_sssd_enable_certmap
+++ xccdf_org.ssgproject.content_rule_sssd_enable_certmap
@@ -29,7 +29,7 @@
RHEL-09-631015
[reference]:
-SV-258132r958452_rule
+SV-258132r1014905_rule
[rationale]:
Without mapping the certificate used to authenticate to the user account, the ability to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards'.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -92,7 +92,7 @@
RHEL-09-611165
[reference]:
-SV-258122r997106_rule
+SV-258122r1015120_rule
[rationale]:
Using an authentication device, such as a CAC or token that is separate from
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor'.
--- xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor
+++ xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor
@@ -27,7 +27,7 @@
RHEL-09-631010
[reference]:
-SV-258131r997113_rule
+SV-258131r1015125_rule
[rationale]:
Without path validation, an informed trust decision by the relying party cannot be made when
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_usbguard_installed'.
--- xccdf_org.ssgproject.content_rule_package_usbguard_installed
+++ xccdf_org.ssgproject.content_rule_package_usbguard_installed
@@ -35,7 +35,7 @@
RHEL-09-291015
[reference]:
-SV-258035r997117_rule
+SV-258035r1014859_rule
[rationale]:
usbguard is a software framework that helps to protect
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled'.
--- xccdf_org.ssgproject.content_rule_service_usbguard_enabled
+++ xccdf_org.ssgproject.content_rule_service_usbguard_enabled
@@ -39,7 +39,7 @@
RHEL-09-291020
[reference]:
-SV-258036r997118_rule
+SV-258036r1014861_rule
[rationale]:
The usbguard service must be running in order to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend'.
--- xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
+++ xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
@@ -36,7 +36,7 @@
RHEL-09-291025
[reference]:
-SV-258037r958442_rule
+SV-258037r1014863_rule
[rationale]:
Using the Linux Audit logging allows for centralized trace
New content has different text for rule 'xccdf_org.ssgproject.content_rule_usbguard_generate_policy'.
--- xccdf_org.ssgproject.content_rule_usbguard_generate_policy
+++ xccdf_org.ssgproject.content_rule_usbguard_generate_policy
@@ -27,7 +27,7 @@
RHEL-09-291030
[reference]:
-SV-258038r958820_rule
+SV-258038r1017033_rule
[rationale]:
The usbguard must be configured to allow connected USB devices to work
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_audit_installed'.
--- xccdf_org.ssgproject.content_rule_package_audit_installed
+++ xccdf_org.ssgproject.content_rule_package_audit_installed
@@ -219,7 +219,7 @@
RHEL-09-653010
[reference]:
-SV-258151r997050_rule
+SV-258151r1015126_rule
[rationale]:
The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_auditd_enabled
+++ xccdf_org.ssgproject.content_rule_service_auditd_enabled
@@ -560,7 +560,7 @@
RHEL-09-653015
[reference]:
-SV-258152r997058_rule
+SV-258152r1015127_rule
[rationale]:
Without establishing what type of events occurred, it would be difficult
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers'.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers
@@ -105,7 +105,7 @@
RHEL-09-654215
[reference]:
-SV-258217r997059_rule
+SV-258217r1015128_rule
[rationale]:
The actions taken by system administrators should be audited to keep a record
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d'.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
@@ -105,7 +105,7 @@
RHEL-09-654220
[reference]:
-SV-258218r997060_rule
+SV-258218r1015129_rule
[rationale]:
The actions taken by system administrators should be audited to keep a record
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function'.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -77,7 +77,7 @@
RHEL-09-654010
[reference]:
-SV-258176r958730_rule
+SV-258176r1014909_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown
+++ xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown
@@ -153,7 +153,7 @@
RHEL-09-654265
[reference]:
-SV-258227r958424_rule
+SV-258227r1014992_rule
[rationale]:
It is critical for the appropriate personnel to be aware if a system
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
@@ -607,7 +607,7 @@
RHEL-09-654225
[reference]:
-SV-258219r997061_rule
+SV-258219r1015130_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
@@ -607,7 +607,7 @@
RHEL-09-654230
[reference]:
-SV-258220r997062_rule
+SV-258220r1015131_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
@@ -613,7 +613,7 @@
RHEL-09-654235
[reference]:
-SV-258221r997063_rule
+SV-258221r1015132_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
@@ -622,7 +622,7 @@
RHEL-09-654240
[reference]:
-SV-258222r997064_rule
+SV-258222r1015133_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
@@ -607,7 +607,7 @@
RHEL-09-654245
[reference]:
-SV-258223r997075_rule
+SV-258223r1015134_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
@@ -454,7 +454,7 @@
RHEL-09-654015
[reference]:
-SV-258177r958412_rule
+SV-258177r1014911_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
@@ -457,7 +457,7 @@
RHEL-09-654020
[reference]:
-SV-258178r958412_rule
+SV-258178r1014913_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
@@ -454,7 +454,7 @@
RHEL-09-654015
[reference]:
-SV-258177r958412_rule
+SV-258177r1014911_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
@@ -454,7 +454,7 @@
RHEL-09-654015
[reference]:
-SV-258177r958412_rule
+SV-258177r1014911_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
@@ -460,7 +460,7 @@
RHEL-09-654020
[reference]:
-SV-258178r958412_rule
+SV-258178r1014913_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
@@ -457,7 +457,7 @@
RHEL-09-654020
[reference]:
-SV-258178r958412_rule
+SV-258178r1014913_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
@@ -485,7 +485,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
@@ -479,7 +479,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
@@ -457,7 +457,7 @@
RHEL-09-654020
[reference]:
-SV-258178r958412_rule
+SV-258178r1014913_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
@@ -491,7 +491,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
@@ -479,7 +479,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
@@ -490,7 +490,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
@@ -455,7 +455,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl
@@ -63,7 +63,7 @@
RHEL-09-654035
[reference]:
-SV-258181r958412_rule
+SV-258181r1014918_rule
[rationale]:
Without generating audit records that are specific to the security and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl
@@ -57,7 +57,7 @@
RHEL-09-654040
[reference]:
-SV-258182r958412_rule
+SV-258182r1014920_rule
[rationale]:
Without generating audit records that are specific to the security and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
@@ -291,7 +291,7 @@
RHEL-09-654045
[reference]:
-SV-258183r958412_rule
+SV-258183r1014922_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
@@ -306,7 +306,7 @@
RHEL-09-654050
[reference]:
-SV-258184r958412_rule
+SV-258184r1014924_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles
@@ -81,7 +81,7 @@
RHEL-09-654055
[reference]:
-SV-258185r958412_rule
+SV-258185r1014926_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
@@ -279,7 +279,7 @@
RHEL-09-654060
[reference]:
-SV-258186r958412_rule
+SV-258186r1014928_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
@@ -449,7 +449,7 @@
RHEL-09-654065
[reference]:
-SV-258187r958412_rule
+SV-258187r1014930_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
@@ -449,7 +449,7 @@
RHEL-09-654065
[reference]:
-SV-258187r958412_rule
+SV-258187r1014930_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
@@ -446,7 +446,7 @@
RHEL-09-654065
[reference]:
-SV-258187r958412_rule
+SV-258187r1014930_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
@@ -449,7 +449,7 @@
RHEL-09-654065
[reference]:
-SV-258187r958412_rule
+SV-258187r1014930_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
@@ -449,7 +449,7 @@
RHEL-09-654065
[reference]:
-SV-258187r958412_rule
+SV-258187r1014930_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
@@ -433,7 +433,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
@@ -436,7 +436,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
@@ -436,7 +436,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
@@ -424,7 +424,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
@@ -436,7 +436,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
@@ -436,7 +436,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete'.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
@@ -416,7 +416,7 @@
RHEL-09-654075
[reference]:
-SV-258189r958412_rule
+SV-258189r1014934_rule
[rationale]:
The removal of kernel modules can be used to alter the behavior of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit'.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit
@@ -416,7 +416,7 @@
RHEL-09-654080
[reference]:
-SV-258190r958412_rule
+SV-258190r1014936_rule
[rationale]:
The addition/removal of kernel modules can be used to alter the behavior of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init'.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
@@ -416,7 +416,7 @@
RHEL-09-654080
[reference]:
-SV-258190r958412_rule
+SV-258190r1014936_rule
[rationale]:
The addition of kernel modules can be used to alter the behavior of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
@@ -404,7 +404,7 @@
RHEL-09-654250
[reference]:
-SV-258224r958846_rule
+SV-258224r1014988_rule
[rationale]:
Manual editing of these files may indicate nefarious activity, such
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
@@ -431,7 +431,7 @@
RHEL-09-654255
[reference]:
-SV-258225r958412_rule
+SV-258225r1014990_rule
[rationale]:
Manual editing of these files may indicate nefarious activity, such
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_privileged_commands_init'.
--- xccdf_org.ssgproject.content_rule_audit_privileged_commands_init
+++ xccdf_org.ssgproject.content_rule_audit_privileged_commands_init
@@ -27,7 +27,7 @@
RHEL-09-654185
[reference]:
-SV-258211r991586_rule
+SV-258211r1014976_rule
[rationale]:
Misuse of the init command may cause availability issues for the system.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff'.
--- xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff
+++ xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff
@@ -27,7 +27,7 @@
RHEL-09-654190
[reference]:
-SV-258212r991586_rule
+SV-258212r1014978_rule
[rationale]:
Misuse of the poweroff command may cause availability issues for the system.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot'.
--- xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot
+++ xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot
@@ -27,7 +27,7 @@
RHEL-09-654195
[reference]:
-SV-258213r991586_rule
+SV-258213r1014980_rule
[rationale]:
Misuse of the reboot command may cause availability issues for the system.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown'.
--- xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown
+++ xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown
@@ -27,7 +27,7 @@
RHEL-09-654200
[reference]:
-SV-258214r991586_rule
+SV-258214r1017037_rule
[rationale]:
Misuse of the shutdown command may cause availability issues for the system.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
@@ -303,7 +303,7 @@
RHEL-09-654085
[reference]:
-SV-258191r958412_rule
+SV-258191r1014938_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
@@ -291,7 +291,7 @@
RHEL-09-654090
[reference]:
-SV-258192r958412_rule
+SV-258192r1014940_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
@@ -264,7 +264,7 @@
RHEL-09-654095
[reference]:
-SV-258193r958412_rule
+SV-258193r1014942_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
@@ -294,7 +294,7 @@
RHEL-09-654100
[reference]:
-SV-258194r958412_rule
+SV-258194r1014944_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod
@@ -87,7 +87,7 @@
RHEL-09-654105
[reference]:
-SV-258195r958412_rule
+SV-258195r1014946_rule
[rationale]:
Without generating audit records that are specific to the security and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
@@ -66,7 +66,7 @@
RHEL-09-654180
[reference]:
-SV-258210r958412_rule
+SV-258210r1014974_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
@@ -294,7 +294,7 @@
RHEL-09-654110
[reference]:
-SV-258196r958412_rule
+SV-258196r1014948_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
@@ -269,7 +269,7 @@
RHEL-09-654115
[reference]:
-SV-258197r958412_rule
+SV-258197r1014950_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
@@ -264,7 +264,7 @@
RHEL-09-654125
[reference]:
-SV-258199r958412_rule
+SV-258199r1014952_rule
[rationale]:
Misuse of privileged functions, either intentio
... The diff is trimmed here ... |
controls/stig_rhel9.yml
Outdated
@@ -1847,7 +1847,8 @@ controls: | |||
- medium | |||
title: RHEL 9 SSH daemon must be configured to use system-wide crypto policies. | |||
rules: | |||
- configure_ssh_crypto_policy | |||
- harden_sshd_ciphers_opensshserver_conf_crypto_policy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure if this rule should be here. Reading the relevant STIG, it seems that the audit part does not mention desired ciphers at all. But the rule you use actually checks for exact ciphers in files provided by crypto-policies package. I think we need a new rule as this STIG checks rather for correct include directives than for actual ciphers configured.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
New rule added.
/packit build |
81b5a14
to
f525658
Compare
f525658
to
ab49c2d
Compare
Code Climate has analyzed commit ab49c2d and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate. |
LGTM now, thank you. Failing tests fail because new rules are currently present only in rhel9 benchmark. |
87f9f1e
into
ComplianceAsCode:master
@Mab879 I believe this PR should have also bumped "version: V2R1" to "version: V2R2" in /products/rhel9/profiles/stig.profile/ and /products/rhel9/profiles/stig_gui.profile/ |
Description:
Rationale: