Merge pull request #12376 from Mab879/rhel10_stig_rules_update

Update RHEL 10 STIG Selections
ComplianceAsCode · Sep 18, 2024 · db7b59b · db7b59b
2 parents b2f8f74 + 8e8e245
commit db7b59b
Show file tree

Hide file tree

Showing 17 changed files with 31 additions and 7 deletions.
diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
@@ -22,7 +22,7 @@ controls:
             - sshd_approved_macs=stig_extended
             - sshd_approved_ciphers=stig_extended
             - sshd_idle_timeout_value=10_minutes
-            - var_accounts_authorized_local_users_regex=rhel8
+            - var_accounts_authorized_local_users_regex=rhel9
             - var_account_disable_post_pw_expiration=35
             - login_banner_text=dod_banners
             - var_authselect_profile=sssd

diff --git a/controls/srg_gpos/SRG-OS-000031-GPOS-00012.yml b/controls/srg_gpos/SRG-OS-000031-GPOS-00012.yml
@@ -6,4 +6,5 @@ controls:
             visible on the display with a publicly viewable image.
         rules:
             - configure_tmux_lock_after_time
+            - dconf_gnome_screensaver_mode_blank
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000073-GPOS-00041.yml b/controls/srg_gpos/SRG-OS-000073-GPOS-00041.yml
@@ -11,4 +11,6 @@ controls:
             - set_password_hashing_algorithm_systemauth
             - set_password_hashing_min_rounds_logindefs
             - accounts_password_all_shadowed_sha512
+            - var_password_hashing_algorithm_pam=sha512
+            - var_password_pam_unix_rounds=5000
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000163-GPOS-00072.yml b/controls/srg_gpos/SRG-OS-000163-GPOS-00072.yml
@@ -13,4 +13,5 @@ controls:
             - sshd_set_keepalive
             - accounts_tmout
             - var_accounts_tmout=15_min
+            - var_sshd_set_keepalive=1
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000324-GPOS-00125.yml b/controls/srg_gpos/SRG-OS-000324-GPOS-00125.yml
@@ -13,4 +13,8 @@ controls:
             - sysctl_fs_protected_hardlinks
             - sysctl_fs_protected_symlinks
             - package_sudo_installed
+            - sudo_remove_no_authenticate
+            - sudo_remove_nopasswd
+            - sudo_require_reauthentication
+            - disallow_bypass_password_sudo
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000343-GPOS-00134.yml b/controls/srg_gpos/SRG-OS-000343-GPOS-00134.yml
@@ -8,6 +8,7 @@ controls:
         rules:
             - auditd_data_retention_action_mail_acct
             - auditd_data_retention_admin_space_left_action
+            - var_auditd_admin_space_left_action=single
             - auditd_data_retention_admin_space_left_percentage
             - var_auditd_admin_space_left_percentage=5pc
             - auditd_data_retention_space_left_action

diff --git a/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml b/controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
@@ -8,4 +8,6 @@ controls:
             - aide_periodic_cron_checking
             - package_aide_installed
             - package_s-nail_installed
+            - aide_build_database
+            - aide_use_fips_hashes
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000433-GPOS-00192.yml b/controls/srg_gpos/SRG-OS-000433-GPOS-00192.yml
@@ -8,4 +8,5 @@ controls:
             - sysctl_kernel_kptr_restrict
             - bios_enable_execution_restrictions
             - grub2_slub_debug_argument
+            - sysctl_kernel_exec_shield
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml b/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml
@@ -11,4 +11,6 @@ controls:
             - enable_dracut_fips_module
             - enable_fips_mode
             - sysctl_crypto_fips_enabled
+            - aide_use_fips_hashes
+            - configure_kerberos_crypto_policy
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -17,6 +17,7 @@ controls:
             - file_groupowner_etc_gshadow
             - file_groupowner_etc_passwd
             - file_groupowner_etc_shadow
+            - file_owner_grub2_cfg
             - file_groupowner_grub2_cfg
             - file_owner_cron_d
             - file_owner_cron_daily
@@ -66,6 +67,8 @@ controls:
             - no_files_unowned_by_user
             - file_owner_cron_deny
             - file_groupowner_cron_deny
+            - file_permission_user_init_files_root
+            - var_user_initialization_files_regex=all_dotfiles
 
             # service disabled
             # - service_rngd_enabled - this rule was removed because it does bring questionable value on modern systems
@@ -98,7 +101,6 @@ controls:
             - package_firewalld_installed
             - package_gnutls-utils_installed
             - package_rng-tools_installed
-            - package_MFEhiplsm_installed
             - package_nss-tools_installed
             - package_policycoreutils-python-utils_installed
             - package_policycoreutils_installed
@@ -146,6 +148,7 @@ controls:
             - sysctl_net_ipv6_conf_default_accept_source_route
             - sysctl_net_ipv4_conf_all_accept_redirects
             - sysctl_net_ipv4_conf_all_accept_source_route
+            - sysctl_net_ipv4_conf_all_forwarding
             - sysctl_net_ipv4_conf_default_accept_source_route
             - sysctl_net_ipv4_conf_all_rp_filter
             - sysctl_net_ipv4_conf_default_rp_filter
@@ -155,6 +158,7 @@ controls:
             - sysctl_net_ipv4_conf_default_accept_redirects
             - sysctl_net_ipv4_conf_default_send_redirects
             - sysctl_net_ipv4_ip_forward
+            - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
             - sysctl_kernel_core_pattern
             - sysctl_kernel_kexec_load_disabled
             - sysctl_kernel_unprivileged_bpf_disabled
@@ -238,5 +242,7 @@ controls:
             - tftpd_uses_secure_mode
             - display_login_attempts
             - installed_OS_is_vendor_supported
+            - selinux_all_devicefiles_labeled
+            - xwindows_remove_packages
 
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000730-GPOS-00190.yml b/controls/srg_gpos/SRG-OS-000730-GPOS-00190.yml
@@ -10,3 +10,7 @@ controls:
             - var_password_pam_maxclassrepeat=3
             - var_password_pam_dictcheck=1
             - accounts_password_pam_dictcheck
+            - var_password_hashing_algorithm_pam=sha512
+            - var_password_pam_unix_rounds=5000
+            - var_password_pam_remember=5
+            - var_password_pam_remember_control_flag=requisite_or_required
diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_remove_packages/rule.yml
@@ -28,6 +28,7 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-83411-9
     cce@rhel9: CCE-84106-4
+    cce@rhel10: CCE-88391-8
     cce@sle12: CCE-92242-7
     cce@sle15: CCE-91362-4
 

diff --git a/...x_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml b/...x_os/guide/system/accounts/accounts-session/file_permission_user_init_files_root/rule.yml
@@ -20,6 +20,7 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-86106-2
     cce@rhel9: CCE-87087-3
+    cce@rhel10: CCE-89585-4
 
 references:
     disa: CCI-000366

diff --git a/...rk-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml b/...rk-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_forwarding/rule.yml
@@ -15,6 +15,7 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-86220-1
     cce@rhel9: CCE-87181-4
+    cce@rhel10: CCE-87420-6
 
 references:
     disa: CCI-000366

diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/rule.yml
@@ -25,6 +25,7 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-80866-7
     cce@rhel9: CCE-85920-7
+    cce@rhel10: CCE-90192-6
 
 references:
     cis-csc: 1,11,12,13,14,15,16,18,2,3,5,6,7,8,9

diff --git a/..._os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml b/..._os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/rule.yml
@@ -21,6 +21,7 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-86404-1
     cce@rhel9: CCE-88939-4
+    cce@rhel10: CCE-90260-1
 
 references:
     cis-csc: 2,3

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -529,7 +529,6 @@ CCE-87412-3
 CCE-87413-1
 CCE-87418-0
 CCE-87419-8
-CCE-87420-6
 CCE-87422-2
 CCE-87426-3
 CCE-87427-1
@@ -1133,7 +1132,6 @@ CCE-88387-6
 CCE-88388-4
 CCE-88389-2
 CCE-88390-0
-CCE-88391-8
 CCE-88392-6
 CCE-88393-4
 CCE-88394-2
@@ -1854,7 +1852,6 @@ CCE-89580-5
 CCE-89582-1
 CCE-89583-9
 CCE-89584-7
-CCE-89585-4
 CCE-89586-2
 CCE-89588-8
 CCE-89590-4
@@ -2266,7 +2263,6 @@ CCE-90183-5
 CCE-90188-4
 CCE-90189-2
 CCE-90190-0
-CCE-90192-6
 CCE-90193-4
 CCE-90194-2
 CCE-90195-9
@@ -2319,7 +2315,6 @@ CCE-90255-1
 CCE-90256-9
 CCE-90258-5
 CCE-90259-3
-CCE-90260-1
 CCE-90263-5
 CCE-90264-3
 CCE-90265-0