Merge pull request #12922 from Mab879/rhel9_v2r3

Update RHEL 9 STIG to V2R3

components/openssh.yml

@@ -11,12 +11,15 @@ packages:
 rules:
 - disable_host_auth
 - file_groupowner_sshd_config
+- file_groupowner_sshd_drop_in_config
 - file_groupownership_sshd_private_key
 - file_groupownership_sshd_pub_key
 - file_owner_sshd_config
+- file_owner_sshd_drop_in_config
 - file_ownership_sshd_private_key
 - file_ownership_sshd_pub_key
 - file_permissions_sshd_config
+- file_permissions_sshd_drop_in_config
 - file_permissions_sshd_private_key
 - file_permissions_sshd_pub_key
 - file_sshd_50_redhat_exists

controls/stig_rhel9.yml

@@ -2,7 +2,7 @@ policy: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
 title: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
 id: stig_rhel9
 source: https://public.cyber.mil/stigs/downloads/
-version: V2R1
+version: V2R3
 reference_type: stigid
 product: rhel9
 levels:
@@ -17,6 +17,11 @@ controls:
             - enable_authselect
             - var_authselect_profile=sssd
 
+    -   id: RHEL-09-171011
+        levels:
+            - medium
+        rules:
+            - dconf_gnome_login_banner_text
     -   id: RHEL-09-211010
         levels:
             - high
@@ -574,6 +579,22 @@ controls:
             - package_s-nail_installed
         status: automated
 
+    -   id: RHEL-09-215100
+        levels:
+            - medium
+        title: RHEL 9 must have the crypto-policies package installed.
+        rules:
+            - package_crypto-policies_installed
+        status: automated
+
+    -   id: RHEL-09-215105
+        levels:
+            - medium
+        title: RHEL 9 must implement a FIPS 140-3 compliant systemwide cryptographic policy.
+        rules:
+            - configure_crypto_policy
+        status: automated
+
     -   id: RHEL-09-231010
         levels:
             - medium
@@ -1077,8 +1098,22 @@ controls:
         title: RHEL 9 /etc/group- file must be owned by root.
         rules:
             - file_owner_backup_etc_group
+
+    -   id: RHEL-09-232103
+        title: RHEL 9 "/etc/audit/" must be owned by root.
+        levels:
+        - medium
+        rules:
+            - file_ownership_audit_configuration
         status: automated
 
+    -   id: RHEL-09-232104
+        title: RHEL 9 "/etc/audit/" must be group-owned by root.
+        levels:
+            - medium
+        rules:
+            - file_groupownership_audit_configuration
+
     -   id: RHEL-09-232105
         levels:
             - medium
@@ -1834,7 +1869,13 @@ controls:
             - harden_sshd_ciphers_openssh_conf_crypto_policy
             - sshd_approved_ciphers=stig_rhel9
         status: automated
-
+    -   id: RHEL-09-255064
+        title: The RHEL 9 SSH client must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
+        levels:
+            - medium
+        rules:
+            - harden_sshd_ciphers_openssh_conf_crypto_policy
+            - sshd_approved_ciphers=stig_rhel9
     -   id: RHEL-09-255065
         levels:
             - medium
@@ -1844,14 +1885,23 @@ controls:
         rules:
             - harden_sshd_ciphers_opensshserver_conf_crypto_policy
         status: automated
+    -   id: RHEL-09-255070
+        levels:
+            - medium
+        title: The RHEL 9 SSH client must be configured to use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH client connections.
+        rules:
+            - sshd_use_strong_macs
+            - sshd_strong_macs=stig_rhel9
 
     -   id: RHEL-09-255075
         levels:
             - medium
         title:
             RHEL 9 SSH server must be configured to use only Message Authentication Codes
             (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.
-        status: pending
+        status: automated
+        rules:
+            - configure_ssh_crypto_policy
 
     -   id: RHEL-09-255080
         levels:
@@ -1909,6 +1959,7 @@ controls:
         title: RHEL 9 SSH server configuration file must be group-owned by root.
         rules:
             - file_groupowner_sshd_config
+            - file_groupowner_sshd_drop_in_config
         status: automated
 
     -   id: RHEL-09-255110
@@ -1917,6 +1968,7 @@ controls:
         title: RHEL 9 SSH server configuration file must be owned by root.
         rules:
             - file_owner_sshd_config
+            - file_owner_sshd_drop_in_config
         status: automated
 
     -   id: RHEL-09-255115
@@ -1925,6 +1977,7 @@ controls:
         title: RHEL 9 SSH server configuration file must have mode 0600 or less permissive.
         rules:
             - file_permissions_sshd_config
+            - file_permissions_sshd_drop_in_config
         status: automated
 
     -   id: RHEL-09-255120
@@ -2255,6 +2308,7 @@ controls:
         title: RHEL 9 must have the USBGuard package installed.
         rules:
             - package_usbguard_installed
+            - service_usbguard_enabled
         status: automated
 
     -   id: RHEL-09-291020
@@ -2789,7 +2843,7 @@ controls:
             rounds.
         rules:
             - accounts_password_pam_unix_rounds_password_auth
-            - var_password_pam_unix_rounds=5000
+            - var_password_pam_unix_rounds=100000
         status: automated
 
     -   id: RHEL-09-611055
@@ -3203,16 +3257,6 @@ controls:
             - rsyslog_remote_access_monitoring
         status: automated
 
-    -   id: RHEL-09-652035
-        levels:
-            - medium
-        title:
-            RHEL 9 must be configured to offload audit records onto a different system
-            from the system being audited via syslog.
-        rules:
-            - auditd_audispd_syslog_plugin_activated
-        status: automated
-
     -   id: RHEL-09-652040
         levels:
             - medium
@@ -3470,7 +3514,7 @@ controls:
             individuals or roles appointed by the ISSM) to select which auditable events are
             to be audited.
         rules:
-            - file_permissions_etc_audit_rulesd
+            - file_permissions_audit_configuration
         status: automated
 
     -   id: RHEL-09-653115
@@ -4046,14 +4090,6 @@ controls:
             - set_password_hashing_algorithm_passwordauth
         status: automated
 
-    -   id: RHEL-09-672010
-        levels:
-            - medium
-        title: RHEL 9 must have the crypto-policies package installed.
-        rules:
-            - package_crypto-policies_installed
-        status: automated
-
     -   id: RHEL-09-672015
         levels:
             - high
@@ -4101,14 +4137,6 @@ controls:
             - configure_openssl_tls_crypto_policy
         status: automated
 
-    -   id: RHEL-09-672045
-        levels:
-            - medium
-        title: RHEL 9 must implement a system-wide encryption policy.
-        rules:
-            - configure_crypto_policy
-        status: automated
-
     -   id: RHEL-09-672050
         levels:
             - medium

linux_os/guide/auditing/auditd_configure_rules/file_permissions_audit_configuration/rule.yml

@@ -22,6 +22,11 @@ identifiers:
     cce@rhel9: CCE-88002-1
     cce@rhel10: CCE-88067-4
 
+references:
+    disa: CCI-000171
+    nist: AU-12 b
+    srg: SRG-OS-000063-GPOS-00032
+
 ocil: |-
     {{{ describe_file_permissions(file="/etc/audit/", perms="0640") }}}
     {{{ describe_file_permissions(file="/etc/audit/rules.d/", perms="0640") }}}

linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/policy/stig/shared.yml

@@ -0,0 +1,19 @@
+srg_requirement: |-
+    {{{ full_name }}} SSH server configuration file must be group-owned by root.
+
+vuldiscussion: |-
+    Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.
+
+checktext: |-
+    Verify the group ownership of the "/etc/ssh/sshd_config.d" directory and files under it with the following command:
+
+    $ ls -al /etc/ssh/sshd_config.d/*
+
+    rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config
+
+    If the "/etc/ssh/sshd_config" file does not have a group owner of "root", this is a finding.
+
+fixtext: |-
+    Configure the "/etc/ssh/sshd_config" file to be group-owned by root with the following command:
+
+    $ sudo chgrp -R root /etc/ssh/sshd_config.d

linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/rule.yml

@@ -0,0 +1,46 @@
+documentation_complete: true
+
+
+title: 'Verify Group Who Owns SSH Server config file'
+
+description: |-
+    {{{ describe_file_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}
+
+rationale: |-
+    Service configuration files enable or disable features of their respective
+    services that if configured incorrectly can lead to insecure and vulnerable
+    configurations. Therefore, service configuration files should be owned by the
+    correct group to prevent unauthorized changes.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86253-2
+    cce@rhel10: CCE-86254-0
+
+references:
+    cis-csc: 12,13,14,15,16,18,3,5
+    cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+    disa: CCI-000366
+    isa-62443-2009: 4.3.3.7.3
+    isa-62443-2013: 'SR 2.1,SR 5.2'
+    iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+    nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
+    nist: AC-17(a),CM-6(a),AC-6(1)
+    nist-csf: PR.AC-4,PR.DS-5
+    srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}
+
+fixtext: '{{{ fixtext_file_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+
+srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/ssh/sshd_config.d", group="root") }}}'
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/ssh/sshd_config.d/
+        gid_or_name: '0'

linux_os/guide/services/ssh/file_groupowner_sshd_drop_in_config/tests/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: PASS

linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/policy/stig/shared.yml

@@ -0,0 +1,19 @@
+srg_requirement: |-
+    {{{ full_name }}} SSH server configuration file must be owned by root.
+
+vuldiscussion: |-
+    Service configuration files enable or disable features of their respective services, which if configured incorrectly, can lead to insecure and vulnerable configurations. Therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.
+
+checktext: |-
+    Verify the ownership of the "/etc/ssh/sshd_config.d" directory and files under it with the following command:
+
+    $ ls -al /etc/ssh/sshd_config.d/*
+
+    rw-------. 1 root root 3669 Feb 22 11:34 /etc/ssh/sshd_config
+
+    If the "/etc/ssh/sshd_config" file does not have a owner of "root", this is a finding.
+
+fixtext: |-
+    Configure the "/etc/ssh/sshd_config" file to be owned by root with the following command:
+
+    $ sudo chgrp -R root /etc/ssh/sshd_config.d

linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/rule.yml

@@ -0,0 +1,47 @@
+documentation_complete: true
+
+
+title: 'Verify Owner on SSH Server config file'
+
+description: |-
+    {{{ describe_file_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}
+
+rationale: |-
+    Service configuration files enable or disable features of their respective
+    services that if configured incorrectly can lead to insecure and vulnerable
+    configurations. Therefore, service configuration files should be owned by the
+    correct group to prevent unauthorized changes.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86217-7
+    cce@rhel10: CCE-86268-0
+
+
+references:
+    cis-csc: 12,13,14,15,16,18,3,5
+    cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+    disa: CCI-000366
+    isa-62443-2009: 4.3.3.7.3
+    isa-62443-2013: 'SR 2.1,SR 5.2'
+    iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+    nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
+    nist: AC-17(a),CM-6(a),AC-6(1)
+    nist-csf: PR.AC-4,PR.DS-5
+    srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}
+
+fixtext: '{{{ fixtext_file_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+
+srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/ssh/sshd_config.d", owner="root") }}}'
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/ssh/sshd_config.d/
+        fileuid: '0'

linux_os/guide/services/ssh/file_owner_sshd_drop_in_config/tests/ocp4/e2e.yml

@@ -0,0 +1,2 @@
+---
+default_result: PASS

linux_os/guide/services/ssh/file_permissions_sshd_config/rule.yml

@@ -51,5 +51,7 @@ srg_requirement: '{{{ srg_requirement_file_permission(file="/etc/ssh/sshd_config
 template:
     name: file_permissions
     vars:
-        filepath: /etc/ssh/sshd_config
+        filepath:
+            - /etc/ssh/sshd_config
+            - /etc/ssh/sshd_config.d
         filemode: '0600'