Merge pull request #12298 from ericeberry/master

Ubuntu 22.04 STIG V2R1 changes

controls/srg_gpos/SRG-OS-000356-GPOS-00144.yml

@@ -8,4 +8,7 @@ controls:
         rules:
             - var_time_service_set_maxpoll=18_hours
             - chronyd_or_ntpd_set_maxpoll
+            {{% if 'ubuntu' in product %}}
+            - chronyd_sync_clock
+            {{% endif %}}
         status: automated

controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml

@@ -12,6 +12,9 @@ controls:
             - ensure_gpgcheck_globally_activated
             - ensure_gpgcheck_local_packages
             - ensure_gpgcheck_never_disabled
+            {{% if 'ubuntu' in product %}}
+            - apt_conf_disallow_unauthenticated
+            {{% endif %}}
             {{% if 'rhel' in product %}}
             - ensure_redhat_gpgkey_installed
             {{% endif %}}

linux_os/guide/auditing/package_audit_installed/rule.yml

@@ -21,7 +21,7 @@ references:
     cis@sle15: 4.1.1.1
     cis@ubuntu2004: 4.1.1.1
     cis@ubuntu2204: 4.1.1.1
-    disa: CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000172,CCI-001464,CCI-001487,CCI-001814,CCI-001875,CCI-001876,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914,CCI-002884,CCI-000169
+    disa: CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000172,CCI-001464,CCI-001487,CCI-001814,CCI-001875,CCI-001876,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914,CCI-002884,CCI-000169,CCI-003938
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(C),164.310(a)(2)(iv),164.310(d)(2)(iii),164.312(b)
     nerc-cip: CIP-004-6 R3.3,CIP-007-3 R6.5
     nist: AC-7(a),AU-7(1),AU-7(2),AU-14,AU-12(2),AU-2(a),CM-6(a)

linux_os/guide/auditing/service_auditd_enabled/rule.yml

@@ -40,7 +40,7 @@ references:
     cjis: 5.4.1.1
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.3.1,3.3.2,3.3.6
-    disa: CCI-000126,CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000172,CCI-000366,CCI-001464,CCI-001487,CCI-001814,CCI-001875,CCI-001876,CCI-001877,CCI-002884,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914,CCI-000169
+    disa: CCI-000126,CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000172,CCI-000366,CCI-001464,CCI-001487,CCI-001814,CCI-001875,CCI-001876,CCI-001877,CCI-002884,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914,CCI-000169,CCI-003938
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(5)(ii)(C),164.310(a)(2)(iv),164.310(d)(2)(iii),164.312(b)
     isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'

linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml

@@ -12,5 +12,7 @@ rationale: |-
 severity: unknown
 
 references:
+    disa: CCI-003992
+    srg: SRG-OS-000366-GPOS-00153
     stigid@ubuntu2004: UBTU-20-010438
     stigid@ubuntu2204: UBTU-22-214010

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml

@@ -82,7 +82,7 @@ identifiers:
 references:
     cis-csc: 1,14,15,16,3,5,6
     cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
-    disa: CCI-001891,CCI-002046
+    disa: CCI-001891,CCI-002046,CCI-004923
     isa-62443-2009: 4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9'
     iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1

linux_os/guide/services/ntp/chronyd_sync_clock/rule.yml

@@ -22,7 +22,7 @@ rationale: |-
 severity: medium
 
 references:
-    disa: CCI-002046
+    disa: CCI-002046,CCI-004926
     srg: SRG-OS-000356-GPOS-00144
     stigid@ubuntu2004: UBTU-20-010436
     stigid@ubuntu2204: UBTU-22-252015

linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml

@@ -28,7 +28,7 @@ identifiers:
     cce@rhel10: CCE-90625-5
 
 references:
-    disa: CCI-000765,CCI-000766,CCI-000767,CCI-000768
+    disa: CCI-000765,CCI-000766,CCI-000767,CCI-000768,CCI-004047
     srg: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055
     stigid@ubuntu2004: UBTU-20-010033
     stigid@ubuntu2204: UBTU-22-612020

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml

@@ -41,7 +41,6 @@ references:
     pcidss: Req-8.2.5
     srg: SRG-OS-000077-GPOS-00045
     stigid@ubuntu2004: UBTU-20-010070
-    stigid@ubuntu2204: UBTU-22-611050
 
 ocil_clause: 'the value of remember is not equal to or greater than the expected value'
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml

@@ -36,7 +36,7 @@ references:
     cis@ubuntu2004: 5.3.1
     cis@ubuntu2204: 5.4.1
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
-    disa: CCI-000194
+    disa: CCI-000194,CCI-004066
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
     ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml

@@ -37,7 +37,7 @@ references:
     cis-csc: 1,12,15,16,5
     cjis: 5.6.2.1.1
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
-    disa: CCI-000195
+    disa: CCI-000195,CCI-004066
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
     iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml

@@ -36,7 +36,7 @@ references:
     cis@ubuntu2004: 5.3.1
     cis@ubuntu2204: 5.4.1
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
-    disa: CCI-000193
+    disa: CCI-000193,CCI-004066
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
     ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml

@@ -36,7 +36,7 @@ references:
     cis@ubuntu2204: 5.4.1
     cjis: 5.6.2.1.1
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
-    disa: CCI-000205
+    disa: CCI-000205,CCI-004066
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
     ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml

@@ -38,7 +38,7 @@ references:
     cis@ubuntu2004: 5.3.1
     cis@ubuntu2204: 5.4.1
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
-    disa: CCI-001619
+    disa: CCI-001619,CCI-004066
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
     ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml

@@ -33,7 +33,7 @@ references:
     cis@ubuntu2004: 5.3.1
     cis@ubuntu2204: 5.4.1
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
-    disa: CCI-000192,CCI-000193
+    disa: CCI-000192,CCI-000193,CCI-004066
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
     ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml

@@ -54,7 +54,7 @@ references:
     cjis: 5.6.2.2
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
     cui: 3.13.11
-    disa: CCI-000196,CCI-000803
+    disa: CCI-000196,CCI-000803,CCI-004062
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
     ism: 0418,1055,1402

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml

@@ -33,7 +33,7 @@ identifiers:
     cce@sle15: CCE-83268-3
 
 references:
-    disa: CCI-000056,CCI-000058,CCI-000060
+    disa: CCI-000056,CCI-000057,CCI-000058,CCI-000060
     nist@sle12: AC-11(a),AC-11(b),AC-11(1)
     srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
     stigid@ol8: OL08-00-020043

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml

@@ -47,7 +47,7 @@ identifiers:
     cce@slmicro5: CCE-93761-5
 
 references:
-    disa: CCI-000765,CCI-001948,CCI-001953,CCI-001954
+    disa: CCI-000765,CCI-000766,CCI-001948,CCI-001953,CCI-001954,CCI-004046,CCI-004047
     nist: CM-6(a)
     pcidss: Req-8.3
     srg: SRG-OS-000105-GPOS-00052,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000377-GPOS-00162

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_crl/rule.yml

@@ -19,7 +19,7 @@ rationale: |-
 severity: medium
 
 references:
-    disa: CCI-001991
+    disa: CCI-001991,CCI-004068
     srg: SRG-OS-000384-GPOS-00167
     stigid@ubuntu2004: UBTU-20-010066
     stigid@ubuntu2204: UBTU-22-612035

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml

@@ -55,7 +55,7 @@ identifiers:
     cce@sle15: CCE-85556-9
 
 references:
-    disa: CCI-000765,CCI-000766,CCI-000767,CCI-000768,CCI-000187,CCI-001948,CCI-001953,CCI-001954
+    disa: CCI-000765,CCI-000766,CCI-000767,CCI-000768,CCI-000187,CCI-001948,CCI-001953,CCI-001954,CCI-004047
     nist@sle12: IA-2(1),IA-2(1).1,IA-2(2),IA-2(2).1,IA-2(3),IA-2(3).1,IA-2(4),IA-2(4).1,IA-5(2),IA-5(2).1,IA-5(2)(c),IA-2(11),IA-2(12)
     srg: SRG-OS-000068-GPOS-00036,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162
     stigid@sle12: SLES-12-030520

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/policy_temp_passwords_immediate_change/rule.yml

@@ -34,7 +34,6 @@ references:
     srg: SRG-OS-000380-GPOS-00165
     stigid@sle12: SLES-12-010660
     stigid@ubuntu2004: UBTU-20-010440
-    stigid@ubuntu2204: UBTU-22-411020
 
 ocil_clause: 'any temporary or emergency accounts have no expiration date set or do not expire within a documented time frame'
 

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml

@@ -41,7 +41,7 @@ references:
     cjis: 5.6.2.1
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
     cui: 3.5.6
-    disa: CCI-000199
+    disa: CCI-000199,CCI-004066
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
     ism: 0418,1055,1402

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml

@@ -40,7 +40,7 @@ references:
     cjis: 5.6.2.1.1
     cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
     cui: 3.5.8
-    disa: CCI-000198
+    disa: CCI-000198,CCI-004066
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
     ism: 0418,1055,1402
@@ -60,7 +60,7 @@ references:
 ocil_clause: 'the "PASS_MIN_DAYS" parameter value is not "{{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}" or greater, or is commented out'
 
 ocil: |-
-    Verify {{{ full_name }}} enforces 24 hours/1 day as the minimum password lifetime for new user accounts.
+    Verify {{{ full_name }}} enforces 24 hours/one day as the minimum password lifetime for new user accounts.
 
     Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command:
 
@@ -69,13 +69,13 @@ ocil: |-
     PASS_MIN_DAYS {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}</pre>
 
 fixtext: |-
-    Configure {{{ full_name }}} to enforce 24 hours/1 day as the minimum password lifetime.
+    Configure {{{ full_name }}} to enforce 24 hours/one day as the minimum password lifetime.
 
     Add the following line in "/etc/login.defs" (or modify the line to have the required value):
 
     PASS_MIN_DAYS {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}
 
 srg_requirement: |-
-    {{{ full_name }}} passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.
+    {{{ full_name }}} passwords for new users or password changes must have a 24 hours/one day minimum password lifetime restriction in /etc/login.defs.
 
 platform: package[shadow-utils]

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_set_post_pw_existing/rule.yml

@@ -26,7 +26,7 @@ references:
     cis@sle15: 5.4.1.5
     cobit5: DSS01.03,DSS03.05,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
     cui: 3.5.6
-    disa: CCI-000017,CCI-000795
+    disa: CCI-000017,CCI-000795,CCI-003627,CCI-003628
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 6.2'
     iso27001-2013: A.12.4.1,A.12.4.3,A.18.1.4,A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5

linux_os/guide/system/accounts/accounts-restrictions/root_logins/prevent_direct_root_logins/rule.yml

@@ -15,7 +15,7 @@ rationale: |-
 severity: medium
 
 references:
-    disa: CCI-000770
+    disa: CCI-000770,CCI-004045
     srg: SRG-OS-000109-GPOS-00056
     stigid@ubuntu2004: UBTU-20-010408
     stigid@ubuntu2204: UBTU-22-411010

linux_os/guide/system/software/integrity/endpoint_security_software/install_endpoint_security_software/rule.yml

@@ -19,7 +19,6 @@ severity: medium
 
 references:
     disa: CCI-001233
-    stigid@ubuntu2204: UBTU-22-211010
 
 fixtext: |-
     Install an Endpoint Security Solution that can provide a continuous mechanism to

linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml

@@ -37,7 +37,6 @@ references:
     stigid@rhel8: RHEL-08-010001
     stigid@sle12: SLES-12-010599
     stigid@ubuntu2004: UBTU-20-010415
-    stigid@ubuntu2204: UBTU-22-211010
 
 ocil_clause: 'the package is not installed'
 

linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml

@@ -30,7 +30,7 @@ references:
     cis-csc: 1,12,15,16,5
     cis@ubuntu2204: 5.3.4
     cobit5: DSS05.04,DSS05.10,DSS06.03,DSS06.10
-    disa: CCI-002038
+    disa: CCI-002038,CCI-004895
     isa-62443-2009: 4.3.3.5.1,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
     iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3

products/ubuntu2204/profiles/stig.profile

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-title: 'Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V1R1'
+title: 'Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V2R1'
 
 description: |-
     This Security Technical Implementation Guide is published as a tool to
@@ -26,7 +26,7 @@ selections:
     # UBTU-22-612040 The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication.
     - verify_use_mappers
 
-    # UBTU-22-411025 The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.
+    # UBTU-22-411025 The Ubuntu operating system must enforce 24 hours/one day as the minimum password lifetime. Passwords for new users must have a 24 hours/one day minimum password lifetime restriction.
     - var_accounts_minimum_age_login_defs=1
     - accounts_minimum_age_login_defs
 
@@ -154,10 +154,6 @@ selections:
     # UBTU-22-612035 The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.
     - smartcard_configure_crl
 
-    # UBTU-22-611050 The Ubuntu operating system must prohibit password reuse for a minimum of five generations.
-    - var_password_pam_unix_remember=5
-    - accounts_password_pam_unix_remember
-
     # UBTU-22-411045 The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
     - var_accounts_passwords_pam_faillock_deny=3
     - var_accounts_passwords_pam_faillock_fail_interval=900
@@ -436,9 +432,6 @@ selections:
     # UBTU-22-231010 Ubuntu operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
     - encrypt_partitions
 
-    # UBTU-22-211010 The Ubuntu operating system must deploy an Endpoint Security Solution.
-    - install_endpoint_security_software
-
     # UBTU-22-232026 The Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
     - permissions_local_var_log
 
@@ -512,9 +505,6 @@ selections:
     # UBTU-22-431015 The Ubuntu operating system must be configured to use AppArmor.
     - apparmor_configured
 
-    # UBTU-22-411020 The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password.
-    - policy_temp_passwords_immediate_change
-
     # UBTU-22-631015 The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
     - sssd_offline_cred_expiration