Add docs for create srg export

controls/stig_rhel9/SRG-OS-000004-GPOS-00004.yml

@@ -13,6 +13,4 @@ controls:
             - audit_rules_usergroup_modification_opasswd
             - audit_rules_usergroup_modification_passwd
             - audit_rules_usergroup_modification_shadow
-            - audit_ospp_general
-            - audit_rules_for_ospp
         status: automated

docs/manual/developer/03_creating_content.md

@@ -1366,3 +1366,57 @@ $ utils/controleval.py stats -i cis_rhel7 -l l2_server
 ```
 
 For more details about the `controleval.py` too, run `utils/controleval.py --help`.
+
+### Creating spreadsheets for submission
+Sometimes a control file needs to be exported to format specific for review.
+
+#### DISA STIGs
+##### Getting Started
+In order for export for DISA the IDs of your control must be SRG ID form the General Purpose Operating System SRG.
+
+If you have an existing product that you want to base your new STIG you can create the skeleton with the following command:
+
+    $ ./utils/build_stig_control.py --split -p rhel9 -m shared/references/disa-os-srg-v2r1.xml -o controls/stig_rhel9.yml
+
+The manual (`-m`) should be an SRG XML from DISA.  
+
+##### Filling out content
+Every control in the policy file will create at least one row in the export.
+For every rule on the control there will be row in the exported SRG.
+
+Below is the mapping from fields in the Compliance as Code to field in the spreadsheet.
+The **bolded** items are under direct control of  content authors.
+
+* IA Control -> DISA OS SRG XML
+  * As of v2r1 that field is blank
+* CCI -> DISA OS SRG XML
+* SRGID -> The control id
+* SRG Requirement ->  DISA OS SRG XML
+* **Requirement** -> The rule's description or if there are no rules the control's description.
+* SRG VulDiscussion -> DISA OS SRG XML
+* **Vul Discussion** -> Rule's rationale
+* **Status** -> Control
+  * If there are rules the status will be `Applicable - Configurable`
+  * The status can be set on the control as well
+* SRG Check -> DISA OS SRG XML
+* **Check** -> OCIL and OCIL clause from the rule
+  * The first part of the check comes from OCIL of the rule
+  * The last part is "If {OCIL clause}, then it is a finding"
+* SRG Fix -> DISA OS SRG XML
+  * As of V2R1 that field is blank
+* **Fix** -> Rule's fix
+* **Severity** -> DISA OS SRG XML or Control
+  * By default, it comes from the DISA OS SRG
+  * Can be overridden by the control
+* **Mitigation** -> Control
+* **Artifact Description** -> Control
+* **Status Justification** -> Control
+* **Status** -> Control
+
+#### Exporting
+To export the spreadsheet use the following command:
+
+    $ ./utils/create_srg_export.py -c controls/stig_rhel9.yml -p rhel9
+
+The output will be out in CSV file in build directory.
+The file will be a csv file named as the UNIX timestamp of when the file was created.

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml

@@ -54,11 +54,24 @@ references:
     stigid@rhel8: RHEL-08-020010
     vmmsrg: SRG-OS-000021-VMM-000050
 
-ocil_clause: 'that is not the case'
+ocil_clause: 'limiting the number of failed logon attempts for users is not configured'
 
 ocil: |-
     To ensure the failed password attempt policy is configured correctly, run the following command:
     <pre>$ grep pam_faillock /etc/pam.d/system-auth</pre>
     The output should show <tt>deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}}</tt>.
 
+fix: |-
+    Configure the operating system to lock an account when three unsuccessful logon attempts occur.
+
+    Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
+
+    auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0
+    auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
+    account required pam_faillock.so
+
+    The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
+
+    $ sudo systemctl restart sssd.service
+
 platform: pam

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml

@@ -49,12 +49,29 @@ references:
     stigid@rhel7: RHEL-07-010330
     stigid@rhel8: RHEL-08-020022
 
-ocil_clause: 'that is not the case'
+ocil_clause: 'limiting the number of failed logon attempts for the root user is not configured'
 
 ocil: |-
     To ensure that even the <tt>root</tt> account is locked after a defined number of failed password
     attempts, run the following command:
     <pre>$ grep even_deny_root /etc/pam.d/system-auth</pre>
     The output should show <tt>even_deny_root</tt>.
 
+fix: |-
+    Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes.
+
+    Add/Modify the appropriate sections of the <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> files to match the following lines:
+
+    <pre>
+    auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0
+    auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
+    account required pam_faillock.so
+    </pre>
+
+    The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
+
+    <pre>
+    $ sudo systemctl restart sssd.service
+    </pre>
+
 platform: pam

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml

@@ -64,4 +64,21 @@ ocil: |-
     <pre>$ grep pam_faillock /etc/pam.d/system-auth</pre>
     The output should show <tt>unlock_time=&lt;some-large-number&gt;</tt> or <tt>0</tt> for <tt>never</tt>.
 
+fix: |-
+    Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes.
+
+    Add/Modify the appropriate sections of the <tt>/etc/pam.d/system-auth</tt> and <tt>/etc/pam.d/password-auth</tt> files to match the following lines:
+
+    <pre>
+    auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0
+    auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
+    account required pam_faillock.so
+    </pre>
+
+    The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
+
+    <pre>
+    $ sudo systemctl restart sssd.service
+    </pre>
+
 platform: pam

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml

@@ -52,3 +52,19 @@ ocil: |-
     to obtain its account aging and expiration information:
     <pre>$ sudo chage -l <i>ACCOUNT_NAME</i></pre>
     Verify each of these accounts has an expiration date set as documented.
+
+warnings:
+    - general: |-
+        Due to the unique requirements of each sysetem, automated
+        remediation is not available for this configuration check.
+
+
+fix: |-
+    If an emergency account must be created, configure the system to terminate the account after
+    72 hours with the following command to set an expiration date for the account.
+    Substitute "system_account_name" with the account to be created.
+
+    $ sudo chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name
+
+    The automatic expiration or disabling time period may be extended as needed until the crisis
+    is resolved.

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml

@@ -58,3 +58,10 @@ ocil: |-
     to obtain its account aging and expiration information:
     <pre>$ sudo chage -l <i>USER</i></pre>
     Verify each of these accounts has an expiration date set as documented.
+
+fix: |-
+    If a temporary account must be created configure the system to terminate the account after a 72
+    hour time period with the following command to set an expiration date on it. Substitute
+    "system_account_name" with the account to be created.
+
+    $ sudo chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers/rule.yml

@@ -37,3 +37,5 @@ ocil_clause: 'there is not output'
 ocil: |-
     To verify that auditing is configured for system administrator actions, run the following command:
     <pre>$ sudo auditctl -l | grep "watch=/etc/sudoers\|-w /etc/sudoers\"</pre>
+
+fix: '{{{ fix_audit_file_watch_rule("/etc/sudoers", "identity", "/etc/audit/rules.d/audit.rules") }}}'

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml

@@ -37,3 +37,5 @@ ocil_clause: 'there is not output'
 ocil: |-
     To verify that auditing is configured for system administrator actions, run the following command:
     <pre>$ sudo auditctl -l | grep "watch=/etc/sudoers.d\|-w /etc/sudoers.d"</pre>
+
+fix: '{{{ fix_audit_file_watch_rule("/etc/sudoers.d/", "identity", "/etc/audit/rules.d/audit.rules") }}}'

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml

@@ -76,6 +76,8 @@ ocil: |-
     If the system is configured to watch for account changes, lines should be returned for
     each file specified (and with <tt>perm=wa</tt> for each).
 
+fix: '{{{ fix_audit_file_watch_rule("/etc/group", "identity", "/etc/audit/rules.d/audit.rules") }}}'
+
 template:
     name: audit_rules_usergroup_modification
     vars:

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml

@@ -76,6 +76,8 @@ ocil: |-
     If the system is configured to watch for account changes, lines should be returned for
     each file specified (and with <tt>perm=wa</tt> for each).
 
+fix: '{{{ fix_audit_file_watch_rule("/etc/gshadow", "identity", "/etc/audit/rules.d/audit.rules") }}}'
+
 template:
     name: audit_rules_usergroup_modification
     vars:

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml

@@ -77,6 +77,8 @@ ocil: |-
     If the system is configured to watch for account changes, lines should be returned for
     each file specified (and with <tt>perm=wa</tt> for each).
 
+fix: '{{{ fix_audit_file_watch_rule("/etc/security/opasswd", "identity", "/etc/audit/rules.d/audit.rules") }}}'
+
 template:
     name: audit_rules_usergroup_modification
     vars:

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml

@@ -76,6 +76,8 @@ ocil: |-
     If the system is configured to watch for account changes, lines should be returned for
     each file specified (and with <tt>perm=wa</tt> for each).
 
+fix: '{{{ fix_audit_file_watch_rule("/etc/passwd", "identity", "/etc/audit/rules.d/audit.rules") }}}'
+
 template:
     name: audit_rules_usergroup_modification
     vars:

linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml

@@ -76,6 +76,8 @@ ocil: |-
     If the system is configured to watch for account changes, lines should be returned for
     each file specified (and with <tt>perm=wa</tt> for each).
 
+fix: '{{{ fix_audit_file_watch_rule("/etc/shadow", "identity", "/etc/audit/rules.d/audit.rules") }}}'
+
 template:
     name: audit_rules_usergroup_modification
     vars:

shared/macros.jinja

@@ -1574,3 +1574,23 @@ Operator see
     # chroot /host
     </pre>
 {{% endmacro %}}
+
+{{#
+    How to fix an audit rule that watches a file.
+
+:param path: Full path of file to watch
+:type path: str
+:param key: Auditd key for the system
+:type key: str
+:param rule_path: Full path to where the rule wil
+:type rule_path: str
+#}}
+{{% macro fix_audit_file_watch_rule(path, key, rule_path) -%}}
+Configure {{{ full_name }}} to generate audit records for all account creations, modifications, disabling, and termination events that affect <tt>{{{ path }}}</tt>.
+
+Add or update the following file system rule to <tt>{{{ rule_path }}}</tt>:
+
+-w {{{ path }}} -p wa -k {{{ key }}}
+
+The audit daemon must be restarted for the changes to take effect.
+{{% endmacro %}}