From 4baa8594a2751e2c39d0aadf28af4c299a42c26d Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 27 Aug 2024 17:47:22 -0500
Subject: [PATCH 01/12] Update titles for upgrade to SRG GPOS to V3R1
---
 controls/srg_gpos/SRG-OS-000024-GPOS-00007.yml | 9 +++------
 controls/srg_gpos/SRG-OS-000069-GPOS-00037.yml | 4 ++--
 controls/srg_gpos/SRG-OS-000070-GPOS-00038.yml | 4 ++--
 controls/srg_gpos/SRG-OS-000072-GPOS-00040.yml | 4 ++--
 controls/srg_gpos/SRG-OS-000075-GPOS-00043.yml | 2 +-
 controls/srg_gpos/SRG-OS-000076-GPOS-00044.yml | 2 +-
 controls/srg_gpos/SRG-OS-000108-GPOS-00055.yml | 4 ++--
 controls/srg_gpos/SRG-OS-000113-GPOS-00058.yml | 6 ++----
 controls/srg_gpos/SRG-OS-000123-GPOS-00064.yml | 4 ++--
 controls/srg_gpos/SRG-OS-000138-GPOS-00069.yml | 4 ++--
 controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml | 7 ++++---
 controls/srg_gpos/SRG-OS-000269-GPOS-00103.yml | 6 +++---
 controls/srg_gpos/SRG-OS-000276-GPOS-00106.yml | 15 +++++++++------
 controls/srg_gpos/SRG-OS-000304-GPOS-00121.yml | 4 ++--
 controls/srg_gpos/SRG-OS-000324-GPOS-00125.yml | 8 +++-----
 controls/srg_gpos/SRG-OS-000341-GPOS-00132.yml | 8 +++-----
 controls/srg_gpos/SRG-OS-000355-GPOS-00143.yml | 11 ++++++-----
 controls/srg_gpos/SRG-OS-000395-GPOS-00175.yml | 7 +++----
 controls/srg_gpos/SRG-OS-000403-GPOS-00182.yml | 6 +++---
 19 files changed, 55 insertions(+), 60 deletions(-)
diff --git a/controls/srg_gpos/SRG-OS-000024-GPOS-00007.yml b/controls/srg_gpos/SRG-OS-000024-GPOS-00007.yml
index 15826d7e146..a88ee082aa7 100644
--- a/controls/srg_gpos/SRG-OS-000024-GPOS-00007.yml
+++ b/controls/srg_gpos/SRG-OS-000024-GPOS-00007.yml
@@ -2,12 +2,9 @@ controls: - id: SRG-OS-000024-GPOS-00007 levels: - medium - - title: |- - {{{ full_name }}} must display the Standard Mandatory DoD Notice and Consent Banner until - users acknowledge the usage conditions and take explicit actions to log on for - further access. - + title: '{{{ full_name }}} must display the Standard Mandatory DoD Notice and Consent + Banner until users acknowledge the usage conditions and take explicit actions + to log on for further access.' status: does not meet rationale: |- The banner must be acknowledged by the user prior to allowing the user access to the operating system. diff --git a/controls/srg_gpos/SRG-OS-000069-GPOS-00037.yml b/controls/srg_gpos/SRG-OS-000069-GPOS-00037.yml index 96c17fc62f1..435b885d1d5 100644 --- a/controls/srg_gpos/SRG-OS-000069-GPOS-00037.yml +++ b/controls/srg_gpos/SRG-OS-000069-GPOS-00037.yml @@ -1,9 +1,9 @@ controls: - id: SRG-OS-000069-GPOS-00037 + title: '{{{ full_name }}} must enforce password complexity by requiring that at + least one uppercase character be used.' levels: - medium - title: {{{ full_name }}} must enforce password complexity by requiring that at - least one upper-case character be used. rules: - var_password_pam_retry=3 - accounts_password_pam_enforce_root diff --git a/controls/srg_gpos/SRG-OS-000070-GPOS-00038.yml b/controls/srg_gpos/SRG-OS-000070-GPOS-00038.yml index e3e6f09d30d..fd9632c482b 100644 --- a/controls/srg_gpos/SRG-OS-000070-GPOS-00038.yml +++ b/controls/srg_gpos/SRG-OS-000070-GPOS-00038.yml @@ -1,9 +1,9 @@ controls: - id: SRG-OS-000070-GPOS-00038 + title: '{{{ full_name }}} must enforce password complexity by requiring that at + least one lowercase character be used.' levels: - medium - title: {{{ full_name }}} must enforce password complexity by requiring that at - least one lower-case character be used. rules: - accounts_password_pam_enforce_root - var_password_pam_lcredit=1 
diff --git a/controls/srg_gpos/SRG-OS-000072-GPOS-00040.yml b/controls/srg_gpos/SRG-OS-000072-GPOS-00040.yml index 81a04712103..5a1e25d8d1c 100644 --- a/controls/srg_gpos/SRG-OS-000072-GPOS-00040.yml +++ b/controls/srg_gpos/SRG-OS-000072-GPOS-00040.yml @@ -1,9 +1,9 @@ controls: - id: SRG-OS-000072-GPOS-00040 + title: '{{{ full_name }}} must require the change of at least 50 percent of the + total number of characters when passwords are changed.' levels: - medium - title: {{{ full_name }}} must require the change of at least 50% of the total - number of characters when passwords are changed. rules: - accounts_password_pam_difok - var_password_pam_difok=8 diff --git a/controls/srg_gpos/SRG-OS-000075-GPOS-00043.yml b/controls/srg_gpos/SRG-OS-000075-GPOS-00043.yml index d5dd419383d..d3a1f30a44f 100644 --- a/controls/srg_gpos/SRG-OS-000075-GPOS-00043.yml +++ b/controls/srg_gpos/SRG-OS-000075-GPOS-00043.yml @@ -1,8 +1,8 @@ controls: - id: SRG-OS-000075-GPOS-00043 + title: {{{ full_name }}} must enforce 24 hours/1 day as the minimum password lifetime. levels: - medium - title: {{{ full_name }}} must enforce 24 hours/1 day as the minimum password lifetime. rules: - var_accounts_minimum_age_login_defs=1 - accounts_minimum_age_login_defs diff --git a/controls/srg_gpos/SRG-OS-000076-GPOS-00044.yml b/controls/srg_gpos/SRG-OS-000076-GPOS-00044.yml index 2ae4ede9ded..8e65bb7a1bf 100644 --- a/controls/srg_gpos/SRG-OS-000076-GPOS-00044.yml +++ b/controls/srg_gpos/SRG-OS-000076-GPOS-00044.yml @@ -1,8 +1,8 @@ controls: - id: SRG-OS-000076-GPOS-00044 + title: Operating systems must enforce a 60-day maximum password lifetime restriction. levels: - medium - title: {{{ full_name }}} must enforce a 60-day maximum password lifetime restriction. rules: - var_accounts_maximum_age_login_defs=60 - accounts_maximum_age_login_defs diff --git a/controls/srg_gpos/SRG-OS-000108-GPOS-00055.yml b/controls/srg_gpos/SRG-OS-000108-GPOS-00055.yml index 1eb3ad2dc76..d493b7bc6cb 100644 
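Review bot: The new title for SRG-OS-000076-GPOS-00044 replaces the `{{{ full_name }}}` template with the literal words `Operating systems`, so the rendered title no longer names the product, while the sibling hunks in this commit (SRG-OS-000069, -000070, -000072, -000075) keep the template; the same literal substitution appears in SRG-OS-000123-GPOS-00064, SRG-OS-000138-GPOS-00069, SRG-OS-000228-GPOS-00088 and SRG-OS-000269-GPOS-00103. If the intent is to quote the V3R1 SRG verbatim this is defensible, but these control files are a per-product mapping and every other title here templates the name, so the mixed form will read as an oversight in the generated SRG tables. Suggested: `title: {{{ full_name }}} must enforce a 60-day maximum password lifetime restriction.`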
--- a/controls/srg_gpos/SRG-OS-000108-GPOS-00055.yml +++ b/controls/srg_gpos/SRG-OS-000108-GPOS-00055.yml @@ -1,9 +1,9 @@ controls: - id: SRG-OS-000108-GPOS-00055 + title: '{{{ full_name }}} must use multifactor authentication for local access to + nonprivileged accounts.' levels: - medium - title: {{{ full_name }}} must use multifactor authentication for local access - to non-privileged accounts. rules: - sshd_enable_pubkey_auth - configure_opensc_card_drivers diff --git a/controls/srg_gpos/SRG-OS-000113-GPOS-00058.yml b/controls/srg_gpos/SRG-OS-000113-GPOS-00058.yml index 37d01e84ca2..0aabf903733 100644 --- a/controls/srg_gpos/SRG-OS-000113-GPOS-00058.yml +++ b/controls/srg_gpos/SRG-OS-000113-GPOS-00058.yml @@ -2,10 +2,8 @@ controls: - id: SRG-OS-000113-GPOS-00058 levels: - medium - title: {{{ full_name }}} must implement replay-resistant authentication mechanisms for - network access to non-privileged accounts. - - status: inherently met + title: '{{{ full_name }}} must implement replay-resistant authentication mechanisms + for network access to nonprivileged accounts.' check: |- {{{ full_name }}} supports this requirement and cannot be configured to be out of compliance. {{{ full_name }}} inherently meets this requirement. diff --git a/controls/srg_gpos/SRG-OS-000123-GPOS-00064.yml b/controls/srg_gpos/SRG-OS-000123-GPOS-00064.yml index d76f034aec9..27511ab2ffa 100644 --- a/controls/srg_gpos/SRG-OS-000123-GPOS-00064.yml +++ b/controls/srg_gpos/SRG-OS-000123-GPOS-00064.yml @@ -1,9 +1,9 @@ controls: - id: SRG-OS-000123-GPOS-00064 + title: The information system must automatically remove or disable emergency accounts + after the crisis is resolved or 72 hours. levels: - medium - title: {{{ full_name }}} must automatically remove or disable emergency accounts - after the crisis is resolved or 72 hours. rules: - account_temp_expire_date status: automated 
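Review bot: The hunk for SRG-OS-000113-GPOS-00058 deletes `status: inherently met` together with the old title but never adds a status back, and the diffstat for this file (2 insertions, 4 deletions) shows no other hunk restoring it, so the control is left with no `status:` while its `check:` text still asserts the requirement is inherently met. I cannot see from here what the SRG export tooling does with a missing status, but it is unlikely to equal the explicit value, so the reported posture for this replay-resistance requirement may change silently. Keep the line next to the new title: `status: inherently met`.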
diff --git a/controls/srg_gpos/SRG-OS-000138-GPOS-00069.yml b/controls/srg_gpos/SRG-OS-000138-GPOS-00069.yml index e33d680b962..308b6dd58c5 100644 --- a/controls/srg_gpos/SRG-OS-000138-GPOS-00069.yml +++ b/controls/srg_gpos/SRG-OS-000138-GPOS-00069.yml @@ -1,9 +1,9 @@ controls: - id: SRG-OS-000138-GPOS-00069 + title: Operating systems must prevent unauthorized and unintended information transfer + via shared system resources. levels: - medium - title: {{{ full_name }}} must prevent unauthorized and unintended information transfer - via shared system resources. rules: - dir_perms_world_writable_sticky_bits - dir_perms_world_writable_root_owned diff --git a/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml b/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml index c5d62cc8324..c0d324dd846 100644 --- a/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml +++ b/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml @@ -1,10 +1,11 @@ controls: - id: SRG-OS-000228-GPOS-00088 - levels: - - medium - title: Any publicly accessible connection to {{{ full_name }}} must display + title: Any publically accessible connection to the operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + + levels: + - medium rules: - sshd_enable_warning_banner - banner_etc_issue diff --git a/controls/srg_gpos/SRG-OS-000269-GPOS-00103.yml b/controls/srg_gpos/SRG-OS-000269-GPOS-00103.yml index a95e8013da2..02d55e0b9aa 100644 --- a/controls/srg_gpos/SRG-OS-000269-GPOS-00103.yml +++ b/controls/srg_gpos/SRG-OS-000269-GPOS-00103.yml 
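Review bot: The reordered SRG-OS-000228-GPOS-00088 block adds two consecutive blank lines between the title and `levels:` inside the list item, which no other file in this series does (SRG-OS-000355-GPOS-00143 adds a single one); drop them so the key-order move is the only change. The title's `publically` also differs from the `publicly` it replaces — if that is the SRG's verbatim wording leave it, otherwise it is a misspelling introduced here.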
@@ -1,10 +1,10 @@ controls: - id: SRG-OS-000269-GPOS-00103 - levels: - - medium - title: In the event of a system failure, {{{ full_name }}} must preserve any + title: In the event of a system failure, the operating system must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. + levels: + - medium status: automated rules: - service_systemd-journald_enabled diff --git a/controls/srg_gpos/SRG-OS-000276-GPOS-00106.yml b/controls/srg_gpos/SRG-OS-000276-GPOS-00106.yml index 2fdfde876f0..1c248d42049 100644 --- a/controls/srg_gpos/SRG-OS-000276-GPOS-00106.yml +++ b/controls/srg_gpos/SRG-OS-000276-GPOS-00106.yml @@ -1,14 +1,17 @@ controls: - id: SRG-OS-000276-GPOS-00106 + title: '{{{ full_name }}} must notify system administrators and ISSOs when accounts + are disabled. ' levels: - medium - title: {{{ full_name }}} must notify system administrators and ISSOs when accounts are disabled. - rules: - - audit_rules_usergroup_modification_passwd - status: does not meet mitigation: |- Mitigate with third-party software. Although the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement. - status_justification: - Notification when accounts are created/modified/deleted must be provided by a third-party application that will communicate that an audit record of these actions has been created. + rules: + - audit_rules_usergroup_modification_passwd + status: does not meet + status_justification: |- + Notification when accounts are created/modified/deleted must + be provided by a third-party application that will communicate that an audit record + of these actions has been created. diff --git a/controls/srg_gpos/SRG-OS-000304-GPOS-00121.yml b/controls/srg_gpos/SRG-OS-000304-GPOS-00121.yml index f3d1bea594f..cc90fc9fdd3 100644 --- a/controls/srg_gpos/SRG-OS-000304-GPOS-00121.yml 
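Review bot: The new single-quoted title for SRG-OS-000276-GPOS-00106 ends with a space before the closing quote (`are disabled. '`), so that trailing space becomes part of the value and will appear in exported tables and break any exact-match comparison against the SRG text. Change the closing line to `are disabled.'`. The same block also moves `rules`, `status` and `status_justification` below `mitigation`; that is harmless YAML but leaves this file in a different key order from every other control in the series.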
+++ b/controls/srg_gpos/SRG-OS-000304-GPOS-00121.yml @@ -1,9 +1,9 @@ controls: - id: SRG-OS-000304-GPOS-00121 + title: '{{{ full_name }}} must notify system administrators (SAs) and information + system security officers (ISSOs) of account enabling actions.' levels: - medium - title: {{{ full_name }}} must notify system administrators and ISSOs of account - enabling actions. rules: - audit_rules_sudoers - audit_rules_sudoers_d diff --git a/controls/srg_gpos/SRG-OS-000324-GPOS-00125.yml b/controls/srg_gpos/SRG-OS-000324-GPOS-00125.yml index 54aa1d61156..dbc93f8b8ec 100644 --- a/controls/srg_gpos/SRG-OS-000324-GPOS-00125.yml +++ b/controls/srg_gpos/SRG-OS-000324-GPOS-00125.yml @@ -1,12 +1,10 @@ controls: - id: SRG-OS-000324-GPOS-00125 + title: '{{{ full_name }}} must prevent nonprivileged users from executing privileged + functions to include disabling, circumventing, or altering implemented security + safeguards/countermeasures.' levels: - high - title: |- - {{{ full_name }}} must prevent nonprivileged users from executing privileged functions - to include disabling, circumventing, or altering implemented security - safeguards/countermeasures. - rules: - disable_ctrlaltdel_burstaction - disable_ctrlaltdel_reboot diff --git a/controls/srg_gpos/SRG-OS-000341-GPOS-00132.yml b/controls/srg_gpos/SRG-OS-000341-GPOS-00132.yml index 22996a02dcf..80c82219468 100644 --- a/controls/srg_gpos/SRG-OS-000341-GPOS-00132.yml +++ b/controls/srg_gpos/SRG-OS-000341-GPOS-00132.yml 
@@ -1,12 +1,10 @@ controls: - id: SRG-OS-000341-GPOS-00132 + title: '{{{ full_name }}} must allocate audit record storage capacity to store at + least one week''s worth of audit records, when audit records are not immediately + sent to a central audit record storage facility.' levels: - low - title: |- - {{{ full_name }}} must allocate audit record storage capacity to store at least - one week's worth of audit records, when audit records are not immediately sent to a - central audit record storage facility. - rules: - grub2_audit_backlog_limit_argument - partition_for_var_log_audit diff --git a/controls/srg_gpos/SRG-OS-000355-GPOS-00143.yml b/controls/srg_gpos/SRG-OS-000355-GPOS-00143.yml index a1d02357d24..62dbeff86c2 100644 --- a/controls/srg_gpos/SRG-OS-000355-GPOS-00143.yml +++ b/controls/srg_gpos/SRG-OS-000355-GPOS-00143.yml @@ -1,12 +1,13 @@ controls: - id: SRG-OS-000355-GPOS-00143 + title: '{{{ full_name }}} must, for networked systems, compare internal information + system clocks at least every 24 hours with a server which is synchronized to one + of the redundant United States Naval Observatory (USNO) time servers, or a time + server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the + Global Positioning System (GPS).' + levels: - medium - title: {{{ full_name }}} must, for networked systems, compare internal information - system clocks at least every 24 hours with a server which is synchronized to one - of the redundant United States Naval Observatory (USNO) time servers, or a time - server designated for the appropriate DoD network (NIPRNet/SIPRNet), - and/or the Global Positioning System (GPS). rules: - chronyd_or_ntpd_set_maxpoll - chronyd_server_directive diff --git a/controls/srg_gpos/SRG-OS-000395-GPOS-00175.yml b/controls/srg_gpos/SRG-OS-000395-GPOS-00175.yml index 7c1132f71ba..43c28d2cbc6 100644 --- a/controls/srg_gpos/SRG-OS-000395-GPOS-00175.yml +++ b/controls/srg_gpos/SRG-OS-000395-GPOS-00175.yml 
@@ -2,10 +2,9 @@ controls: - id: SRG-OS-000395-GPOS-00175 levels: - medium - title: {{{ full_name }}} must verify remote disconnection at the termination of - nonlocal maintenance and diagnostic sessions, when used for nonlocal maintenance sessions. - If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. - Remote connections must be disconnected and verified as disconnected when nonlocal maintenance sessions have been terminated and are no longer available for use. + title: '{{{ full_name }}} must verify remote disconnection at the termination of + nonlocal maintenance and diagnostic sessions, when used for nonlocal maintenance + sessions.' check: {{{ full_name }}} supports this requirement and cannot be configured to be out of compliance. {{{ full_name }}} inherently meets this requirement. diff --git a/controls/srg_gpos/SRG-OS-000403-GPOS-00182.yml b/controls/srg_gpos/SRG-OS-000403-GPOS-00182.yml index df40b8ad4e6..c839bfe87b6 100644 --- a/controls/srg_gpos/SRG-OS-000403-GPOS-00182.yml +++ b/controls/srg_gpos/SRG-OS-000403-GPOS-00182.yml @@ -2,9 +2,9 @@ controls: - id: SRG-OS-000403-GPOS-00182 levels: - medium - title: {{{ full_name }}} must only allow the use of DoD PKI-established certificate - authorities for authentication in the establishment of protected sessions to - {{{ full_name }}}. + title: '{{{ full_name }}} must only allow the use of DoD PKI-established certificate + authorities for authentication in the establishment of protected sessions to the + operating system.' status: does not meet description: {{{ full_name }}} must only allow the use of DoD PKI-established certificate authorities for authentication in the establishment of protected sessions to the operating system. From 492b91df805d074f0c3501fc440dd593b774dd04 Mon Sep 17 00:00:00 2001 
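Review bot: The trimmed title for SRG-OS-000395-GPOS-00175 drops the two explanatory sentences about an unverified remote connection remaining open after nonlocal maintenance, and nothing in this hunk moves them to a `rationale:` field; the diffstat for the file (3 insertions, 4 deletions) shows no other hunk does either. Shortening the title is correct, but if the file has no `rationale:` outside this hunk the reasoning behind the requirement is lost from the control entirely. Suggest adding `rationale: |-` with the two removed sentences as its block body.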
From: Matthew Burket
Date: Tue, 27 Aug 2024 18:11:11 -0500
Subject: [PATCH 02/12] Add new controls from SRG GPOS V3R1
---
 controls/srg_gpos/SRG-OS-000590-GPOS-00110.yml | 8 ++++++++
 controls/srg_gpos/SRG-OS-000690-GPOS-00140.yml | 7 +++++++
 controls/srg_gpos/SRG-OS-000705-GPOS-00150.yml | 8 ++++++++
 controls/srg_gpos/SRG-OS-000710-GPOS-00160.yml | 8 ++++++++
 controls/srg_gpos/SRG-OS-000720-GPOS-00170.yml | 7 +++++++
 controls/srg_gpos/SRG-OS-000725-GPOS-00180.yml | 8 ++++++++
 controls/srg_gpos/SRG-OS-000730-GPOS-00190.yml | 8 ++++++++
 controls/srg_gpos/SRG-OS-000745-GPOS-00210.yml | 7 +++++++
 controls/srg_gpos/SRG-OS-000755-GPOS-00220.yml | 7 +++++++
 controls/srg_gpos/SRG-OS-000775-GPOS-00230.yml | 8 ++++++++
 controls/srg_gpos/SRG-OS-000780-GPOS-00240.yml | 8 ++++++++
 controls/srg_gpos/SRG-OS-000785-GPOS-00250.yml | 7 +++++++
 controls/srg_gpos/SRG-OS-000805-GPOS-00260.yml | 7 +++++++
 13 files changed, 98 insertions(+)
 create mode 100644 controls/srg_gpos/SRG-OS-000590-GPOS-00110.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000690-GPOS-00140.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000705-GPOS-00150.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000710-GPOS-00160.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000720-GPOS-00170.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000725-GPOS-00180.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000730-GPOS-00190.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000745-GPOS-00210.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000755-GPOS-00220.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000775-GPOS-00230.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000780-GPOS-00240.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000785-GPOS-00250.yml
 create mode 100644 controls/srg_gpos/SRG-OS-000805-GPOS-00260.yml
diff --git a/controls/srg_gpos/SRG-OS-000590-GPOS-00110.yml b/controls/srg_gpos/SRG-OS-000590-GPOS-00110.yml
new file mode 100644
index 00000000000..69e614bc8ee
--- /dev/null
+++ b/controls/srg_gpos/SRG-OS-000590-GPOS-00110.yml @@ -0,0 +1,8 @@ +controls: + - id: SRG-OS-000590-GPOS-00110 + title: '{{{ full_name }}} must disable accounts when the accounts are no longer + associated to a user.' + levels: + - medium + status: pending + diff --git a/controls/srg_gpos/SRG-OS-000690-GPOS-00140.yml b/controls/srg_gpos/SRG-OS-000690-GPOS-00140.yml new file mode 100644 index 00000000000..12e1be42c3c --- /dev/null +++ b/controls/srg_gpos/SRG-OS-000690-GPOS-00140.yml @@ -0,0 +1,7 @@ +controls: + - id: SRG-OS-000690-GPOS-00140 + title: '{{{ full_name }}} must prohibit the use or connection of unauthorized hardware + components.' + levels: + - medium + status: pending diff --git a/controls/srg_gpos/SRG-OS-000705-GPOS-00150.yml b/controls/srg_gpos/SRG-OS-000705-GPOS-00150.yml new file mode 100644 index 00000000000..3af7aa2a73a --- /dev/null +++ b/controls/srg_gpos/SRG-OS-000705-GPOS-00150.yml @@ -0,0 +1,8 @@ +controls: + - id: SRG-OS-000705-GPOS-00150 + title: '{{{ full_name }}} must implement multifactor authentication for local, network, + and/or remote access to privileged accounts and/or nonprivileged accounts such + that the device meets organization-defined strength of mechanism requirements.' + levels: + - medium + status: pending diff --git a/controls/srg_gpos/SRG-OS-000710-GPOS-00160.yml b/controls/srg_gpos/SRG-OS-000710-GPOS-00160.yml new file mode 100644 index 00000000000..49e818b4aff --- /dev/null +++ b/controls/srg_gpos/SRG-OS-000710-GPOS-00160.yml @@ -0,0 +1,8 @@ +controls: + - id: SRG-OS-000710-GPOS-00160 + title: '{{{ full_name }}} must, for password-based authentication, verify when users + create or update passwords the passwords are not found on the list of commonly-used, + expected, or compromised passwords in IA-5 (1) (a).' + levels: + - medium + status: pending diff --git a/controls/srg_gpos/SRG-OS-000720-GPOS-00170.yml b/controls/srg_gpos/SRG-OS-000720-GPOS-00170.yml new file mode 100644 index 00000000000..776dc6af3d5 
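Review bot: The new SRG-OS-000590-GPOS-00110.yml ends with an added empty line after `status: pending`, and the same trailing blank line appears in the new files for SRG-OS-000725, -000730, -000745, -000775 and -000780, while the other new controls in this commit end at the `status:` line; settle on one form (no trailing blank) so yamllint and later diffs stay quiet. Each of these controls is `status: pending` with no `rules:` key, which matches the existing convention for unmapped requirements as far as this page shows (compare the deleted SRG-OS-000126-GPOS-00066 file in patch 03), so that part is fine.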
--- /dev/null +++ b/controls/srg_gpos/SRG-OS-000720-GPOS-00170.yml @@ -0,0 +1,7 @@ +controls: + - id: SRG-OS-000720-GPOS-00170 + title: '{{{ full_name }}} must for password-based authentication, require immediate + selection of a new password upon account recovery.' + levels: + - medium + status: pending diff --git a/controls/srg_gpos/SRG-OS-000725-GPOS-00180.yml b/controls/srg_gpos/SRG-OS-000725-GPOS-00180.yml new file mode 100644 index 00000000000..2d196b09394 --- /dev/null +++ b/controls/srg_gpos/SRG-OS-000725-GPOS-00180.yml @@ -0,0 +1,8 @@ +controls: + - id: SRG-OS-000725-GPOS-00180 + title: '{{{ full_name }}} must for password-based authentication, allow user selection + of long passwords and passphrases, including spaces and all printable characters.' + levels: + - medium + status: pending + diff --git a/controls/srg_gpos/SRG-OS-000730-GPOS-00190.yml b/controls/srg_gpos/SRG-OS-000730-GPOS-00190.yml new file mode 100644 index 00000000000..bfb25579307 --- /dev/null +++ b/controls/srg_gpos/SRG-OS-000730-GPOS-00190.yml @@ -0,0 +1,8 @@ +controls: + - id: SRG-OS-000730-GPOS-00190 + title: '{{{ full_name }}} must, for password-based authentication, employ automated + tools to assist the user in selecting strong password authenticators.' + levels: + - medium + status: pending + diff --git a/controls/srg_gpos/SRG-OS-000745-GPOS-00210.yml b/controls/srg_gpos/SRG-OS-000745-GPOS-00210.yml new file mode 100644 index 00000000000..dc4e4eb868d --- /dev/null +++ b/controls/srg_gpos/SRG-OS-000745-GPOS-00210.yml @@ -0,0 +1,7 @@ +controls: + - id: SRG-OS-000745-GPOS-00210 + title: '{{{ full_name }}} must accept only external credentials that are NIST-compliant.' + levels: + - medium + status: pending + diff --git a/controls/srg_gpos/SRG-OS-000755-GPOS-00220.yml b/controls/srg_gpos/SRG-OS-000755-GPOS-00220.yml new file mode 100644 index 00000000000..9b0991f60b3 --- /dev/null +++ b/controls/srg_gpos/SRG-OS-000755-GPOS-00220.yml 
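Review bot: The titles of SRG-OS-000720-GPOS-00170 and SRG-OS-000725-GPOS-00180 read `must for password-based authentication, require` and `must for password-based authentication, allow`, with no comma after `must`, whereas the neighbouring SRG-OS-000710 and SRG-OS-000730 titles read `must, for password-based authentication,`. If these are copied verbatim from the V3R1 SRG the inconsistency is upstream's and should stay; otherwise add the missing comma so the four sibling password-authentication titles are punctuated alike.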
@@ -0,0 +1,7 @@ +controls: + - id: SRG-OS-000755-GPOS-00220 + title: '{{{ full_name }}} must monitor the use of maintenance tools that execute + with increased privilege.' + levels: + - medium + status: pending diff --git a/controls/srg_gpos/SRG-OS-000775-GPOS-00230.yml b/controls/srg_gpos/SRG-OS-000775-GPOS-00230.yml new file mode 100644 index 00000000000..5c2a81cfe93 --- /dev/null +++ b/controls/srg_gpos/SRG-OS-000775-GPOS-00230.yml @@ -0,0 +1,8 @@ +controls: + - id: SRG-OS-000775-GPOS-00230 + title: '{{{ full_name }}} must include only approved trust anchors in trust stores + or certificate stores managed by the organization.' + levels: + - medium + status: pending + diff --git a/controls/srg_gpos/SRG-OS-000780-GPOS-00240.yml b/controls/srg_gpos/SRG-OS-000780-GPOS-00240.yml new file mode 100644 index 00000000000..e3f72339188 --- /dev/null +++ b/controls/srg_gpos/SRG-OS-000780-GPOS-00240.yml @@ -0,0 +1,8 @@ +controls: + - id: SRG-OS-000780-GPOS-00240 + title: '{{{ full_name }}} must provide protected storage for cryptographic keys + with organization-defined safeguards and/or hardware protected key store.' + levels: + - medium + status: pending + diff --git a/controls/srg_gpos/SRG-OS-000785-GPOS-00250.yml b/controls/srg_gpos/SRG-OS-000785-GPOS-00250.yml new file mode 100644 index 00000000000..ad742e2e8b9 --- /dev/null +++ b/controls/srg_gpos/SRG-OS-000785-GPOS-00250.yml @@ -0,0 +1,7 @@ +controls: + - id: SRG-OS-000785-GPOS-00250 + title: '{{{ full_name }}} must synchronize system clocks within and between systems + or system components.' + levels: + - medium + status: pending diff --git a/controls/srg_gpos/SRG-OS-000805-GPOS-00260.yml b/controls/srg_gpos/SRG-OS-000805-GPOS-00260.yml new file mode 100644 index 00000000000..b8976288313 --- /dev/null +++ b/controls/srg_gpos/SRG-OS-000805-GPOS-00260.yml 
@@ -0,0 +1,7 @@ +controls: + - id: SRG-OS-000805-GPOS-00260 + title: '{{{ full_name }}} must employ automated patch management tools to facilitate + flaw remediation to the organization-defined system components.' + levels: + - medium + status: pending From 48e0210df333e8dedae01728946440dffa9df4a3 Mon Sep 17 00:00:00 2001 From: Matthew Burket Date: Tue, 27 Aug 2024 18:16:59 -0500 Subject: [PATCH 03/12] Remove in the project that SRG GPSO V3R1 removed --- .../srg_gpos/SRG-OS-000077-GPOS-00045.yml | 11 ------- .../srg_gpos/SRG-OS-000126-GPOS-00066.yml | 7 ----- .../srg_gpos/SRG-OS-000191-GPOS-00080.yml | 14 --------- .../srg_gpos/SRG-OS-000373-GPOS-00156.yml | 14 --------- .../srg_gpos/SRG-OS-000373-GPOS-00157.yml | 10 ------- .../srg_gpos/SRG-OS-000373-GPOS-00158.yml | 10 ------- .../srg_gpos/SRG-OS-000374-GPOS-00159.yml | 18 ----------- .../srg_gpos/SRG-OS-000380-GPOS-00165.yml | 30 ------------------- 8 files changed, 114 deletions(-) delete mode 100644 controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml delete mode 100644 controls/srg_gpos/SRG-OS-000126-GPOS-00066.yml delete mode 100644 controls/srg_gpos/SRG-OS-000191-GPOS-00080.yml delete mode 100644 controls/srg_gpos/SRG-OS-000373-GPOS-00156.yml delete mode 100644 controls/srg_gpos/SRG-OS-000373-GPOS-00157.yml delete mode 100644 controls/srg_gpos/SRG-OS-000373-GPOS-00158.yml delete mode 100644 controls/srg_gpos/SRG-OS-000374-GPOS-00159.yml delete mode 100644 controls/srg_gpos/SRG-OS-000380-GPOS-00165.yml diff --git a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml b/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml deleted file mode 100644 index b02b7da4198..00000000000 --- a/controls/srg_gpos/SRG-OS-000077-GPOS-00045.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -controls: - - id: SRG-OS-000077-GPOS-00045 - levels: - - medium - title: {{{ full_name }}} must prohibit password reuse for a minimum of five generations. - rules: - - var_password_pam_remember=5 - - var_password_pam_remember_control_flag=requisite_or_required - - accounts_password_pam_pwhistory_remember_password_auth - - accounts_password_pam_pwhistory_remember_system_auth - status: automated diff --git a/controls/srg_gpos/SRG-OS-000126-GPOS-00066.yml b/controls/srg_gpos/SRG-OS-000126-GPOS-00066.yml deleted file mode 100644 index 3c5f70dd57e..00000000000 --- a/controls/srg_gpos/SRG-OS-000126-GPOS-00066.yml +++ /dev/null @@ -1,7 +0,0 @@ -controls: - - id: SRG-OS-000126-GPOS-00066 - levels: - - medium - title: {{{ full_name }}} must terminate all sessions and network connections - related to nonlocal maintenance when nonlocal maintenance is completed. - status: pending diff --git a/controls/srg_gpos/SRG-OS-000191-GPOS-00080.yml b/controls/srg_gpos/SRG-OS-000191-GPOS-00080.yml deleted file mode 100644 index c9a0b4ecdd2..00000000000 --- a/controls/srg_gpos/SRG-OS-000191-GPOS-00080.yml +++ /dev/null @@ -1,14 +0,0 @@ -controls: - - id: SRG-OS-000191-GPOS-00080 - levels: - - medium - title: |- - {{{ full_name }}} must employ automated mechanisms to determine the state of system - components with regard to flaw remediation using the following frequency: - continuously, 30 days, and annually, for external scans by Computer Network - Defense Service Provider (CNDSP). - - rules: - - package_mcafeetp_installed - status: automated - diff --git a/controls/srg_gpos/SRG-OS-000373-GPOS-00156.yml b/controls/srg_gpos/SRG-OS-000373-GPOS-00156.yml deleted file mode 100644 index 7e7ee512ef6..00000000000 --- a/controls/srg_gpos/SRG-OS-000373-GPOS-00156.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -controls: - - id: SRG-OS-000373-GPOS-00156 - levels: - - medium - title: {{{ full_name }}} must require users to re-authenticate for privilege - escalation. - rules: - - use_pam_wheel_for_su - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_require_reauthentication - - disallow_bypass_password_sudo - - var_sudo_timestamp_timeout=always_prompt - status: automated diff --git a/controls/srg_gpos/SRG-OS-000373-GPOS-00157.yml b/controls/srg_gpos/SRG-OS-000373-GPOS-00157.yml deleted file mode 100644 index d046b52c6eb..00000000000 --- a/controls/srg_gpos/SRG-OS-000373-GPOS-00157.yml +++ /dev/null @@ -1,10 +0,0 @@ -controls: - - id: SRG-OS-000373-GPOS-00157 - levels: - - medium - title: {{{ full_name }}} must require users to re-authenticate when changing - roles. - rules: - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - status: automated diff --git a/controls/srg_gpos/SRG-OS-000373-GPOS-00158.yml b/controls/srg_gpos/SRG-OS-000373-GPOS-00158.yml deleted file mode 100644 index 208065e24fa..00000000000 --- a/controls/srg_gpos/SRG-OS-000373-GPOS-00158.yml +++ /dev/null @@ -1,10 +0,0 @@ -controls: - - id: SRG-OS-000373-GPOS-00158 - levels: - - medium - title: {{{ full_name }}} must require users to re-authenticate when changing - authenticators. - rules: - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - status: automated diff --git a/controls/srg_gpos/SRG-OS-000374-GPOS-00159.yml b/controls/srg_gpos/SRG-OS-000374-GPOS-00159.yml deleted file mode 100644 index 5d544932212..00000000000 --- a/controls/srg_gpos/SRG-OS-000374-GPOS-00159.yml +++ /dev/null 
@@ -1,18 +0,0 @@ -controls: - - id: SRG-OS-000374-GPOS-00159 - levels: - - medium - title: {{{ full_name }}} must require devices to re-authenticate when changing - authenticators. - status: not applicable - rationale: |- - Without re-authentication, devices may access resources or perform tasks for which they do not have authorization. - - When {{{ full_name }}} provide the capability to change device authenticators, it is critical the device re-authenticate. - check: - This requirement is NA for {{{ full_name }}}. - fixtext: - The requirement is NA. - No fix is required. - status_justification: - Devices are not assigned authenticators in {{{ full_name }}}. diff --git a/controls/srg_gpos/SRG-OS-000380-GPOS-00165.yml b/controls/srg_gpos/SRG-OS-000380-GPOS-00165.yml deleted file mode 100644 index c1a24296c71..00000000000 --- a/controls/srg_gpos/SRG-OS-000380-GPOS-00165.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -controls: - - id: SRG-OS-000380-GPOS-00165 - levels: - - medium - title: {{{ full_name }}} must allow the use of a temporary password for system - logons with an immediate change to a permanent password. - status: inherently met - rationale: |- - Without providing this capability, an account may be created without a password. - Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial logon. - - Temporary passwords are typically used to allow access when new accounts are created or passwords are changed. - It is common practice for administrators to create temporary passwords for user accounts that allow the users to log on, yet force them to change the password once they have successfully authenticated. - check: |- - {{{ full_name }}} supports this requirement and cannot be configured to be out of compliance. - {{{ full_name }}} inherently meets this requirement. - fixtext: |- - {{{ full_name }}} inherently meets this requirement. - No fix is required. - artifact_description: |- - {{{ full_name }}} offers the following commands to facilitate the use of a temporary password. - - chage -d 0 [username] - (forces the user to change their password at next logon) - - passwd -e [username] - (expires the passwd for a given user forcing a change at next logon.) - status_justification: |- - {{{ full_name }}} has the capability to perform temporary passwords based on organization policy. - Configuration is not appropriate to define at an enterprise level. From 5ebd96f05a44a07e598c169de5b5a97f6cdb8c4a Mon Sep 17 00:00:00 2001 
From: Matthew Burket
Date: Tue, 27 Aug 2024 18:18:41 -0500
Subject: [PATCH 04/12] Update SRG GPOS to V3R1
---
 .github/workflows/srg-mapping-table.yaml | 10 +-
 cmake/SSGCommon.cmake | 2 +-
 controls/srg_gpos.yml | 2 +-
 docs/manual/developer/03_creating_content.md | 2 +-
 ...a-os-srg-v2r7.xml => disa-os-srg-v3r1.xml} | 388 +++++++++---------
 .../shared_xccdf2table-profileccirefs.xslt | 2 +-
 utils/create_srg_export.py | 2 +-
 7 files changed, 207 insertions(+), 201 deletions(-)
 rename shared/references/{disa-os-srg-v2r7.xml => disa-os-srg-v3r1.xml} (76%)
diff --git a/.github/workflows/srg-mapping-table.yaml b/.github/workflows/srg-mapping-table.yaml
index 93ad0c9b80b..c3a146f1537 100644
--- a/.github/workflows/srg-mapping-table.yaml
+++ b/.github/workflows/srg-mapping-table.yaml
@@ -44,20 +44,20 @@ jobs:
run: python3 utils/create_srg_export.py -c controls/srg_ctr.yml -p ocp4 -m shared/references/disa-ctr-srg-v1r3.xml --out-format html --output $PAGES_DIR/srg-mapping-ocp4.html --prefer-controls
env:
PYTHONPATH: ${{ github.workspace }}
- - name: Generate XLSX for RHEL9
- run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v2r7.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel9.xlsx
+ - name: Generate XLSX for RHEL9disa-os-srg-v3r1.xml
+ run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/ --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel9.xlsx
env:
PYTHONPATH: ${{ github.workspace }}
- name: Generate HTML for RHEL9
- run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v2r7.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel9.html
+ run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v3r1.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel9.html
env:
PYTHONPATH: ${{ github.workspace }}
- name: Generate XLSX for RHEL10
- run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v2r7.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel10.xlsx
+ run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v3r1.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel10.xlsx
env:
PYTHONPATH: ${{ github.workspace }}
- name: Generate HTML for RHEL10
- run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v2r7.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel10.html
+ run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v3r1.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel10.html
env:
PYTHONPATH: ${{ github.workspace }}
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
index b6506054135..a2b713cedbc 100644
--- a/cmake/SSGCommon.cmake
+++ b/cmake/SSGCommon.cmake
@@ -1095,7 +1095,7 @@ macro(ssg_build_html_srgmap_tables PRODUCT)
OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html"
OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html"
COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables"
- COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_srg_table.py" --build-dir "${CMAKE_BINARY_DIR}" "${PRODUCT}" "${SSG_SHARED_REFS}/disa-os-srg-v2r7.xml" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html"
+ COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_srg_table.py" --build-dir "${CMAKE_BINARY_DIR}" "${PRODUCT}" "${SSG_SHARED_REFS}/disa-os-srg-v3r1.xml" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html"
DEPENDS ${PRODUCT}-compile-all "${CMAKE_CURRENT_BINARY_DIR}/ssg_build_compile_all-${PRODUCT}"
COMMENT "[${PRODUCT}-tables] generating HTML SRG map tables"
)
diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
index 6cf82e5582a..0649e435760 100644
--- a/controls/srg_gpos.yml
+++ b/controls/srg_gpos.yml
@@ -1,7 +1,7 @@
policy: Security Requirements Guide - General Purpose Operating System
title: Security Requirements Guide - General Purpose Operating System
id: srg_gpos
-version: 'v2r7'
+version: 'v3r1'
source: https://public.cyber.mil/stigs/downloads/
controls_dir: srg_gpos
levels:
diff --git a/docs/manual/developer/03_creating_content.md b/docs/manual/developer/03_creating_content.md
index c89155e1068..572814dc930 100644
--- a/docs/manual/developer/03_creating_content.md
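Review bot: The RHEL9 XLSX step is broken on the new side of the srg-mapping-table.yaml hunk: the new manual filename landed in the step name (`- name: Generate XLSX for RHEL9disa-os-srg-v3r1.xml`) instead of in the `-m` argument, which is now the bare directory `shared/references/`, so create_srg_export.py is presumably handed a path it cannot read as an SRG manual and that job step fails, while the sibling HTML/RHEL10 steps got the correct path. Restore the two lines as `- name: Generate XLSX for RHEL9` and `run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v3r1.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel9.xlsx`. Since the same manual path is repeated verbatim in four run lines, consider hoisting it into a job-level env var (e.g. `SRG_GPOS_MANUAL: shared/references/disa-os-srg-v3r1.xml`) so the next SRG version bump is a one-line change and cannot drift per step. The enclosing `jobs:` block starts and ends outside the hunk.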
+++ b/docs/manual/developer/03_creating_content.md
@@ -1257,7 +1257,7 @@ In order for export for DISA the IDs of your control must be SRG ID form the Gen
If you have an existing product that you want to base your new STIG you can create the skeleton with the following command:
- $ ./utils/build_stig_control.py --split -p rhel9 -m shared/references/disa-os-srg-v2r7.xml -o controls/srg_gpos.yml
+ $ ./utils/build_stig_control.py --split -p rhel9 -m shared/references/disa-os-srg-v3r1.xml -o controls/srg_gpos.yml
The manual (`-m`) should be an SRG XML from DISA.
diff --git a/shared/references/disa-os-srg-v2r7.xml b/shared/references/disa-os-srg-v3r1.xml
similarity index 76%
rename from shared/references/disa-os-srg-v2r7.xml
rename to shared/references/disa-os-srg-v3r1.xml
index 4aa04b994d7..6a4684c3d3e 100644
--- a/shared/references/disa-os-srg-v2r7.xml
+++ b/shared/references/disa-os-srg-v3r1.xml
@@ -1,18 +1,18 @@ -acceptedGeneral Purpose Operating System Security Requirements GuideThis Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 7 Benchmark Date: 24 Jan 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000001<GroupDescription></GroupDescription>SRG-OS-000001-GPOS-00001The operating system must provide automated mechanisms for supporting account management functions.<VulnDiscussion>Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors. +acceptedGeneral Purpose Operating System Security Requirements GuideThis Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 24 Jul 20243.51.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>