Merge pull request #12551 from Mab879/rhel9_stig_v2r2

Update RHEL 9 STIG to V2R2

components/openssh.yml

@@ -19,6 +19,7 @@ rules:
 - file_permissions_sshd_config
 - file_permissions_sshd_private_key
 - file_permissions_sshd_pub_key
+- file_sshd_50_redhat_exists
 - firewalld_sshd_disabled
 - firewalld_sshd_port_enabled
 - iptables_sshd_disabled
@@ -79,5 +80,6 @@ rules:
 - sshd_use_strong_macs
 - sshd_use_strong_rng
 - sshd_x11_use_localhost
+- sshd_include_crypto_policy
 templates:
 - sshd_lineinfile

controls/stig_rhel9.yml

@@ -662,16 +662,6 @@ controls:
             - mount_option_home_noexec
         status: automated
 
-    -   id: RHEL-09-231060
-        levels:
-            - medium
-        title:
-            RHEL 9 must be configured so that the Network File System (NFS) is configured
-            to use RPCSEC_GSS.
-        rules:
-            - mount_option_krb_sec_remote_filesystems
-        status: automated
-
     -   id: RHEL-09-231065
         levels:
             - medium
@@ -1402,14 +1392,6 @@ controls:
             - configured_firewalld_default_deny
         status: automated
 
-    -   id: RHEL-09-251025
-        levels:
-            - medium
-        title: RHEL 9 must control remote access methods.
-        rules:
-            - configure_firewalld_ports
-        status: automated
-
     -   id: RHEL-09-251030
         levels:
             - medium
@@ -1531,16 +1513,6 @@ controls:
             - postfix_prevent_unrestricted_relay
         status: automated
 
-    -   id: RHEL-09-252055
-        levels:
-            - medium
-        title:
-            If the Trivial File Transfer Protocol (TFTP) server is required, RHEL 9 TFTP
-            daemon must be configured to operate in secure mode.
-        rules:
-            - tftpd_uses_secure_mode
-        status: automated
-
     -   id: RHEL-09-252060
         levels:
             - medium
@@ -1847,7 +1819,8 @@ controls:
             - medium
         title: RHEL 9 SSH daemon must be configured to use system-wide crypto policies.
         rules:
-            - configure_ssh_crypto_policy
+            - file_sshd_50_redhat_exists
+            - sshd_include_crypto_policy
         status: automated
 
     -   id: RHEL-09-255060
@@ -2040,14 +2013,6 @@ controls:
             - sshd_print_last_log
         status: automated
 
-    -   id: RHEL-09-255170
-        levels:
-            - medium
-        title: RHEL 9 SSH daemon must be configured to use privilege separation.
-        rules:
-            - sshd_use_priv_separation
-        status: automated
-
     -   id: RHEL-09-255175
         levels:
             - medium
@@ -2542,52 +2507,6 @@ controls:
             - accounts_user_dot_no_world_writable_programs
         status: automated
 
-    -   id: RHEL-09-412010
-        levels:
-            - medium
-        title: RHEL 9 must have the tmux package installed.
-        rules:
-            - package_tmux_installed
-        status: automated
-
-    -   id: RHEL-09-412015
-        levels:
-            - medium
-        title: RHEL 9 must ensure session control is automatically started at shell initialization.
-        rules:
-            - configure_bashrc_tmux
-        status: automated
-
-    -   id: RHEL-09-412020
-        levels:
-            - medium
-        title:
-            RHEL 9 must enable a user session lock until that user re-establishes access
-            using established identification and authentication procedures for command line
-            sessions.
-        rules:
-            - configure_tmux_lock_command
-            - configure_tmux_lock_keybinding
-        status: automated
-
-    -   id: RHEL-09-412025
-        levels:
-            - medium
-        title:
-            RHEL 9 must automatically lock command line user sessions after 15 minutes
-            of inactivity.
-        rules:
-            - configure_tmux_lock_after_time
-        status: automated
-
-    -   id: RHEL-09-412030
-        levels:
-            - low
-        title: RHEL 9 must prevent users from disabling session control mechanisms.
-        rules:
-            - no_tmux_in_shells
-        status: automated
-
     -   id: RHEL-09-412035
         levels:
             - medium
@@ -2596,6 +2515,7 @@ controls:
             15 minutes of inactivity.
         rules:
             - accounts_tmout
+            - var_accounts_tmout=10_min
         status: automated
 
     -   id: RHEL-09-412040
@@ -2941,14 +2861,6 @@ controls:
             - var_password_pam_minlen=15
         status: automated
 
-    -   id: RHEL-09-611095
-        levels:
-            - medium
-        title: RHEL 9 passwords for new users must have a minimum of 15 characters.
-        rules:
-            - accounts_password_minlen_login_defs
-        status: automated
-
     -   id: RHEL-09-611100
         levels:
             - medium
@@ -3056,16 +2968,6 @@ controls:
             - disallow_bypass_password_sudo
         status: automated
 
-    -   id: RHEL-09-611150
-        levels:
-            - medium
-        title:
-            RHEL 9 shadow password suite must be configured to use a sufficient number
-            of hashing rounds.
-        rules:
-            - set_password_hashing_min_rounds_logindefs
-        status: automated
-
     -   id: RHEL-09-611155
         levels:
             - medium

linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_relay/postfix_prevent_unrestricted_relay/rule.yml

@@ -1,6 +1,5 @@
 documentation_complete: true
 
-
 title: 'Prevent Unrestricted Mail Relaying'
 
 description: |-
@@ -13,6 +12,8 @@ rationale: |-
     host as a mail relay for the purpose of sending spam or other unauthorized
     activity.
 
+platform: package[postfix]
+
 severity: medium
 
 identifiers:

linux_os/guide/services/ssh/file_sshd_50_redhat_exists/rule.yml

@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: 'The File /etc/ssh/sshd_config.d/50-redhat.conf Must Exist'
+
+description: |-
+    The <tt>/etc/ssh/sshd_config.d/50-redhat.conf</tt> file must exist as it contains important
+    settings to secure SSH.
+
+
+rationale: |-
+    The file must exist to configure SSH correctly.
+
+identifiers:
+    cce@rhel9: CCE-88599-6
+
+references:
+    disa: CCI-001453
+    nist: AC-17 (2)
+    srg: SRG-OS-000250-GPOS-00093
+
+severity: medium
+
+warnings:
+    - general:
+        There is no remediation available for this rule since this file
+        needs to have the correct content for the given system.
+
+
+template:
+    name: 'file_existence'
+    vars:
+        filepath: '/etc/ssh/sshd_config.d/50-redhat.conf'
+        exists: true
+    backends:
+        ansible: off
+        bash: off

linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/ansible/shared.yml

@@ -0,0 +1,19 @@
+# platform = multi_platform_all
+# complexity = low
+# strategy = configure
+# disruption = low
+# reboot = false
+
+-   name: "{{{ rule_title }}} - Ensure That Drop In SSH Config Files are Included"
+    ansible.builtin.lineinfile:
+      path: "/etc/ssh/sshd_config"
+      line: "Include /etc/ssh/sshd_config.d/*.conf"
+      regexp: "^Include /etc/ssh/sshd_config.d/\\*.conf"
+      state: present
+
+-   name: "{{{ rule_title }}} - Ensure That System Crypto Policies are Included"
+    ansible.builtin.lineinfile:
+      path: "/etc/ssh/ssh_config.d/50-redhat.conf"
+      regexp: "Include /etc/crypto-policies/back-ends/opensshserver.config"
+      line: "Include /etc/crypto-policies/back-ends/opensshserver.config"
+      state: present

linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/bash/shared.sh

@@ -0,0 +1,4 @@
+# platform = multi_platform_all
+
+echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
+echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/ssh_config.d/50-redhat.conf

linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/oval/shared.xml

@@ -0,0 +1,32 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+        {{{ oval_metadata("Ensure SSHD to include the system crypto policy") }}}
+        <criteria>
+            <criterion test_ref="test_{{{ rule_id }}}_include_sshd_drop_in"></criterion>
+            <criterion test_ref="test_{{{ rule_id }}}_include_sshd_include_system_crypto"></criterion>
+        </criteria>
+    </definition>
+
+    <ind:textfilecontent54_test id="test_{{{ rule_id }}}_include_sshd_drop_in"
+                                comment="Ensure that drop in config files are included" version="1" check="all">
+        <ind:object object_ref="obj_{{{ rule_id }}}_include_sshd_drop_in"/>
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_include_sshd_drop_in" version="1">
+        <ind:filepath operation="pattern match">/etc/ssh/sshd_config</ind:filepath>
+        <ind:pattern operation="pattern match">^Include /etc/ssh/sshd_config.d/\*.conf$</ind:pattern>
+        <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+
+
+    <ind:textfilecontent54_test id="test_{{{ rule_id }}}_include_sshd_include_system_crypto"
+                                comment="Ensure that drop in config files are included" version="1" check="all">
+        <ind:object object_ref="obj_{{{ rule_id }}}_include_sshd_drop_in"/>
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_object id="obj_{{{ rule_id }}}_include_sshd_include_system_crypto" version="1">
+        <ind:filepath operation="pattern match">/etc/ssh/sshd_config</ind:filepath>
+        <ind:pattern operation="pattern match">^Include /etc/crypto-policies/back-ends/opensshserver\.config</ind:pattern>
+        <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+</def-group>

linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/rule.yml

@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'SSHD Must Include System Crypto Policy Config File'
+
+description: |-
+    SSHD should follow the system cryptographic policy.
+    In order to accomplish this the SSHD configuration should include the system
+
+rationale: |-
+    Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-90566-1
+
+references:
+    disa: CCI-001453
+    nist: AC-17 (2)
+    srg: SRG-OS-000250-GPOS-00093

linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/default_pass.pass.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ grep -q "Include /etc/crypto-policies/back-ends/opensshserver.config" /etc/ssh/ssh_config.d/*.conf /etc/ssh/sshd_config -ne 0 ]; then
+  echo "Include /etc/crypto-policies/back-ends/opensshserver.config" >> /etc/ssh/ssh_config.d/50-redhat.conf
+fi
+
+if [ grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config -ne 0 ]; then
+  echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/ssh_config
+fi

linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_crypto.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+sed -i '/Include/d' /etc/ssh/sshd_config
+
+if [ grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config -ne 0 ]; then
+  echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/ssh_config.d/50-redhat.conf
+fi

linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_drop_in.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+sed -i '/Include/d' /etc/ssh/sshd_config
+
+if [ grep -q "Include /etc/ssh/sshd_config.d/*.conf" /etc/ssh/sshd_config -ne 0 ]; then
+  echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/ssh_config
+fi

linux_os/guide/services/ssh/ssh_server/sshd_include_crypto_policy/tests/no_includes.fail.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/Include/d' /etc/ssh/sshd_config

shared/references/cce-redhat-avail.txt

@@ -1243,7 +1243,6 @@ CCE-88595-4
 CCE-88596-2
 CCE-88597-0
 CCE-88598-8
-CCE-88599-6
 CCE-88600-2
 CCE-88601-0
 CCE-88602-8
@@ -2506,7 +2505,6 @@ CCE-90562-0
 CCE-90563-8
 CCE-90564-6
 CCE-90565-3
-CCE-90566-1
 CCE-90570-3
 CCE-90574-5
 CCE-90575-2