Merge pull request ComplianceAsCode#11193 from Mab879/add_rhel9_stig

Add RHEL 9 STIG

linux_os/guide/services/base/service_kdump_disabled/rule.yml

@@ -42,6 +42,7 @@ references:
     stigid@ol8: OL08-00-010670
     stigid@rhel7: RHEL-07-021300
     stigid@rhel8: RHEL-08-010670
+    stigid@rhel9: RHEL-09-213115
     stigid@sle12: SLES-12-010840
     stigid@sle15: SLES-15-040190
     stigid@ubuntu2004: UBTU-20-010413

linux_os/guide/services/cron_and_at/file_groupowner_cron_d/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232235
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.d", group="root") }}}'
 

linux_os/guide/services/cron_and_at/file_groupowner_cron_daily/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232235
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.daily", group="root") }}}'
 

linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml

@@ -22,6 +22,7 @@ references:
     disa: CCI-000366
     nist: CM-6 b
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232235
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.deny", group="root") }}}'
 

linux_os/guide/services/cron_and_at/file_groupowner_cron_hourly/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232235
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.hourly", group="root") }}}'
 

linux_os/guide/services/cron_and_at/file_groupowner_cron_monthly/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232235
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.monthly", group="root") }}}'
 

linux_os/guide/services/cron_and_at/file_groupowner_cron_weekly/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232235
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.weekly", group="root") }}}'
 

linux_os/guide/services/cron_and_at/file_groupowner_crontab/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232235
 
 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/crontab", group="root") }}}'
 

linux_os/guide/services/cron_and_at/file_owner_cron_d/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232230
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.d", owner="root") }}}'
 

linux_os/guide/services/cron_and_at/file_owner_cron_daily/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232230
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.daily", owner="root") }}}'
 

linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml

@@ -22,6 +22,7 @@ references:
     disa: CCI-000366
     nist: CM-6 b
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232230
 
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.deny", owner="root") }}}'

linux_os/guide/services/cron_and_at/file_owner_cron_hourly/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232230
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.hourly", owner="root") }}}'
 

linux_os/guide/services/cron_and_at/file_owner_cron_monthly/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232230
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.monthly", owner="root") }}}'
 

linux_os/guide/services/cron_and_at/file_owner_cron_weekly/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232230
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.weekly", owner="root") }}}'
 

linux_os/guide/services/cron_and_at/file_owner_crontab/rule.yml

@@ -39,6 +39,7 @@ references:
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232230
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/crontab", owner="root") }}}'
 

linux_os/guide/services/cron_and_at/file_permissions_cron_d/rule.yml

@@ -40,6 +40,7 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     pcidss4: "2.2.6"
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232040
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/cron.d", perms="-rwx------") }}}'
 

linux_os/guide/services/cron_and_at/file_permissions_cron_daily/rule.yml

@@ -40,6 +40,7 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     pcidss4: "2.2.6"
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232040
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/cron.daily", perms="-rwx------") }}}'
 

linux_os/guide/services/cron_and_at/file_permissions_cron_hourly/rule.yml

@@ -40,6 +40,7 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     pcidss4: "2.2.6"
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232040
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/cron.hourly", perms="-rwx------") }}}'
 

linux_os/guide/services/cron_and_at/file_permissions_cron_monthly/rule.yml

@@ -40,6 +40,7 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     pcidss4: "2.2.6"
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232040
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/cron.monthly", perms="-rwx------") }}}'
 

linux_os/guide/services/cron_and_at/file_permissions_cron_weekly/rule.yml

@@ -40,6 +40,7 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     pcidss4: "2.2.6"
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232040
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/cron.weekly", perms="-rwx------") }}}'
 

linux_os/guide/services/cron_and_at/file_permissions_crontab/rule.yml

@@ -40,6 +40,7 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     pcidss4: "2.2.6"
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-232265
 
 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/crontab", perms="-rw-------") }}}'
 

linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml

@@ -24,6 +24,7 @@ references:
     srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00230
     stigid@ol8: OL08-00-040135
     stigid@rhel8: RHEL-08-040135
+    stigid@rhel9: RHEL-09-433010
 
 ocil_clause: 'the fapolicyd package is not installed'
 

linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml

@@ -26,6 +26,7 @@ references:
     srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00230
     stigid@ol8: OL08-00-040136
     stigid@rhel8: RHEL-08-040136
+    stigid@rhel9: RHEL-09-433015
 
 ocil_clause: 'the service is not enabled'
 

linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml

@@ -42,6 +42,7 @@ references:
     stigid@ol8: OL08-00-040360
     stigid@rhel7: RHEL-07-040690
     stigid@rhel8: RHEL-08-040360
+    stigid@rhel9: RHEL-09-215015
     stigid@sle12: SLES-12-030011
     stigid@sle15: SLES-15-010030
 

linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml

@@ -28,6 +28,7 @@ references:
     srg: SRG-OS-000120-GPOS-00061
     stigid@ol8: OL08-00-010161
     stigid@rhel8: RHEL-08-010161
+    stigid@rhel9: RHEL-09-611205
 
 platforms:
     - krb5_server_older_than_1_17-18 and krb5_workstation_older_than_1_17-18

linux_os/guide/services/mail/package_s-nail_installed/rule.yml

@@ -21,6 +21,7 @@ references:
     disa: CCI-001744
     nist: CM-3(5)
     srg: SRG-OS-000363-GPOS-00150
+    stigid@rhel9: RHEL-09-215095
 
 ocil_clause: 'the package is not installed'
 

linux_os/guide/services/mail/package_sendmail_removed/rule.yml

@@ -36,6 +36,7 @@ references:
     srg: SRG-OS-000480-GPOS-00227,SRG-OS-000095-GPOS-00049
     stigid@ol8: OL08-00-040002
     stigid@rhel8: RHEL-08-040002
+    stigid@rhel9: RHEL-09-215020
 
 {{{ complete_ocil_entry_package(package="sendmail") }}}
 

linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml

@@ -31,6 +31,7 @@ references:
     nist: CM-6(a)
     nist@sle12: AU-5(a),AU-5.1(ii)
     srg: SRG-OS-000046-GPOS-00022
+    stigid@rhel9: RHEL-09-653125
     stigid@sle12: SLES-12-020050
     stigid@sle15: SLES-15-030580
 

linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias_postmaster/rule.yml

@@ -30,6 +30,7 @@ references:
     srg: SRG-OS-000046-GPOS-00022
     stigid@ol8: OL08-00-030030
     stigid@rhel8: RHEL-08-030030
+    stigid@rhel9: RHEL-09-252060
 
 ocil_clause: 'the alias is not set or is not root'
 

linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml

@@ -28,6 +28,7 @@ references:
     stigid@ol8: OL08-00-040290
     stigid@rhel7: RHEL-07-040680
     stigid@rhel8: RHEL-08-040290
+    stigid@rhel9: RHEL-09-252050
 
 ocil_clause: 'the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject"'
 

linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/rule.yml

@@ -30,6 +30,7 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-040750
     stigid@rhel7: RHEL-07-040750
+    stigid@rhel9: RHEL-09-231060
 
 ocil_clause: 'the setting is not configured, has the ''sys'' option added, or does not have all Kerberos options added'
 

linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml

@@ -29,6 +29,7 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol8: OL08-00-010640
     stigid@rhel8: RHEL-08-010640
+    stigid@rhel9: RHEL-09-231065
 
 ocil_clause: 'the setting does not show'
 

linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml

@@ -35,6 +35,7 @@ references:
     stigid@ol8: OL08-00-010630
     stigid@rhel7: RHEL-07-021021
     stigid@rhel8: RHEL-08-010630
+    stigid@rhel9: RHEL-09-231070
     stigid@sle12: SLES-12-010820
     stigid@sle15: SLES-15-040170
 

linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml

@@ -33,6 +33,7 @@ references:
     stigid@ol8: OL08-00-010650
     stigid@rhel7: RHEL-07-021020
     stigid@rhel8: RHEL-08-010650
+    stigid@rhel9: RHEL-09-231075
     stigid@sle12: SLES-12-010810
     stigid@sle15: SLES-15-040160
 

linux_os/guide/services/nfs_and_rpc/package_nfs-utils_removed/rule.yml

@@ -31,6 +31,7 @@ references:
     cis@sle15: 2.2.7
     pcidss4: "2.2.4"
     srg: SRG-OS-000095-GPOS-00049
+    stigid@rhel9: RHEL-09-215025
 
 {{{ complete_ocil_entry_package(package="nfs-utils") }}}
 

linux_os/guide/services/ntp/chronyd_client_only/rule.yml

@@ -30,6 +30,7 @@ references:
     srg: SRG-OS-000096-GPOS-00050,SRG-OS-000095-GPOS-00049
     stigid@ol8: OL08-00-030741
     stigid@rhel8: RHEL-08-030741
+    stigid@rhel9: RHEL-09-252025
 
 ocil_clause: 'the "port" option is not set to "0", is commented out, or is missing'
 

linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml

@@ -29,6 +29,7 @@ references:
     srg: SRG-OS-000096-GPOS-00050,SRG-OS-000095-GPOS-00049
     stigid@ol8: OL08-00-030742
     stigid@rhel8: RHEL-08-030742
+    stigid@rhel9: RHEL-09-252030
 
 ocil_clause: 'the "cmdport" option is not set to "0", is commented out, or is missing'
 

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml

@@ -96,6 +96,7 @@ references:
     stigid@ol8: OL08-00-030740
     stigid@rhel7: RHEL-07-040500
     stigid@rhel8: RHEL-08-030740
+    stigid@rhel9: RHEL-09-252020
     stigid@sle12: SLES-12-030300
     stigid@sle15: SLES-15-010400
     stigid@ubuntu2004: UBTU-20-010435

linux_os/guide/services/ntp/chronyd_server_directive/rule.yml

@@ -24,6 +24,7 @@ references:
     srg: SRG-OS-000355-GPOS-00143,SRG-OS-000356-GPOS-00144,SRG-OS-000359-GPOS-00146
     stigid@ol8: OL08-00-030740
     stigid@rhel8: RHEL-08-030740
+    stigid@rhel9: RHEL-09-252020
 
 ocil_clause: 'an authoritative remote time server is not configured or configured with pool directive'
 

linux_os/guide/services/ntp/package_chrony_installed/rule.yml

@@ -40,6 +40,7 @@ references:
     pcidss: Req-10.4
     pcidss4: "10.6.1"
     srg: SRG-OS-000355-GPOS-00143
+    stigid@rhel9: RHEL-09-252010
     stigid@ubuntu2004: UBTU-20-010435
 
 ocil_clause: 'the package is not installed'

linux_os/guide/services/ntp/service_chronyd_enabled/rule.yml

@@ -32,6 +32,7 @@ references:
     cis@ubuntu2204: 2.1.2.3
     ism: 0988,1405
     srg: SRG-OS-000355-GPOS-00143
+    stigid@rhel9: RHEL-09-252015
 
 ocil_clause: 'the chronyd process is not running'
 

linux_os/guide/services/obsolete/nis/package_ypserv_removed/rule.yml

@@ -44,6 +44,7 @@ references:
     srg: SRG-OS-000095-GPOS-00049
     stigid@ol7: OL07-00-020010
     stigid@rhel7: RHEL-07-020010
+    stigid@rhel9: RHEL-09-215030
 
 {{{ complete_ocil_entry_package(package="ypserv") }}}
 

linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml

@@ -31,6 +31,7 @@ references:
     stigid@ol8: OL08-00-010460
     stigid@rhel7: RHEL-07-040550
     stigid@rhel8: RHEL-08-010460
+    stigid@rhel9: RHEL-09-252070
     stigid@sle12: SLES-12-010410
     stigid@sle15: SLES-15-040030
 

linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml

@@ -34,6 +34,7 @@ references:
     stigid@ol8: OL08-00-010470
     stigid@rhel7: RHEL-07-040540
     stigid@rhel8: RHEL-08-010470
+    stigid@rhel9: RHEL-09-252075
     stigid@sle12: SLES-12-010400
     stigid@sle15: SLES-15-040020
 

linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml

@@ -40,6 +40,7 @@ references:
     stigid@ol8: OL08-00-040010
     stigid@rhel7: RHEL-07-020000
     stigid@rhel8: RHEL-08-040010
+    stigid@rhel9: RHEL-09-215035
     stigid@ubuntu2004: UBTU-20-010406
 
 {{{ complete_ocil_entry_package(package="rsh-server") }}}

linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml

@@ -55,6 +55,7 @@ references:
     stigid@ol8: OL08-00-040000
     stigid@rhel7: RHEL-07-021710
     stigid@rhel8: RHEL-08-040000
+    stigid@rhel9: RHEL-09-215040
     stigid@sle12: SLES-12-030000
     stigid@sle15: SLES-15-010180
 

linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/rule.yml

@@ -42,6 +42,7 @@ references:
     stigid@ol8: OL08-00-040190
     stigid@rhel7: RHEL-07-040700
     stigid@rhel8: RHEL-08-040190
+    stigid@rhel9: RHEL-09-215060
 
 {{{ complete_ocil_entry_package(package="tftp-server") }}}
 

linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml

@@ -48,6 +48,7 @@ references:
     stigid@ol8: OL08-00-040350
     stigid@rhel7: RHEL-07-040720
     stigid@rhel8: RHEL-08-040350
+    stigid@rhel9: RHEL-09-252055
 
 ocil_clause: |-
 {{%- if product in ["rhel7","ol7","rhel8","ol8","rhv4"] %}}

linux_os/guide/services/rng/service_rngd_enabled/rule.yml

@@ -25,6 +25,7 @@ references:
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol8: OL08-00-010471
     stigid@rhel8: RHEL-08-010471
+    stigid@rhel9: RHEL-09-211035
 
 {{% if product == "ol8" %}}
 platform: os_linux[ol]<8.4 or not runtime_kernel_fips_enabled

linux_os/guide/services/routing/disabling_quagga/package_quagga_removed/rule.yml

@@ -30,6 +30,7 @@ references:
     nist: CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.PT-4
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel9: RHEL-09-215065
 
 {{{ complete_ocil_entry_package(package="quagga") }}}