From b1e0e7fc7679ecbe04630165ba139ce0d033824e Mon Sep 17 00:00:00 2001
From: MITRE SAF
Date: Tue, 28 Nov 2023 00:29:08 +0000
Subject: [PATCH] Automated ingestion of profiles
Signed-off-by: MITRE SAF
---
 ...dhat-enterprise-linux-8-stig-baseline.json | 34 ++++++++++---------
 1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json b/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json
index 65cce212..e87eae23 100644
--- a/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json
+++ b/src/assets/data/baselineProfiles/redhat-enterprise-linux-8-stig-baseline.json 
@@ -4226,8 +4226,8 @@ "desc": "Using an authentication device, such as a DoD Common Access Card (CAC)\nor token that is separate from the information system, ensures that even if the\ninformation system is compromised, credentials stored on the authentication\ndevice will not be affected.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n RHEL 8 includes multiple options for configuring certificate status\nchecking, but for this requirement focuses on the System Security Services\nDaemon (SSSD). By default, sssd performs Online Certificate Status Protocol\n(OCSP) checking and certificate verification using a sha256 digest function.", "descriptions": { "default": "Using an authentication device, such as a DoD Common Access Card (CAC)\nor token that is separate from the information system, ensures that even if the\ninformation system is compromised, credentials stored on the authentication\ndevice will not be affected.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n RHEL 8 includes multiple options for configuring certificate status\nchecking, but for this requirement focuses on the System Security Services\nDaemon (SSSD). 
By default, sssd performs Online Certificate Status Protocol\n(OCSP) checking and certificate verification using a sha256 digest function.", - "check": "Verify the operating system implements certificate status checking for\nmultifactor authentication.\n\n Check to see if Online Certificate Status Protocol (OCSP) is enabled and\nusing the proper digest value on the system with the following command:\n\n $ sudo grep certificate_verification /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf | grep -v \"^#\"\n\n certificate_verification = ocsp_dgst=sha1\n\n If the certificate_verification line is missing from the [sssd] section, or\nis missing \"ocsp_dgst=sha1\", ask the administrator to indicate what type of\nmultifactor authentication is being utilized and how the system implements\ncertificate status checking. If there is no evidence of certificate status\nchecking being used, this is a finding.", - "fix": "Configure the operating system to implement certificate status checking for\nmultifactor authentication.\n\n Review the \"/etc/sssd/sssd.conf\" file to determine if the system is\nconfigured to prevent OCSP or certificate verification.\n\n Add the following line to the \"/etc/sssd/sssd.conf\" file:\n\n certificate_verification = ocsp_dgst=sha1\n\n The \"sssd\" service must be restarted for the changes to take effect. 
To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service"
+ "check": "Verify the operating system implements certificate status checking for multifactor authentication.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:\n\n$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v \"^#\"\n\ncertificate_verification = ocsp_dgst=sha1\n\nIf the certificate_verification line is missing from the [sssd] section, or is missing \"ocsp_dgst=sha1\", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.",
+ "fix": "Configure the operating system to implement certificate status checking for multifactor authentication.\n\nReview the \"/etc/sssd/sssd.conf\" file to determine if the system is configured to prevent OCSP or certificate verification.\n\nAdd the following line to the [sssd] section of the \"/etc/sssd/sssd.conf\" file:\n\ncertificate_verification = ocsp_dgst=sha1\n\nThe \"sssd\" service must be restarted for the changes to take effect. To restart the \"sssd\" service, run the following command:\n\n$ sudo systemctl restart sssd.service"
 },
 "impact": 0.5,
 "refs": [],
@@ -4239,9 +4239,9 @@
 "SRG-OS-000377-GPOS-00162"
 ],
 "gid": "V-230274",
- "rid": "SV-230274r743945_rule",
+ "rid": "SV-230274r858741_rule",
 "stig_id": "RHEL-08-010400",
- "fix_id": "F-32918r567569_fix",
+ "fix_id": "F-32918r809280_fix",
 "cci": [
 "CCI-001948"
 ], 
@@ -4249,7 +4249,7 @@ "IA-2 (11)" ] }, - "code": "control 'SV-230274' do\n title 'RHEL 8 must implement certificate status checking for multifactor\nauthentication.'\n desc 'Using an authentication device, such as a DoD Common Access Card (CAC)\nor token that is separate from the information system, ensures that even if the\ninformation system is compromised, credentials stored on the authentication\ndevice will not be affected.\n\n Multifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n RHEL 8 includes multiple options for configuring certificate status\nchecking, but for this requirement focuses on the System Security Services\nDaemon (SSSD). By default, sssd performs Online Certificate Status Protocol\n(OCSP) checking and certificate verification using a sha256 digest function.'\n desc 'check', 'Verify the operating system implements certificate status checking for\nmultifactor authentication.\n\n Check to see if Online Certificate Status Protocol (OCSP) is enabled and\nusing the proper digest value on the system with the following command:\n\n $ sudo grep certificate_verification /etc/sssd/sssd.conf\n/etc/sssd/conf.d/*.conf | grep -v \"^#\"\n\n certificate_verification = ocsp_dgst=sha1\n\n If the certificate_verification line is missing from the [sssd] section, or\nis missing \"ocsp_dgst=sha1\", ask the administrator to indicate what type of\nmultifactor authentication is being utilized and how the system implements\ncertificate status checking. 
If there is no evidence of certificate status\nchecking being used, this is a finding.'\n desc 'fix', 'Configure the operating system to implement certificate status checking for\nmultifactor authentication.\n\n Review the \"/etc/sssd/sssd.conf\" file to determine if the system is\nconfigured to prevent OCSP or certificate verification.\n\n Add the following line to the \"/etc/sssd/sssd.conf\" file:\n\n certificate_verification = ocsp_dgst=sha1\n\n The \"sssd\" service must be restarted for the changes to take effect. To\nrestart the \"sssd\" service, run the following command:\n\n $ sudo systemctl restart sssd.service'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00160', 'SRG-OS-000377-GPOS-00162']\n tag gid: 'V-230274'\n tag rid: 'SV-230274r743945_rule'\n tag stig_id: 'RHEL-08-010400'\n tag fix_id: 'F-32918r567569_fix'\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n describe file('/etc/sssd/sssd.conf') do\n it { should exist }\n end\n\n sssd_conf_file_contents = command('cat /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf').stdout.strip\n\n unless sssd_conf_file_contents.empty?\n describe ini({ command: 'cat /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf' }) do\n its('sssd.certificate_verification') { should cmp 'ocsp_dgst=sha1' }\n end\n end\n end\nend\n", + "code": "control 'SV-230274' do\n title 'RHEL 8 must implement certificate status checking for multifactor\nauthentication.'\n desc 'Using an authentication device, such as a DoD Common Access Card (CAC)\nor token that is separate from the information system, ensures that even if the\ninformation system is compromised, credentials stored on the authentication\ndevice will not be affected.\n\n Multifactor solutions that require devices separate from 
information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards such as the\nU.S. Government Personal Identity Verification (PIV) card and the DoD CAC.\n\n RHEL 8 includes multiple options for configuring certificate status\nchecking, but for this requirement focuses on the System Security Services\nDaemon (SSSD). By default, sssd performs Online Certificate Status Protocol\n(OCSP) checking and certificate verification using a sha256 digest function.'\n desc 'check', 'Verify the operating system implements certificate status checking for multifactor authentication.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command:\n\n$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v \"^#\"\n\ncertificate_verification = ocsp_dgst=sha1\n\nIf the certificate_verification line is missing from the [sssd] section, or is missing \"ocsp_dgst=sha1\", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.'\n desc 'fix', 'Configure the operating system to implement certificate status checking for multifactor authentication.\n\nReview the \"/etc/sssd/sssd.conf\" file to determine if the system is configured to prevent OCSP or certificate verification.\n\nAdd the following line to the [sssd] section of the \"/etc/sssd/sssd.conf\" file:\n\ncertificate_verification = ocsp_dgst=sha1\n\nThe \"sssd\" service must be restarted for the changes to take effect. 
To restart the \"sssd\" service, run the following command:\n\n$ sudo systemctl restart sssd.service'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000375-GPOS-00160'\n tag satisfies: ['SRG-OS-000375-GPOS-00160', 'SRG-OS-000377-GPOS-00162']\n tag gid: 'V-230274'\n tag rid: 'SV-230274r858741_rule'\n tag stig_id: 'RHEL-08-010400'\n tag fix_id: 'F-32918r809280_fix'\n tag cci: ['CCI-001948']\n tag nist: ['IA-2 (11)']\n\n if virtualization.system.eql?('docker')\n impact 0.0\n describe 'Control not applicable within a container' do\n skip 'Control not applicable within a container'\n end\n else\n describe file('/etc/sssd/sssd.conf') do\n it { should exist }\n end\n\n sssd_conf_file_contents = command('cat /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf').stdout.strip\n\n unless sssd_conf_file_contents.empty?\n describe ini({ command: 'cat /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf' }) do\n its('sssd.certificate_verification') { should match /ocsp_dgst(\\s+)?=(\\s+)?sha1/ }\n end\n end\n end\nend\n", "source_location": { "ref": "./Red Hat 8 STIG/controls/SV-230274.rb", "line": 1 
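Review bot: The rewritten InSpec assertion in the new `code` string, `its('sssd.certificate_verification') { should match /ocsp_dgst(\\s+)?=(\\s+)?sha1/ }`, is an unanchored substring match, so a value such as `no_ocsp, ocsp_dgst=sha1` — where sssd's `no_ocsp` option switches off the OCSP lookup this control exists to verify — now passes, whereas the previous `should cmp 'ocsp_dgst=sha1'` rejected it. The `fix` text updated in the same commit (hunk at -4226) tells the reviewer to look for configuration that prevents OCSP or certificate verification, so the code should do the same: keep the whitespace-tolerant match and add `its('sssd.certificate_verification') { should_not match /no_ocsp|no_verification/ }`. `(\\s+)?` is equivalent to `\\s*` and reads more clearly. Whether the `ini` resource returns the full comma-separated value for that key is not visible here; confirm before relying on the negative match.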
@@ -8485,12 +8485,12 @@ "id": "SV-230518" }, { - "title": "RHEL 8 must ensure a password complexity module is enabled.", - "desc": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks. \"pwquality\" enforces complex password construction\nconfiguration and has the ability to limit brute-force attacks on the system.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. This is set in both:\n /etc/pam.d/password-auth\n /etc/pam.d/system-auth\n\n Note the value of \"retry\" set in these configuration files should be\nbetween \"1\" and \"3\". Manual changes to the listed files may be overwritten\nby the \"authselect\" program.", + "title": "RHEL 8 must ensure the password complexity module is enabled in the password-auth file.", + "desc": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth", "descriptions": { - "default": "Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks. \"pwquality\" enforces complex password construction\nconfiguration and has the ability to limit brute-force attacks on the system.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. 
This is set in both:\n /etc/pam.d/password-auth\n /etc/pam.d/system-auth\n\n Note the value of \"retry\" set in these configuration files should be\nbetween \"1\" and \"3\". Manual changes to the listed files may be overwritten\nby the \"authselect\" program.", - "check": "Verify the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\n Check for the use of \"pwquality\" with the following commands:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password required pam_pwquality.so retry=3\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password required pam_pwquality.so retry=3\n\n If both commands do not return a line containing the value\n\"pam_pwquality.so\", or the line is commented out, this is a finding.\n\n If the value of \"retry\" is set to \"0\" or greater than \"3\", this is a\nfinding.", - "fix": "Configure the operating system to use \"pwquality\" to enforce password\ncomplexity rules.\n\n Add the following line to both \"/etc/pam.d/password-auth\" and\n\"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n\n password required pam_pwquality.so retry=3" + "default": "Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth", + "check": "Verify the operating system uses \"pwquality\" to enforce the password complexity rules. 
\n\nCheck for the use of \"pwquality\" in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so \n\nIf the command does not return a line containing the value \"pam_pwquality.so\" as shown, or the line is commented out, this is a finding.",
+ "fix": "Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so"
 },
 "impact": 0.5,
 "refs": [], 
@@ -8498,17 +8498,19 @@
 "severity": "medium",
 "gtitle": "SRG-OS-000069-GPOS-00037",
 "gid": "V-230356",
- "rid": "SV-230356r627750_rule",
+ "rid": "SV-230356r902728_rule",
 "stig_id": "RHEL-08-020100",
- "fix_id": "F-33000r567815_fix",
+ "fix_id": "F-33000r902727_fix",
 "cci": [
- "CCI-000192"
+ "CCI-000192",
+ "CCI-000366"
 ],
 "nist": [
- "IA-5 (1) (a)"
+ "IA-5 (1) (a)",
+ "CM-6 b"
 ]
 },
- "code": "control 'SV-230356' do\n title 'RHEL 8 must ensure a password complexity module is enabled.'\n desc 'Use of a complex password helps to increase the time and resources\nrequired to compromise the password. Password complexity, or strength, is a\nmeasure of the effectiveness of a password in resisting attempts at guessing\nand brute-force attacks. \"pwquality\" enforces complex password construction\nconfiguration and has the ability to limit brute-force attacks on the system.\n\n RHEL 8 utilizes \"pwquality\" as a mechanism to enforce password\ncomplexity. This is set in both:\n /etc/pam.d/password-auth\n /etc/pam.d/system-auth\n\n Note the value of \"retry\" set in these configuration files should be\nbetween \"1\" and \"3\". 
Manual changes to the listed files may be overwritten\nby the \"authselect\" program.'\n desc 'check', 'Verify the operating system uses \"pwquality\" to enforce the password\ncomplexity rules.\n\n Check for the use of \"pwquality\" with the following commands:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password required pam_pwquality.so retry=3\n\n $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality\n\n password required pam_pwquality.so retry=3\n\n If both commands do not return a line containing the value\n\"pam_pwquality.so\", or the line is commented out, this is a finding.\n\n If the value of \"retry\" is set to \"0\" or greater than \"3\", this is a\nfinding.'\n desc 'fix', 'Configure the operating system to use \"pwquality\" to enforce password\ncomplexity rules.\n\n Add the following line to both \"/etc/pam.d/password-auth\" and\n\"/etc/pam.d/system-auth\" (or modify the line to have the required value):\n\n password required pam_pwquality.so retry=3'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-230356'\n tag rid: 'SV-230356r627750_rule'\n tag stig_id: 'RHEL-08-020100'\n tag fix_id: 'F-33000r567815_fix'\n tag cci: ['CCI-000192']\n tag nist: ['IA-5 (1) (a)']\n\n max_retry = input('max_retry')\n\n describe pam('/etc/pam.d/passwd') do\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so') }\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so').all_with_integer_arg('retry', '>=', 1) }\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so').all_with_integer_arg('retry', '<=', max_retry) }\n end\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so') }\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so').all_with_integer_arg('retry', '>=', 1) }\n its('lines') { should 
match_pam_rule('password (required|requisite) pam_pwquality.so').all_with_integer_arg('retry', '<=', max_retry) }\n end\nend\n", + "code": "control 'SV-230356' do\n title 'RHEL 8 must ensure the password complexity module is enabled in the password-auth file.'\n desc 'Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \"pwquality\" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.\n\nRHEL 8 utilizes \"pwquality\" as a mechanism to enforce password complexity. This is set in both:\n/etc/pam.d/password-auth\n/etc/pam.d/system-auth'\n desc 'check', 'Verify the operating system uses \"pwquality\" to enforce the password complexity rules. \n\nCheck for the use of \"pwquality\" in the password-auth file with the following command:\n\n $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality\n\n password requisite pam_pwquality.so \n\nIf the command does not return a line containing the value \"pam_pwquality.so\" as shown, or the line is commented out, this is a finding.'\n desc 'fix', 'Configure the operating system to use \"pwquality\" to enforce password complexity rules.\n\nAdd the following line to the \"/etc/pam.d/password-auth\" file (or modify the line to have the required value):\n\n password requisite pam_pwquality.so'\n impact 0.5\n tag severity: 'medium'\n tag gtitle: 'SRG-OS-000069-GPOS-00037'\n tag gid: 'V-230356'\n tag rid: 'SV-230356r902728_rule'\n tag stig_id: 'RHEL-08-020100'\n tag fix_id: 'F-33000r902727_fix'\n tag cci: ['CCI-000192', 'CCI-000366']\n tag nist: ['IA-5 (1) (a)', 'CM-6 b']\n\n describe pam('/etc/pam.d/passwd') do\n its('lines') { should match_pam_rule('password (required|requisite) pam_pwquality.so') }\n end\n describe pam('/etc/pam.d/password-auth') do\n its('lines') { should 
match_pam_rule('password (required|requisite) pam_pwquality.so') }\n end\nend\n",
 "source_location": {
 "ref": "./Red Hat 8 STIG/controls/SV-230356.rb",
 "line": 1
@@ -15576,7 +15578,7 @@
 "id": "controls/SV-230400.rb"
 }
 ],
- "sha256": "1d75630b68d525cf1c187f7f4391aad0e50929c7406027ef2756caa76b0b460c",
+ "sha256": "88903fd2c802c7fd886590aacc1beada94805178be987a0d9482085a311487eb",
 "status_message": "",
 "status": "loaded",
 "generator": {
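Review bot: The new `code` string still carries `describe pam('/etc/pam.d/passwd')`, a file the control's updated `check` text never mentions — the prose on the new side scopes this control to `/etc/pam.d/password-auth` only. On a stock RHEL 8 install I believe `/etc/pam.d/passwd` reaches pam_pwquality through a `substack system-auth` line rather than listing the module directly, so unless the profile's `pam` resource follows substack/include (not visible here), that describe block can raise a finding on a host the manual check would pass. Either confirm the resource resolves includes and add a one-line comment above the block saying so, or drop the `passwd` describe so the automated test matches the documented check. The removal of the `max_retry` input and the `retry` bounds mirrors the removed prose and needs no further change.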