diff --git a/.github/workflows/unit-testing.yml b/.github/workflows/unit-testing.yml
new file mode 100644
index 0000000..dc96700
--- /dev/null
+++ b/.github/workflows/unit-testing.yml
@@ -0,0 +1,42 @@
+name: Unit Tests and coverage report
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ paths:
+ - "ReviewParser.js"
+ - "TaskObject.js"
+ - "test/**"
+ - "WATCHER-test-files/**"
+ pull_request:
+ branches:
+ - main
+ paths:
+ - "ReviewParser.js"
+ - "TaskObject.js"
+ - "test/**"
+ - "WATCHER-test-files/**"
+
+jobs:
+ build_test:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Setup Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: 18
+ - name: Install app dependencies
+ run: npm ci
+ - name: Run tests
+ run: npm test
+ - name: Upload coverage to github
+ uses: actions/upload-artifact@v3
+ if: ${{ always() }}
+ with:
+ name: coverage
+ path: coverage
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8fa2111
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+index.cjs
+coverage/
+node_modules/
+.vscode/*
\ No newline at end of file
diff --git a/README.md b/README.md
index 8800081..9d1deef 100644
--- a/README.md
+++ b/README.md
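Review bot: The three `uses:` references in the build_test job (`actions/checkout@v3`, `actions/setup-node@v3`, `actions/upload-artifact@v3`) are pinned to a mutable major tag, so the action code that runs with this repository's GITHUB_TOKEN can change without any commit here; pinning each to a full commit SHA with the tag kept in a trailing comment (`uses: actions/checkout@<full-sha> # v3`) removes that supply-chain exposure. The workflow also declares no `permissions:` block, so the job inherits the repository's default token scope although it only needs to read the checkout and upload an artifact; a top-level `permissions:` with `contents: read` limits what a compromised package pulled in by `npm ci` could do with the token. Both are one- or two-line additions to this hunk.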
@@ -1,2 +1,56 @@
 # stig-manager-client-modules
-ES and CJS modules for STIG Manager clients
+JavaScript modules for STIG Manager clients. This README and other documentation is under construction.
+
+## Using the modules in Node.js
+In the root of a project, open a terminal and execute:
+
+```
+$ npm install git+https://github.com/nuwcdivnpt/stig-manager-client-modules#rc-1
+```
+
+Importing all modules into ESM code
+
+```
+import * as StigmanLib from `stig-manager-client-modules`
+
+const result = StigmanLib.reviewsFromCkl( ... )
+const result = StigmanLib.reviewsFromCklb( ... )
+const result = StigmanLib.reviewsFromXccdf( ... )
+
+const tasks = new StigmanLib.TaskObject ( ... )
+
+```
+
+Importing an individual module into ESM code
+
+```
+import { reviewsFromCkl } from `stig-manager-client-modules`
+const result = reviewsFromCkl( ... )
+```
+
+Requiring all modules into CJS code
+
+```
+const StigmanLib = require('stig-manager-client-modules')
+
+const result = StigmanLib.reviewsFromCkl( ... )
+const result = StigmanLib.reviewsFromCklb( ... )
+const result = StigmanLib.reviewsFromXccdf( ... )
+
+const tasks = new StigmanLib.TaskObject ( ... )
+```
+
+Requiring an individual module into CJS code
+```
+const { reviewsFromCkl } = require('stig-manager-client-modules')
+
+const result = reviewsFromCkl( ... )
+```
+
+##
+
+
+
+
+
+
diff --git a/ReviewParser.js b/ReviewParser.js
new file mode 100644
index 0000000..5ff033d
--- /dev/null
+++ b/ReviewParser.js
@@ -0,0 +1,965 @@ +export function reviewsFromCkl( + { + data, + fieldSettings, + allowAccept, + importOptions, + valueProcessor, + XMLParser + }) { + + const maxCommentLength = 32767 + + const normalizeKeys = function (input) { + // lowercase and remove hyphens + if (typeof input !== 'object') return input; + if (Array.isArray(input)) return input.map(normalizeKeys); + return Object.keys(input).reduce(function (newObj, key) { + let val = input[key]; + let newVal = (typeof val === 'object') && val !== null ? normalizeKeys(val) : val; + newObj[key.toLowerCase().replace('-', '')] = newVal; + return newObj; + }, {}); + } + const resultMap = { + NotAFinding: 'pass', + Open: 'fail', + Not_Applicable: 'notapplicable', + Not_Reviewed: 'notchecked' + } + const parseOptions = { + allowBooleanAttributes: false, + attributeNamePrefix: "", + cdataPropName: "__cdata", //default is 'false' + ignoreAttributes: false, + parseTagValue: false, + parseAttributeValue: false, + removeNSPrefix: true, + trimValues: true, + tagValueProcessor: valueProcessor, + commentPropName: "__comment", + isArray: (name, jpath, isLeafNode, isAttribute) => { + return name === '__comment' || !isLeafNode + } + } + const parser = new XMLParser(parseOptions) + const parsed = parser.parse(data) + + if (!parsed.CHECKLIST) throw (new Error("No CHECKLIST element")) + if (!parsed.CHECKLIST[0].ASSET) throw (new Error("No ASSET element")) + if (!parsed.CHECKLIST[0].STIGS) throw (new Error("No STIGS element")) + + const comments = parsed['__comment'] + const resultEngineCommon = comments?.length ? 
processRootXmlComments(comments) : null + + let returnObj = {} + returnObj.target = processAsset(parsed.CHECKLIST[0].ASSET[0]) + if (!returnObj.target.name) { + throw (new Error("No host_name in ASSET")) + } + returnObj.checklists = processIStig(parsed.CHECKLIST[0].STIGS[0].iSTIG) + if (returnObj.checklists.length === 0) { + throw (new Error("STIG_INFO element has no SI_DATA for SID_NAME == stigId")) + } + return (returnObj) + + function processAsset(assetElement) { + let obj = { + name: assetElement.HOST_NAME, + description: null, + ip: assetElement.HOST_IP || null, + fqdn: assetElement.HOST_FQDN || null, + mac: assetElement.HOST_MAC || null, + noncomputing: assetElement.ASSET_TYPE === 'Non-Computing' + } + const metadata = {} + if (assetElement.ROLE) { + metadata.cklRole = assetElement.ROLE + } + if (assetElement.TECH_AREA) { + metadata.cklTechArea = assetElement.TECH_AREA + } + if (assetElement.WEB_OR_DATABASE === 'true') { + metadata.cklWebOrDatabase = 'true' + metadata.cklHostName = assetElement.HOST_NAME + if (assetElement.WEB_DB_SITE) { + metadata.cklWebDbSite = assetElement.WEB_DB_SITE + } + if (assetElement.WEB_DB_INSTANCE) { + metadata.cklWebDbInstance = assetElement.WEB_DB_INSTANCE + } + } + obj.metadata = metadata + return obj + } + + function processIStig(iStigElement) { + let checklistArray = [] + iStigElement.forEach(iStig => { + let checklist = {} + // get benchmarkId + let stigIdElement = iStig.STIG_INFO[0].SI_DATA.filter(d => d.SID_NAME === 'stigid')?.[0] + checklist.benchmarkId = stigIdElement.SID_DATA.replace('xccdf_mil.disa.stig_benchmark_', '') + // get revision data. Extract digits from version and release fields to create revisionStr, if possible. 
+ const stigVersionData = iStig.STIG_INFO[0].SI_DATA.filter(d => d.SID_NAME === 'version')?.[0].SID_DATA + let stigVersion = stigVersionData.match(/(\d+)/)?.[1] + let stigReleaseInfo = iStig.STIG_INFO[0].SI_DATA.filter(d => d.SID_NAME === 'releaseinfo')?.[0].SID_DATA + const stigRelease = stigReleaseInfo.match(/Release:\s*(.+?)\s/)?.[1] + const stigRevisionStr = stigVersion && stigRelease ? `V${stigVersion}R${stigRelease}` : null + checklist.revisionStr = stigRevisionStr + + if (checklist.benchmarkId) { + let x = processVuln(iStig.VULN) + checklist.reviews = x.reviews + checklist.stats = x.stats + checklistArray.push(checklist) + } + }) + return checklistArray + } + + function processVuln(vulnElements) { + // vulnElements is an array of this object: + // { + // COMMENTS + // FINDING_DETAILS + // SEVERITY_JUSTIFICATION + // SEVERITY_OVERRIDE + // STATUS + // STIG_DATA [26] + // } + + let vulnArray = [] + let resultStats = { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + } + vulnElements?.forEach(vuln => { + const review = generateReview(vuln, resultEngineCommon) + if (review) { + vulnArray.push(review) + resultStats[review.result]++ + } + }) + + return { + reviews: vulnArray, + stats: resultStats + } + } + + function generateReview(vuln, resultEngineCommon) { + let result = resultMap[vuln.STATUS] + if (!result) return + const ruleId = getRuleIdFromVuln(vuln) + if (!ruleId) return + + const hasComments = !!vuln.FINDING_DETAILS || !!vuln.COMMENTS + + if (result === 'notchecked') { // unreviewed business rules + switch (importOptions.unreviewed) { + case 'never': + return undefined + case 'commented': + result = hasComments ? importOptions.unreviewedCommented : undefined + if (!result) return + break + case 'always': + result = hasComments ? importOptions.unreviewedCommented : 'notchecked' + break + } + } + + let detail = vuln.FINDING_DETAILS.length > maxCommentLength ? 
vuln.FINDING_DETAILS.slice(0, maxCommentLength) : vuln.FINDING_DETAILS + if (!vuln.FINDING_DETAILS) { + switch (importOptions.emptyDetail) { + case 'ignore': + detail = null + break + case 'import': + detail = vuln.FINDING_DETAILS + break + case 'replace': + detail = 'There is no detail provided for the assessment' + break + } + } + + let comment = vuln.COMMENTS.length > maxCommentLength ? vuln.COMMENTS.slice(0, maxCommentLength) : vuln.COMMENTS + if (!vuln.COMMENTS) { + switch (importOptions.emptyComment) { + case 'ignore': + comment = null + break + case 'import': + comment = vuln.COMMENTS + break + case 'replace': + comment = 'There is no comment provided for the assessment' + break + } + } + + const review = { + ruleId, + result, + detail, + comment + } + + if (resultEngineCommon) { + review.resultEngine = { ...resultEngineCommon } + if (vuln['__comment']) { + const overrides = [] + for (const comment of vuln['__comment']) { + if (comment.toString().startsWith('')) { + let override + try { + override = parser.parse(comment)['Evaluate-STIG'][0] + } + catch (e) { + console.log(`Failed to parse Evaluate-STIG VULN XML comment for ${ruleId}`) + } + override = normalizeKeys(override) + if (override.afmod?.toLowerCase() === 'true') { + overrides.push({ + authority: override.answerfile, + oldResult: resultMap[override.oldstatus] ?? 
'unknown', + newResult: result, + remark: 'Evaluate-STIG Answer File' + }) + } + } + } + if (overrides.length) { + review.resultEngine.overrides = overrides + } + } + } + else { + review.resultEngine = null + } + + const status = bestStatusForReview(review) + if (status) { + review.status = status + } + + return review + } + + function getRuleIdFromVuln(vuln) { + let ruleId + vuln.STIG_DATA.some(stigDatum => { + if (stigDatum.VULN_ATTRIBUTE == "Rule_ID") { + ruleId = stigDatum.ATTRIBUTE_DATA + return true + } + }) + return ruleId + } + + function bestStatusForReview(review) { + if (importOptions.autoStatus === 'null') return null + if (importOptions.autoStatus === 'saved') return 'saved' + + let detailSubmittable = false + switch (fieldSettings.detail.required) { + case 'optional': + detailSubmittable = true + break + case 'findings': + if ((review.result !== 'fail') || (review.result === 'fail' && review.detail)) { + detailSubmittable = true + } + break + case 'always': + if (review.detail) { + detailSubmittable = true + } + break + } + + let commentSubmittable = false + switch (fieldSettings.comment.required) { + case 'optional': + commentSubmittable = true + break + case 'findings': + if ((review.result !== 'fail') || (review.result === 'fail' && review.comment)) { + commentSubmittable = true + } + break + case 'always': + if (review.comment) { + commentSubmittable = true + } + break + } + + const resultSubmittable = review.result === 'pass' || review.result === 'fail' || review.result === 'notapplicable' + + let status = undefined + if (detailSubmittable && commentSubmittable && resultSubmittable) { + switch (importOptions.autoStatus) { + case 'submitted': + status = 'submitted' + break + case 'accepted': + status = allowAccept ? 
'accepted' : 'submitted' + break + } + } + else { + status = 'saved' + } + return status + } + + function processRootXmlComments(comments) { + let resultEngineRoot + for (const comment of comments) { + if (comment.toString().startsWith('')) { + let esRootComment + try { + esRootComment = parser.parse(comment)['Evaluate-STIG'][0] + } + catch (e) { + console.log('Failed to parse Evaluate-STIG root XML comment') + } + esRootComment = normalizeKeys(esRootComment) + resultEngineRoot = { + type: 'script', + product: 'Evaluate-STIG', + version: esRootComment?.global?.[0]?.version, + time: esRootComment?.global?.[0]?.time, + checkContent: { + location: esRootComment?.module?.[0]?.name ?? '' + } + } + } + } + return resultEngineRoot || null + } +} + +export function reviewsFromXccdf( + { + data, + fieldSettings, + allowAccept, + importOptions, + valueProcessor, + scapBenchmarkMap, + XMLParser + }) { + + // Parse the XML + const parseOptions = { + allowBooleanAttributes: false, + attributeNamePrefix: "", + cdataPropName: "__cdata", //default is 'false' + ignoreAttributes: false, + parseTagValue: false, + removeNSPrefix: true, + trimValues: true, + tagValueProcessor: valueProcessor, + commentPropName: "__comment", + isArray: (name, jpath, isLeafNode, isAttribute) => { + const arrayElements = [ + 'override', + 'overrides', + 'target', + 'target-address', + 'fact', + 'rule-result' + ] + return arrayElements.includes(name) + } + } + const parser = new XMLParser(parseOptions) + let parsed = parser.parse(data) + + // Basic sanity checks, handle root element with child + let benchmarkId, testResult + if (!parsed.Benchmark && !parsed.TestResult) throw (new Error("No Benchmark or TestResult element")) + if (parsed.Benchmark) { + if (!parsed.Benchmark.TestResult) throw (new Error("No Benchmark.TestResult element")) + if (!parsed.Benchmark.TestResult['target']) throw (new Error("No Benchmark.TestResult.target element")) + if (!parsed.Benchmark.TestResult['rule-result']) throw (new 
Error("No Benchmark.TestResult.rule-result element")) + testResult = parsed.Benchmark.TestResult + benchmarkId = parsed.Benchmark.id.replace('xccdf_mil.disa.stig_benchmark_', '') + } + else { + if (!parsed.TestResult['benchmark']) throw (new Error("No TestResult.benchmark element")) + if (!parsed.TestResult['target']) throw (new Error("No TestResult.target element")) + if (!parsed.TestResult['rule-result']) throw (new Error("No TestResult.rule-result element")) + testResult = parsed.TestResult + let benchmarkAttr + if (testResult.benchmark.id?.startsWith('xccdf_mil.disa.stig_benchmark_')) { + benchmarkAttr = testResult.benchmark.id + } + else if (testResult.benchmark.href?.startsWith('xccdf_mil.disa.stig_benchmark_')) { + benchmarkAttr = testResult.benchmark.href + } + else { + throw (new Error("TestResult.benchmark has no attribute starting with xccdf_mil.disa.stig_benchmark_")) + } + benchmarkId = benchmarkAttr.replace('xccdf_mil.disa.stig_benchmark_', '') + } + let DEFAULT_RESULT_TIME = testResult['end-time'] //required by XCCDF 1.2 rev 4 spec + + // Process parsed data + if (scapBenchmarkMap && scapBenchmarkMap.has(benchmarkId)) { + benchmarkId = scapBenchmarkMap.get(benchmarkId) + } + const target = processTarget(testResult) + if (!target.name) { + throw (new Error('No value for ')) + } + + // resultEngine info + const testSystem = testResult['test-system'] + // SCC injects a CPE WFN bound to a URN + const m = testSystem.match(/[c][pP][eE]:\/[AHOaho]?:(.*)/) + let vendor, product, version + if (m?.[1]) { + ;[vendor, product, version] = m[1].split(':') + } + else { + ;[product, version] = testSystem.split(':') // e.g. 
PAAuditEngine:6.5.3 + } + const resultEngineTpl = { + type: 'scap', + product, + version + } + const r = processRuleResults(testResult['rule-result'], resultEngineTpl) + + // Return object + return ({ + target, + checklists: [{ + benchmarkId: benchmarkId, + revisionStr: null, + reviews: r.reviews, + stats: r.stats + }] + }) + + function processRuleResults(ruleResults, resultEngineTpl) { + const stats = { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + } + const reviews = [] + for (const ruleResult of ruleResults) { + const review = generateReview(ruleResult, resultEngineTpl) + if (review) { + reviews.push(review) + stats[review.result]++ + } + } + return { reviews, stats } + } + + function generateReview(ruleResult, resultEngineCommon) { + let result = ruleResult.result + if (!result) return + const ruleId = ruleResult.idref.replace('xccdf_mil.disa.stig_rule_', '') + if (!ruleId) return + + const hasComments = false // or look for + + if (result !== 'pass' && result !== 'fail' && result !== 'notapplicable') { // unreviewed business rules + switch (importOptions.unreviewed) { + case 'never': + return undefined + case 'commented': + result = hasComments ? importOptions.unreviewedCommented : undefined + if (!result) return + break + case 'always': + result = hasComments ? importOptions.unreviewedCommented : 'notchecked' + break + } + } + + let resultEngine + if (resultEngineCommon) { + if (resultEngineCommon.product === 'stig-manager') { + resultEngine = ruleResult.check?.['check-content']?.resultEngine + } + else { + // build the resultEngine value + const timeStr = ruleResult.time ?? DEFAULT_RESULT_TIME + resultEngine = { + time: (timeStr ? 
new Date(timeStr) : new Date()).toISOString(), + ...resultEngineCommon + } + // handle check-content-ref, if it exists + const checkContentHref = ruleResult?.check?.['check-content-ref']?.href?.replace('#scap_mil.disa.stig_comp_', '') + const checkContentName = ruleResult?.check?.['check-content-ref']?.name?.replace('oval:mil.disa.stig.', '') + if (checkContentHref || checkContentName) { + resultEngine.checkContent = { + location: checkContentHref, + component: checkContentName + } + } + + if (ruleResult.override?.length) { //overrides + const overrides = [] + for (const override of ruleResult.override) { + overrides.push({ + authority: override.authority, + oldResult: override['old-result'], + newResult: override['new-result'], + remark: override['remark'] + }) + } + if (overrides.length) { + resultEngine.overrides = overrides + } + } + } + } + + const replacementText = `Result was reported by product "${resultEngine?.product}" version ${resultEngine?.version} at ${resultEngine?.time} using check content "${resultEngine?.checkContent?.location}"` + + let detail = ruleResult.check?.['check-content']?.detail + if (!detail) { + switch (importOptions.emptyDetail) { + case 'ignore': + detail = null + break + case 'import': + detail = '' + break + case 'replace': + detail = replacementText + break + } + } + + let comment = ruleResult.check?.['check-content']?.comment + if (!comment) { + switch (importOptions.emptyComment) { + case 'ignore': + comment = null + break + case 'import': + comment = '' + break + case 'replace': + comment = replacementText + break + } + } + + const review = { + ruleId, + result, + resultEngine, + detail, + comment + } + + const status = bestStatusForReview(review) + if (status) { + review.status = status + } + + return review + } + + function bestStatusForReview(review) { + if (importOptions.autoStatus === 'null') return undefined + if (importOptions.autoStatus === 'saved') return 'saved' + + const fields = ['detail', 'comment'] + let 
commentsSubmittable + for (const field of fields) { + switch (fieldSettings[field].required) { + case 'optional': + commentsSubmittable = true + break + case 'findings': + commentsSubmittable = ((review.result !== 'fail') || (review.result === 'fail' && review[field])) + break + case 'always': + commentsSubmittable = !!review[field] + break + } + if (!commentsSubmittable) break // can end loop if commentsSubmittable becomes false + } + + const resultSubmittable = review.result === 'pass' || review.result === 'fail' || review.result === 'notapplicable' + + let status = undefined + if (commentsSubmittable && resultSubmittable) { + switch (importOptions.autoStatus) { + case 'submitted': + status = 'submitted' + break + case 'accepted': + status = allowAccept ? 'accepted' : 'submitted' + break + } + } + else { + status = 'saved' + } + return status + } + + function processTargetFacts(targetFacts) { + if (!targetFacts) return {} + + const asset = { metadata: {} } + const reTagAsset = /^tag:stig-manager@users.noreply.github.com,2020:asset:(.*)/ + const reMetadata = /^metadata:(.*)/ + + for (const targetFact of targetFacts) { + const matchesTagAsset = targetFact['name'].match(reTagAsset) + if (!matchesTagAsset) { + asset.metadata[targetFact['name']] = targetFact['#text'] + continue + } + const property = matchesTagAsset[1] + const matchesMetadata = property.match(reMetadata) + if (matchesMetadata) { + asset.metadata[decodeURI(matchesMetadata[1])] = targetFact['#text'] + } + else { + let value = targetFact['#text'] + if (property === 'noncomputing') { + value = value === 'true' + } + if (['name', 'description', 'fqdn', 'ip', 'mac', 'noncomputing'].includes(property)) { + asset[property] = value + } + } + } + return asset + } + + function processTarget(testResult) { + const assetFromFacts = processTargetFacts(testResult['target-facts']?.fact) + return { + name: testResult.target[0], + description: '', + ip: testResult['target-address']?.[0] || '', + noncomputing: false, + 
metadata: {}, + ...assetFromFacts + } + } +} + +export function reviewsFromCklb( + { + data, + fieldSettings, + allowAccept, + importOptions + }) { + + const maxCommentLength = 32767 + const resultMap = { + not_a_finding: 'pass', + open: 'fail', + not_applicable: 'notapplicable', + not_reviewed: 'notchecked' + } + let cklb + try { + cklb = JSON.parse(data) + } + catch (e) { + throw (new Error('Cannot parse as JSON')) + } + const validateCklb = (obj) => { + try { + if (!obj.target_data?.host_name) { + throw ('No target_data.host_name found') + } + if (!Array.isArray(obj.stigs)) { + throw ('No stigs array found') + } + return { valid: true } + } + catch (e) { + let error = e + if (e instanceof Error) { + error = e.message + } + return { valid: false, error } + } + } + + const validationResult = validateCklb(cklb) + if (!validationResult.valid) { + throw (new Error(`Invalid CKLB object: ${validationResult.error}`)) + } + + const resultEngineCommon = cklb.stig_manager_engine || null + let returnObj = {} + returnObj.target = processTargetData(cklb.target_data) + if (!returnObj.target.name) { + throw (new Error("No host_name in target_data")) + } + returnObj.checklists = processStigs(cklb.stigs) + if (returnObj.checklists.length === 0) { + throw (new Error("stigs array is empty")) + } + return (returnObj) + + function processTargetData(td) { + const obj = { + name: td.host_name, + description: td.comments, + ip: td.ip_address || null, + fqdn: td.fqdn || null, + mac: td.mac_address || null, + noncomputing: td.target_type === 'Non-Computing', + metadata: {} + } + if (td.role) { + obj.metadata.cklRole = td.role + } + if (td.technology_area) { + obj.metadata.cklTechArea = td.technology_area + } + if (td.is_web_database) { + obj.metadata.cklWebOrDatabase = 'true' + obj.metadata.cklHostName = td.host_name + if (td.web_db_site) { + obj.metadata.cklWebDbSite = td.web_db_site + } + if (td.web_db_instance) { + obj.metadata.cklWebDbInstance = td.web_db_instance + } + } + return obj 
+ } + function processStigs(stigs) { + const checklistArray = [] + for (const stig of stigs) { + // checklist = { + // benchmarkId: 'string', + // revisionStr: 'string', + // reviews: [], + // stats: {} + // } + const checklist = {} + checklist.benchmarkId = typeof stig?.stig_id === 'string' ? stig.stig_id.replace('xccdf_mil.disa.stig_benchmark_', '') : '' + const stigVersion = '0' + const stigRelease = typeof stig?.release_info === 'string' ? stig.release_info.match(/Release:\s*(.+?)\s/)?.[1] : '' + checklist.revisionStr = checklist.benchmarkId && stigRelease ? `V${stigVersion}R${stigRelease}` : null + + if (checklist.benchmarkId) { + const result = processRules(stig.rules) + checklist.reviews = result.reviews + checklist.stats = result.stats + checklistArray.push(checklist) + } + + } + return checklistArray + } + function processRules(rules) { + const stats = { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + } + const reviews = [] + for (const rule of rules) { + const review = generateReview(rule, resultEngineCommon) + if (review) { + reviews.push(review) + stats[review.result]++ + } + } + return { reviews, stats } + } + function generateReview(rule, resultEngineCommon) { + let result = resultMap[rule.status] + if (!result) return + const ruleId = rule.rule_id_src + if (!ruleId) return + + const hasComments = !!rule.finding_details || !!rule.comments + + if (result === 'notchecked') { // unreviewed business rules + switch (importOptions.unreviewed) { + case 'never': + return undefined + case 'commented': + result = hasComments ? importOptions.unreviewedCommented : undefined + if (!result) return + break + case 'always': + result = hasComments ? importOptions.unreviewedCommented : 'notchecked' + break + } + } + + let detail = rule.finding_details?.length > maxCommentLength ? 
rule.finding_details.slice(0, maxCommentLength) : rule.finding_details + if (!rule.finding_details) { + switch (importOptions.emptyDetail) { + case 'ignore': + detail = null + break + case 'import': + detail = rule.finding_details ?? '' + break + case 'replace': + detail = 'There is no detail provided for the assessment' + break + } + } + + let comment = rule.comments?.length > maxCommentLength ? rule.comments.slice(0, maxCommentLength) : rule.comments + if (!rule.comments) { + switch (importOptions.emptyComment) { + case 'ignore': + comment = null + break + case 'import': + comment = rule.comments ?? '' + break + case 'replace': + comment = 'There is no comment provided for the assessment' + break + } + } + + const review = { + ruleId, + result, + detail, + comment + } + + // if (resultEngineCommon) { + // review.resultEngine = {...resultEngineCommon} + // if (rule.stig_manager_engine) { + // const overrides = [] + // for (const comment of vuln['__comment']) { + // if (comment.toString().startsWith('')) { + // let override + // try { + // override = parser.parse(comment)['Evaluate-STIG'][0] + // } + // catch(e) { + // console.log(`Failed to parse Evaluate-STIG VULN XML comment for ${ruleId}`) + // } + // override = normalizeKeys(override) + // if (override.afmod?.toLowerCase() === 'true') { + // overrides.push({ + // authority: override.answerfile, + // oldResult: resultMap[override.oldstatus] ?? 
'unknown', + // newResult: result, + // remark: 'Evaluate-STIG Answer File' + // }) + // } + // } + // } + // if (overrides.length) { + // review.resultEngine.overrides = overrides + // } + // } + // } + // else { + // review.resultEngine = null + // } + + const status = bestStatusForReview(review) + if (status) { + review.status = status + } + + return review + } + function bestStatusForReview(review) { + if (importOptions.autoStatus === 'null') return null + if (importOptions.autoStatus === 'saved') return 'saved' + + let detailSubmittable = false + switch (fieldSettings.detail.required) { + case 'optional': + detailSubmittable = true + break + case 'findings': + if ((review.result !== 'fail') || (review.result === 'fail' && review.detail)) { + detailSubmittable = true + } + break + case 'always': + if (review.detail) { + detailSubmittable = true + } + break + } + + let commentSubmittable = false + switch (fieldSettings.comment.required) { + case 'optional': + commentSubmittable = true + break + case 'findings': + if ((review.result !== 'fail') || (review.result === 'fail' && review.comment)) { + commentSubmittable = true + } + break + case 'always': + if (review.comment) { + commentSubmittable = true + } + break + } + + const resultSubmittable = review.result === 'pass' || review.result === 'fail' || review.result === 'notapplicable' + + let status = undefined + if (detailSubmittable && commentSubmittable && resultSubmittable) { + switch (importOptions.autoStatus) { + case 'submitted': + status = 'submitted' + break + case 'accepted': + status = allowAccept ? 'accepted' : 'submitted' + break + } + } + else { + status = 'saved' + } + return status + } + + +} + +export const reviewsFromScc = reviewsFromXccdf diff --git a/TaskObject.js b/TaskObject.js new file mode 100644 index 0000000..741e157 --- /dev/null +++ b/TaskObject.js 
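Review bot: In reviewsFromCkl's generateReview, the `catch (e)` around `parser.parse(comment)['Evaluate-STIG'][0]` only logs, so a malformed Evaluate-STIG `__comment` inside a submitted CKL leaves `override` undefined and the very next statement `override.afmod?.toLowerCase()` throws a TypeError, turning a best-effort skip into an uncaught exception for the whole import; adding `continue` after the `console.log` in that catch fixes it, and the matching catch in processRootXmlComments, which survives only because of `?.`, still emits a resultEngine with undefined `version`/`time` that would be better skipped the same way. The same trust in well-formed input appears in processIStig, where `stigIdElement.SID_DATA` and `stigVersionData.match(...)` are dereferenced without an undefined check, so a STIG_INFO lacking a `stigid` or `version` entry raises a TypeError before the intended "STIG_INFO element has no SI_DATA for SID_NAME == stigId" error can ever be reached, and in generateReview where `vuln.FINDING_DETAILS.length` / `vuln.COMMENTS.length` throw on a VULN with the element absent even though reviewsFromCklb guards the same fields with `?.length`. In reviewsFromXccdf's processTargetFacts, `decodeURI(matchesMetadata[1])` throws URIError on a malformed percent sequence in a target-fact name, so one bad fact aborts the import; wrapping it in a try/catch that falls back to the raw property keeps the rest of the facts. Lastly, `resultMap[vuln.STATUS]`, `resultMap[rule.status]` and `resultMap[override.oldstatus]` are plain-object lookups keyed by untrusted strings, so a status such as `constructor` resolves to an inherited function, passes the `if (!result)` guard and ends up as a key in `stats`; `Object.hasOwn(resultMap, vuln.STATUS) ? resultMap[vuln.STATUS] : undefined` (or a `Map`) makes the lookup exact. Several `startsWith('')` literals appear empty as rendered here, which would accept every comment; if that is not an artifact of this page, the intended tag prefix needs restoring.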
@@ -0,0 +1,223 @@ +/** + * @typedef {Object} apiCollectionBasic + * @property {string} collectionId + * @property {string} name + */ +/** + * @typedef {Object} apiCollectionStig + * @property {string} benchmarkId + * @property {string} revisionStr + * @property {string} benchmarkDate + * @property {boolean} revisionPinned + * @property {number} ruleCount + */ +/** + * @typedef {Object} apiAsset + * @property {string} assetId + * @property {string} name + * @property {string} fqdn + * @property {string} description + * @property {string} ip + * @property {string} mac + * @property {boolean} noncomputing + * @property {Object} metadata + * @property {apiCollectionBasic} collection + * @property {string[]} labelIds + * @property {apiCollectionStig[]} stigs + */ +/** + * @typedef {Object} apiStig + * @property {string} benchmarkId + * @property {string} revisionStr + * @property {string} version + * @property {string} release + * @property {string} benchmarkDate + * @property {string} status + * @property {string} statusDate + * @property {string} ruleCount + * @property {string[]} collectionIds + */ + +export default class TaskObject { + /** + * @param {Object} TaskObjectParam + * @param {apiAsset[]} TaskObjectParam.apiAssets + * @param {apiStig[]} TaskObjectParam.apiStigs + */ + constructor({ apiAssets = [], apiStigs = [], parsedResults = [], options = {} }) { + // An array of results from the parsers + this.parsedResults = parsedResults + // An array of assets from the API + this.apiAssets = apiAssets + // Create Maps of the assets by assetName and metadata.cklHostName + this.mappedAssetNames = new Map() + this.mappedCklHostnames = new Map() + for (const apiAsset of apiAssets) { + // Update .stigs to an array of benchmarkId strings + apiAsset.stigs = apiAsset.stigs.map(stig => stig.benchmarkId) + this.mappedAssetNames.set(apiAsset.name.toLowerCase(), apiAsset) + if (apiAsset.metadata?.cklHostName) { + const v = 
this.mappedCklHostnames.get(apiAsset.metadata.cklHostName.toLowerCase()) + if (v) { + v.push(apiAsset) + } + else { + this.mappedCklHostnames.set(apiAsset.metadata.cklHostName.toLowerCase(), [apiAsset]) + } + } + } + + // A Map() of the installed benchmarkIds return by the API + // key: benchmarkId, value: array of revisionStr + this.mappedStigs = new Map() + for (const apiStig of apiStigs) { + this.mappedStigs.set(apiStig.benchmarkId, apiStig.revisionStrs) + } + + // An array of accumulated errors + this.errors = [] + + // A Map() of assets to be processed by the writer + this.taskAssets = this._createTaskAssets(options) + } + + _findAssetFromParsedTarget(target) { + if (!target.metadata.cklHostName) { + return this.mappedAssetNames.get(target.name.toLowerCase()) + } + const matchedByCklHostname = this.mappedCklHostnames.get(target.metadata.cklHostName.toLowerCase()) + if (!matchedByCklHostname) return null + const matchedByAllCklMetadata = matchedByCklHostname.find( + asset => asset.metadata.cklWebDbInstance?.toLowerCase() === target.metadata.cklWebDbInstance?.toLowerCase() + && asset.metadata.cklWebDbSite?.toLowerCase() === target.metadata.cklWebDbSite?.toLowerCase()) + if (!matchedByAllCklMetadata) return null + return matchedByAllCklMetadata + } + + _createTaskAssets(options) { + // taskAssets is a Map() keyed by lowercase asset name (or CKL metadata), the value is an object: + // { + // knownAsset: false, // does the asset need to be created + // assetProps: null, // an Asset object suitable for put/post to the API + // hasNewAssignment: false, // are there new STIG assignments? 
+ // newAssignments: [], // any new assignments + // checklists: new Map(), // the vetted result checklists, a Map() keyed by benchmarkId + // checklistsIgnored: [], // the ignored checklists + // reviews: [] // the vetted reviews + // } + + + const taskAssets = new Map() + + for (const parsedResult of this.parsedResults) { + // Generate mapping key + let mapKey, tMeta = parsedResult.target.metadata + if (!tMeta.cklHostName) { + mapKey = parsedResult.target.name.toLowerCase() + } + else { + mapKey = `${tMeta.cklHostName}-${tMeta.cklWebDbSite ?? 'NA'}-${tMeta.cklWebDbInstance ?? 'NA'}` + } + + // Try to find the asset in the API response + const apiAsset = this._findAssetFromParsedTarget(parsedResult.target) + if (!apiAsset && !options.createObjects) { + // Bail if the asset doesn't exist and we won't create it + this.errors.push({ + file: parsedResult.file, + message: `asset does not exist for target`, + target: parsedResult.target + }) + continue + } + // Try to find the target in our Map() + let taskAsset = taskAssets.get(mapKey) + + if (!taskAsset) { + // This is our first encounter with this assetName, initialize Map() value + taskAsset = { + knownAsset: false, + assetProps: null, // an object suitable for put/post to the API + hasNewAssignment: false, + newAssignments: [], + checklists: new Map(), // the vetted result checklists + checklistsIgnored: [], // the ignored checklists + reviews: [] // the vetted reviews + } + if (!apiAsset) { + // The asset does not exist in the API. Set assetProps from this parseResult. + if (!tMeta.cklHostName) { + taskAsset.assetProps = { ...parsedResult.target, collectionId: options.collectionId, stigs: [] } + } + else { + taskAsset.assetProps = { ...parsedResult.target, name: mapKey, collectionId: options.collectionId, stigs: [] } + } + } + else { + // The asset exists in the API. Set assetProps from the apiAsset. 
+ taskAsset.knownAsset = true + taskAsset.assetProps = apiAsset + } + // Insert the asset into taskAssets + taskAssets.set(mapKey, taskAsset) + } + + // Helper functions + const stigIsInstalled = ({ benchmarkId, revisionStr }) => { + const revisionStrs = this.mappedStigs.get(benchmarkId) + if (revisionStrs) { + return revisionStr && options.strictRevisionCheck ? revisionStrs.includes(revisionStr) : true + } + else { + return false + } + } + const stigIsAssigned = ({ benchmarkId }) => { + return taskAsset.assetProps.stigs.includes(benchmarkId) + } + const assignStig = (benchmarkId) => { + if (!stigIsAssigned(benchmarkId)) { + taskAsset.hasNewAssignment = true + taskAsset.newAssignments.push(benchmarkId) + taskAsset.assetProps.stigs.push(benchmarkId) + } + } + const stigIsNewlyAssigned = (benchmarkId) => taskAsset.newAssignments.includes(benchmarkId) + + const addToTaskAssetChecklistMapArray = (taskAsset, checklist) => { + let checklistArray = taskAsset.checklists.get(checklist.benchmarkId) + if (checklistArray) { + checklistArray.push(checklist) + } + else { + taskAsset.checklists.set(checklist.benchmarkId, [checklist]) + } + } + + // Vet the checklists in this parseResult + for (const checklist of parsedResult.checklists) { + checklist.file = parsedResult.file + if (stigIsInstalled(checklist)) { + if (stigIsAssigned(checklist)) { + checklist.newAssignment = stigIsNewlyAssigned(checklist.benchmarkId) + addToTaskAssetChecklistMapArray(taskAsset, checklist) + } + else if (options.createObjects) { + assignStig(checklist.benchmarkId) + checklist.newAssignment = true + addToTaskAssetChecklistMapArray(taskAsset, checklist) + } + else { + checklist.ignored = `Not mapped to Asset` + taskAsset.checklistsIgnored.push(checklist) + } + } + else { + checklist.ignored = `Not installed` + taskAsset.checklistsIgnored.push(checklist) + } + } + } + return taskAssets + } +} 
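Review bot: `stigIsInstalled` reads `revisionStrs` from `this.mappedStigs`, which the constructor fills with `apiStig.revisionStrs`, but the `apiStig` typedef at the top of the file declares only `revisionStr` (a singular string); if the API object really carries `revisionStr`, every map value is undefined, `if (revisionStrs)` is false and each checklist is marked `Not installed`, so either the typedef should gain `@property {string[]} revisionStrs` or the constructor should key on the field that exists. Inside `_createTaskAssets`, `assignStig` calls `stigIsAssigned(benchmarkId)` with a bare string while `stigIsAssigned` destructures `({ benchmarkId })`, so the check always sees undefined and the guard is ineffective; call it as `if (!stigIsAssigned({ benchmarkId })) {`. The constructor also rewrites `apiAsset.stigs` in place and `assignStig` later pushes into `taskAsset.assetProps.stigs`, which is the same `apiAsset` object when `knownAsset` is true, so caller-owned API objects are mutated as a side effect; building a fresh object (`{ ...apiAsset, stigs: apiAsset.stigs.map(stig => stig.benchmarkId) }`) would avoid surprising the caller. `mapKey` for CKL-hosted targets is built from `tMeta.cklHostName` without `toLowerCase()` while `_findAssetFromParsedTarget` lowercases the same field, so two results differing only in host-name case may yield two taskAssets for one API asset — worth confirming whether that is intended. The constructor's JSDoc lists `apiAssets` and `apiStigs` but not `parsedResults` or `options` (`createObjects`, `collectionId` and `strictRevisionCheck` are read below); a `@param {Object[]} TaskObjectParam.parsedResults` and a `@param {Object} TaskObjectParam.options` with those three keys documented would complete it.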
diff --git a/WATCHER-test-files/WATCHER/ckl/Asset_a-RHEL_9_TRUNCATED-V1R1-no-reviews.ckl b/WATCHER-test-files/WATCHER/ckl/Asset_a-RHEL_9_TRUNCATED-V1R1-no-reviews.ckl new file mode 100644 index 0000000..6b631a2 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Asset_a-RHEL_9_TRUNCATED-V1R1-no-reviews.ckl 
@@ -0,0 +1,1202 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-257777 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257777r925318_rule + + + Rule_Ver + RHEL-09-211010 + + + Rule_Title + RHEL 9 must be a vendor-supported release. + + + Vuln_Discuss + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. + + + IA_Controls + + + + Check_Content + Verify that the version or RHEL 9 is vendor supported with the following command: + +$ cat /etc/redhat-release + +Red Hat Enterprise Linux release 9.2 (Plow) + +If the installed version of RHEL 9 is not supported, this is a finding. + + + Fix_Text + Upgrade to a supported version of RHEL 9. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257778 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257778r925321_rule + + + Rule_Ver + RHEL-09-211015 + + + Rule_Title + RHEL 9 vendor packaged system security patches and updates must be installed and up to date. + + + Vuln_Discuss + Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. + + + IA_Controls + + + + Check_Content + Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy. + +Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. 
+ +Check that the available package security updates have been installed on the system with the following command: + +$ dnf history list | more + + ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- + 70 | install aide | 2023-03-05 10:58 | Install | 1 + 69 | update -y | 2023-03-04 14:34 | Update | 18 EE + 68 | install vlc | 2023-02-21 17:12 | Install | 21 + 67 | update -y | 2023-02-21 17:04 | Update | 7 EE + +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. + +If the system is in noncompliance with the organizational patching policy, this is a finding. + + + Fix_Text + Install RHEL 9 security patches and updates at the organizationally defined frequency. If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command: + +$ sudo dnf update + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257779 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000023-GPOS-00006 + + + Rule_ID + SV-257779r925324_rule + + + Rule_Ver + RHEL-09-211020 + + + Rule_Title + RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. 
+ + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon. + +Check that a banner is displayed at the command line login screen with the following command: + +$ sudo cat /etc/issue + +If the banner is set correctly it will return the following text: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +If the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding. + + + Fix_Text + Configure RHEL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via command line logon. + +Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000048 + + + CCI_REF + CCI-001384 + + + CCI_REF + CCI-001385 + + + CCI_REF + CCI-001386 + + + CCI_REF + CCI-001387 + + + CCI_REF + CCI-001388 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257780 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000191-GPOS-00080 + + + Rule_ID + SV-257780r925327_rule + + + Rule_Ver + RHEL-09-211025 + + + Rule_Title + RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool. + + + Vuln_Discuss + Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. + +To support this requirement, the operating system may have an integrated solution incorporating continuous scanning using ESS and periodic scanning using other tools, as specified in the requirement. + + + IA_Controls + + + + Check_Content + Verify that RHEL 9 has implemented the Endpoint Security for Linux Threat Prevention tool. + +Check that the following package has been installed: + +$ sudo rpm -qa | grep -i mcafeetp + +If the "mcafeetp" package is not installed, this is a finding. 
+ +Verify that the daemon is running: + +$ sudo ps -ef | grep -i mfetpd + +If the daemon is not running, this is a finding. + + + Fix_Text + Install and enable the latest McAfee ENSLTP package. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-001233 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257781 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257781r925330_rule + + + Rule_Ver + RHEL-09-211030 + + + Rule_Title + The graphical display manager must not be the default target on RHEL 9 unless approved. + + + Vuln_Discuss + Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. + + + IA_Controls + + + + Check_Content + Verify that RHEL 9 is configured to boot to the command line: + +$ systemctl get-default + +multi-user.target + +If the system default target is not set to "multi-user.target" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding. 
+ + + Fix_Text + Document the requirement for a graphical user interface with the ISSO or set the default target to multi-user with the following command: + +$ sudo systemctl set-default multi-user.target + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257782 + + + Severity + low + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257782r925333_rule + + + Rule_Ver + RHEL-09-211035 + + + Rule_Title + RHEL 9 must enable the hardware random number generator entropy gatherer service. + + + Vuln_Discuss + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + + + IA_Controls + + + + Check_Content + Verify that RHEL 9 has enabled the hardware random number generator entropy gatherer service with the following command: + +$ systemctl is-active rngd + +active + +If the "rngd" service is not active, this is a finding. 
+ + + Fix_Text + Install the rng-tools package with the following command: + +$ sudo dnf install rng-tools + +Then enable the rngd service run the following command: + +$ sudo systemctl enable --now rngd + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257783 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000269-GPOS-00103 + + + Rule_ID + SV-257783r925336_rule + + + Rule_Ver + RHEL-09-211040 + + + Rule_Title + RHEL 9 systemd-journald service must be enabled. + + + Vuln_Discuss + In the event of a system failure, RHEL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes. + + + IA_Controls + + + + Check_Content + Verify that "systemd-journald" is active with the following command: + +$ systemctl is-active systemd-journald + +active + +If the systemd-journald service is not active, this is a finding. 
+ + + Fix_Text + To enable the systemd-journald service, run the following command: + +$ sudo systemctl enable --now systemd-journald + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-001665 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257784 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000324-GPOS-00125 + + + Rule_ID + SV-257784r925339_rule + + + Rule_Ver + RHEL-09-211045 + + + Rule_Title + The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. + + + Vuln_Discuss + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: + +$ grep -i ctrl /etc/systemd/system.conf + +CtrlAltDelBurstAction=none + +If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding. + + + Fix_Text + Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: + +CtrlAltDelBurstAction=none + +Reload the daemon for this change to take effect. 
+ +$ sudo systemctl daemon-reload + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + + CCI_REF + CCI-002235 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257785 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000324-GPOS-00125 + + + Rule_ID + SV-257785r925342_rule + + + Rule_Ver + RHEL-09-211050 + + + Rule_Title + The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9. + + + Vuln_Discuss + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: + +$ sudo systemctl status ctrl-alt-del.target + +ctrl-alt-del.target +Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) +Active: inactive (dead) + +If the "ctrl-alt-del.target" is loaded and not masked, this is a finding. 
+ + + Fix_Text + Configure RHEL 9 to disable the ctrl-alt-del.target with the following command: + +$ sudo systemctl disable --now ctrl-alt-del.target +$ sudo systemctl mask --now ctrl-alt-del.target + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + + CCI_REF + CCI-002235 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257786 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000324-GPOS-00125 + + + Rule_ID + SV-257786r925345_rule + + + Rule_Ver + RHEL-09-211055 + + + Rule_Title + RHEL 9 debug-shell systemd service must be disabled. + + + Vuln_Discuss + The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. + +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 is configured to mask the debug-shell systemd service with the following command: + +$ sudo systemctl status debug-shell.service + +debug-shell.service +Loaded: masked (Reason: Unit debug-shell.service is masked.) +Active: inactive (dead) + +If the "debug-shell.service" is loaded and not masked, this is a finding. 
+ + + Fix_Text + Configure RHEL 9 to mask the debug-shell systemd service with the following command: + +$ sudo systemctl disable --now debug-shell.target +$ sudo systemctl mask --now debug-shell.target + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + + CCI_REF + CCI-002235 + + Not_Reviewed + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Asset_a-VPN_TRUNCATED-V2R5.ckl b/WATCHER-test-files/WATCHER/ckl/Asset_a-VPN_TRUNCATED-V2R5.ckl new file mode 100644 index 0000000..f8a9fbc --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Asset_a-VPN_TRUNCATED-V2R5.ckl 
@@ -0,0 +1,1161 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 2 + + + classification + + + customname + + + stigid + VPN_TRUNCATED + + + description + This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 5 Benchmark Date: 07 Jun 2023 + + + title + Virtual Private Network (VPN) TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207184 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000019 + + + Rule_ID + SV-207184r695317_rule + + + Rule_Ver + SRG-NET-000019-VPN-000040 + + + Rule_Title + The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. + + + Vuln_Discuss + Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. + +VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network. + + + IA_Controls + + + + Check_Content + Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration). + +Review network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network. + +If the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding, + + + Fix_Text + Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001414 + + NotAFinding + xyz + + + + + + + Vuln_Num + V-207185 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000041 + + + Rule_ID + SV-207185r608988_rule + + + Rule_Ver + SRG-NET-000041-VPN-000110 + + + Rule_Title + The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
+ +In most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + + + IA_Controls + + + + Check_Content + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. + +If the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding. + + + Fix_Text + Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: +"I've read & consent to terms in IS user agreem't." + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000048 + + Open + xyz + + + + + + + Vuln_Num + V-207186 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000042 + + + Rule_ID + SV-207186r608988_rule + + + Rule_Ver + SRG-NET-000042-VPN-000120 + + + Rule_Title + The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. + + + Vuln_Discuss + The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. + +The banner is usually configured in NDM for client presentation as well as local logon. + +To establish acceptance of the application usage policy, a click-through banner at application logon is required. 
The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary. + + + IA_Controls + + + + Check_Content + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Verify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access. + +If the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding. + + + Fix_Text + Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000050 + + Not_Applicable + xyz + + + + + + + Vuln_Num + V-207187 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000043 + + + Rule_ID + SV-207187r608988_rule + + + Rule_Ver + SRG-NET-000043-VPN-000130 + + + Rule_Title + The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. 
+ + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + + + IA_Controls + + + + Check_Content + Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 
+ +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +If the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding. + + + Fix_Text + Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001384 + + + CCI_REF + CCI-001385 + + + CCI_REF + CCI-001386 + + + CCI_REF + CCI-001387 + + + CCI_REF + CCI-001388 + + Not_Reviewed + xyz + + + + + + + Vuln_Num + V-207188 + + + Severity + low + + + Weight + 10.0 + + + Group_Title + SRG-NET-000049 + + + Rule_ID + SV-207188r608988_rule + + + Rule_Ver + SRG-NET-000049-VPN-000150 + + + Rule_Title + The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). + + + Vuln_Discuss + Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary. 
+ + + IA_Controls + + + + Check_Content + Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding. + +If the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding. + + + Fix_Text + Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000053 + + NotAFinding + xyz + + + + + + + Vuln_Num + V-207189 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000053 + + + Rule_ID + SV-207189r608988_rule + + + Rule_Ver + SRG-NET-000053-VPN-000170 + + + Rule_Title + The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number. + + + Vuln_Discuss + VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. + +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. 
The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. + +The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited. + + + IA_Controls + + + + Check_Content + Inspect the VPN Gateway configuration. Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP). + +If the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding. + + + Fix_Text + Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000054 + + Not_Reviewed + xyz + + + + + + + Vuln_Num + V-207190 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-NET-000062 + + + Rule_ID + SV-207190r803417_rule + + + Rule_Ver + SRG-NET-000062-VPN-000200 + + + Rule_Title + The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections. + + + Vuln_Discuss + Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. + +NIST SP 800-52 Rev2 provides guidance for client negotiation on either DoD-only or public-facing servers. 
+ + + IA_Controls + + + + Check_Content + Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission. + +If the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding. + + + Fix_Text + Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000068 + + NotAFinding + xyz + + + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + xyz + xyz + + + + + + Vuln_Num + V-207192 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207192r916146_rule + + + Rule_Ver + SRG-NET-000063-VPN-000220 + + + Rule_Title + The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + + + Vuln_Discuss + Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. + +SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. 
+ +The remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. + + + IA_Controls + + + + Check_Content + Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + +If the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Not_Reviewed + + + + + + + + Vuln_Num + V-207193 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-NET-000074 + + + Rule_ID + SV-207193r916149_rule + + + Rule_Ver + SRG-NET-000074-VPN-000250 + + + Rule_Title + The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. + + + Vuln_Discuss + Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be. + + + IA_Controls + + + + Check_Content + Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1. 
+ +View the IKE options dh-group option. + +If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding. + + + Fix_Text + Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000068 + + Not_Reviewed + + + + + + + +
diff --git a/WATCHER-test-files/WATCHER/ckl/Asset_a-VPN_TRUNCATED-V2R5.cklb b/WATCHER-test-files/WATCHER/ckl/Asset_a-VPN_TRUNCATED-V2R5.cklb
new file mode 100644
index 0000000..9607b71
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/ckl/Asset_a-VPN_TRUNCATED-V2R5.cklb
@@ -0,0 +1 @@
+{"title":"Asset_aaaaaaaaaa-VPN_TRUNCATED-V2R5","id":"2f6fe9e0-8242-11ee-8b44-13c1c13d16bb","active":false,"mode":1,"has_path":true,"target_data":{"target_type":"Non-Computing","host_name":"Asset_aaaaaaaaaa","ip_address":"","mac_address":"","fqdn":"","comments":"","role":"None","is_web_database":false,"technology_area":"","web_db_site":"","web_db_instance":""},"stigs":[{"stig_name":"Virtual Private Network (VPN) TRUNCATED","display_name":"Virtual Private Network (VPN) TRUNCATED","stig_id":"VPN_TRUNCATED","version":2,"release_info":"Release: 5 Benchmark Date: 07 Jun 2023","uuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","reference_identifier":"0000","size":10,"rules":[{"uuid":"2f7281f0-8242-11ee-8b44-13c1c13d16bb","stig_uuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","target_key":null,"stig_ref":null,"group_id":"V-207184","rule_id":"SV-207184r695317","rule_id_src":"SV-207184r695317_rule","weight":"10.0","classification":"NONE","severity":"medium","rule_version":"SRG-NET-000019-VPN-000040","group_title":"SRG-NET-000019","rule_title":"The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.","fix_text":"Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.","false_positives":null,"false_negatives":null,"discussion":"Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. 
Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.","check_content":"Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,","documentable":"false","mitigations":null,"potential_impacts":null,"third_party_tools":null,"mitigation_control":null,"responsibility":null,"security_override_guidance":null,"ia_controls":null,"check_content_ref":{"href":"","name":"M"},"legacy_ids":[],"group_tree":[{"id":"V-207184","title":"SRG-NET-000019","description":""}],"createdAt":"2023-11-13T16:30:36.000Z","updatedAt":"2023-11-13T16:30:36.000Z","STIGUuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","status":"not_a_finding","overrides":{},"comments":"","finding_details":"xxxxxxxxx","ccis":["CCI-001414"]},{"uuid":"2f7281f1-8242-11ee-8b44-13c1c13d16bb","stig_uuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","target_key":null,"stig_ref":null,"group_id":"V-207185","rule_id":"SV-207185r608988","rule_id_src":"SV-207185r608988_rule","weight":"10.0","classification":"NONE","severity":"medium","rule_version":"SRG-NET-000041-VPN-000110","group_title":"SRG-NET-000041","rule_title":"The Remote Access VPN Gateway and/or client must 
display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.","fix_text":"Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\"I've read & consent to terms in IS user agreem't.\"","false_positives":null,"false_negatives":null,"discussion":"Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nIn most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n \nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","check_content":"If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.\n\nDetermine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. 
\n\nIf the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding.","documentable":"false","mitigations":null,"potential_impacts":null,"third_party_tools":null,"mitigation_control":null,"responsibility":null,"security_override_guidance":null,"ia_controls":null,"check_content_ref":{"href":"","name":"M"},"legacy_ids":[],"group_tree":[{"id":"V-207185","title":"SRG-NET-000041","description":""}],"createdAt":"2023-11-13T16:30:44.000Z","updatedAt":"2023-11-13T16:30:44.000Z","STIGUuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","status":"open","overrides":{},"comments":"","finding_details":"yyyyyyyyyy","ccis":["CCI-000048"]},{"uuid":"2f7281f2-8242-11ee-8b44-13c1c13d16bb","stig_uuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","target_key":null,"stig_ref":null,"group_id":"V-207186","rule_id":"SV-207186r608988","rule_id_src":"SV-207186r608988_rule","weight":"10.0","classification":"NONE","severity":"medium","rule_version":"SRG-NET-000042-VPN-000120","group_title":"SRG-NET-000042","rule_title":"The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.","fix_text":"Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.","false_positives":null,"false_negatives":null,"discussion":"The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. 
\n\nThe banner is usually configured in NDM for client presentation as well as local logon.\n\nTo establish acceptance of the application usage policy, a click-through banner at application logon is required. The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\". \n\nThis applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.","check_content":"If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.\n\nVerify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access.\n\nIf the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a 
finding.","documentable":"false","mitigations":null,"potential_impacts":null,"third_party_tools":null,"mitigation_control":null,"responsibility":null,"security_override_guidance":null,"ia_controls":null,"check_content_ref":{"href":"","name":"M"},"legacy_ids":[],"group_tree":[{"id":"V-207186","title":"SRG-NET-000042","description":""}],"createdAt":"2023-11-13T16:30:52.000Z","updatedAt":"2023-11-13T16:30:52.000Z","STIGUuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","status":"not_applicable","overrides":{},"comments":"","finding_details":"xxxxxxxxxxx","ccis":["CCI-000050"]},{"uuid":"2f7281f3-8242-11ee-8b44-13c1c13d16bb","stig_uuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","target_key":null,"stig_ref":null,"group_id":"V-207187","rule_id":"SV-207187r608988","rule_id_src":"SV-207187r608988_rule","weight":"10.0","classification":"NONE","severity":"medium","rule_version":"SRG-NET-000043-VPN-000130","group_title":"SRG-NET-000043","rule_title":"The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.","fix_text":"Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.","false_positives":null,"false_negatives":null,"discussion":"Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.\n\nThe banner must be formatted in accordance with DTM-08-060. 
Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"","check_content":"Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nIf the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding.","documentable":"false","mitigations":null,"potential_impacts":null,"third_party_tools":null,"mitigation_control":null,"responsibility":null,"security_override_guidance":null,"ia_controls":null,"check_content_ref":{"href":"","name":"M"},"legacy_ids":[],"group_tree":[{"id":"V-207187","title":"SRG-NET-000043","description":""}],"createdAt":"2023-11-13T16:30:59.000Z","updatedAt":"2023-11-13T16:30:59.000Z","STIGUuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","status":"not_reviewed","overrides":{},"comments":"","finding_details":"xxxxxxxxx","ccis":["CCI-001384","CCI-001385","CCI-001386","CCI-001387","CCI-001388"]},{"uuid":"2f7281f4-8242-11ee-8b44-13c1c13d16bb","stig_uuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","target_key":null,"stig_ref":null,"group_id":"V-207188","rule_id":"SV-207188r608988","rule_id_src":"SV-207188r608988_rule","weight":"10.0","classification":"NONE","severity":"low","rule_version":"SRG-NET-000049-VPN-000150","group_title":"SRG-NET-000049","rule_title":"The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).","fix_text":"Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).","false_positives":null,"false_negatives":null,"discussion":"Users need to be aware of activity that occurs regarding their account. 
Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.\n\nThis applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.","check_content":"Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding.\n\nIf the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.","documentable":"false","mitigations":null,"potential_impacts":null,"third_party_tools":null,"mitigation_control":null,"responsibility":null,"security_override_guidance":null,"ia_controls":null,"check_content_ref":{"href":"","name":"M"},"legacy_ids":[],"group_tree":[{"id":"V-207188","title":"SRG-NET-000049","description":""}],"createdAt":"2023-11-13T16:31:06.000Z","updatedAt":"2023-11-13T16:31:06.000Z","STIGUuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","status":"not_a_finding","overrides":{},"comments":"","finding_details":"xxxxxxxxxxxxxxxxxxxxxxxxxx","ccis":["CCI-000053"]},{"uuid":"2f7281f5-8242-11ee-8b44-13c1c13d16bb","stig_uuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","target_key":null,"stig_ref":null,"group_id":"V-207189","rule_id":"SV-207189r608988","rule_id_src":"SV-207189r608988_rule","weight":"10.0","classification":"NONE","severity":"medium","rule_version":"SRG-NET-000053-VPN-000170","group_title":"SRG-NET-000053","rule_title":"The VPN Gateway must limit the number of concurrent 
sessions for user accounts to 1 or to an organization-defined number.","fix_text":"Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP.","false_positives":null,"false_negatives":null,"discussion":"VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.\n\nThe intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.","check_content":"Inspect the VPN Gateway configuration. 
Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP).\n\nIf the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.","documentable":"false","mitigations":null,"potential_impacts":null,"third_party_tools":null,"mitigation_control":null,"responsibility":null,"security_override_guidance":null,"ia_controls":null,"check_content_ref":{"href":"","name":"M"},"legacy_ids":[],"group_tree":[{"id":"V-207189","title":"SRG-NET-000053","description":""}],"createdAt":"2023-11-13T16:31:15.000Z","updatedAt":"2023-11-13T16:31:15.000Z","STIGUuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","status":"not_reviewed","overrides":{},"comments":"","finding_details":"xxxxxxxxxxxxxxxxxxx","ccis":["CCI-000054"]},{"uuid":"2f7281f6-8242-11ee-8b44-13c1c13d16bb","stig_uuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","target_key":null,"stig_ref":null,"group_id":"V-207190","rule_id":"SV-207190r803417","rule_id_src":"SV-207190r803417_rule","weight":"10.0","classification":"NONE","severity":"high","rule_version":"SRG-NET-000062-VPN-000200","group_title":"SRG-NET-000062","rule_title":"The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.","fix_text":"Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission.","false_positives":null,"false_negatives":null,"discussion":"Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nNIST SP 800-52 Rev2 provides guidance for client negotiation on either DoD-only or public-facing servers.","check_content":"Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data 
during transmission.\n\nIf the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding.","documentable":"false","mitigations":null,"potential_impacts":null,"third_party_tools":null,"mitigation_control":null,"responsibility":null,"security_override_guidance":null,"ia_controls":null,"check_content_ref":{"href":"","name":"M"},"legacy_ids":[],"group_tree":[{"id":"V-207190","title":"SRG-NET-000062","description":""}],"createdAt":"2023-11-13T16:31:22.000Z","updatedAt":"2023-11-13T16:31:22.000Z","STIGUuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","status":"not_a_finding","overrides":{},"comments":"","finding_details":"xxxxxxxxxxxxxxxxx","ccis":["CCI-000068"]},{"uuid":"2f7281f7-8242-11ee-8b44-13c1c13d16bb","stig_uuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","target_key":null,"stig_ref":null,"group_id":"V-207191","rule_id":"SV-207191r803418","rule_id_src":"SV-207191r803418_rule","weight":"10.0","classification":"NONE","severity":"medium","rule_version":"SRG-NET-000063-VPN-000210","group_title":"SRG-NET-000063","rule_title":"The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.","fix_text":"Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.","false_positives":null,"false_negatives":null,"discussion":"Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. 
Remote access methods include broadband and wireless.\n\nIntegrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function.","check_content":"Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.\n\nIf the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding.","documentable":"false","mitigations":null,"potential_impacts":null,"third_party_tools":null,"mitigation_control":null,"responsibility":null,"security_override_guidance":null,"ia_controls":null,"check_content_ref":{"href":"","name":"M"},"legacy_ids":[],"group_tree":[{"id":"V-207191","title":"SRG-NET-000063","description":""}],"createdAt":"2023-11-13T16:31:36.000Z","updatedAt":"2023-11-13T16:31:36.000Z","STIGUuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","status":"open","overrides":{},"comments":"zzzzzzzzzzzzzzzzzzzzzz","finding_details":"yyyyyyyyyyyyyyyyyyyyyyyyy","ccis":["CCI-001453"]},{"uuid":"2f7281f8-8242-11ee-8b44-13c1c13d16bb","stig_uuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","target_key":null,"stig_ref":null,"group_id":"V-207192","rule_id":"SV-207192r916146","rule_id_src":"SV-207192r916146_rule","weight":"10.0","classification":"NONE","severity":"medium","rule_version":"SRG-NET-000063-VPN-000220","group_title":"SRG-NET-000063","rule_title":"The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.","fix_text":"Configure the VPN Gateway to use IPsec with SHA-2 at 384 
bits or greater for hashing to protect the integrity of remote access sessions.","false_positives":null,"false_negatives":null,"discussion":"Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nSHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. \n\nThe remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.","check_content":"Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.\n\nIf the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding.","documentable":"false","mitigations":null,"potential_impacts":null,"third_party_tools":null,"mitigation_control":null,"responsibility":null,"security_override_guidance":null,"ia_controls":null,"check_content_ref":{"href":"","name":"M"},"legacy_ids":[],"group_tree":[{"id":"V-207192","title":"SRG-NET-000063","description":""}],"createdAt":null,"updatedAt":null,"STIGUuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","status":"not_reviewed","overrides":{},"comments":"","finding_details":"","ccis":["CCI-001453"]},{"uuid":"2f7281f9-8242-11ee-8b44-13c1c13d16bb","stig_uuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","target_key":null,"stig_ref":null,"group_id":"V-207193","rule_id":"SV-207193r916149","rule_id_src":"SV-207193r916149_rule","weight":"10.0","classification":"NONE","severity":"high","rule_version":"SRG-NET-000074-VPN-000250","group_title":"SRG-NET-000074","rule_title":"The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 
1.","fix_text":"Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1.","false_positives":null,"false_negatives":null,"discussion":"Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be.","check_content":"Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1.\n\nView the IKE options dh-group option.\n\nIf the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding.","documentable":"false","mitigations":null,"potential_impacts":null,"third_party_tools":null,"mitigation_control":null,"responsibility":null,"security_override_guidance":null,"ia_controls":null,"check_content_ref":{"href":"","name":"M"},"legacy_ids":[],"group_tree":[{"id":"V-207193","title":"SRG-NET-000074","description":""}],"createdAt":null,"updatedAt":null,"STIGUuid":"2f714970-8242-11ee-8b44-13c1c13d16bb","status":"not_reviewed","overrides":{},"comments":"","finding_details":"","ccis":["CCI-000068"]}]}]}
\ No newline at end of file
diff --git a/WATCHER-test-files/WATCHER/ckl/Asset_a-multi-stig.ckl b/WATCHER-test-files/WATCHER/ckl/Asset_a-multi-stig.ckl
new file mode 100644
index 0000000..f1c9b74
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/ckl/Asset_a-multi-stig.ckl
@@ -0,0 +1,3675 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_8_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 12 Benchmark Date: 25 Oct 2023 + + + title + Red Hat Enterprise Linux 8 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-230221 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-230221r858734_rule + + + Rule_Ver + RHEL-08-010000 + + + Rule_Title + RHEL 8 must be a vendor-supported release. + + + Vuln_Discuss + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. +Note: The life-cycle time spans and dates are subject to adjustment. 
+ + + IA_Controls + + + + Check_Content + Verify the version of the operating system is vendor supported. + +Note: The lifecycle time spans and dates are subject to adjustment. + +Check the version of the operating system with the following command: + +$ sudo cat /etc/redhat-release + +Red Hat Enterprise Linux Server release 8.6 (Ootpa) + +Current End of Extended Update Support for RHEL 8.1 is 30 November 2021. + +Current End of Extended Update Support for RHEL 8.2 is 30 April 2022. + +Current End of Extended Update Support for RHEL 8.4 is 31 May 2023. + +Current End of Maintenance Support for RHEL 8.5 is 31 May 2022. + +Current End of Extended Update Support for RHEL 8.6 is 31 May 2024. + +Current End of Maintenance Support for RHEL 8.7 is 31 May 2023. + +Current End of Extended Update Support for RHEL 8.8 is 31 May 2025. + +Current End of Maintenance Support for RHEL 8.9 is 31 May 2024. + +Current End of Maintenance Support for RHEL 8.10 is 31 May 2029. + +If the release is not supported by the vendor, this is a finding. + + + Fix_Text + Upgrade to a supported version of RHEL 8. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230222 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-230222r627750_rule + + + Rule_Ver + RHEL-08-010010 + + + Rule_Title + RHEL 8 vendor packaged system security patches and updates must be installed and up to date. + + + Vuln_Discuss + Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. 
However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. + + + IA_Controls + + + + Check_Content + Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). + +Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. + +Check that the available package security updates have been installed on the system with the following command: + +$ sudo yum history list | more + +Loaded plugins: langpacks, product-id, subscription-manager +ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- +70 | install aide | 2020-03-05 10:58 | Install | 1 +69 | update -y | 2020-03-04 14:34 | Update | 18 EE +68 | install vlc | 2020-02-21 17:12 | Install | 21 +67 | update -y | 2020-02-21 17:04 | Update | 7 EE + +If package updates have not been performed on the system within the timeframe the site/program documentation requires, this is a finding. + +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. 
+ +If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding. + + + Fix_Text + Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230223 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000033-GPOS-00014 + + + Rule_ID + SV-230223r928585_rule + + + Rule_Ver + RHEL-08-010020 + + + Rule_Title + RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. + + + Vuln_Discuss + Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. 
+ +The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. + +Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223 + + + IA_Controls + + + + Check_Content + Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions. + +Check to see if FIPS mode is enabled with the following command: + + $ fips-mode-setup --check + FIPS mode is enabled + +If FIPS mode is "enabled", check to see if the kernel boot parameter is configured for FIPS mode with the following command: + + $ sudo grub2-editenv list | grep fips + kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 + +If the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command: + + $ sudo cat /proc/sys/crypto/fips_enabled + 1 + +If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding. 
+ + + Fix_Text + Configure the operating system to implement DOD-approved encryption by following the steps below: + +To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. + +Enable FIPS mode after installation (not strict FIPS-compliant) with the following command: + + $ sudo fips-mode-setup --enable + +Reboot the system for the changes to take effect. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000068 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230224 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000185-GPOS-00079 + + + Rule_ID + SV-230224r917864_rule + + + Rule_Ver + RHEL-08-010030 + + + Rule_Title + All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. + + + Vuln_Discuss + RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). 
+ +Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184 + + + IA_Controls + + + + Check_Content + Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. + +If there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable. + +Verify all system partitions are encrypted with the following command: + + $ sudo blkid + + /dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" + +Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. + +If there is no evidence that these partitions are encrypted, this is a finding. + + + Fix_Text + Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption. + +Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-001199 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230225 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000023-GPOS-00006 + + + Rule_ID + SV-230225r858694_rule + + + Rule_Ver + RHEL-08-010040 + + + Rule_Title + RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + IA_Controls + + + + Check_Content + Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + +Check for the location of the banner file being used with the following command: + +$ sudo grep -ir banner /etc/ssh/sshd_config* + +banner /etc/issue + +This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue"). + +If the line is commented out, this is a finding. +If conflicting results are returned, this is a finding. + +View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. + +If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. + + + Fix_Text + Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh. + +Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). 
An example configuration line is: + +banner /etc/issue + +Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD-required text is: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +The SSH service must be restarted for changes to take effect. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000048 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230226 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000023-GPOS-00006 + + + Rule_ID + SV-230226r743916_rule + + + Rule_Ver + RHEL-08-010050 + + + Rule_Title + RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + IA_Controls + + + + Check_Content + Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. + +Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. + +Check that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command: + +$ sudo grep banner-message-text /etc/dconf/db/local.d/* + +banner-message-text= +'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' + +Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface. + +If the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding. + + + Fix_Text + Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + +Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. + +Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": + +banner-message-text='You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' + +Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface. 
+ +Run the following command to update the database: + +$ sudo dconf update + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000048 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230227 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000023-GPOS-00006 + + + Rule_ID + SV-230227r627750_rule + + + Rule_Ver + RHEL-08-010060 + + + Rule_Title + RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. 
+ +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + IA_Controls + + + + Check_Content + Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon. + +Check that RHEL 8 displays a banner at the command line login screen with the following command: + +$ sudo cat /etc/issue + +If the banner is set correctly it will return the following text: + +“You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” + +If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding. + + + Fix_Text + Configure RHEL 8 to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via command line logon. + +Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD-required text is: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
+ +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000048 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230228 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000032-GPOS-00013 + + + Rule_ID + SV-230228r627750_rule + + + Rule_Ver + RHEL-08-010070 + + + Rule_Title + All RHEL 8 remote access methods must be monitored. + + + Vuln_Discuss + Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. + +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
+ +Automated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + + + IA_Controls + + + + Check_Content + Verify that RHEL 8 monitors all remote access methods. + +Check that remote access methods are being logged by running the following command: + +$ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf + +auth.*;authpriv.*;daemon.* /var/log/secure + +If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding. + + + Fix_Text + Configure RHEL 8 to monitor all remote access methods by installing rsyslog with the following command: + +$ sudo yum install rsyslog + +Then add or update the following lines to the "/etc/rsyslog.conf" file: + +auth.*;authpriv.*;daemon.* /var/log/secure + +The "rsyslog" service must be restarted for the changes to take effect. To restart the "rsyslog" service, run the following command: + +$ sudo systemctl restart rsyslog.service + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000067 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230229 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000066-GPOS-00034 + + + Rule_ID + SV-230229r858739_rule + + + Rule_Ver + RHEL-08-010090 + + + Rule_Title + RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. 
+ + + Vuln_Discuss + Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. + +A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. + +When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. + +This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. + +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167 + + + IA_Controls + + + + Check_Content + Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor. + +Note: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. + +Check that the system has a valid DoD root CA installed with the following command: + +$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem + +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, O = U.S. 
Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 + Validity + Not Before: Mar 20 18:46:41 2012 GMT + Not After : Dec 30 18:46:41 2029 GMT + Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + +If the root ca file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding. + + + Fix_Text + Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. + +Obtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file: + +/etc/sssd/pki/sssd_auth_ca_db.pem + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000185 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230230 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000067-GPOS-00035 + + + Rule_ID + SV-230230r627750_rule + + + Rule_Ver + RHEL-08-010100 + + + Rule_Title + RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. + + + Vuln_Discuss + If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed. + + + IA_Controls + + + + Check_Content + Verify the SSH private key files have a passcode. + +For each private key stored on the system, use the following command: + +$ sudo ssh-keygen -y -f /path/to/file + +If the contents of the key are displayed, this is a finding. 
+ + + Fix_Text + Create a new private and public key pair that utilizes a passcode with the following command: + +$ sudo ssh-keygen -n [passphrase] + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000186 + + Not_Reviewed + + + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-257777 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257777r925318_rule + + + Rule_Ver + RHEL-09-211010 + + + Rule_Title + RHEL 9 must be a vendor-supported release. + + + Vuln_Discuss + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. 
+ + + IA_Controls + + + + Check_Content + Verify that the version or RHEL 9 is vendor supported with the following command: + +$ cat /etc/redhat-release + +Red Hat Enterprise Linux release 9.2 (Plow) + +If the installed version of RHEL 9 is not supported, this is a finding. + + + Fix_Text + Upgrade to a supported version of RHEL 9. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257778 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257778r925321_rule + + + Rule_Ver + RHEL-09-211015 + + + Rule_Title + RHEL 9 vendor packaged system security patches and updates must be installed and up to date. + + + Vuln_Discuss + Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. + + + IA_Controls + + + + Check_Content + Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy. + +Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. 
+ +Check that the available package security updates have been installed on the system with the following command: + +$ dnf history list | more + + ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- + 70 | install aide | 2023-03-05 10:58 | Install | 1 + 69 | update -y | 2023-03-04 14:34 | Update | 18 EE + 68 | install vlc | 2023-02-21 17:12 | Install | 21 + 67 | update -y | 2023-02-21 17:04 | Update | 7 EE + +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. + +If the system is in noncompliance with the organizational patching policy, this is a finding. + + + Fix_Text + Install RHEL 9 security patches and updates at the organizationally defined frequency. If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command: + +$ sudo dnf update + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257779 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000023-GPOS-00006 + + + Rule_ID + SV-257779r925324_rule + + + Rule_Ver + RHEL-09-211020 + + + Rule_Title + RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. 
+ + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon. + +Check that a banner is displayed at the command line login screen with the following command: + +$ sudo cat /etc/issue + +If the banner is set correctly it will return the following text: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +If the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding. + + + Fix_Text + Configure RHEL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via command line logon. + +Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000048 + + + CCI_REF + CCI-001384 + + + CCI_REF + CCI-001385 + + + CCI_REF + CCI-001386 + + + CCI_REF + CCI-001387 + + + CCI_REF + CCI-001388 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257780 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000191-GPOS-00080 + + + Rule_ID + SV-257780r925327_rule + + + Rule_Ver + RHEL-09-211025 + + + Rule_Title + RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool. + + + Vuln_Discuss + Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. + +To support this requirement, the operating system may have an integrated solution incorporating continuous scanning using ESS and periodic scanning using other tools, as specified in the requirement. + + + IA_Controls + + + + Check_Content + Verify that RHEL 9 has implemented the Endpoint Security for Linux Threat Prevention tool. + +Check that the following package has been installed: + +$ sudo rpm -qa | grep -i mcafeetp + +If the "mcafeetp" package is not installed, this is a finding. 
+ +Verify that the daemon is running: + +$ sudo ps -ef | grep -i mfetpd + +If the daemon is not running, this is a finding. + + + Fix_Text + Install and enable the latest McAfee ENSLTP package. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-001233 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257781 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257781r925330_rule + + + Rule_Ver + RHEL-09-211030 + + + Rule_Title + The graphical display manager must not be the default target on RHEL 9 unless approved. + + + Vuln_Discuss + Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. + + + IA_Controls + + + + Check_Content + Verify that RHEL 9 is configured to boot to the command line: + +$ systemctl get-default + +multi-user.target + +If the system default target is not set to "multi-user.target" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding. 
+ + + Fix_Text + Document the requirement for a graphical user interface with the ISSO or set the default target to multi-user with the following command: + +$ sudo systemctl set-default multi-user.target + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257782 + + + Severity + low + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257782r925333_rule + + + Rule_Ver + RHEL-09-211035 + + + Rule_Title + RHEL 9 must enable the hardware random number generator entropy gatherer service. + + + Vuln_Discuss + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + + + IA_Controls + + + + Check_Content + Verify that RHEL 9 has enabled the hardware random number generator entropy gatherer service with the following command: + +$ systemctl is-active rngd + +active + +If the "rngd" service is not active, this is a finding. 
+ + + Fix_Text + Install the rng-tools package with the following command: + +$ sudo dnf install rng-tools + +Then enable the rngd service run the following command: + +$ sudo systemctl enable --now rngd + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257783 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000269-GPOS-00103 + + + Rule_ID + SV-257783r925336_rule + + + Rule_Ver + RHEL-09-211040 + + + Rule_Title + RHEL 9 systemd-journald service must be enabled. + + + Vuln_Discuss + In the event of a system failure, RHEL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes. + + + IA_Controls + + + + Check_Content + Verify that "systemd-journald" is active with the following command: + +$ systemctl is-active systemd-journald + +active + +If the systemd-journald service is not active, this is a finding. 
+ + + Fix_Text + To enable the systemd-journald service, run the following command: + +$ sudo systemctl enable --now systemd-journald + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-001665 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257784 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000324-GPOS-00125 + + + Rule_ID + SV-257784r925339_rule + + + Rule_Ver + RHEL-09-211045 + + + Rule_Title + The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. + + + Vuln_Discuss + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: + +$ grep -i ctrl /etc/systemd/system.conf + +CtrlAltDelBurstAction=none + +If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding. + + + Fix_Text + Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: + +CtrlAltDelBurstAction=none + +Reload the daemon for this change to take effect. 
+ +$ sudo systemctl daemon-reload + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + + CCI_REF + CCI-002235 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257785 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000324-GPOS-00125 + + + Rule_ID + SV-257785r925342_rule + + + Rule_Ver + RHEL-09-211050 + + + Rule_Title + The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9. + + + Vuln_Discuss + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: + +$ sudo systemctl status ctrl-alt-del.target + +ctrl-alt-del.target +Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) +Active: inactive (dead) + +If the "ctrl-alt-del.target" is loaded and not masked, this is a finding. 
+ + + Fix_Text + Configure RHEL 9 to disable the ctrl-alt-del.target with the following command: + +$ sudo systemctl disable --now ctrl-alt-del.target +$ sudo systemctl mask --now ctrl-alt-del.target + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + + CCI_REF + CCI-002235 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257786 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000324-GPOS-00125 + + + Rule_ID + SV-257786r925345_rule + + + Rule_Ver + RHEL-09-211055 + + + Rule_Title + RHEL 9 debug-shell systemd service must be disabled. + + + Vuln_Discuss + The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. + +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 is configured to mask the debug-shell systemd service with the following command: + +$ sudo systemctl status debug-shell.service + +debug-shell.service +Loaded: masked (Reason: Unit debug-shell.service is masked.) +Active: inactive (dead) + +If the "debug-shell.service" is loaded and not masked, this is a finding. 
+ + + Fix_Text + Configure RHEL 9 to mask the debug-shell systemd service with the following command: + +$ sudo systemctl disable --now debug-shell.target +$ sudo systemctl mask --now debug-shell.target + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + + CCI_REF + CCI-002235 + + Not_Reviewed + + + + + + + + + + version + 2 + + + classification + + + customname + + + stigid + VPN_TRUNCATED + + + description + This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 5 Benchmark Date: 07 Jun 2023 + + + title + Virtual Private Network (VPN) TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207184 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000019 + + + Rule_ID + SV-207184r695317_rule + + + Rule_Ver + SRG-NET-000019-VPN-000040 + + + Rule_Title + The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. + + + Vuln_Discuss + Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. 
+ +VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network. + + + IA_Controls + + + + Check_Content + Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration). + +Review network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network. + +If the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding, + + + Fix_Text + Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001414 + + NotAFinding + xxxxxxxxx + + + + + + + Vuln_Num + V-207185 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000041 + + + Rule_ID + SV-207185r608988_rule + + + Rule_Ver + SRG-NET-000041-VPN-000110 + + + Rule_Title + The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +In most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + + + IA_Controls + + + + Check_Content + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. + +If the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding. 
+ + + Fix_Text + Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: +"I've read & consent to terms in IS user agreem't." 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000048 + + Open + yyyyyyyyyy + + + + + + + Vuln_Num + V-207186 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000042 + + + Rule_ID + SV-207186r608988_rule + + + Rule_Ver + SRG-NET-000042-VPN-000120 + + + Rule_Title + The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. + + + Vuln_Discuss + The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. + +The banner is usually configured in NDM for client presentation as well as local logon. + +To establish acceptance of the application usage policy, a click-through banner at application logon is required. The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary. + + + IA_Controls + + + + Check_Content + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. 
+ +Verify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access. + +If the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding. + + + Fix_Text + Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000050 + + Not_Applicable + xxxxxxxxxxx + + + + + + + Vuln_Num + V-207187 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000043 + + + Rule_ID + SV-207187r608988_rule + + + Rule_Ver + SRG-NET-000043-VPN-000130 + + + Rule_Title + The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. 
This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." 
+ + + IA_Controls + + + + Check_Content + Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." 
+ +If the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding. + + + Fix_Text + Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001384 + + + CCI_REF + CCI-001385 + + + CCI_REF + CCI-001386 + + + CCI_REF + CCI-001387 + + + CCI_REF + CCI-001388 + + Not_Reviewed + xxxxxxxxx + + + + + + + Vuln_Num + V-207188 + + + Severity + low + + + Weight + 10.0 + + + Group_Title + SRG-NET-000049 + + + Rule_ID + SV-207188r608988_rule + + + Rule_Ver + SRG-NET-000049-VPN-000150 + + + Rule_Title + The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). + + + Vuln_Discuss + Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary. + + + IA_Controls + + + + Check_Content + Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. 
If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding. + +If the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding. + + + Fix_Text + Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000053 + + NotAFinding + xxxxxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-207189 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000053 + + + Rule_ID + SV-207189r608988_rule + + + Rule_Ver + SRG-NET-000053-VPN-000170 + + + Rule_Title + The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number. + + + Vuln_Discuss + VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. + +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. + +The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited. 
+ + + IA_Controls + + + + Check_Content + Inspect the VPN Gateway configuration. Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP). + +If the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding. + + + Fix_Text + Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000054 + + Not_Reviewed + xxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-207190 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-NET-000062 + + + Rule_ID + SV-207190r803417_rule + + + Rule_Ver + SRG-NET-000062-VPN-000200 + + + Rule_Title + The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections. + + + Vuln_Discuss + Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. + +NIST SP 800-52 Rev2 provides guidance for client negotiation on either DoD-only or public-facing servers. + + + IA_Controls + + + + Check_Content + Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission. + +If the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding. 
+ + + Fix_Text + Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000068 + + NotAFinding + xxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. 
+ +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + yyyyyyyyyyyyyyyyyyyyyyyyy + zzzzzzzzzzzzzzzzzzzzzz + + + + + + Vuln_Num + V-207192 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207192r916146_rule + + + Rule_Ver + SRG-NET-000063-VPN-000220 + + + Rule_Title + The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + + + Vuln_Discuss + Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. + +SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. + +The remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. + + + IA_Controls + + + + Check_Content + Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. 
+ +If the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Not_Reviewed + + + + + + + + Vuln_Num + V-207193 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-NET-000074 + + + Rule_ID + SV-207193r916149_rule + + + Rule_Ver + SRG-NET-000074-VPN-000250 + + + Rule_Title + The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. + + + Vuln_Discuss + Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be. + + + IA_Controls + + + + Check_Content + Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1. + +View the IKE options dh-group option. + +If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding. + + + Fix_Text + Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000068 + + Not_Reviewed + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Asset_b-VPN_TRUNCATED-V2R5.ckl b/WATCHER-test-files/WATCHER/ckl/Asset_b-VPN_TRUNCATED-V2R5.ckl new file mode 100644 index 0000000..26bc56c --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Asset_b-VPN_TRUNCATED-V2R5.ckl 
@@ -0,0 +1,1161 @@ + + + + + + None + Computing + NONE + Asset_bbbbbbbbb + + + + + + 2777 + false + + + + + + + + version + 2 + + + classification + + + customname + + + stigid + VPN_TRUNCATED + + + description + This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 5 Benchmark Date: 07 Jun 2023 + + + title + Virtual Private Network (VPN) TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207184 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000019 + + + Rule_ID + SV-207184r695317_rule + + + Rule_Ver + SRG-NET-000019-VPN-000040 + + + Rule_Title + The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. + + + Vuln_Discuss + Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. + +VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network. + + + IA_Controls + + + + Check_Content + Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration). + +Review network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network. + +If the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding, + + + Fix_Text + Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001414 + + NotAFinding + xxxxxxxxxxxx + + + + + + + Vuln_Num + V-207185 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000041 + + + Rule_ID + SV-207185r608988_rule + + + Rule_Ver + SRG-NET-000041-VPN-000110 + + + Rule_Title + The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
+ +In most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + + + IA_Controls + + + + Check_Content + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. + +If the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding. + + + Fix_Text + Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: +"I've read & consent to terms in IS user agreem't." + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000048 + + Not_Applicable + xxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-207186 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000042 + + + Rule_ID + SV-207186r608988_rule + + + Rule_Ver + SRG-NET-000042-VPN-000120 + + + Rule_Title + The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. + + + Vuln_Discuss + The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. + +The banner is usually configured in NDM for client presentation as well as local logon. 
+ +To establish acceptance of the application usage policy, a click-through banner at application logon is required. The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary. + + + IA_Controls + + + + Check_Content + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Verify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access. + +If the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding. + + + Fix_Text + Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000050 + + Open + yyyyyyyyyyyyyyyyyyyyyy + + + + + + + Vuln_Num + V-207187 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000043 + + + Rule_ID + SV-207187r608988_rule + + + Rule_Ver + SRG-NET-000043-VPN-000130 + + + Rule_Title + The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + + + IA_Controls + + + + Check_Content + Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +If the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding. + + + Fix_Text + Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001384 + + + CCI_REF + CCI-001385 + + + CCI_REF + CCI-001386 + + + CCI_REF + CCI-001387 + + + CCI_REF + CCI-001388 + + Open + yyyyyyyyyyyyyyyyyyyyyyy + zzzzzzzzzzzzzzzzzzzzzzzzzzz + + + + + + Vuln_Num + V-207188 + + + Severity + low + + + Weight + 10.0 + + + Group_Title + SRG-NET-000049 + + + Rule_ID + SV-207188r608988_rule + + + Rule_Ver + SRG-NET-000049-VPN-000150 + + + Rule_Title + The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). + + + Vuln_Discuss + Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary. + + + IA_Controls + + + + Check_Content + Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding. 
+ +If the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding. + + + Fix_Text + Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000053 + + Not_Reviewed + xxxxxxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-207189 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000053 + + + Rule_ID + SV-207189r608988_rule + + + Rule_Ver + SRG-NET-000053-VPN-000170 + + + Rule_Title + The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number. + + + Vuln_Discuss + VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. + +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. + +The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited. + + + IA_Controls + + + + Check_Content + Inspect the VPN Gateway configuration. 
Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP). + +If the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding. + + + Fix_Text + Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000054 + + Not_Reviewed + xxxxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-207190 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-NET-000062 + + + Rule_ID + SV-207190r803417_rule + + + Rule_Ver + SRG-NET-000062-VPN-000200 + + + Rule_Title + The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections. + + + Vuln_Discuss + Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. + +NIST SP 800-52 Rev2 provides guidance for client negotiation on either DoD-only or public-facing servers. + + + IA_Controls + + + + Check_Content + Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission. + +If the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding. 
+ + + Fix_Text + Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000068 + + Not_Reviewed + + + + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. 
+ +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Not_Reviewed + + + + + + + + Vuln_Num + V-207192 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207192r916146_rule + + + Rule_Ver + SRG-NET-000063-VPN-000220 + + + Rule_Title + The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + + + Vuln_Discuss + Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. + +SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. + +The remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. + + + IA_Controls + + + + Check_Content + Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. 
+ +If the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Not_Reviewed + + + + + + + + Vuln_Num + V-207193 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-NET-000074 + + + Rule_ID + SV-207193r916149_rule + + + Rule_Ver + SRG-NET-000074-VPN-000250 + + + Rule_Title + The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. + + + Vuln_Discuss + Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be. + + + IA_Controls + + + + Check_Content + Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1. + +View the IKE options dh-group option. + +If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding. + + + Fix_Text + Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000068 + + Not_Reviewed + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Asset_b-multi-stig.ckl b/WATCHER-test-files/WATCHER/ckl/Asset_b-multi-stig.ckl new file mode 100644 index 0000000..e43015f --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Asset_b-multi-stig.ckl 
@@ -0,0 +1,3675 @@ + + + + + + None + Computing + NONE + Asset_bbbbbbbbb + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_8_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 12 Benchmark Date: 25 Oct 2023 + + + title + Red Hat Enterprise Linux 8 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-230221 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-230221r858734_rule + + + Rule_Ver + RHEL-08-010000 + + + Rule_Title + RHEL 8 must be a vendor-supported release. + + + Vuln_Discuss + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. +Note: The life-cycle time spans and dates are subject to adjustment. 
+ + + IA_Controls + + + + Check_Content + Verify the version of the operating system is vendor supported. + +Note: The lifecycle time spans and dates are subject to adjustment. + +Check the version of the operating system with the following command: + +$ sudo cat /etc/redhat-release + +Red Hat Enterprise Linux Server release 8.6 (Ootpa) + +Current End of Extended Update Support for RHEL 8.1 is 30 November 2021. + +Current End of Extended Update Support for RHEL 8.2 is 30 April 2022. + +Current End of Extended Update Support for RHEL 8.4 is 31 May 2023. + +Current End of Maintenance Support for RHEL 8.5 is 31 May 2022. + +Current End of Extended Update Support for RHEL 8.6 is 31 May 2024. + +Current End of Maintenance Support for RHEL 8.7 is 31 May 2023. + +Current End of Extended Update Support for RHEL 8.8 is 31 May 2025. + +Current End of Maintenance Support for RHEL 8.9 is 31 May 2024. + +Current End of Maintenance Support for RHEL 8.10 is 31 May 2029. + +If the release is not supported by the vendor, this is a finding. + + + Fix_Text + Upgrade to a supported version of RHEL 8. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000366 + + NotAFinding + xxxxxxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-230222 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-230222r627750_rule + + + Rule_Ver + RHEL-08-010010 + + + Rule_Title + RHEL 8 vendor packaged system security patches and updates must be installed and up to date. + + + Vuln_Discuss + Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. 
However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. + + + IA_Controls + + + + Check_Content + Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). + +Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. + +Check that the available package security updates have been installed on the system with the following command: + +$ sudo yum history list | more + +Loaded plugins: langpacks, product-id, subscription-manager +ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- +70 | install aide | 2020-03-05 10:58 | Install | 1 +69 | update -y | 2020-03-04 14:34 | Update | 18 EE +68 | install vlc | 2020-02-21 17:12 | Install | 21 +67 | update -y | 2020-02-21 17:04 | Update | 7 EE + +If package updates have not been performed on the system within the timeframe the site/program documentation requires, this is a finding. + +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. 
+ +If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding. + + + Fix_Text + Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000366 + + Not_Applicable + xxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-230223 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000033-GPOS-00014 + + + Rule_ID + SV-230223r928585_rule + + + Rule_Ver + RHEL-08-010020 + + + Rule_Title + RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. + + + Vuln_Discuss + Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. 
+ +The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. + +Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223 + + + IA_Controls + + + + Check_Content + Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions. + +Check to see if FIPS mode is enabled with the following command: + + $ fips-mode-setup --check + FIPS mode is enabled + +If FIPS mode is "enabled", check to see if the kernel boot parameter is configured for FIPS mode with the following command: + + $ sudo grub2-editenv list | grep fips + kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 + +If the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command: + + $ sudo cat /proc/sys/crypto/fips_enabled + 1 + +If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding. 
+ + + Fix_Text + Configure the operating system to implement DOD-approved encryption by following the steps below: + +To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. + +Enable FIPS mode after installation (not strict FIPS-compliant) with the following command: + + $ sudo fips-mode-setup --enable + +Reboot the system for the changes to take effect. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000068 + + Open + yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy + + + + + + + Vuln_Num + V-230224 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000185-GPOS-00079 + + + Rule_ID + SV-230224r917864_rule + + + Rule_Ver + RHEL-08-010030 + + + Rule_Title + All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. + + + Vuln_Discuss + RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). 
+ +Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184 + + + IA_Controls + + + + Check_Content + Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. + +If there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable. + +Verify all system partitions are encrypted with the following command: + + $ sudo blkid + + /dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" + +Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. + +If there is no evidence that these partitions are encrypted, this is a finding. + + + Fix_Text + Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption. + +Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-001199 + + Open + yyyyyyyyyyyyyyyyyyyyyy + zzzzzzzzzzzzzzzzzzzzzzzzzzzzz + + + + + + Vuln_Num + V-230225 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000023-GPOS-00006 + + + Rule_ID + SV-230225r858694_rule + + + Rule_Ver + RHEL-08-010040 + + + Rule_Title + RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + IA_Controls + + + + Check_Content + Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + +Check for the location of the banner file being used with the following command: + +$ sudo grep -ir banner /etc/ssh/sshd_config* + +banner /etc/issue + +This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue"). + +If the line is commented out, this is a finding. +If conflicting results are returned, this is a finding. + +View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. + +If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. + + + Fix_Text + Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh. + +Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). 
An example configuration line is: + +banner /etc/issue + +Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD-required text is: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +The SSH service must be restarted for changes to take effect. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000048 + + Not_Reviewed + xxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-230226 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000023-GPOS-00006 + + + Rule_ID + SV-230226r743916_rule + + + Rule_Ver + RHEL-08-010050 + + + Rule_Title + RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + IA_Controls + + + + Check_Content + Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. + +Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. + +Check that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command: + +$ sudo grep banner-message-text /etc/dconf/db/local.d/* + +banner-message-text= +'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' + +Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface. + +If the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding. + + + Fix_Text + Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + +Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. + +Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": + +banner-message-text='You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' + +Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface. 
+ +Run the following command to update the database: + +$ sudo dconf update + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000048 + + Not_Reviewed + xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-230227 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000023-GPOS-00006 + + + Rule_ID + SV-230227r627750_rule + + + Rule_Ver + RHEL-08-010060 + + + Rule_Title + RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. 
+ +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + IA_Controls + + + + Check_Content + Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon. + +Check that RHEL 8 displays a banner at the command line login screen with the following command: + +$ sudo cat /etc/issue + +If the banner is set correctly it will return the following text: + +“You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” + +If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding. + + + Fix_Text + Configure RHEL 8 to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via command line logon. + +Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD-required text is: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
+ +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000048 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230228 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000032-GPOS-00013 + + + Rule_ID + SV-230228r627750_rule + + + Rule_Ver + RHEL-08-010070 + + + Rule_Title + All RHEL 8 remote access methods must be monitored. + + + Vuln_Discuss + Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. + +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
+ +Automated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + + + IA_Controls + + + + Check_Content + Verify that RHEL 8 monitors all remote access methods. + +Check that remote access methods are being logged by running the following command: + +$ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf + +auth.*;authpriv.*;daemon.* /var/log/secure + +If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding. + + + Fix_Text + Configure RHEL 8 to monitor all remote access methods by installing rsyslog with the following command: + +$ sudo yum install rsyslog + +Then add or update the following lines to the "/etc/rsyslog.conf" file: + +auth.*;authpriv.*;daemon.* /var/log/secure + +The "rsyslog" service must be restarted for the changes to take effect. To restart the "rsyslog" service, run the following command: + +$ sudo systemctl restart rsyslog.service + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000067 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230229 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000066-GPOS-00034 + + + Rule_ID + SV-230229r858739_rule + + + Rule_Ver + RHEL-08-010090 + + + Rule_Title + RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. 
+ + + Vuln_Discuss + Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. + +A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. + +When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. + +This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. + +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167 + + + IA_Controls + + + + Check_Content + Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor. + +Note: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. + +Check that the system has a valid DoD root CA installed with the following command: + +$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem + +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, O = U.S. 
Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 + Validity + Not Before: Mar 20 18:46:41 2012 GMT + Not After : Dec 30 18:46:41 2029 GMT + Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + +If the root ca file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding. + + + Fix_Text + Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. + +Obtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file: + +/etc/sssd/pki/sssd_auth_ca_db.pem + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000185 + + Not_Reviewed + + + + + + + + Vuln_Num + V-230230 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000067-GPOS-00035 + + + Rule_ID + SV-230230r627750_rule + + + Rule_Ver + RHEL-08-010100 + + + Rule_Title + RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. + + + Vuln_Discuss + If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed. + + + IA_Controls + + + + Check_Content + Verify the SSH private key files have a passcode. + +For each private key stored on the system, use the following command: + +$ sudo ssh-keygen -y -f /path/to/file + +If the contents of the key are displayed, this is a finding. 
+ + + Fix_Text + Create a new private and public key pair that utilizes a passcode with the following command: + +$ sudo ssh-keygen -n [passphrase] + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 8 TRUNCATED :: Version 1, Release: 12 Benchmark Date: 25 Oct 2023 + + + CCI_REF + CCI-000186 + + Not_Reviewed + + + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-257777 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257777r925318_rule + + + Rule_Ver + RHEL-09-211010 + + + Rule_Title + RHEL 9 must be a vendor-supported release. + + + Vuln_Discuss + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. 
+ + + IA_Controls + + + + Check_Content + Verify that the version or RHEL 9 is vendor supported with the following command: + +$ cat /etc/redhat-release + +Red Hat Enterprise Linux release 9.2 (Plow) + +If the installed version of RHEL 9 is not supported, this is a finding. + + + Fix_Text + Upgrade to a supported version of RHEL 9. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + NotAFinding + xxxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-257778 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257778r925321_rule + + + Rule_Ver + RHEL-09-211015 + + + Rule_Title + RHEL 9 vendor packaged system security patches and updates must be installed and up to date. + + + Vuln_Discuss + Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. + + + IA_Controls + + + + Check_Content + Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy. + +Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. 
+ +Check that the available package security updates have been installed on the system with the following command: + +$ dnf history list | more + + ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- + 70 | install aide | 2023-03-05 10:58 | Install | 1 + 69 | update -y | 2023-03-04 14:34 | Update | 18 EE + 68 | install vlc | 2023-02-21 17:12 | Install | 21 + 67 | update -y | 2023-02-21 17:04 | Update | 7 EE + +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. + +If the system is in noncompliance with the organizational patching policy, this is a finding. + + + Fix_Text + Install RHEL 9 security patches and updates at the organizationally defined frequency. If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command: + +$ sudo dnf update + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Applicable + xxxxxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-257779 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000023-GPOS-00006 + + + Rule_ID + SV-257779r925324_rule + + + Rule_Ver + RHEL-09-211020 + + + Rule_Title + RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. 
+ + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon. + +Check that a banner is displayed at the command line login screen with the following command: + +$ sudo cat /etc/issue + +If the banner is set correctly it will return the following text: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +If the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding. + + + Fix_Text + Configure RHEL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via command line logon. + +Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000048 + + + CCI_REF + CCI-001384 + + + CCI_REF + CCI-001385 + + + CCI_REF + CCI-001386 + + + CCI_REF + CCI-001387 + + + CCI_REF + CCI-001388 + + Open + yyyyyyyyyyyyyyyyyyyyyyy + + + + + + + Vuln_Num + V-257780 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000191-GPOS-00080 + + + Rule_ID + SV-257780r925327_rule + + + Rule_Ver + RHEL-09-211025 + + + Rule_Title + RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool. + + + Vuln_Discuss + Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. + +To support this requirement, the operating system may have an integrated solution incorporating continuous scanning using ESS and periodic scanning using other tools, as specified in the requirement. + + + IA_Controls + + + + Check_Content + Verify that RHEL 9 has implemented the Endpoint Security for Linux Threat Prevention tool. + +Check that the following package has been installed: + +$ sudo rpm -qa | grep -i mcafeetp + +If the "mcafeetp" package is not installed, this is a finding. 
+ +Verify that the daemon is running: + +$ sudo ps -ef | grep -i mfetpd + +If the daemon is not running, this is a finding. + + + Fix_Text + Install and enable the latest McAfee ENSLTP package. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-001233 + + Open + yyyyyyyyyyyyyyyyyyyyyyy + zzzzzzzzzzzzzzzzzzzzzzzzzz + + + + + + Vuln_Num + V-257781 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257781r925330_rule + + + Rule_Ver + RHEL-09-211030 + + + Rule_Title + The graphical display manager must not be the default target on RHEL 9 unless approved. + + + Vuln_Discuss + Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented. + + + IA_Controls + + + + Check_Content + Verify that RHEL 9 is configured to boot to the command line: + +$ systemctl get-default + +multi-user.target + +If the system default target is not set to "multi-user.target" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding. 
+ + + Fix_Text + Document the requirement for a graphical user interface with the ISSO or set the default target to multi-user with the following command: + +$ sudo systemctl set-default multi-user.target + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + xxxxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-257782 + + + Severity + low + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257782r925333_rule + + + Rule_Ver + RHEL-09-211035 + + + Rule_Title + RHEL 9 must enable the hardware random number generator entropy gatherer service. + + + Vuln_Discuss + The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers). + + + IA_Controls + + + + Check_Content + Verify that RHEL 9 has enabled the hardware random number generator entropy gatherer service with the following command: + +$ systemctl is-active rngd + +active + +If the "rngd" service is not active, this is a finding. 
+ + + Fix_Text + Install the rng-tools package with the following command: + +$ sudo dnf install rng-tools + +Then enable the rngd service run the following command: + +$ sudo systemctl enable --now rngd + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + xxxxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-257783 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000269-GPOS-00103 + + + Rule_ID + SV-257783r925336_rule + + + Rule_Ver + RHEL-09-211040 + + + Rule_Title + RHEL 9 systemd-journald service must be enabled. + + + Vuln_Discuss + In the event of a system failure, RHEL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes. + + + IA_Controls + + + + Check_Content + Verify that "systemd-journald" is active with the following command: + +$ systemctl is-active systemd-journald + +active + +If the systemd-journald service is not active, this is a finding. 
+ + + Fix_Text + To enable the systemd-journald service, run the following command: + +$ sudo systemctl enable --now systemd-journald + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-001665 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257784 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000324-GPOS-00125 + + + Rule_ID + SV-257784r925339_rule + + + Rule_Ver + RHEL-09-211045 + + + Rule_Title + The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. + + + Vuln_Discuss + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: + +$ grep -i ctrl /etc/systemd/system.conf + +CtrlAltDelBurstAction=none + +If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding. + + + Fix_Text + Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: + +CtrlAltDelBurstAction=none + +Reload the daemon for this change to take effect. 
+ +$ sudo systemctl daemon-reload + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + + CCI_REF + CCI-002235 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257785 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000324-GPOS-00125 + + + Rule_ID + SV-257785r925342_rule + + + Rule_Ver + RHEL-09-211050 + + + Rule_Title + The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9. + + + Vuln_Discuss + A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: + +$ sudo systemctl status ctrl-alt-del.target + +ctrl-alt-del.target +Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) +Active: inactive (dead) + +If the "ctrl-alt-del.target" is loaded and not masked, this is a finding. 
+ + + Fix_Text + Configure RHEL 9 to disable the ctrl-alt-del.target with the following command: + +$ sudo systemctl disable --now ctrl-alt-del.target +$ sudo systemctl mask --now ctrl-alt-del.target + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + + CCI_REF + CCI-002235 + + Not_Reviewed + + + + + + + + Vuln_Num + V-257786 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-OS-000324-GPOS-00125 + + + Rule_ID + SV-257786r925345_rule + + + Rule_Ver + RHEL-09-211055 + + + Rule_Title + RHEL 9 debug-shell systemd service must be disabled. + + + Vuln_Discuss + The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. + +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227 + + + IA_Controls + + + + Check_Content + Verify RHEL 9 is configured to mask the debug-shell systemd service with the following command: + +$ sudo systemctl status debug-shell.service + +debug-shell.service +Loaded: masked (Reason: Unit debug-shell.service is masked.) +Active: inactive (dead) + +If the "debug-shell.service" is loaded and not masked, this is a finding. 
+ + + Fix_Text + Configure RHEL 9 to mask the debug-shell systemd service with the following command: + +$ sudo systemctl disable --now debug-shell.target +$ sudo systemctl mask --now debug-shell.target + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + + CCI_REF + CCI-002235 + + Not_Reviewed + + + + + + + + + + version + 2 + + + classification + + + customname + + + stigid + VPN_TRUNCATED + + + description + This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 5 Benchmark Date: 07 Jun 2023 + + + title + Virtual Private Network (VPN) TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207184 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000019 + + + Rule_ID + SV-207184r695317_rule + + + Rule_Ver + SRG-NET-000019-VPN-000040 + + + Rule_Title + The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. + + + Vuln_Discuss + Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. 
+ +VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network. + + + IA_Controls + + + + Check_Content + Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration). + +Review network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network. + +If the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding, + + + Fix_Text + Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001414 + + NotAFinding + xxxxxxxxxxxx + + + + + + + Vuln_Num + V-207185 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000041 + + + Rule_ID + SV-207185r608988_rule + + + Rule_Ver + SRG-NET-000041-VPN-000110 + + + Rule_Title + The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +In most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + + + IA_Controls + + + + Check_Content + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. + +If the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding. 
+ + + Fix_Text + Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: +"I've read & consent to terms in IS user agreem't." 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000048 + + Not_Applicable + xxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-207186 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000042 + + + Rule_ID + SV-207186r608988_rule + + + Rule_Ver + SRG-NET-000042-VPN-000120 + + + Rule_Title + The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. + + + Vuln_Discuss + The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. + +The banner is usually configured in NDM for client presentation as well as local logon. + +To establish acceptance of the application usage policy, a click-through banner at application logon is required. The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary. + + + IA_Controls + + + + Check_Content + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. 
+ +Verify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access. + +If the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding. + + + Fix_Text + Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000050 + + Open + yyyyyyyyyyyyyyyyyyyyyy + + + + + + + Vuln_Num + V-207187 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000043 + + + Rule_ID + SV-207187r608988_rule + + + Rule_Ver + SRG-NET-000043-VPN-000130 + + + Rule_Title + The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. 
This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." 
+ + + IA_Controls + + + + Check_Content + Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." 
+ +If the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding. + + + Fix_Text + Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001384 + + + CCI_REF + CCI-001385 + + + CCI_REF + CCI-001386 + + + CCI_REF + CCI-001387 + + + CCI_REF + CCI-001388 + + Open + yyyyyyyyyyyyyyyyyyyyyyy + zzzzzzzzzzzzzzzzzzzzzzzzzzz + + + + + + Vuln_Num + V-207188 + + + Severity + low + + + Weight + 10.0 + + + Group_Title + SRG-NET-000049 + + + Rule_ID + SV-207188r608988_rule + + + Rule_Ver + SRG-NET-000049-VPN-000150 + + + Rule_Title + The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). + + + Vuln_Discuss + Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary. 
+ + + IA_Controls + + + + Check_Content + Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding. + +If the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding. + + + Fix_Text + Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000053 + + Not_Reviewed + xxxxxxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-207189 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000053 + + + Rule_ID + SV-207189r608988_rule + + + Rule_Ver + SRG-NET-000053-VPN-000170 + + + Rule_Title + The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number. + + + Vuln_Discuss + VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. + +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. 
The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. + +The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited. + + + IA_Controls + + + + Check_Content + Inspect the VPN Gateway configuration. Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP). + +If the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding. + + + Fix_Text + Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000054 + + Not_Reviewed + xxxxxxxxxxxxxxxxxxxxxxxxx + + + + + + + Vuln_Num + V-207190 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-NET-000062 + + + Rule_ID + SV-207190r803417_rule + + + Rule_Ver + SRG-NET-000062-VPN-000200 + + + Rule_Title + The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections. + + + Vuln_Discuss + Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. + +NIST SP 800-52 Rev2 provides guidance for client negotiation on either DoD-only or public-facing servers. 
+ + + IA_Controls + + + + Check_Content + Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission. + +If the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding. + + + Fix_Text + Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000068 + + Not_Reviewed + + + + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Not_Reviewed + + + + + + + + Vuln_Num + V-207192 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207192r916146_rule + + + Rule_Ver + SRG-NET-000063-VPN-000220 + + + Rule_Title + The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + + + Vuln_Discuss + Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. + +SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. 
+ +The remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. + + + IA_Controls + + + + Check_Content + Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + +If the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Not_Reviewed + + + + + + + + Vuln_Num + V-207193 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-NET-000074 + + + Rule_ID + SV-207193r916149_rule + + + Rule_Ver + SRG-NET-000074-VPN-000250 + + + Rule_Title + The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. + + + Vuln_Discuss + Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be. + + + IA_Controls + + + + Check_Content + Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1. 
+ +View the IKE options dh-group option. + +If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding. + + + Fix_Text + Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000068 + + Not_Reviewed + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/CA1294WK16078_Chrome_V2R8_20231211-125631-trimmed.ckl b/WATCHER-test-files/WATCHER/ckl/CA1294WK16078_Chrome_V2R8_20231211-125631-trimmed.ckl new file mode 100644 index 0000000..1f0a9ce --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/CA1294WK16078_Chrome_V2R8_20231211-125631-trimmed.ckl 
@@ -0,0 +1,480 @@ + + + + + Workstation + Computing + + CA1294WK16078 + 130.163.x.x, 192.168.x.x + 00:05:9A:3C:7A:00, 2C:DB:07:3D:E5:9B + ca1294wk16078.cranrdte.navy.mil + + + 4081 + false + + + + + + + + + version + 2 + + + classification + UNCLASSIFIED + + + customname + + + stigid + Google_Chrome_Current_Windows + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + U_Google_Chrome_STIG_V2R8_Manual-xccdf.xml + + + releaseinfo + Release: 8 Benchmark Date: 26 Jan 2023 + + + title + Google Chrome Current Windows Security Technical Implementation Guide + + + uuid + 4055d97a-e0c8-4b20-a03c-9242f6383d93 + + + notice + terms-of-use + + + source + STIG.DOD.MIL + + + + + Vuln_Num + V-221558 + + + Severity + medium + + + Group_Title + SRG-APP-000039 + + + Rule_ID + SV-221558r769351_rule + + + Rule_Ver + DTBC-0001 + + + Rule_Title + Firewall traversal from remote host must be disabled. + + + Vuln_Discuss + Remote connections should never be allowed that bypass the firewall, as there is no way to verify if they can be trusted. Enables usage of STUN and relay servers when remote clients are trying to establish a connection to this machine. If this setting is enabled, then remote clients can discover and connect to this machine even if they are separated by a firewall. If this setting is disabled and outgoing UDP connections are filtered by the firewall, then this machine will only allow connections from client machines within the local network. If this policy is left not set the setting will be enabled. + + + IA_Controls + + + + Check_Content + Universal method: + 1. 
In the omnibox (address bar) type chrome://policy + 2. If RemoteAccessHostFirewallTraversal is not displayed under the Policy Name column or it is not set to false under the Policy Value column, then this is a finding. + +Windows registry: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the RemoteAccessHostFirewallTraversal value name does not exist or its value data is not set to 0, then this is a finding. + + + + Fix_Text + Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative\Templates\Google\Google Chrome\Remote Access + Policy Name: Enable firewall traversal from remote access host + Policy State: Disabled + Policy Value: N/A + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + Check_Content_Ref + M + + + Weight + 10.0 + + + Class + Unclass + + + STIGRef + Google Chrome Current Windows Security Technical Implementation Guide :: Version 2, Release: 8 Benchmark Date: 26 Jan 2023 + + + TargetKey + 4081 + + + STIG_UUID + 6e38d515-3e60-4dcb-adf9-80623ac94a2f + + + LEGACY_ID + V-44711 + + + LEGACY_ID + SV-57545 + + + CCI_REF + CCI-001414 + + NotAFinding + Evaluate-STIG 1.2310.1 (Scan-GoogleChrome_Checks) found this to be NOT A FINDING on 12/11/2023: +------------------------------------------------------------------------ +'Enable firewall traversal from remote access host' is Disabled + +Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome +Value Name: RemoteAccessHostFirewallTraversal +Value: 0x00000000 (0) +Type: REG_DWORD + + + + + + + + Vuln_Num + V-221581 + + + Severity + medium + + + Group_Title + SRG-APP-000231 + + + Rule_ID + SV-221581r615937_rule + + + Rule_Ver + DTBC-0039 + + + Rule_Title + Browser history must be saved. 
+ + + Vuln_Discuss + This policy disables saving browser history in Google Chrome and prevents users from changing this setting. If this setting is enabled, browsing history is not saved. If this setting is disabled or not set, browsing history is saved. + + + IA_Controls + + + + Check_Content + Universal method: + 1. In the omnibox (address bar) type chrome://policy + 2. If the policy 'SavingBrowserHistoryDisabled' is not shown or is not set to false, then this is a finding. + +Windows method: + 1. Start regedit + 2. Navigate to HKLM\Software\Policies\Google\Chrome\ + 3. If the SavingBrowserHistoryDisabled value name does not exist or its value data is not set to 0, then this is a finding. + + + + Fix_Text + Windows group policy: + 1. Open the group policy editor tool with gpedit.msc + 2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Google\Google Chrome\ + Policy Name: Disable saving browser history + Policy State: Disabled + Policy Value: N/A + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + Check_Content_Ref + M + + + Weight + 10.0 + + + Class + Unclass + + + STIGRef + Google Chrome Current Windows Security Technical Implementation Guide :: Version 2, Release: 8 Benchmark Date: 26 Jan 2023 + + + TargetKey + 4081 + + + STIG_UUID + d2321d36-170e-42b1-aad9-af5041954074 + + + LEGACY_ID + V-44793 + + + LEGACY_ID + SV-57627 + + + CCI_REF + CCI-001199 + + NotAFinding + Evaluate-STIG 1.2310.1 (Scan-GoogleChrome_Checks) found this to be NOT A FINDING on 12/11/2023: +------------------------------------------------------------------------ +'Disable saving browser history' is Disabled + +Registry Path: HKLM:\SOFTWARE\Policies\Google\Chrome +Value Name: SavingBrowserHistoryDisabled +Value: 0x00000000 (0) +Type: REG_DWORD + + + + + + + + + Vuln_Num + V-221584 + + 
+ Severity + medium + + + Group_Title + SRG-APP-000456 + + + Rule_ID + SV-221584r850366_rule + + + Rule_Ver + DTBC-0050 + + + Rule_Title + The version of Google Chrome running on the system must be a supported version. + + + Vuln_Discuss + Google Chrome is being continually updated by the vendor in order to address identified security vulnerabilities. Running an older version of the browser can introduce security vulnerabilities to the system. + + + IA_Controls + + + + Check_Content + Universal method: +1. In the omnibox (address bar) type chrome://settings/help +2. Cross-reference the build information displayed with the Google Chrome site to identify, at minimum, the oldest supported build available. As of July 2019, this is 74.x.x. +3. If the installed version of Chrome is not supported by Google, this is a finding. + + + Fix_Text + Install a supported version of Google Chrome. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + Check_Content_Ref + M + + + Weight + 10.0 + + + Class + Unclass + + + STIGRef + Google Chrome Current Windows Security Technical Implementation Guide :: Version 2, Release: 8 Benchmark Date: 26 Jan 2023 + + + TargetKey + 4081 + + + STIG_UUID + 14692950-410a-4e68-a92d-8419c30a35f8 + + + LEGACY_ID + V-44805 + + + LEGACY_ID + SV-57639 + + + CCI_REF + CCI-002605 + + NotAFinding + Google Chrome version information: + +Google Chrome (119.0.6045.200) + + Evaluate-STIG answer file for Key 'DEFAULT' is changing the Status from 'Not_Reviewed' to 'NotAFinding' and providing the below comment on 12/11/2023: + +[ValidTrueComment]: +Google Chrome is fully managed by NSWC Crane's configuration management tool to ensure the latest version is deployed to clients. + + + + + + + + \ No newline at end of file 
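Review bot: The asset header of this fixture still carries what look like real identifiers: the FQDN `ca1294wk16078.cranrdte.navy.mil`, the MAC pair `00:05:9A:3C:7A:00, 2C:DB:07:3D:E5:9B`, and a site-specific comment naming "NSWC Crane's configuration management tool" — while the IP field was masked to `130.163.x.x, 192.168.x.x`, which suggests the redaction was incomplete. Since the README installs this package from a public GitHub URL, the parser tests presumably only need well-formed values, so I would replace these with synthetic ones before merge, e.g. `testhost01.example.test` for the host and the RFC 7042 documentation range `00:00:5E:00:53:01, 00:00:5E:00:53:02` for the MACs, and neutralise the free-text comment. If the original values have already been pushed, the history should be scrubbed as well, since a commit amend alone does not remove them.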
diff --git a/WATCHER-test-files/WATCHER/ckl/GoodStatistics.ckl b/WATCHER-test-files/WATCHER/ckl/GoodStatistics.ckl
new file mode 100644
index 0000000..300519e
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/ckl/GoodStatistics.ckl
@@ -0,0 +1,953 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 2 + + + classification + + + customname + + + stigid + VPN_TRUNCATED + + + description + This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 5 Benchmark Date: 07 Jun 2023 + + + title + Virtual Private Network (VPN) TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207184 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000019 + + + Rule_ID + SV-207184r695317_rule + + + Rule_Ver + SRG-NET-000019-VPN-000040 + + + Rule_Title + The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. + + + Vuln_Discuss + Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. + +VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network. + + + IA_Controls + + + + Check_Content + Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration). + +Review network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network. + +If the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding, + + + Fix_Text + Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001414 + + NotAFinding + NotAFindingWithADetail + + + + + + + Vuln_Num + V-207185 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000041 + + + Rule_ID + SV-207185r608988_rule + + + Rule_Ver + SRG-NET-000041-VPN-000110 + + + Rule_Title + The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. 
+ +In most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + + + IA_Controls + + + + Check_Content + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. + +If the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding. + + + Fix_Text + Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: +"I've read & consent to terms in IS user agreem't." + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000048 + + NotAFinding + + + + + + + + Vuln_Num + V-207187 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000043 + + + Rule_ID + SV-207187r608988_rule + + + Rule_Ver + SRG-NET-000043-VPN-000130 + + + Rule_Title + The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + + + Vuln_Discuss + Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. 
+ +The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + + + IA_Controls + + + + Check_Content + Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. 
Use the following verbiage for network elements that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +If the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding. + + + Fix_Text + Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001384 + + + CCI_REF + CCI-001385 + + + CCI_REF + CCI-001386 + + + CCI_REF + CCI-001387 + + + CCI_REF + CCI-001388 + + Open + xyz + + + + + + + Vuln_Num + V-207188 + + + Severity + low + + + Weight + 10.0 + + + Group_Title + SRG-NET-000049 + + + Rule_ID + SV-207188r608988_rule + + + Rule_Ver + SRG-NET-000049-VPN-000150 + + + Rule_Title + The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). + + + Vuln_Discuss + Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary. + + + IA_Controls + + + + Check_Content + Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding. + +If the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding. 
+ + + Fix_Text + Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000053 + + Open + + + + + + + + Vuln_Num + V-207190 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-NET-000062 + + + Rule_ID + SV-207190r803417_rule + + + Rule_Ver + SRG-NET-000062-VPN-000200 + + + Rule_Title + The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections. + + + Vuln_Discuss + Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. + +NIST SP 800-52 Rev2 provides guidance for client negotiation on either DoD-only or public-facing servers. + + + IA_Controls + + + + Check_Content + Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission. + +If the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding. + + + Fix_Text + Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000068 + + Not_Reviewed + xyz + + + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. 
+ +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Not_Reviewed + + + + + + + + Vuln_Num + V-207193 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-NET-000074 + + + Rule_ID + SV-207193r916149_rule + + + Rule_Ver + SRG-NET-000074-VPN-000250 + + + Rule_Title + The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. + + + Vuln_Discuss + Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be. + + + IA_Controls + + + + Check_Content + Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1. + +View the IKE options dh-group option. + +If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding. + + + Fix_Text + Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000068 + + Not_Applicable + + + + + + + + Vuln_Num + V-207193 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-NET-000074 + + + Rule_ID + SV-207193r916149_rule + + + Rule_Ver + SRG-NET-000074-VPN-000250 + + + Rule_Title + The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. + + + Vuln_Discuss + Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. Hence, the larger the modulus, the more secure the generated key is considered to be. + + + IA_Controls + + + + Check_Content + Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1. + +View the IKE options dh-group option. + +If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding. + + + Fix_Text + Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-000068 + + Not_Applicable + + + + + + + + 
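Review bot: The last two VULN entries of this fixture are both V-207193 / `SV-207193r916149_rule`, each with status `Not_Applicable`, so the file contains a duplicated rule. If that is deliberate to exercise ReviewParser's duplicate-rule handling, the test that consumes GoodStatistics.ckl should assert explicitly which entry wins and what the resulting review count and status tallies are, because a CKL from an untrusted source could otherwise use a trailing duplicate to silently override an earlier status; I cannot see that test from here. A marker in the fixture itself would also stop a future cleanup from "fixing" it, e.g. `<!-- V-207193 intentionally duplicated: exercises duplicate-rule handling -->` above the second entry. If the duplication is accidental, drop the second copy, since the file's name implies its statistics are meant to be the reference values.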
diff --git a/WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl b/WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl
new file mode 100644
index 0000000..7d4709a
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl
@@ -0,0 +1,752 @@ + + + + + + None + Non-Computing + NONE + MyAsset + 1.1.1.1 + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_5_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-5 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-5_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + NotAFinding + + xyz + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_4_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. 
+ + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-4 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-4_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. 
+ + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + + xyz + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_3_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-3 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-3_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. 
+ +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Not_Applicable + + xyz + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_2_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. 
The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-2 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-2_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. 
+ +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Not_Reviewed + + + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_1_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-1 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-1_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. 
+ + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Not_Reviewed + + xyz + + + + + + 
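Review bot: The five iSTIG blocks in this fixture all carry the same STIG_INFO `uuid` (`391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2`), the same `title` ("Red Hat Enterprise Linux 9 TRUNCATED") and the same `Rule_Ver`, while only `stigid` (RHEL_5_TRUNCATED … RHEL_1_TRUNCATED) and `Vuln_Num`/`Rule_ID` differ, and the per-rule `STIGRef` names a VPN STIG rather than RHEL. For a fixture named "Simple" that self-contradictory metadata makes it unclear which field the parser is expected to key on, so a test failure here cannot be traced to a single field; I cannot see ReviewParser.js in this chunk, so whether the parser groups on `stigid`, `uuid` or `Rule_Ver` is inferred. I would give each iSTIG a distinct `uuid` and align `title`/`STIGRef` with the `stigid`, or add a short XML comment at the top of the file stating the intent, e.g. `<!-- five iSTIGs sharing one uuid/title on purpose: parser must group by stigid only -->`. The fixture also mixes a `Not_Reviewed` with an empty COMMENTS (V-2) and one with `xyz` (V-1); if that contrast is deliberate, a comment naming it would keep it from being "normalised" away later.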
diff --git a/WATCHER-test-files/WATCHER/ckl/NoASSETelement.ckl b/WATCHER-test-files/WATCHER/ckl/NoASSETelement.ckl
new file mode 100644
index 0000000..8d79552
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/ckl/NoASSETelement.ckl
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/NoCHECKLISTelement.ckl b/WATCHER-test-files/WATCHER/ckl/NoCHECKLISTelement.ckl new file mode 100644 index 0000000..237e6cb --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/NoCHECKLISTelement.ckl 
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/NoResult.ckl b/WATCHER-test-files/WATCHER/ckl/NoResult.ckl new file mode 100644 index 0000000..5f4e824 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/NoResult.ckl 
@@ -0,0 +1,164 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-257777 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257777r925318_rule + + + Rule_Ver + RHEL-09-211010 + + + Rule_Title + RHEL 9 must be a vendor-supported release. + + + Vuln_Discuss + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. + + + IA_Controls + + + + Check_Content + Verify that the version or RHEL 9 is vendor supported with the following command:$ cat /etc/redhat-release Red Hat Enterprise Linux release 9.2 (Plow)If the installed version of RHEL 9 is not supported, this is a finding. + + + Fix_Text + Upgrade to a supported version of RHEL 9. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + + aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa + + 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/NoRuleId.ckl b/WATCHER-test-files/WATCHER/ckl/NoRuleId.ckl new file mode 100644 index 0000000..0bb2d5f --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/NoRuleId.ckl 
@@ -0,0 +1,162 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-257777 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + + + + Rule_Ver + RHEL-09-211010 + + + Rule_Title + RHEL 9 must be a vendor-supported release. + + + Vuln_Discuss + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. + + + IA_Controls + + + + Check_Content + Verify that the version or RHEL 9 is vendor supported with the following command:$ cat /etc/redhat-release Red Hat Enterprise Linux release 9.2 (Plow)If the installed version of RHEL 9 is not supported, this is a finding. + + + Fix_Text + Upgrade to a supported version of RHEL 9. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/NoSID_DATAforStigId.ckl b/WATCHER-test-files/WATCHER/ckl/NoSID_DATAforStigId.ckl new file mode 100644 index 0000000..cd34084 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/NoSID_DATAforStigId.ckl 
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + MyAsset + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/NoSTIGSelement.ckl b/WATCHER-test-files/WATCHER/ckl/NoSTIGSelement.ckl new file mode 100644 index 0000000..ca11c01 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/NoSTIGSelement.ckl 
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/ResultEngineInvalidComment.ckl b/WATCHER-test-files/WATCHER/ckl/ResultEngineInvalidComment.ckl new file mode 100644 index 0000000..4c7960c --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/ResultEngineInvalidComment.ckl 
@@ -0,0 +1,196 @@ + + + + + None + Computing + DESKTOP-x516M + 192.168.0.83 + C0:B5:D7:90:FE:F1 + desktop-x516m.workgroup + + + 4072 + false + + + + + + + + version + 2 + + + classification + UNCLASSIFIED + + + customname + + + stigid + MS_Windows_10_STIG + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + U_MS_Windows_10_STIG_V2R4_Manual-xccdf.xml + + + releaseinfo + Release: 4 Benchmark Date: 31 May 2022 + + + title + Microsoft Windows 10 Security Technical Implementation Guide + + + uuid + e58a6c9c-37d0-48c3-a1fa-c48908e2e3eb + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-220697 + + + Severity + medium + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-220697r569187_rule + + + Rule_Ver + WN10-00-000005 + + + Rule_Title + Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version. + + + Vuln_Discuss + Features such as Credential Guard use virtualization based security to protect information that could be used in credential theft attacks if compromised. There are a number of system requirements that must be met in order for Credential Guard to be configured and enabled properly. Virtualization based security and Credential Guard are only available with Windows 10 Enterprise 64-bit version. + + + IA_Controls + + + + Check_Content + Verify domain-joined systems are using Windows 10 Enterprise Edition 64-bit version. + +For standalone systems, this is NA. + +Open "Settings". + +Select "System", then "About". + +If "Edition" is not "Windows 10 Enterprise", this is a finding. + +If "System type" is not "64-bit operating system…", this is a finding. 
+ + + Fix_Text + Use Windows 10 Enterprise 64-bit version for domain-joined systems. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + Check_Content_Ref + M + + + Weight + 10.0 + + + Class + Unclass + + + STIGRef + Microsoft Windows 10 Security Technical Implementation Guide :: Version 2, Release: 4 Benchmark Date: 31 May 2022 + + + TargetKey + 4072 + + + STIG_UUID + 09bbafe1-eaff-4c31-96f5-67cdd6b63ae0 + + + LEGACY_ID + V-63319 + + + LEGACY_ID + SV-77809 + + + CCI_REF + CCI-000366 + + Not_Applicable + x + + + + + + + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/ckl/ResultEngineWithEvalStigModule.ckl b/WATCHER-test-files/WATCHER/ckl/ResultEngineWithEvalStigModule.ckl new file mode 100644 index 0000000..d58c72f --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/ResultEngineWithEvalStigModule.ckl 
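Review bot: The asset block at the top of this fixture carries what looks like a captured workstation identity rather than invented test data — host name `DESKTOP-x516M`, address `192.168.0.83`, MAC `C0:B5:D7:90:FE:F1` and FQDN `desktop-x516m.workgroup` — and the same block is repeated in ResultEngineWithEvalStigModule.ckl and ResultEngineWithEvalStigModuleAndOverride.ckl in this commit. Fixtures committed to a public repository should use clearly synthetic identifiers so that no real host fingerprint is published and a reader does not mistake these values for meaningful inputs; the RHEL fixtures in the same commit already follow that pattern with `Asset_aaaaaaaaaa` and `NONE`. Presumably the tests only exercise parsing of the surrounding fields, so swapping in placeholders (constructed examples: a documentation-range address such as `192.0.2.10`, a locally-administered MAC such as `02:00:00:00:00:01`, and a host name like `TEST-HOST-01`) should not change what they cover.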
@@ -0,0 +1,195 @@ + + + + + None + Computing + DESKTOP-x516M + 192.168.0.83 + C0:B5:D7:90:FE:F1 + desktop-x516m.workgroup + + + 4072 + false + + + + + + + + version + 2 + + + classification + UNCLASSIFIED + + + customname + + + stigid + MS_Windows_10_STIG + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + U_MS_Windows_10_STIG_V2R4_Manual-xccdf.xml + + + releaseinfo + Release: 4 Benchmark Date: 31 May 2022 + + + title + Microsoft Windows 10 Security Technical Implementation Guide + + + uuid + e58a6c9c-37d0-48c3-a1fa-c48908e2e3eb + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-220697 + + + Severity + medium + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-220697r569187_rule + + + Rule_Ver + WN10-00-000005 + + + Rule_Title + Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version. + + + Vuln_Discuss + Features such as Credential Guard use virtualization based security to protect information that could be used in credential theft attacks if compromised. There are a number of system requirements that must be met in order for Credential Guard to be configured and enabled properly. Virtualization based security and Credential Guard are only available with Windows 10 Enterprise 64-bit version. + + + IA_Controls + + + + Check_Content + Verify domain-joined systems are using Windows 10 Enterprise Edition 64-bit version. + +For standalone systems, this is NA. + +Open "Settings". + +Select "System", then "About". + +If "Edition" is not "Windows 10 Enterprise", this is a finding. + +If "System type" is not "64-bit operating system…", this is a finding. 
+ + + Fix_Text + Use Windows 10 Enterprise 64-bit version for domain-joined systems. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + Check_Content_Ref + M + + + Weight + 10.0 + + + Class + Unclass + + + STIGRef + Microsoft Windows 10 Security Technical Implementation Guide :: Version 2, Release: 4 Benchmark Date: 31 May 2022 + + + TargetKey + 4072 + + + STIG_UUID + 09bbafe1-eaff-4c31-96f5-67cdd6b63ae0 + + + LEGACY_ID + V-63319 + + + LEGACY_ID + SV-77809 + + + CCI_REF + CCI-000366 + + Not_Applicable + x + + + + + + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/ckl/ResultEngineWithEvalStigModuleAndOverride.ckl b/WATCHER-test-files/WATCHER/ckl/ResultEngineWithEvalStigModuleAndOverride.ckl new file mode 100644 index 0000000..32bb67a --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/ResultEngineWithEvalStigModuleAndOverride.ckl 
@@ -0,0 +1,196 @@ + + + + + None + Computing + DESKTOP-x516M + 192.168.0.83 + C0:B5:D7:90:FE:F1 + desktop-x516m.workgroup + + + 4072 + false + + + + + + + + version + 2 + + + classification + UNCLASSIFIED + + + customname + + + stigid + MS_Windows_10_STIG + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + U_MS_Windows_10_STIG_V2R4_Manual-xccdf.xml + + + releaseinfo + Release: 4 Benchmark Date: 31 May 2022 + + + title + Microsoft Windows 10 Security Technical Implementation Guide + + + uuid + e58a6c9c-37d0-48c3-a1fa-c48908e2e3eb + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-220697 + + + Severity + medium + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-220697r569187_rule + + + Rule_Ver + WN10-00-000005 + + + Rule_Title + Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version. + + + Vuln_Discuss + Features such as Credential Guard use virtualization based security to protect information that could be used in credential theft attacks if compromised. There are a number of system requirements that must be met in order for Credential Guard to be configured and enabled properly. Virtualization based security and Credential Guard are only available with Windows 10 Enterprise 64-bit version. + + + IA_Controls + + + + Check_Content + Verify domain-joined systems are using Windows 10 Enterprise Edition 64-bit version. + +For standalone systems, this is NA. + +Open "Settings". + +Select "System", then "About". + +If "Edition" is not "Windows 10 Enterprise", this is a finding. + +If "System type" is not "64-bit operating system…", this is a finding. 
+ + + Fix_Text + Use Windows 10 Enterprise 64-bit version for domain-joined systems. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + Check_Content_Ref + M + + + Weight + 10.0 + + + Class + Unclass + + + STIGRef + Microsoft Windows 10 Security Technical Implementation Guide :: Version 2, Release: 4 Benchmark Date: 31 May 2022 + + + TargetKey + 4072 + + + STIG_UUID + 09bbafe1-eaff-4c31-96f5-67cdd6b63ae0 + + + LEGACY_ID + V-63319 + + + LEGACY_ID + SV-77809 + + + CCI_REF + CCI-000366 + + Not_Applicable + x + + + + + + + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Long-CommentDetail.ckl b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Long-CommentDetail.ckl new file mode 100644 index 0000000..476649c --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Long-CommentDetail.ckl 
@@ -0,0 +1,164 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-257777 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257777r925318_rule + + + Rule_Ver + RHEL-09-211010 + + + Rule_Title + RHEL 9 must be a vendor-supported release. + + + Vuln_Discuss + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. + + + IA_Controls + + + + Check_Content + Verify that the version or RHEL 9 is vendor supported with the following command:$ cat /etc/redhat-release Red Hat Enterprise Linux release 9.2 (Plow)If the installed version of RHEL 9 is not supported, this is a finding. + + + Fix_Text + Upgrade to a supported version of RHEL 9. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa + + 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-Empty-CommentDetail.ckl b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-Empty-CommentDetail.ckl new file mode 100644 index 0000000..68026bd --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-Empty-CommentDetail.ckl 
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + NotAFinding + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Comment.ckl b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Comment.ckl new file mode 100644 index 0000000..f06b8e7 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Comment.ckl 
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + NotAFinding + + xyz + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Detail.ckl b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Detail.ckl new file mode 100644 index 0000000..6082ad8 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Detail.ckl 
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + NotAFinding + xyz + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-Empty-CommentDetail.ckl b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-Empty-CommentDetail.ckl new file mode 100644 index 0000000..6ed0755 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-Empty-CommentDetail.ckl 
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-WEBORDATABASE-true.ckl b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-WEBORDATABASE-true.ckl new file mode 100644 index 0000000..e3ac41f --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-WEBORDATABASE-true.ckl 
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + 10.2.2.2 + + + hostname + + 2777 + true + test + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + + xyz + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-With-Detail.ckl b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-With-Detail.ckl new file mode 100644 index 0000000..d6b669d --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-With-Detail.ckl 
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + xyz + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-with-Comment.ckl b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-with-Comment.ckl new file mode 100644 index 0000000..102cbc4 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-with-Comment.ckl 
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + 10.2.2.2 + + + hostname + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + + xyz + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Commented-Detailed.ckl b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Commented-Detailed.ckl new file mode 100644 index 0000000..cd3e6df --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Commented-Detailed.ckl 
@@ -0,0 +1,162 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-257777 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257777r925318_rule + + + Rule_Ver + RHEL-09-211010 + + + Rule_Title + RHEL 9 must be a vendor-supported release. + + + Vuln_Discuss + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. + + + IA_Controls + + + + Check_Content + Verify that the version or RHEL 9 is vendor supported with the following command:$ cat /etc/redhat-release Red Hat Enterprise Linux release 9.2 (Plow)If the installed version of RHEL 9 is not supported, this is a finding. + + + Fix_Text + Upgrade to a supported version of RHEL 9. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + xyz + xyz + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Empty-CommentDetail.ckl b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Empty-CommentDetail.ckl new file mode 100644 index 0000000..f8f13e3 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Empty-CommentDetail.ckl 
@@ -0,0 +1,162 @@ + + + + + + None + Non-Computing + NONE + Asset_aaaaaaaaaa + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-257777 + + + Severity + high + + + Weight + 10.0 + + + Group_Title + SRG-OS-000480-GPOS-00227 + + + Rule_ID + SV-257777r925318_rule + + + Rule_Ver + RHEL-09-211010 + + + Rule_Title + RHEL 9 must be a vendor-supported release. + + + Vuln_Discuss + An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. + + + IA_Controls + + + + Check_Content + Verify that the version or RHEL 9 is vendor supported with the following command:$ cat /etc/redhat-release Red Hat Enterprise Linux release 9.2 (Plow)If the installed version of RHEL 9 is not supported, this is a finding. + + + Fix_Text + Upgrade to a supported version of RHEL 9. 
+ + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Red Hat Enterprise Linux 9 TRUNCATED :: Version 1, Release: 1 Benchmark Date: 22 Sep 2023 + + + CCI_REF + CCI-000366 + + Not_Reviewed + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/TargetObjectBasic.ckl b/WATCHER-test-files/WATCHER/ckl/TargetObjectBasic.ckl new file mode 100644 index 0000000..1d12d05 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/TargetObjectBasic.ckl 
@@ -0,0 +1,168 @@ + + + + + + MyRole + Non-Computing + MyMarking + MyAsset + 10.10.10.10 + 00:1A:2B:3C:4D:5E + + MyAsset.hello.world + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + NotAFinding + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/TargetObjectMetaData.ckl b/WATCHER-test-files/WATCHER/ckl/TargetObjectMetaData.ckl new file mode 100644 index 0000000..512fe92 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/TargetObjectMetaData.ckl 
@@ -0,0 +1,168 @@ + + + + + + MyRole + Non-Computing + MyMarking + MyAsset + 10.10.10.10 + 00:1A:2B:3C:4D:5E + + MyAsset.hello.world + CyberSec + 2777 + true + AssetDBSite + AssetWebDBInstance + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. 
Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + NotAFinding + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/TargetObjectMinimal.ckl b/WATCHER-test-files/WATCHER/ckl/TargetObjectMinimal.ckl new file mode 100644 index 0000000..9efe331 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/TargetObjectMinimal.ckl 
@@ -0,0 +1,168 @@ + + + + + + + + + MyAsset + + + + + + + + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + NotAFinding + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/ckl/noHost_NameElement.ckl b/WATCHER-test-files/WATCHER/ckl/noHost_NameElement.ckl new file mode 100644 index 0000000..dc31950 --- /dev/null +++ b/WATCHER-test-files/WATCHER/ckl/noHost_NameElement.ckl 
@@ -0,0 +1,168 @@ + + + + + + None + Non-Computing + NONE + + + + + + + 2777 + false + + + + + + + + version + 1 + + + classification + + + customname + + + stigid + RHEL_9_TRUNCATED + + + description + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + + + filename + stig-manager-oss + + + releaseinfo + Release: 1 Benchmark Date: 22 Sep 2023 + + + title + Red Hat Enterprise Linux 9 TRUNCATED + + + uuid + 391aad33-3cc3-4d9a-b5f7-0d7538b7b5a2 + + + notice + terms-of-use + + + source + + + + + Vuln_Num + V-207191 + + + Severity + medium + + + Weight + 10.0 + + + Group_Title + SRG-NET-000063 + + + Rule_ID + SV-207191r803418_rule + + + Rule_Ver + SRG-NET-000063-VPN-000210 + + + Rule_Title + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + + Vuln_Discuss + Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function. + + + IA_Controls + + + + Check_Content + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + Fix_Text + Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + + + False_Positives + + + + False_Negatives + + + + Documentable + false + + + Mitigations + + + + Potential_Impact + + + + Third_Party_Tools + + + + Mitigation_Control + + + + Responsibility + + + + Security_Override_Guidance + + + + STIGRef + Virtual Private Network (VPN) TRUNCATED :: Version 2, Release: 5 Benchmark Date: 07 Jun 2023 + + + CCI_REF + CCI-001453 + + Open + + + + + + + + diff --git a/WATCHER-test-files/WATCHER/cklb/Asset_a-VPN_TRUNCATED-V2R5.cklb b/WATCHER-test-files/WATCHER/cklb/Asset_a-VPN_TRUNCATED-V2R5.cklb new file mode 100644 index 0000000..c960bce --- /dev/null +++ b/WATCHER-test-files/WATCHER/cklb/Asset_a-VPN_TRUNCATED-V2R5.cklb 
@@ -0,0 +1,490 @@
+{
+ "title": "Asset_aaaaaaaaaa-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": "Asset_aaaaaaaaaa",
+ "ip_address": "",
+ "mac_address": "",
+ "fqdn": "",
+ "comments": "",
+ "role": "None",
+ "is_web_database": false,
+ "technology_area": "",
+ "web_db_site": "",
+ "web_db_instance": ""
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207184r695317",
+ "rule_id_src": "SV-207184r695317_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": { "href": "", "name": "M" },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": "not_a_finding",
+ "overrides": {},
+ "comments": "",
+ "finding_details": "xyz",
+ "ccis": ["CCI-001414"]
+ },
+ {
+ "uuid": "2f7281f1-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207185",
+ "rule_id": "SV-207185r608988",
+ "rule_id_src": "SV-207185r608988_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000041-VPN-000110",
+ "group_title": "SRG-NET-000041",
+ "rule_title": "The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.",
+ "fix_text": "Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\"I've read & consent to terms in IS user agreem't.\"",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nIn most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n \nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"",
+ "check_content": "If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.\n\nDetermine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. \n\nIf the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding.",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": { "href": "", "name": "M" },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207185",
+ "title": "SRG-NET-000041",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:44.000Z",
+ "updatedAt": "2023-11-13T16:30:44.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": "open",
+ "overrides": {},
+ "comments": "",
+ "finding_details": "xyz",
+ "ccis": ["CCI-000048"]
+ },
+ {
+ "uuid": "2f7281f2-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207186",
+ "rule_id": "SV-207186r608988",
+ "rule_id_src": "SV-207186r608988_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000042-VPN-000120",
+ "group_title": "SRG-NET-000042",
+ "rule_title": "The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.",
+ "fix_text": "Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. \n\nThe banner is usually configured in NDM for client presentation as well as local logon.\n\nTo establish acceptance of the application usage policy, a click-through banner at application logon is required. The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\". \n\nThis applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.",
+ "check_content": "If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.\n\nVerify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access.\n\nIf the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": { "href": "", "name": "M" },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207186",
+ "title": "SRG-NET-000042",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:52.000Z",
+ "updatedAt": "2023-11-13T16:30:52.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": "not_applicable",
+ "overrides": {},
+ "comments": "",
+ "finding_details": "xyz",
+ "ccis": ["CCI-000050"]
+ },
+ {
+ "uuid": "2f7281f3-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207187",
+ "rule_id": "SV-207187r608988",
+ "rule_id_src": "SV-207187r608988_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000043-VPN-000130",
+ "group_title": "SRG-NET-000043",
+ "rule_title": "The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.",
+ "fix_text": "Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.\n\nThe banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"", + "check_content": "Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nIf the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { "href": "", "name": "M" }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207187", + "title": "SRG-NET-000043", + "description": "" + } + ], + "createdAt": "2023-11-13T16:30:59.000Z", + "updatedAt": "2023-11-13T16:30:59.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xyz", + "ccis": [ + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" + ] + }, + { + "uuid": "2f7281f4-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207188", + "rule_id": "SV-207188r608988", + "rule_id_src": "SV-207188r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "low", + "rule_version": "SRG-NET-000049-VPN-000150", + "group_title": "SRG-NET-000049", + "rule_title": "The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).", + "fix_text": "Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).", + "false_positives": null, + "false_negatives": null, + "discussion": "Users need 
to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.\n\nThis applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.", + "check_content": "Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding.\n\nIf the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { "href": "", "name": "M" }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207188", + "title": "SRG-NET-000049", + "description": "" + } + ], + "createdAt": "2023-11-13T16:31:06.000Z", + "updatedAt": "2023-11-13T16:31:06.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": "", + "finding_details": "xyz", + "ccis": ["CCI-000053"] + }, + { + "uuid": "2f7281f5-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207189", + "rule_id": "SV-207189r608988", + "rule_id_src": "SV-207189r608988_rule", + "weight": "10.0", + 
"classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000053-VPN-000170", + "group_title": "SRG-NET-000053", + "rule_title": "The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.", + "fix_text": "Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP.", + "false_positives": null, + "false_negatives": null, + "discussion": "VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.\n\nThe intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.", + "check_content": "Inspect the VPN Gateway configuration. 
Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP).\n\nIf the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { "href": "", "name": "M" }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207189", + "title": "SRG-NET-000053", + "description": "" + } + ], + "createdAt": "2023-11-13T16:31:15.000Z", + "updatedAt": "2023-11-13T16:31:15.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xyz", + "ccis": ["CCI-000054"] + }, + { + "uuid": "2f7281f6-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207190", + "rule_id": "SV-207190r803417", + "rule_id_src": "SV-207190r803417_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "SRG-NET-000062-VPN-000200", + "group_title": "SRG-NET-000062", + "rule_title": "The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.", + "fix_text": "Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission.", + "false_positives": null, + "false_negatives": null, + "discussion": "Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nNIST SP 800-52 Rev2 provides guidance for client negotiation on either DoD-only or 
public-facing servers.", + "check_content": "Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission.\n\nIf the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { "href": "", "name": "M" }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207190", + "title": "SRG-NET-000062", + "description": "" + } + ], + "createdAt": "2023-11-13T16:31:22.000Z", + "updatedAt": "2023-11-13T16:31:22.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": "", + "finding_details": "xyz", + "ccis": ["CCI-000068"] + }, + { + "uuid": "2f7281f7-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207191", + "rule_id": "SV-207191r803418", + "rule_id_src": "SV-207191r803418_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000063-VPN-000210", + "group_title": "SRG-NET-000063", + "rule_title": "The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.", + "fix_text": "Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.", + "false_positives": null, + "false_negatives": null, + "discussion": "Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis 
and discovery of the source of malicious system activity may be degraded.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless.\n\nIntegrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function.", + "check_content": "Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.\n\nIf the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { "href": "", "name": "M" }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207191", + "title": "SRG-NET-000063", + "description": "" + } + ], + "createdAt": "2023-11-13T16:31:36.000Z", + "updatedAt": "2023-11-13T16:31:36.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": "xyz", + "finding_details": "xyz", + "ccis": ["CCI-001453"] + }, + { + "uuid": "2f7281f8-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207192", + "rule_id": "SV-207192r916146", + "rule_id_src": 
"SV-207192r916146_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000063-VPN-000220", + "group_title": "SRG-NET-000063", + "rule_title": "The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.", + "fix_text": "Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.", + "false_positives": null, + "false_negatives": null, + "discussion": "Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nSHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. \n\nThe remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.", + "check_content": "Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.\n\nIf the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { "href": "", "name": "M" }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207192", + "title": "SRG-NET-000063", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + 
"ccis": ["CCI-001453"] + }, + { + "uuid": "2f7281f9-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207193", + "rule_id": "SV-207193r916149", + "rule_id_src": "SV-207193r916149_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "SRG-NET-000074-VPN-000250", + "group_title": "SRG-NET-000074", + "rule_title": "The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.", + "fix_text": "Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1.", + "false_positives": null, + "false_negatives": null, + "discussion": "Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. 
Hence, the larger the modulus, the more secure the generated key is considered to be.",
+ "check_content": "Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1.\n\nView the IKE options dh-group option.\n\nIf the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding.",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": { "href": "", "name": "M" },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207193",
+ "title": "SRG-NET-000074",
+ "description": ""
+ }
+ ],
+ "createdAt": null,
+ "updatedAt": null,
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": "not_reviewed",
+ "overrides": {},
+ "comments": "",
+ "finding_details": "",
+ "ccis": ["CCI-000068"]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/cklb/Asset_a-multi-stig.cklb b/WATCHER-test-files/WATCHER/cklb/Asset_a-multi-stig.cklb
new file mode 100644
index 0000000..5ae6219
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/Asset_a-multi-stig.cklb
@@ -0,0 +1,1570 @@ +{ + "title": "", + "id": "4f05ef00-8244-11ee-8b44-13c1c13d16bb", + "active": false, + "mode": 1, + "has_path": true, + "target_data": { + "target_type": "Non-Computing", + "host_name": "Asset_aaaaaaaaaa", + "ip_address": "", + "mac_address": "", + "fqdn": "", + "comments": "", + "role": "None", + "is_web_database": false, + "technology_area": "", + "web_db_site": "", + "web_db_instance": "" + }, + "stigs": [ + { + "stig_name": "Red Hat Enterprise Linux 8 TRUNCATED", + "display_name": "Red Hat Enterprise Linux 8 TRUNCATED", + "stig_id": "RHEL_8_TRUNCATED", + "version": 1, + "release_info": "Release: 12 Benchmark Date: 25 Oct 2023", + "uuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "reference_identifier": "0000", + "size": 10, + "rules": [ + { + "uuid": "4f074e90-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230221", + "rule_id": "SV-230221r858734", + "rule_id_src": "SV-230221r858734_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-08-010000", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 8 must be a vendor-supported release.", + "fix_text": "Upgrade to a supported version of RHEL 8.", + "false_positives": null, + "false_negatives": null, + "discussion": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. 
RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.\nNote: The life-cycle time spans and dates are subject to adjustment.", + "check_content": "Verify the version of the operating system is vendor supported.\n\nNote: The lifecycle time spans and dates are subject to adjustment.\n\nCheck the version of the operating system with the following command:\n\n$ sudo cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 8.6 (Ootpa)\n\nCurrent End of Extended Update Support for RHEL 8.1 is 30 November 2021.\n\nCurrent End of Extended Update Support for RHEL 8.2 is 30 April 2022.\n\nCurrent End of Extended Update Support for RHEL 8.4 is 31 May 2023.\n\nCurrent End of Maintenance Support for RHEL 8.5 is 31 May 2022.\n\nCurrent End of Extended Update Support for RHEL 8.6 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.7 is 31 May 2023.\n\nCurrent End of Extended Update Support for RHEL 8.8 is 31 May 2025.\n\nCurrent End of Maintenance Support for RHEL 8.9 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.10 is 31 May 2029.\n\nIf the release is not supported by the vendor, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230221", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "4f074e91-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": 
"4f06b250-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230222", + "rule_id": "SV-230222r627750", + "rule_id_src": "SV-230222r627750_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010010", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 8 vendor packaged system security patches and updates must be installed and up to date.", + "fix_text": "Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.", + "false_positives": null, + "false_negatives": null, + "discussion": "Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.", + "check_content": "Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. 
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n$ sudo yum history list | more\n\nLoaded plugins: langpacks, product-id, subscription-manager\nID | Command line | Date and time | Action(s) | Altered\n-------------------------------------------------------------------------------\n70 | install aide | 2020-03-05 10:58 | Install | 1 \n69 | update -y | 2020-03-04 14:34 | Update | 18 EE\n68 | install vlc | 2020-02-21 17:12 | Install | 21 \n67 | update -y | 2020-02-21 17:04 | Update | 7 EE\n\nIf package updates have not been performed on the system within the timeframe the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230222", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "4f074e92-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230223", + "rule_id": "SV-230223r928585", + "rule_id_src": "SV-230223r928585_rule", + 
"weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-08-010020", + "group_title": "SRG-OS-000033-GPOS-00014", + "rule_title": "RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", + "fix_text": "Configure the operating system to implement DOD-approved encryption by following the steps below:\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nEnable FIPS mode after installation (not strict FIPS-compliant) with the following command:\n\n $ sudo fips-mode-setup --enable\n\nReboot the system for the changes to take effect.", + "false_positives": null, + "false_negatives": null, + "discussion": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the \"kernelopts\" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command \"fips-mode-setup\" modifies the \"kernelopts\" variable, which in turn updates all kernel boot entries. \n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. 
Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.\n\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223", + "check_content": "Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if FIPS mode is enabled with the following command:\n\n $ fips-mode-setup --check\n FIPS mode is enabled\n\nIf FIPS mode is \"enabled\", check to see if the kernel boot parameter is configured for FIPS mode with the following command:\n\n $ sudo grub2-editenv list | grep fips\n kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n $ sudo cat /proc/sys/crypto/fips_enabled\n 1\n\nIf FIPS mode is not \"on\", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of \"1\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230223", + "title": "SRG-OS-000033-GPOS-00014", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + 
"overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000068" + ] + }, + { + "uuid": "4f074e93-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230224", + "rule_id": "SV-230224r917864", + "rule_id_src": "SV-230224r917864_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010030", + "group_title": "SRG-OS-000185-GPOS-00079", + "rule_title": "All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.", + "fix_text": "Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption. \n\nEncrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.", + "false_positives": null, + "false_negatives": null, + "discussion": "RHEL 8 systems handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\n\nSatisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184", + "check_content": "Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. 
\n\nIf there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable.\n\nVerify all system partitions are encrypted with the following command:\n\n $ sudo blkid\n\n /dev/mapper/rhel-root: UUID=\"67b7d7fe-de60-6fd0-befb-e6748cf97743\" TYPE=\"crypto_LUKS\"\n\nEvery persistent disk partition present must be of type \"crypto_LUKS\". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type \"crypto_LUKS\", ask the administrator to indicate how the partitions are encrypted. \n\nIf there is no evidence that these partitions are encrypted, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230224", + "title": "SRG-OS-000185-GPOS-00079", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-001199" + ] + }, + { + "uuid": "4f074e94-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230225", + "rule_id": "SV-230225r858694", + "rule_id_src": "SV-230225r858694_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010040", + "group_title": "SRG-OS-000023-GPOS-00006", + "rule_title": "RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.", + 
"fix_text": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:\n\nbanner /etc/issue\n\nEither create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD-required text is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nThe SSH service must be restarted for changes to take effect.", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their 
assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088", + "check_content": "Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nCheck for the location of the banner file being used with the following command:\n\n$ sudo grep -ir banner /etc/ssh/sshd_config*\n\nbanner /etc/issue\n\nThis command will return the banner keyword and the name of the file that contains the ssh banner (in this case \"/etc/issue\").\n\nIf the line is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.\n\nView the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nIf the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.\n\nIf the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230225", + "title": "SRG-OS-000023-GPOS-00006", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000048" + ] + }, + { + "uuid": "4f074e95-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230226", + "rule_id": "SV-230226r743916", + "rule_id_src": "SV-230226r743916_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010050", + "group_title": "SRG-OS-000023-GPOS-00006", + "rule_title": "RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.", + "fix_text": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\nbanner-message-text='You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. 
They will not be displayed on the graphical interface.\n\nRun the following command to update the database:\n\n$ sudo dconf update", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, 
psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088", + "check_content": "Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. \n\nCheck that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n$ sudo grep banner-message-text /etc/dconf/db/local.d/*\n\nbanner-message-text=\n'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, 
and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nIf the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230226", + "title": "SRG-OS-000023-GPOS-00006", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000048" + ] + }, + { + "uuid": "4f074e96-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230227", + "rule_id": "SV-230227r627750", + "rule_id_src": "SV-230227r627750_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010060", + "group_title": "SRG-OS-000023-GPOS-00006", + "rule_title": "RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.", + "fix_text": "Configure RHEL 8 to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via command line logon.\n\nEdit the \"/etc/issue\" file to replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD-required text is:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. 
Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088", + "check_content": "Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon.\n\nCheck that RHEL 8 displays a banner at the command line login screen with the following command:\n\n$ sudo cat /etc/issue\n\nIf the banner is set correctly it will return the following text:\n\n“You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.”\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230227", + "title": "SRG-OS-000023-GPOS-00006", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000048" + ] + }, + { + "uuid": "4f074e97-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230228", + "rule_id": "SV-230228r627750", + "rule_id_src": "SV-230228r627750_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010070", + "group_title": "SRG-OS-000032-GPOS-00013", + "rule_title": "All RHEL 8 remote access methods must be monitored.", + "fix_text": "Configure RHEL 8 to monitor all remote access methods by installing rsyslog with the following command:\n\n$ sudo yum install rsyslog\n\nThen add or update the following lines to the \"/etc/rsyslog.conf\" file:\n\nauth.*;authpriv.*;daemon.* /var/log/secure\n\nThe \"rsyslog\" service must be restarted for the changes to take effect. 
To restart the \"rsyslog\" service, run the following command:\n\n$ sudo systemctl restart rsyslog.service", + "false_positives": null, + "false_negatives": null, + "discussion": "Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).", + "check_content": "Verify that RHEL 8 monitors all remote access methods.\n\nCheck that remote access methods are being logged by running the following command:\n\n$ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf\n\nauth.*;authpriv.*;daemon.* /var/log/secure\n\nIf \"auth.*\", \"authpriv.*\" or \"daemon.*\" are not configured to be logged, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230228", + "title": "SRG-OS-000032-GPOS-00013", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": 
"", + "finding_details": "", + "ccis": [ + "CCI-000067" + ] + }, + { + "uuid": "4f074e98-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230229", + "rule_id": "SV-230229r858739", + "rule_id_src": "SV-230229r858739_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010090", + "group_title": "SRG-OS-000066-GPOS-00034", + "rule_title": "RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.", + "fix_text": "Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nObtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file:\n\n/etc/sssd/pki/sssd_auth_ca_db.pem", + "false_positives": null, + "false_negatives": null, + "discussion": "Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.\n\nA trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. 
Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.\n\nSatisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167", + "check_content": "Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck that the system has a valid DoD root CA installed with the following command:\n\n$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem\n\nCertificate:\n Data:\n Version: 3 (0x2)\n Serial Number: 1 (0x1)\n Signature Algorithm: sha256WithRSAEncryption\n Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Validity\n Not Before: Mar 20 18:46:41 2012 GMT\n Not After : Dec 30 18:46:41 2029 GMT\n Subject: C = US, O = U.S. 
Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n\nIf the root ca file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230229", + "title": "SRG-OS-000066-GPOS-00034", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000185" + ] + }, + { + "uuid": "4f074e99-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230230", + "rule_id": "SV-230230r627750", + "rule_id_src": "SV-230230r627750_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010100", + "group_title": "SRG-OS-000067-GPOS-00035", + "rule_title": "RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.", + "fix_text": "Create a new private and public key pair that utilizes a passcode with the following command:\n\n$ sudo ssh-keygen -n [passphrase]", + "false_positives": null, + "false_negatives": null, + "discussion": "If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed.", + "check_content": "Verify the SSH private key files have a passcode.\n\nFor each private key stored on the system, use the following command:\n\n$ 
sudo ssh-keygen -y -f /path/to/file\n\nIf the contents of the key are displayed, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230230", + "title": "SRG-OS-000067-GPOS-00035", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f06b250-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000186" + ] + } + ] + }, + { + "stig_name": "Red Hat Enterprise Linux 9 TRUNCATED", + "display_name": "Red Hat Enterprise Linux 9 TRUNCATED", + "stig_id": "RHEL_9_TRUNCATED", + "version": 1, + "release_info": "Release: 1 Benchmark Date: 22 Sep 2023", + "uuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "reference_identifier": "0000", + "size": 10, + "rules": [ + { + "uuid": "4f0838f0-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257777", + "rule_id": "SV-257777r925318", + "rule_id_src": "SV-257777r925318_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-09-211010", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 9 must be a vendor-supported release.", + "fix_text": "Upgrade to a supported version of RHEL 9.", + "false_positives": null, + "false_negatives": null, + "discussion": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.", + "check_content": "Verify that the version or RHEL 9 is vendor supported with the following command:\n\n$ cat /etc/redhat-release \n\nRed Hat Enterprise Linux release 9.2 (Plow)\n\nIf the installed version of RHEL 9 is not supported, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257777", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "4f0838f1-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257778", + "rule_id": "SV-257778r925321", + "rule_id_src": "SV-257778r925321_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211015", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 9 vendor packaged system security patches and updates must be installed and up to date.", + "fix_text": "Install RHEL 9 security patches and updates at the organizationally defined frequency. 
If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command:\n\n$ sudo dnf update", + "false_positives": null, + "false_negatives": null, + "discussion": "Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.", + "check_content": "Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy.\n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n$ dnf history list | more\n\n ID | Command line | Date and time | Action(s) | Altered \n------------------------------------------------------------------------------- \n 70 | install aide | 2023-03-05 10:58 | Install | 1 \n 69 | update -y | 2023-03-04 14:34 | Update | 18 EE \n 68 | install vlc | 2023-02-21 17:12 | Install | 21 \n 67 | update -y | 2023-02-21 17:04 | Update | 7 EE \n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the system is in noncompliance with the organizational patching policy, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + 
"check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257778", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "4f0838f2-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257779", + "rule_id": "SV-257779r925324", + "rule_id_src": "SV-257779r925324_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211020", + "group_title": "SRG-OS-000023-GPOS-00006", + "rule_title": "RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.", + "fix_text": "Configure RHEL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via command line logon.\n\nEdit the \"/etc/issue\" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088", + "check_content": "Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon.\n\nCheck that a banner is displayed at the command line login screen with the following command:\n\n$ sudo cat /etc/issue\n\nIf the banner is set correctly it will return the following text:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257779", + "title": "SRG-OS-000023-GPOS-00006", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000048", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" + ] + }, + { + "uuid": "4f0838f3-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257780", + "rule_id": "SV-257780r925327", + "rule_id_src": "SV-257780r925327_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211025", + "group_title": "SRG-OS-000191-GPOS-00080", + "rule_title": "RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool.", + "fix_text": "Install and enable the latest McAfee ENSLTP package.", + "false_positives": null, + "false_negatives": null, + "discussion": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.\n\nTo support this requirement, the operating system may have an integrated solution incorporating continuous scanning using ESS and periodic scanning using other tools, as specified in the requirement.", + "check_content": 
"Verify that RHEL 9 has implemented the Endpoint Security for Linux Threat Prevention tool.\n\nCheck that the following package has been installed:\n\n$ sudo rpm -qa | grep -i mcafeetp\n\nIf the \"mcafeetp\" package is not installed, this is a finding.\n\nVerify that the daemon is running:\n\n$ sudo ps -ef | grep -i mfetpd\n\nIf the daemon is not running, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257780", + "title": "SRG-OS-000191-GPOS-00080", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-001233" + ] + }, + { + "uuid": "4f0838f4-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257781", + "rule_id": "SV-257781r925330", + "rule_id_src": "SV-257781r925330_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211030", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "The graphical display manager must not be the default target on RHEL 9 unless approved.", + "fix_text": "Document the requirement for a graphical user interface with the ISSO or set the default target to multi-user with the following command:\n\n$ sudo systemctl set-default multi-user.target", + "false_positives": null, + "false_negatives": null, + "discussion": "Unnecessary service packages must not be installed to decrease the attack surface of the system. 
Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.", + "check_content": "Verify that RHEL 9 is configured to boot to the command line:\n\n$ systemctl get-default\n\nmulti-user.target\n\nIf the system default target is not set to \"multi-user.target\" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257781", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "4f0838f5-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257782", + "rule_id": "SV-257782r925333", + "rule_id_src": "SV-257782r925333_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "low", + "rule_version": "RHEL-09-211035", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 9 must enable the hardware random number generator entropy gatherer service.", + "fix_text": "Install the rng-tools package with the following command:\n\n$ sudo dnf install rng-tools\n\nThen enable the rngd service run the following command:\n\n$ sudo systemctl enable --now rngd", + "false_positives": null, + "false_negatives": null, + "discussion": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random 
numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. \n\nThe rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).", + "check_content": "Verify that RHEL 9 has enabled the hardware random number generator entropy gatherer service with the following command:\n\n$ systemctl is-active rngd\n\nactive\n\nIf the \"rngd\" service is not active, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257782", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "4f0838f6-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257783", + "rule_id": "SV-257783r925336", + "rule_id_src": "SV-257783r925336_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211040", + "group_title": "SRG-OS-000269-GPOS-00103", + "rule_title": "RHEL 9 systemd-journald service must be enabled.", + "fix_text": "To enable the systemd-journald service, run the following command:\n\n$ sudo systemctl enable --now 
systemd-journald", + "false_positives": null, + "false_negatives": null, + "discussion": "In the event of a system failure, RHEL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.", + "check_content": "Verify that \"systemd-journald\" is active with the following command:\n\n$ systemctl is-active systemd-journald\n\nactive\n\nIf the systemd-journald service is not active, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257783", + "title": "SRG-OS-000269-GPOS-00103", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-001665" + ] + }, + { + "uuid": "4f0838f7-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257784", + "rule_id": "SV-257784r925339", + "rule_id_src": "SV-257784r925339_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-09-211045", + "group_title": "SRG-OS-000324-GPOS-00125", + "rule_title": "The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.", + "fix_text": "Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the \"/etc/systemd/system.conf\" configuration file:\n\nCtrlAltDelBurstAction=none\n\nReload the daemon for this change to take effect.\n\n$ sudo systemctl daemon-reload", + "false_positives": null, + "false_negatives": null, + 
"discussion": "A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.\n\nSatisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227", + "check_content": "Verify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command:\n\n$ grep -i ctrl /etc/systemd/system.conf\n\nCtrlAltDelBurstAction=none\n\nIf the \"CtrlAltDelBurstAction\" is not set to \"none\", commented out, or is missing, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257784", + "title": "SRG-OS-000324-GPOS-00125", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366", + "CCI-002235" + ] + }, + { + "uuid": "4f0838f8-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257785", + "rule_id": "SV-257785r925342", + "rule_id_src": "SV-257785r925342_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-09-211050", + "group_title": "SRG-OS-000324-GPOS-00125", + "rule_title": "The x86 Ctrl-Alt-Delete key sequence must be disabled 
on RHEL 9.", + "fix_text": "Configure RHEL 9 to disable the ctrl-alt-del.target with the following command:\n\n$ sudo systemctl disable --now ctrl-alt-del.target\n$ sudo systemctl mask --now ctrl-alt-del.target", + "false_positives": null, + "false_negatives": null, + "discussion": "A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.\n\nSatisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227", + "check_content": "Verify RHEL 9 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command:\n\n$ sudo systemctl status ctrl-alt-del.target\n\nctrl-alt-del.target\nLoaded: masked (Reason: Unit ctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\" is loaded and not masked, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257785", + "title": "SRG-OS-000324-GPOS-00125", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366", + "CCI-002235" + ] + }, + { + "uuid": "4f0838f9-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257786", + 
"rule_id": "SV-257786r925345", + "rule_id_src": "SV-257786r925345_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211055", + "group_title": "SRG-OS-000324-GPOS-00125", + "rule_title": "RHEL 9 debug-shell systemd service must be disabled.", + "fix_text": "Configure RHEL 9 to mask the debug-shell systemd service with the following command:\n\n$ sudo systemctl disable --now debug-shell.target\n$ sudo systemctl mask --now debug-shell.target", + "false_positives": null, + "false_negatives": null, + "discussion": "The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.\n\nSatisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227", + "check_content": "Verify RHEL 9 is configured to mask the debug-shell systemd service with the following command:\n\n$ sudo systemctl status debug-shell.service\n\ndebug-shell.service\nLoaded: masked (Reason: Unit debug-shell.service is masked.)\nActive: inactive (dead)\n\nIf the \"debug-shell.service\" is loaded and not masked, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257786", + "title": "SRG-OS-000324-GPOS-00125", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f079cb0-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + 
"overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366", + "CCI-002235" + ] + } + ] + }, + { + "stig_name": "Virtual Private Network (VPN) TRUNCATED", + "display_name": "Virtual Private Network (VPN) TRUNCATED", + "stig_id": "VPN_TRUNCATED", + "version": 2, + "release_info": "Release: 5 Benchmark Date: 07 Jun 2023", + "uuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "reference_identifier": "0000", + "size": 10, + "rules": [ + { + "uuid": "4f097170-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-207184r695317", + "rule_id_src": "SV-207184r695317_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. 
Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:36:35.000Z", + "updatedAt": "2023-11-13T16:36:35.000Z", + "STIGUuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": "", + "finding_details": "xyz", + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "4f097171-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207185", + "rule_id": "SV-207185r608988", + "rule_id_src": "SV-207185r608988_rule", + "weight": "10.0", + "classification": "NONE", + 
"severity": "medium", + "rule_version": "SRG-NET-000041-VPN-000110", + "group_title": "SRG-NET-000041", + "rule_title": "The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.", + "fix_text": "Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\"I've read & consent to terms in IS user agreem't.\"", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nIn most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n \nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"", + "check_content": "If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.\n\nDetermine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. 
\n\nIf the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207185", + "title": "SRG-NET-000041", + "description": "" + } + ], + "createdAt": "2023-11-13T16:36:35.000Z", + "updatedAt": "2023-11-13T16:36:35.000Z", + "STIGUuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": "", + "finding_details": "xyz", + "ccis": [ + "CCI-000048" + ] + }, + { + "uuid": "4f097172-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207186", + "rule_id": "SV-207186r608988", + "rule_id_src": "SV-207186r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000042-VPN-000120", + "group_title": "SRG-NET-000042", + "rule_title": "The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.", + "fix_text": "Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.", + "false_positives": null, + "false_negatives": null, + "discussion": "The banner must be acknowledged by the user prior to allowing the user access to the network. 
This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. \n\nThe banner is usually configured in NDM for client presentation as well as local logon.\n\nTo establish acceptance of the application usage policy, a click-through banner at application logon is required. The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\". \n\nThis applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.", + "check_content": "If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.\n\nVerify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access.\n\nIf the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207186", + "title": "SRG-NET-000042", + "description": "" + } + ], + "createdAt": "2023-11-13T16:36:35.000Z", + "updatedAt": "2023-11-13T16:36:35.000Z", + "STIGUuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "status": "not_applicable", + "overrides": {}, + "comments": "", + 
"finding_details": "xyz", + "ccis": [ + "CCI-000050" + ] + }, + { + "uuid": "4f097173-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207187", + "rule_id": "SV-207187r608988", + "rule_id_src": "SV-207187r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000043-VPN-000130", + "group_title": "SRG-NET-000043", + "rule_title": "The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.", + "fix_text": "Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.\n\nThe banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"", + "check_content": "Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routicednely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nIf the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207187", + "title": "SRG-NET-000043", + "description": "" + } + ], + "createdAt": "2023-11-13T16:36:35.000Z", + "updatedAt": "2023-11-13T16:36:35.000Z", + "STIGUuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xyz", + "ccis": [ + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" + ] + }, + { + "uuid": "4f097174-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207188", + "rule_id": "SV-207188r608988", + "rule_id_src": "SV-207188r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "low", + "rule_version": "SRG-NET-000049-VPN-000150", + "group_title": "SRG-NET-000049", + "rule_title": "The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).", + "fix_text": "Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).", + "false_positives": null, + "false_negatives": null, + "discussion": "Users 
need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.\n\nThis applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.", + "check_content": "Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding.\n\nIf the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207188", + "title": "SRG-NET-000049", + "description": "" + } + ], + "createdAt": "2023-11-13T16:36:35.000Z", + "updatedAt": "2023-11-13T16:36:35.000Z", + "STIGUuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": "", + "finding_details": "xyz", + "ccis": [ + "CCI-000053" + ] + }, + { + "uuid": "4f099880-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207189", + "rule_id": "SV-207189r608988", + "rule_id_src": "SV-207189r608988_rule", + 
"weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000053-VPN-000170", + "group_title": "SRG-NET-000053", + "rule_title": "The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.", + "fix_text": "Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP.", + "false_positives": null, + "false_negatives": null, + "discussion": "VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.\n\nThe intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.", + "check_content": "Inspect the VPN Gateway configuration. 
Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP).\n\nIf the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207189", + "title": "SRG-NET-000053", + "description": "" + } + ], + "createdAt": "2023-11-13T16:36:35.000Z", + "updatedAt": "2023-11-13T16:36:35.000Z", + "STIGUuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xyz", + "ccis": [ + "CCI-000054" + ] + }, + { + "uuid": "4f099881-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207190", + "rule_id": "SV-207190r803417", + "rule_id_src": "SV-207190r803417_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "SRG-NET-000062-VPN-000200", + "group_title": "SRG-NET-000062", + "rule_title": "The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.", + "fix_text": "Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission.", + "false_positives": null, + "false_negatives": null, + "discussion": "Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nNIST SP 800-52 Rev2 provides guidance for client negotiation on either 
DoD-only or public-facing servers.", + "check_content": "Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission.\n\nIf the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207190", + "title": "SRG-NET-000062", + "description": "" + } + ], + "createdAt": "2023-11-13T16:36:35.000Z", + "updatedAt": "2023-11-13T16:36:35.000Z", + "STIGUuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": "", + "finding_details": "xyz", + "ccis": [ + "CCI-000068" + ] + }, + { + "uuid": "4f099882-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207191", + "rule_id": "SV-207191r803418", + "rule_id_src": "SV-207191r803418_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000063-VPN-000210", + "group_title": "SRG-NET-000063", + "rule_title": "The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.", + "fix_text": "Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.", + "false_positives": null, + "false_negatives": null, + "discussion": "Without integrity protection, unauthorized changes may be made to the log files and 
reliable forensic analysis and discovery of the source of malicious system activity may be degraded.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless.\n\nIntegrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function.", + "check_content": "Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.\n\nIf the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207191", + "title": "SRG-NET-000063", + "description": "" + } + ], + "createdAt": "2023-11-13T16:36:35.000Z", + "updatedAt": "2023-11-13T16:36:35.000Z", + "STIGUuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": "xyz", + "finding_details": "xyz", + "ccis": [ + "CCI-001453" + ] + }, + { + "uuid": "4f099883-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207192", + "rule_id": 
"SV-207192r916146", + "rule_id_src": "SV-207192r916146_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000063-VPN-000220", + "group_title": "SRG-NET-000063", + "rule_title": "The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.", + "fix_text": "Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.", + "false_positives": null, + "false_negatives": null, + "discussion": "Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nSHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. \n\nThe remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.", + "check_content": "Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.\n\nIf the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207192", + "title": "SRG-NET-000063", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + 
"comments": "", + "finding_details": "", + "ccis": [ + "CCI-001453" + ] + }, + { + "uuid": "4f099884-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207193", + "rule_id": "SV-207193r916149", + "rule_id_src": "SV-207193r916149_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "SRG-NET-000074-VPN-000250", + "group_title": "SRG-NET-000074", + "rule_title": "The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.", + "fix_text": "Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1.", + "false_positives": null, + "false_negatives": null, + "discussion": "Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. 
Hence, the larger the modulus, the more secure the generated key is considered to be.", + "check_content": "Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1.\n\nView the IKE options dh-group option.\n\nIf the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207193", + "title": "SRG-NET-000074", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "4f08ae20-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000068" + ] + } + ] + } + ] +} diff --git a/WATCHER-test-files/WATCHER/cklb/Asset_aaaaaaaaaa-RHEL_9_TRUNCATED-V1R1-no-reviews.cklb b/WATCHER-test-files/WATCHER/cklb/Asset_aaaaaaaaaa-RHEL_9_TRUNCATED-V1R1-no-reviews.cklb new file mode 100644 index 0000000..3348dd6 --- /dev/null +++ b/WATCHER-test-files/WATCHER/cklb/Asset_aaaaaaaaaa-RHEL_9_TRUNCATED-V1R1-no-reviews.cklb 
@@ -0,0 +1,542 @@ +{ + "title": "Asset_aaaaaaaaaa-RHEL_9_TRUNCATED-V1R1", + "id": "7e41c2d0-8244-11ee-8b44-13c1c13d16bb", + "active": false, + "mode": 1, + "has_path": true, + "target_data": { + "target_type": "Non-Computing", + "host_name": "Asset_aaaaaaaaaa", + "ip_address": "", + "mac_address": "", + "fqdn": "", + "comments": "", + "role": "None", + "is_web_database": false, + "technology_area": "", + "web_db_site": "", + "web_db_instance": "" + }, + "stigs": [ + { + "stig_name": "Red Hat Enterprise Linux 9 TRUNCATED", + "display_name": "Red Hat Enterprise Linux 9 TRUNCATED", + "stig_id": "RHEL_9_TRUNCATED", + "version": 1, + "release_info": "Release: 1 Benchmark Date: 22 Sep 2023", + "uuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "reference_identifier": "0000", + "size": 10, + "rules": [ + { + "uuid": "7e432260-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257777", + "rule_id": "SV-257777r925318", + "rule_id_src": "SV-257777r925318_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-09-211010", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 9 must be a vendor-supported release.", + "fix_text": "Upgrade to a supported version of RHEL 9.", + "false_positives": null, + "false_negatives": null, + "discussion": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.", + "check_content": "Verify that the version or RHEL 9 is vendor supported with the following command:\n\n$ cat /etc/redhat-release \n\nRed Hat Enterprise Linux release 9.2 (Plow)\n\nIf the installed version of RHEL 9 is not supported, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257777", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "7e432261-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257778", + "rule_id": "SV-257778r925321", + "rule_id_src": "SV-257778r925321_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211015", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 9 vendor packaged system security patches and updates must be installed and up to date.", + "fix_text": "Install RHEL 9 security patches and updates at the organizationally defined frequency. 
If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command:\n\n$ sudo dnf update", + "false_positives": null, + "false_negatives": null, + "discussion": "Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.", + "check_content": "Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy.\n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n$ dnf history list | more\n\n ID | Command line | Date and time | Action(s) | Altered \n------------------------------------------------------------------------------- \n 70 | install aide | 2023-03-05 10:58 | Install | 1 \n 69 | update -y | 2023-03-04 14:34 | Update | 18 EE \n 68 | install vlc | 2023-02-21 17:12 | Install | 21 \n 67 | update -y | 2023-02-21 17:04 | Update | 7 EE \n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the system is in noncompliance with the organizational patching policy, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + 
"check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257778", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "7e432262-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257779", + "rule_id": "SV-257779r925324", + "rule_id_src": "SV-257779r925324_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211020", + "group_title": "SRG-OS-000023-GPOS-00006", + "rule_title": "RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.", + "fix_text": "Configure RHEL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via command line logon.\n\nEdit the \"/etc/issue\" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088", + "check_content": "Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon.\n\nCheck that a banner is displayed at the command line login screen with the following command:\n\n$ sudo cat /etc/issue\n\nIf the banner is set correctly it will return the following text:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257779", + "title": "SRG-OS-000023-GPOS-00006", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000048", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" + ] + }, + { + "uuid": "7e432263-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257780", + "rule_id": "SV-257780r925327", + "rule_id_src": "SV-257780r925327_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211025", + "group_title": "SRG-OS-000191-GPOS-00080", + "rule_title": "RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool.", + "fix_text": "Install and enable the latest McAfee ENSLTP package.", + "false_positives": null, + "false_negatives": null, + "discussion": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.\n\nTo support this requirement, the operating system may have an integrated solution incorporating continuous scanning using ESS and periodic scanning using other tools, as specified in the requirement.", + "check_content": 
"Verify that RHEL 9 has implemented the Endpoint Security for Linux Threat Prevention tool.\n\nCheck that the following package has been installed:\n\n$ sudo rpm -qa | grep -i mcafeetp\n\nIf the \"mcafeetp\" package is not installed, this is a finding.\n\nVerify that the daemon is running:\n\n$ sudo ps -ef | grep -i mfetpd\n\nIf the daemon is not running, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257780", + "title": "SRG-OS-000191-GPOS-00080", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-001233" + ] + }, + { + "uuid": "7e432264-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257781", + "rule_id": "SV-257781r925330", + "rule_id_src": "SV-257781r925330_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211030", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "The graphical display manager must not be the default target on RHEL 9 unless approved.", + "fix_text": "Document the requirement for a graphical user interface with the ISSO or set the default target to multi-user with the following command:\n\n$ sudo systemctl set-default multi-user.target", + "false_positives": null, + "false_negatives": null, + "discussion": "Unnecessary service packages must not be installed to decrease the attack surface of the system. 
Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.", + "check_content": "Verify that RHEL 9 is configured to boot to the command line:\n\n$ systemctl get-default\n\nmulti-user.target\n\nIf the system default target is not set to \"multi-user.target\" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257781", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "7e432265-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257782", + "rule_id": "SV-257782r925333", + "rule_id_src": "SV-257782r925333_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "low", + "rule_version": "RHEL-09-211035", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 9 must enable the hardware random number generator entropy gatherer service.", + "fix_text": "Install the rng-tools package with the following command:\n\n$ sudo dnf install rng-tools\n\nThen enable the rngd service run the following command:\n\n$ sudo systemctl enable --now rngd", + "false_positives": null, + "false_negatives": null, + "discussion": "The most important characteristic of a random number generator is its randomness, namely its ability to deliver random 
numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. \n\nThe rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).", + "check_content": "Verify that RHEL 9 has enabled the hardware random number generator entropy gatherer service with the following command:\n\n$ systemctl is-active rngd\n\nactive\n\nIf the \"rngd\" service is not active, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257782", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "7e432266-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257783", + "rule_id": "SV-257783r925336", + "rule_id_src": "SV-257783r925336_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211040", + "group_title": "SRG-OS-000269-GPOS-00103", + "rule_title": "RHEL 9 systemd-journald service must be enabled.", + "fix_text": "To enable the systemd-journald service, run the following command:\n\n$ sudo systemctl enable --now 
systemd-journald", + "false_positives": null, + "false_negatives": null, + "discussion": "In the event of a system failure, RHEL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.", + "check_content": "Verify that \"systemd-journald\" is active with the following command:\n\n$ systemctl is-active systemd-journald\n\nactive\n\nIf the systemd-journald service is not active, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257783", + "title": "SRG-OS-000269-GPOS-00103", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-001665" + ] + }, + { + "uuid": "7e432267-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257784", + "rule_id": "SV-257784r925339", + "rule_id_src": "SV-257784r925339_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-09-211045", + "group_title": "SRG-OS-000324-GPOS-00125", + "rule_title": "The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.", + "fix_text": "Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the \"/etc/systemd/system.conf\" configuration file:\n\nCtrlAltDelBurstAction=none\n\nReload the daemon for this change to take effect.\n\n$ sudo systemctl daemon-reload", + "false_positives": null, + "false_negatives": null, + 
"discussion": "A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.\n\nSatisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227", + "check_content": "Verify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command:\n\n$ grep -i ctrl /etc/systemd/system.conf\n\nCtrlAltDelBurstAction=none\n\nIf the \"CtrlAltDelBurstAction\" is not set to \"none\", commented out, or is missing, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257784", + "title": "SRG-OS-000324-GPOS-00125", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366", + "CCI-002235" + ] + }, + { + "uuid": "7e432268-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257785", + "rule_id": "SV-257785r925342", + "rule_id_src": "SV-257785r925342_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-09-211050", + "group_title": "SRG-OS-000324-GPOS-00125", + "rule_title": "The x86 Ctrl-Alt-Delete key sequence must be disabled 
on RHEL 9.", + "fix_text": "Configure RHEL 9 to disable the ctrl-alt-del.target with the following command:\n\n$ sudo systemctl disable --now ctrl-alt-del.target\n$ sudo systemctl mask --now ctrl-alt-del.target", + "false_positives": null, + "false_negatives": null, + "discussion": "A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.\n\nSatisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227", + "check_content": "Verify RHEL 9 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command:\n\n$ sudo systemctl status ctrl-alt-del.target\n\nctrl-alt-del.target\nLoaded: masked (Reason: Unit ctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\" is loaded and not masked, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257785", + "title": "SRG-OS-000324-GPOS-00125", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366", + "CCI-002235" + ] + }, + { + "uuid": "7e432269-8244-11ee-8b44-13c1c13d16bb", + "stig_uuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257786", + 
"rule_id": "SV-257786r925345", + "rule_id_src": "SV-257786r925345_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211055", + "group_title": "SRG-OS-000324-GPOS-00125", + "rule_title": "RHEL 9 debug-shell systemd service must be disabled.", + "fix_text": "Configure RHEL 9 to mask the debug-shell systemd service with the following command:\n\n$ sudo systemctl disable --now debug-shell.target\n$ sudo systemctl mask --now debug-shell.target", + "false_positives": null, + "false_negatives": null, + "discussion": "The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.\n\nSatisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227", + "check_content": "Verify RHEL 9 is configured to mask the debug-shell systemd service with the following command:\n\n$ sudo systemctl status debug-shell.service\n\ndebug-shell.service\nLoaded: masked (Reason: Unit debug-shell.service is masked.)\nActive: inactive (dead)\n\nIf the \"debug-shell.service\" is loaded and not masked, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257786", + "title": "SRG-OS-000324-GPOS-00125", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "7e428620-8244-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + 
"overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366", + "CCI-002235" + ] + } + ] + } + ] +} diff --git a/WATCHER-test-files/WATCHER/cklb/Asset_b-multi-stig.cklb b/WATCHER-test-files/WATCHER/cklb/Asset_b-multi-stig.cklb new file mode 100644 index 0000000..218d0b7 --- /dev/null +++ b/WATCHER-test-files/WATCHER/cklb/Asset_b-multi-stig.cklb 
@@ -0,0 +1,1570 @@ +{ + "title": "", + "id": "b0a58000-8243-11ee-8b44-13c1c13d16bb", + "active": false, + "mode": 1, + "has_path": true, + "target_data": { + "target_type": "Computing", + "host_name": "Asset_bbbbbbbbb", + "ip_address": "", + "mac_address": "", + "fqdn": "", + "comments": "", + "role": "None", + "is_web_database": false, + "technology_area": "", + "web_db_site": "", + "web_db_instance": "" + }, + "stigs": [ + { + "stig_name": "Red Hat Enterprise Linux 8 TRUNCATED", + "display_name": "Red Hat Enterprise Linux 8 TRUNCATED", + "stig_id": "RHEL_8_TRUNCATED", + "version": 1, + "release_info": "Release: 12 Benchmark Date: 25 Oct 2023", + "uuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "reference_identifier": "0000", + "size": 10, + "rules": [ + { + "uuid": "b0a7c9f0-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230221", + "rule_id": "SV-230221r858734", + "rule_id_src": "SV-230221r858734_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-08-010000", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 8 must be a vendor-supported release.", + "fix_text": "Upgrade to a supported version of RHEL 8.", + "false_positives": null, + "false_negatives": null, + "discussion": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. 
RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/.\nNote: The life-cycle time spans and dates are subject to adjustment.", + "check_content": "Verify the version of the operating system is vendor supported.\n\nNote: The lifecycle time spans and dates are subject to adjustment.\n\nCheck the version of the operating system with the following command:\n\n$ sudo cat /etc/redhat-release\n\nRed Hat Enterprise Linux Server release 8.6 (Ootpa)\n\nCurrent End of Extended Update Support for RHEL 8.1 is 30 November 2021.\n\nCurrent End of Extended Update Support for RHEL 8.2 is 30 April 2022.\n\nCurrent End of Extended Update Support for RHEL 8.4 is 31 May 2023.\n\nCurrent End of Maintenance Support for RHEL 8.5 is 31 May 2022.\n\nCurrent End of Extended Update Support for RHEL 8.6 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.7 is 31 May 2023.\n\nCurrent End of Extended Update Support for RHEL 8.8 is 31 May 2025.\n\nCurrent End of Maintenance Support for RHEL 8.9 is 31 May 2024.\n\nCurrent End of Maintenance Support for RHEL 8.10 is 31 May 2029.\n\nIf the release is not supported by the vendor, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230221", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:57.000Z", + "updatedAt": "2023-11-13T16:39:57.000Z", + "STIGUuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": 
"b0a7c9f1-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230222", + "rule_id": "SV-230222r627750", + "rule_id_src": "SV-230222r627750_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010010", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 8 vendor packaged system security patches and updates must be installed and up to date.", + "fix_text": "Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.", + "false_positives": null, + "false_negatives": null, + "discussion": "Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.", + "check_content": "Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO).\n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. 
It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n$ sudo yum history list | more\n\nLoaded plugins: langpacks, product-id, subscription-manager\nID | Command line | Date and time | Action(s) | Altered\n-------------------------------------------------------------------------------\n70 | install aide | 2020-03-05 10:58 | Install | 1 \n69 | update -y | 2020-03-04 14:34 | Update | 18 EE\n68 | install vlc | 2020-02-21 17:12 | Install | 21 \n67 | update -y | 2020-02-21 17:04 | Update | 7 EE\n\nIf package updates have not been performed on the system within the timeframe the site/program documentation requires, this is a finding.\n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230222", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": "2023-11-13T16:40:04.000Z", + "updatedAt": "2023-11-13T16:40:04.000Z", + "STIGUuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "status": "not_applicable", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "b0a7c9f2-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230223", + "rule_id": 
"SV-230223r928585", + "rule_id_src": "SV-230223r928585_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-08-010020", + "group_title": "SRG-OS-000033-GPOS-00014", + "rule_title": "RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", + "fix_text": "Configure the operating system to implement DOD-approved encryption by following the steps below:\n\nTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.\n\nEnable FIPS mode after installation (not strict FIPS-compliant) with the following command:\n\n $ sudo fips-mode-setup --enable\n\nReboot the system for the changes to take effect.", + "false_positives": null, + "false_negatives": null, + "discussion": "Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.\n\nRHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the \"kernelopts\" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command \"fips-mode-setup\" modifies the \"kernelopts\" variable, which in turn updates all kernel boot entries. \n\nThe fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. 
Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key.\n\nSatisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223", + "check_content": "Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions.\n\nCheck to see if FIPS mode is enabled with the following command:\n\n $ fips-mode-setup --check\n FIPS mode is enabled\n\nIf FIPS mode is \"enabled\", check to see if the kernel boot parameter is configured for FIPS mode with the following command:\n\n $ sudo grub2-editenv list | grep fips\n kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82\n\nIf the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:\n\n $ sudo cat /proc/sys/crypto/fips_enabled\n 1\n\nIf FIPS mode is not \"on\", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of \"1\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230223", + "title": "SRG-OS-000033-GPOS-00014", + "description": "" + } + ], + "createdAt": "2023-11-13T16:40:11.000Z", + "updatedAt": "2023-11-13T16:40:11.000Z", + "STIGUuid": 
"b0a69170-8243-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": "", + "finding_details": "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy", + "ccis": [ + "CCI-000068" + ] + }, + { + "uuid": "b0a7c9f3-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230224", + "rule_id": "SV-230224r917864", + "rule_id_src": "SV-230224r917864_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010030", + "group_title": "SRG-OS-000185-GPOS-00079", + "rule_title": "All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.", + "fix_text": "Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption. \n\nEncrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.", + "false_positives": null, + "false_negatives": null, + "discussion": "RHEL 8 systems handling data requiring \"data at rest\" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.\n\nSelection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).\n\nSatisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184", + "check_content": "Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. \n\nIf there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable.\n\nVerify all system partitions are encrypted with the following command:\n\n $ sudo blkid\n\n /dev/mapper/rhel-root: UUID=\"67b7d7fe-de60-6fd0-befb-e6748cf97743\" TYPE=\"crypto_LUKS\"\n\nEvery persistent disk partition present must be of type \"crypto_LUKS\". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type \"crypto_LUKS\", ask the administrator to indicate how the partitions are encrypted. 
\n\nIf there is no evidence that these partitions are encrypted, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230224", + "title": "SRG-OS-000185-GPOS-00079", + "description": "" + } + ], + "createdAt": "2023-11-13T16:40:25.000Z", + "updatedAt": "2023-11-13T16:40:25.000Z", + "STIGUuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": "zzzzzzzzzzzzzzzzzzzzzzzzzzzzz", + "finding_details": "yyyyyyyyyyyyyyyyyyyyyy", + "ccis": [ + "CCI-001199" + ] + }, + { + "uuid": "b0a7c9f4-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230225", + "rule_id": "SV-230225r858694", + "rule_id_src": "SV-230225r858694_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010040", + "group_title": "SRG-OS-000023-GPOS-00006", + "rule_title": "RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.", + "fix_text": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.\n\nEdit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). 
An example configuration line is:\n\nbanner /etc/issue\n\nEither create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD-required text is:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nThe SSH service must be restarted for changes to take effect.", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their 
assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088", + "check_content": "Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nCheck for the location of the banner file being used with the following command:\n\n$ sudo grep -ir banner /etc/ssh/sshd_config*\n\nbanner /etc/issue\n\nThis command will return the banner keyword and the name of the file that contains the ssh banner (in this case \"/etc/issue\").\n\nIf the line is commented out, this is a finding.\nIf conflicting results are returned, this is a finding.\n\nView the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nIf the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.\n\nIf the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230225", + "title": "SRG-OS-000023-GPOS-00006", + "description": "" + } + ], + "createdAt": "2023-11-13T16:40:30.000Z", + "updatedAt": "2023-11-13T16:40:30.000Z", + "STIGUuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000048" + ] + }, + { + "uuid": "b0a7c9f5-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230226", + "rule_id": "SV-230226r743916", + "rule_id_src": "SV-230226r743916_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010050", + "group_title": "SRG-OS-000023-GPOS-00006", + "rule_title": "RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.", + "fix_text": "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.\n\nNote: If the system does not have a graphical user interface installed, this requirement is Not Applicable.\n\nAdd the following lines to the [org/gnome/login-screen] section of the \"/etc/dconf/db/local.d/01-banner-message\":\n\nbanner-message-text='You 
are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. 
They will not be displayed on the graphical interface.\n\nRun the following command to update the database:\n\n$ sudo dconf update", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, 
psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088", + "check_content": "Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.\n\nNote: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. \n\nCheck that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command:\n\n$ sudo grep banner-message-text /etc/dconf/db/local.d/*\n\nbanner-message-text=\n'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n-At any time, the USG may inspect and seize data stored on this IS.\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, 
and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '\n\nNote: The \"\\n \" characters are for formatting only. They will not be displayed on the graphical interface.\n\nIf the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230226", + "title": "SRG-OS-000023-GPOS-00006", + "description": "" + } + ], + "createdAt": "2023-11-13T16:40:36.000Z", + "updatedAt": "2023-11-13T16:40:36.000Z", + "STIGUuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000048" + ] + }, + { + "uuid": "b0a7c9f6-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230227", + "rule_id": "SV-230227r627750", + "rule_id_src": "SV-230227r627750_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010060", + "group_title": "SRG-OS-000023-GPOS-00006", + "rule_title": "RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.", + "fix_text": "Configure RHEL 8 to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via command line logon.\n\nEdit the \"/etc/issue\" file to replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD-required text is:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.\n\nThe banner must be formatted in accordance with applicable DoD policy. 
Use the following verbiage for operating systems that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088", + "check_content": "Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon.\n\nCheck that RHEL 8 displays a banner at the command line login screen with the following command:\n\n$ sudo cat /etc/issue\n\nIf the banner is set correctly it will return the following text:\n\n“You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.”\n\nIf the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230227", + "title": "SRG-OS-000023-GPOS-00006", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000048" + ] + }, + { + "uuid": "b0a7c9f7-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230228", + "rule_id": "SV-230228r627750", + "rule_id_src": "SV-230228r627750_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010070", + "group_title": "SRG-OS-000032-GPOS-00013", + "rule_title": "All RHEL 8 remote access methods must be monitored.", + "fix_text": "Configure RHEL 8 to monitor all remote access methods by installing rsyslog with the following command:\n\n$ sudo yum install rsyslog\n\nThen add or update the following lines to the \"/etc/rsyslog.conf\" file:\n\nauth.*;authpriv.*;daemon.* /var/log/secure\n\nThe \"rsyslog\" service must be restarted for the changes to take effect. 
To restart the \"rsyslog\" service, run the following command:\n\n$ sudo systemctl restart rsyslog.service", + "false_positives": null, + "false_negatives": null, + "discussion": "Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.\n\nRemote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.\n\nAutomated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).", + "check_content": "Verify that RHEL 8 monitors all remote access methods.\n\nCheck that remote access methods are being logged by running the following command:\n\n$ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf\n\nauth.*;authpriv.*;daemon.* /var/log/secure\n\nIf \"auth.*\", \"authpriv.*\" or \"daemon.*\" are not configured to be logged, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230228", + "title": "SRG-OS-000032-GPOS-00013", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": 
"", + "finding_details": "", + "ccis": [ + "CCI-000067" + ] + }, + { + "uuid": "b0a7c9f8-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230229", + "rule_id": "SV-230229r858739", + "rule_id_src": "SV-230229r858739_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010090", + "group_title": "SRG-OS-000066-GPOS-00034", + "rule_title": "RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.", + "fix_text": "Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nObtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file:\n\n/etc/sssd/pki/sssd_auth_ca_db.pem", + "false_positives": null, + "false_negatives": null, + "discussion": "Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.\n\nA trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.\n\nWhen there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA.\n\nThis requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. 
Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.\n\nSatisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167", + "check_content": "Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.\n\nNote: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.\n\nCheck that the system has a valid DoD root CA installed with the following command:\n\n$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem\n\nCertificate:\n Data:\n Version: 3 (0x2)\n Serial Number: 1 (0x1)\n Signature Algorithm: sha256WithRSAEncryption\n Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Validity\n Not Before: Mar 20 18:46:41 2012 GMT\n Not After : Dec 30 18:46:41 2029 GMT\n Subject: C = US, O = U.S. 
Government, OU = DoD, OU = PKI, CN = DoD Root CA 3\n Subject Public Key Info:\n Public Key Algorithm: rsaEncryption\n\nIf the root ca file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230229", + "title": "SRG-OS-000066-GPOS-00034", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000185" + ] + }, + { + "uuid": "b0a7c9f9-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-230230", + "rule_id": "SV-230230r627750", + "rule_id_src": "SV-230230r627750_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-08-010100", + "group_title": "SRG-OS-000067-GPOS-00035", + "rule_title": "RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.", + "fix_text": "Create a new private and public key pair that utilizes a passcode with the following command:\n\n$ sudo ssh-keygen -n [passphrase]", + "false_positives": null, + "false_negatives": null, + "discussion": "If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed.", + "check_content": "Verify the SSH private key files have a passcode.\n\nFor each private key stored on the system, use the following command:\n\n$ 
sudo ssh-keygen -y -f /path/to/file\n\nIf the contents of the key are displayed, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-230230", + "title": "SRG-OS-000067-GPOS-00035", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0a69170-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000186" + ] + } + ] + }, + { + "stig_name": "Red Hat Enterprise Linux 9 TRUNCATED", + "display_name": "Red Hat Enterprise Linux 9 TRUNCATED", + "stig_id": "RHEL_9_TRUNCATED", + "version": 1, + "release_info": "Release: 1 Benchmark Date: 22 Sep 2023", + "uuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "reference_identifier": "0000", + "size": 10, + "rules": [ + { + "uuid": "b0a95090-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257777", + "rule_id": "SV-257777r925318", + "rule_id_src": "SV-257777r925318_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-09-211010", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 9 must be a vendor-supported release.", + "fix_text": "Upgrade to a supported version of RHEL 9.", + "false_positives": null, + "false_negatives": null, + "discussion": "An operating system release is considered \"supported\" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.\n\nRed Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.", + "check_content": "Verify that the version or RHEL 9 is vendor supported with the following command:\n\n$ cat /etc/redhat-release \n\nRed Hat Enterprise Linux release 9.2 (Plow)\n\nIf the installed version of RHEL 9 is not supported, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257777", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": "2023-11-13T16:41:49.000Z", + "updatedAt": "2023-11-13T16:41:49.000Z", + "STIGUuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "b0a95091-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257778", + "rule_id": "SV-257778r925321", + "rule_id_src": "SV-257778r925321_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211015", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 9 vendor packaged system security patches and updates must be installed and up to date.", + "fix_text": "Install RHEL 9 security patches and updates at the organizationally defined frequency. 
If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command:\n\n$ sudo dnf update", + "false_positives": null, + "false_negatives": null, + "discussion": "Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.", + "check_content": "Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy.\n\nObtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.\n\nCheck that the available package security updates have been installed on the system with the following command:\n\n$ dnf history list | more\n\n ID | Command line | Date and time | Action(s) | Altered \n------------------------------------------------------------------------------- \n 70 | install aide | 2023-03-05 10:58 | Install | 1 \n 69 | update -y | 2023-03-04 14:34 | Update | 18 EE \n 68 | install vlc | 2023-02-21 17:12 | Install | 21 \n 67 | update -y | 2023-02-21 17:04 | Update | 7 EE \n\nTypical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.\n\nIf the system is in noncompliance with the organizational patching policy, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + 
"check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257778", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": "2023-11-13T16:41:53.000Z", + "updatedAt": "2023-11-13T16:41:53.000Z", + "STIGUuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "status": "not_applicable", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "b0a95092-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257779", + "rule_id": "SV-257779r925324", + "rule_id_src": "SV-257779r925324_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211020", + "group_title": "SRG-OS-000023-GPOS-00006", + "rule_title": "RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.", + "fix_text": "Configure RHEL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via command line logon.\n\nEdit the \"/etc/issue\" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.\n\nSatisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088", + "check_content": "Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon.\n\nCheck that a banner is displayed at the command line login screen with the following command:\n\n$ sudo cat /etc/issue\n\nIf the banner is set correctly it will return the following text:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nIf the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257779", + "title": "SRG-OS-000023-GPOS-00006", + "description": "" + } + ], + "createdAt": "2023-11-13T16:41:59.000Z", + "updatedAt": "2023-11-13T16:41:59.000Z", + "STIGUuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": "", + "finding_details": "yyyyyyyyyyyyyyyyyyyyyyy", + "ccis": [ + "CCI-000048", + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" + ] + }, + { + "uuid": "b0a95093-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257780", + "rule_id": "SV-257780r925327", + "rule_id_src": "SV-257780r925327_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211025", + "group_title": "SRG-OS-000191-GPOS-00080", + "rule_title": "RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool.", + "fix_text": "Install and enable the latest McAfee ENSLTP package.", + "false_positives": null, + "false_negatives": null, + "discussion": "Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.\n\nTo support this requirement, the operating system may have an integrated solution incorporating continuous scanning using ESS and periodic scanning using other 
tools, as specified in the requirement.", + "check_content": "Verify that RHEL 9 has implemented the Endpoint Security for Linux Threat Prevention tool.\n\nCheck that the following package has been installed:\n\n$ sudo rpm -qa | grep -i mcafeetp\n\nIf the \"mcafeetp\" package is not installed, this is a finding.\n\nVerify that the daemon is running:\n\n$ sudo ps -ef | grep -i mfetpd\n\nIf the daemon is not running, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257780", + "title": "SRG-OS-000191-GPOS-00080", + "description": "" + } + ], + "createdAt": "2023-11-13T16:42:08.000Z", + "updatedAt": "2023-11-13T16:42:08.000Z", + "STIGUuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": "zzzzzzzzzzzzzzzzzzzzzzzzzz", + "finding_details": "yyyyyyyyyyyyyyyyyyyyyyy", + "ccis": [ + "CCI-001233" + ] + }, + { + "uuid": "b0a95094-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257781", + "rule_id": "SV-257781r925330", + "rule_id_src": "SV-257781r925330_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211030", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "The graphical display manager must not be the default target on RHEL 9 unless approved.", + "fix_text": "Document the requirement for a graphical user interface with the ISSO or set the default target to multi-user with the following command:\n\n$ sudo systemctl set-default multi-user.target", + "false_positives": null, + "false_negatives": null, + "discussion": "Unnecessary service packages must not be installed 
to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.", + "check_content": "Verify that RHEL 9 is configured to boot to the command line:\n\n$ systemctl get-default\n\nmulti-user.target\n\nIf the system default target is not set to \"multi-user.target\" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257781", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": "2023-11-13T16:42:14.000Z", + "updatedAt": "2023-11-13T16:42:14.000Z", + "STIGUuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "b0a95095-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257782", + "rule_id": "SV-257782r925333", + "rule_id_src": "SV-257782r925333_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "low", + "rule_version": "RHEL-09-211035", + "group_title": "SRG-OS-000480-GPOS-00227", + "rule_title": "RHEL 9 must enable the hardware random number generator entropy gatherer service.", + "fix_text": "Install the rng-tools package with the following command:\n\n$ sudo dnf install rng-tools\n\nThen enable the rngd service run the following command:\n\n$ sudo systemctl enable --now rngd", + "false_positives": null, + "false_negatives": null, + "discussion": "The 
most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. \n\nThe rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).", + "check_content": "Verify that RHEL 9 has enabled the hardware random number generator entropy gatherer service with the following command:\n\n$ systemctl is-active rngd\n\nactive\n\nIf the \"rngd\" service is not active, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257782", + "title": "SRG-OS-000480-GPOS-00227", + "description": "" + } + ], + "createdAt": "2023-11-13T16:42:21.000Z", + "updatedAt": "2023-11-13T16:42:21.000Z", + "STIGUuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000366" + ] + }, + { + "uuid": "b0a95096-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257783", + "rule_id": "SV-257783r925336", + "rule_id_src": "SV-257783r925336_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211040", + "group_title": "SRG-OS-000269-GPOS-00103", + 
"rule_title": "RHEL 9 systemd-journald service must be enabled.", + "fix_text": "To enable the systemd-journald service, run the following command:\n\n$ sudo systemctl enable --now systemd-journald", + "false_positives": null, + "false_negatives": null, + "discussion": "In the event of a system failure, RHEL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.", + "check_content": "Verify that \"systemd-journald\" is active with the following command:\n\n$ systemctl is-active systemd-journald\n\nactive\n\nIf the systemd-journald service is not active, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257783", + "title": "SRG-OS-000269-GPOS-00103", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-001665" + ] + }, + { + "uuid": "b0a95097-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257784", + "rule_id": "SV-257784r925339", + "rule_id_src": "SV-257784r925339_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "RHEL-09-211045", + "group_title": "SRG-OS-000324-GPOS-00125", + "rule_title": "The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.", + "fix_text": "Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the \"/etc/systemd/system.conf\" configuration 
file:\n\nCtrlAltDelBurstAction=none\n\nReload the daemon for this change to take effect.\n\n$ sudo systemctl daemon-reload", + "false_positives": null, + "false_negatives": null, + "discussion": "A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.\n\nSatisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227", + "check_content": "Verify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command:\n\n$ grep -i ctrl /etc/systemd/system.conf\n\nCtrlAltDelBurstAction=none\n\nIf the \"CtrlAltDelBurstAction\" is not set to \"none\", commented out, or is missing, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257784", + "title": "SRG-OS-000324-GPOS-00125", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366", + "CCI-002235" + ] + }, + { + "uuid": "b0a977a0-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257785", + "rule_id": "SV-257785r925342", + "rule_id_src": "SV-257785r925342_rule", + "weight": "10.0", + "classification": 
"NONE", + "severity": "high", + "rule_version": "RHEL-09-211050", + "group_title": "SRG-OS-000324-GPOS-00125", + "rule_title": "The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.", + "fix_text": "Configure RHEL 9 to disable the ctrl-alt-del.target with the following command:\n\n$ sudo systemctl disable --now ctrl-alt-del.target\n$ sudo systemctl mask --now ctrl-alt-del.target", + "false_positives": null, + "false_negatives": null, + "discussion": "A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.\n\nSatisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227", + "check_content": "Verify RHEL 9 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command:\n\n$ sudo systemctl status ctrl-alt-del.target\n\nctrl-alt-del.target\nLoaded: masked (Reason: Unit ctrl-alt-del.target is masked.)\nActive: inactive (dead)\n\nIf the \"ctrl-alt-del.target\" is loaded and not masked, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257785", + "title": "SRG-OS-000324-GPOS-00125", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366", + "CCI-002235" + ] + }, 
+ { + "uuid": "b0a977a1-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-257786", + "rule_id": "SV-257786r925345", + "rule_id_src": "SV-257786r925345_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "RHEL-09-211055", + "group_title": "SRG-OS-000324-GPOS-00125", + "rule_title": "RHEL 9 debug-shell systemd service must be disabled.", + "fix_text": "Configure RHEL 9 to mask the debug-shell systemd service with the following command:\n\n$ sudo systemctl disable --now debug-shell.target\n$ sudo systemctl mask --now debug-shell.target", + "false_positives": null, + "false_negatives": null, + "discussion": "The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. 
This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.\n\nSatisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227", + "check_content": "Verify RHEL 9 is configured to mask the debug-shell systemd service with the following command:\n\n$ sudo systemctl status debug-shell.service\n\ndebug-shell.service\nLoaded: masked (Reason: Unit debug-shell.service is masked.)\nActive: inactive (dead)\n\nIf the \"debug-shell.service\" is loaded and not masked, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-257786", + "title": "SRG-OS-000324-GPOS-00125", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0a83f20-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000366", + "CCI-002235" + ] + } + ] + }, + { + "stig_name": "Virtual Private Network (VPN) TRUNCATED", + "display_name": "Virtual Private Network (VPN) TRUNCATED", + "stig_id": "VPN_TRUNCATED", + "version": 2, + "release_info": "Release: 5 Benchmark Date: 07 Jun 2023", + "uuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "reference_identifier": "0000", + "size": 10, + "rules": [ + { + "uuid": "b0abc190-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-207184r695317", + "rule_id_src": "SV-207184r695317_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + 
"group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:07.000Z", + "updatedAt": "2023-11-13T16:39:07.000Z", + "STIGUuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxx", + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "b0abc191-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207185", + "rule_id": "SV-207185r608988", + "rule_id_src": "SV-207185r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000041-VPN-000110", + "group_title": "SRG-NET-000041", + "rule_title": "The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.", + "fix_text": "Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. 
Use the following verbiage for applications that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\"I've read & consent to terms in IS user agreem't.\"", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nIn most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n \nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"", + "check_content": "If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.\n\nDetermine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. 
\n\nIf the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207185", + "title": "SRG-NET-000041", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:12.000Z", + "updatedAt": "2023-11-13T16:39:12.000Z", + "STIGUuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "status": "not_applicable", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000048" + ] + }, + { + "uuid": "b0abc192-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207186", + "rule_id": "SV-207186r608988", + "rule_id_src": "SV-207186r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000042-VPN-000120", + "group_title": "SRG-NET-000042", + "rule_title": "The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.", + "fix_text": "Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.", + "false_positives": null, + "false_negatives": null, + "discussion": "The banner must be acknowledged by the user prior to allowing the user access to the network. 
This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. \n\nThe banner is usually configured in NDM for client presentation as well as local logon.\n\nTo establish acceptance of the application usage policy, a click-through banner at application logon is required. The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\". \n\nThis applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.", + "check_content": "If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.\n\nVerify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access.\n\nIf the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207186", + "title": "SRG-NET-000042", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:23.000Z", + "updatedAt": "2023-11-13T16:39:23.000Z", + "STIGUuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": "", + "finding_details": 
"yyyyyyyyyyyyyyyyyyyyyy", + "ccis": [ + "CCI-000050" + ] + }, + { + "uuid": "b0abc193-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207187", + "rule_id": "SV-207187r608988", + "rule_id_src": "SV-207187r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000043-VPN-000130", + "group_title": "SRG-NET-000043", + "rule_title": "The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.", + "fix_text": "Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.\n\nThe banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"", + "check_content": "Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nIf the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207187", + "title": "SRG-NET-000043", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:31.000Z", + "updatedAt": "2023-11-13T16:39:31.000Z", + "STIGUuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": "zzzzzzzzzzzzzzzzzzzzzzzzzzz", + "finding_details": "yyyyyyyyyyyyyyyyyyyyyyy", + "ccis": [ + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" + ] + }, + { + "uuid": "b0abc194-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207188", + "rule_id": "SV-207188r608988", + "rule_id_src": "SV-207188r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "low", + "rule_version": "SRG-NET-000049-VPN-000150", + "group_title": "SRG-NET-000049", + "rule_title": "The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).", + "fix_text": "Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).", + "false_positives": null, + 
"false_negatives": null, + "discussion": "Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.\n\nThis applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.", + "check_content": "Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding.\n\nIf the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207188", + "title": "SRG-NET-000049", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:36.000Z", + "updatedAt": "2023-11-13T16:39:36.000Z", + "STIGUuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000053" + ] + }, + { + "uuid": "b0abc195-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207189", + "rule_id": 
"SV-207189r608988", + "rule_id_src": "SV-207189r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000053-VPN-000170", + "group_title": "SRG-NET-000053", + "rule_title": "The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.", + "fix_text": "Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP.", + "false_positives": null, + "false_negatives": null, + "discussion": "VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.\n\nThe intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.", + "check_content": "Inspect the VPN Gateway configuration. 
Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP).\n\nIf the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207189", + "title": "SRG-NET-000053", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:42.000Z", + "updatedAt": "2023-11-13T16:39:42.000Z", + "STIGUuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000054" + ] + }, + { + "uuid": "b0abc196-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207190", + "rule_id": "SV-207190r803417", + "rule_id_src": "SV-207190r803417_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "SRG-NET-000062-VPN-000200", + "group_title": "SRG-NET-000062", + "rule_title": "The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.", + "fix_text": "Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission.", + "false_positives": null, + "false_negatives": null, + "discussion": "Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nNIST SP 800-52 Rev2 provides guidance for client 
negotiation on either DoD-only or public-facing servers.", + "check_content": "Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission.\n\nIf the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207190", + "title": "SRG-NET-000062", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000068" + ] + }, + { + "uuid": "b0abc197-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207191", + "rule_id": "SV-207191r803418", + "rule_id_src": "SV-207191r803418_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000063-VPN-000210", + "group_title": "SRG-NET-000063", + "rule_title": "The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.", + "fix_text": "Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.", + "false_positives": null, + "false_negatives": null, + "discussion": "Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and 
discovery of the source of malicious system activity may be degraded.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless.\n\nIntegrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function.", + "check_content": "Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.\n\nIf the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207191", + "title": "SRG-NET-000063", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-001453" + ] + }, + { + "uuid": "b0abc198-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207192", + "rule_id": "SV-207192r916146", + "rule_id_src": "SV-207192r916146_rule", + "weight": "10.0", + 
"classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000063-VPN-000220", + "group_title": "SRG-NET-000063", + "rule_title": "The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.", + "fix_text": "Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.", + "false_positives": null, + "false_negatives": null, + "discussion": "Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nSHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. \n\nThe remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.", + "check_content": "Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.\n\nIf the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207192", + "title": "SRG-NET-000063", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-001453" + ] + }, + { + 
"uuid": "b0abc199-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207193", + "rule_id": "SV-207193r916149", + "rule_id_src": "SV-207193r916149_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "SRG-NET-000074-VPN-000250", + "group_title": "SRG-NET-000074", + "rule_title": "The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.", + "fix_text": "Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1.", + "false_positives": null, + "false_negatives": null, + "discussion": "Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. 
Hence, the larger the modulus, the more secure the generated key is considered to be.", + "check_content": "Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1.\n\nView the IKE options dh-group option.\n\nIf the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207193", + "title": "SRG-NET-000074", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "b0aad730-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000068" + ] + } + ] + } + ] +} diff --git a/WATCHER-test-files/WATCHER/cklb/Asset_bbbbbbbbb-VPN_TRUNCATED-V2R5.cklb b/WATCHER-test-files/WATCHER/cklb/Asset_bbbbbbbbb-VPN_TRUNCATED-V2R5.cklb new file mode 100644 index 0000000..1216861 --- /dev/null +++ b/WATCHER-test-files/WATCHER/cklb/Asset_bbbbbbbbb-VPN_TRUNCATED-V2R5.cklb 
@@ -0,0 +1,538 @@ +{ + "title": "Asset_bbbbbbbbb-VPN_TRUNCATED-V2R5", + "id": "d6c887f0-8243-11ee-8b44-13c1c13d16bb", + "active": false, + "mode": 1, + "has_path": true, + "target_data": { + "target_type": "Computing", + "host_name": "Asset_bbbbbbbbb", + "ip_address": "", + "mac_address": "", + "fqdn": "", + "comments": "", + "role": "None", + "is_web_database": false, + "technology_area": "", + "web_db_site": "", + "web_db_instance": "" + }, + "stigs": [ + { + "stig_name": "Virtual Private Network (VPN) TRUNCATED", + "display_name": "Virtual Private Network (VPN) TRUNCATED", + "stig_id": "VPN_TRUNCATED", + "version": 2, + "release_info": "Release: 5 Benchmark Date: 07 Jun 2023", + "uuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "reference_identifier": "0000", + "size": 10, + "rules": [ + { + "uuid": "d6c9e780-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-207184r695317", + "rule_id_src": "SV-207184r695317_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. 
Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:07.000Z", + "updatedAt": "2023-11-13T16:39:07.000Z", + "STIGUuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxx", + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "d6c9e781-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207185", + "rule_id": "SV-207185r608988", + "rule_id_src": "SV-207185r608988_rule", + "weight": "10.0", + "classification": 
"NONE", + "severity": "medium", + "rule_version": "SRG-NET-000041-VPN-000110", + "group_title": "SRG-NET-000041", + "rule_title": "The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.", + "fix_text": "Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\"I've read & consent to terms in IS user agreem't.\"", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nIn most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.\n\nThe banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n \nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"", + "check_content": "If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.\n\nDetermine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. 
\n\nIf the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207185", + "title": "SRG-NET-000041", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:12.000Z", + "updatedAt": "2023-11-13T16:39:12.000Z", + "STIGUuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "status": "not_applicable", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000048" + ] + }, + { + "uuid": "d6c9e782-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207186", + "rule_id": "SV-207186r608988", + "rule_id_src": "SV-207186r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000042-VPN-000120", + "group_title": "SRG-NET-000042", + "rule_title": "The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.", + "fix_text": "Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.", + "false_positives": null, + "false_negatives": null, + "discussion": "The banner must be acknowledged by the user prior to allowing the user access to the network. 
This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. \n\nThe banner is usually configured in NDM for client presentation as well as local logon.\n\nTo establish acceptance of the application usage policy, a click-through banner at application logon is required. The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating \"OK\". \n\nThis applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.", + "check_content": "If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable.\n\nVerify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access.\n\nIf the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207186", + "title": "SRG-NET-000042", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:23.000Z", + "updatedAt": "2023-11-13T16:39:23.000Z", + "STIGUuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": "", + "finding_details": 
"yyyyyyyyyyyyyyyyyyyyyy", + "ccis": [ + "CCI-000050" + ] + }, + { + "uuid": "d6c9e783-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207187", + "rule_id": "SV-207187r608988", + "rule_id_src": "SV-207187r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000043-VPN-000130", + "group_title": "SRG-NET-000043", + "rule_title": "The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.", + "fix_text": "Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.", + "false_positives": null, + "false_negatives": null, + "discussion": "Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.\n\nSystem use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway.\n\nThe banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"", + "check_content": "Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters:\n\n\"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.\"\n\nUse the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:\n\n\"I've read & consent to terms in IS user agreem't.\"\n\nIf the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207187", + "title": "SRG-NET-000043", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:31.000Z", + "updatedAt": "2023-11-13T16:39:31.000Z", + "STIGUuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": "zzzzzzzzzzzzzzzzzzzzzzzzzzz", + "finding_details": "yyyyyyyyyyyyyyyyyyyyyyy", + "ccis": [ + "CCI-001384", + "CCI-001385", + "CCI-001386", + "CCI-001387", + "CCI-001388" + ] + }, + { + "uuid": "d6c9e784-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207188", + "rule_id": "SV-207188r608988", + "rule_id_src": "SV-207188r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "low", + "rule_version": "SRG-NET-000049-VPN-000150", + "group_title": "SRG-NET-000049", + "rule_title": "The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).", + "fix_text": "Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).", + "false_positives": null, + 
"false_negatives": null, + "discussion": "Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.\n\nThis applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.", + "check_content": "Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding.\n\nIf the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207188", + "title": "SRG-NET-000049", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:36.000Z", + "updatedAt": "2023-11-13T16:39:36.000Z", + "STIGUuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000053" + ] + }, + { + "uuid": "d6c9e785-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207189", + "rule_id": 
"SV-207189r608988", + "rule_id_src": "SV-207189r608988_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000053-VPN-000170", + "group_title": "SRG-NET-000053", + "rule_title": "The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.", + "fix_text": "Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP.", + "false_positives": null, + "false_negatives": null, + "discussion": "VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks.\n\nThis requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.\n\nThe intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.", + "check_content": "Inspect the VPN Gateway configuration. 
Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP).\n\nIf the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207189", + "title": "SRG-NET-000053", + "description": "" + } + ], + "createdAt": "2023-11-13T16:39:42.000Z", + "updatedAt": "2023-11-13T16:39:42.000Z", + "STIGUuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "xxxxxxxxxxxxxxxxxxxxxxxxx", + "ccis": [ + "CCI-000054" + ] + }, + { + "uuid": "d6c9e786-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207190", + "rule_id": "SV-207190r803417", + "rule_id_src": "SV-207190r803417_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "SRG-NET-000062-VPN-000200", + "group_title": "SRG-NET-000062", + "rule_title": "The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.", + "fix_text": "Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission.", + "false_positives": null, + "false_negatives": null, + "discussion": "Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.\n\nNIST SP 800-52 Rev2 provides guidance for client 
negotiation on either DoD-only or public-facing servers.", + "check_content": "Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission.\n\nIf the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207190", + "title": "SRG-NET-000062", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000068" + ] + }, + { + "uuid": "d6ca0e90-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207191", + "rule_id": "SV-207191r803418", + "rule_id_src": "SV-207191r803418_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000063-VPN-000210", + "group_title": "SRG-NET-000063", + "rule_title": "The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.", + "fix_text": "Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.", + "false_positives": null, + "false_negatives": null, + "discussion": "Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and 
discovery of the source of malicious system activity may be degraded.\n\nRemote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless.\n\nIntegrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. All three are used to generate and verify digital signatures in conjunction with an approved hash function.", + "check_content": "Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.\n\nIf the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207191", + "title": "SRG-NET-000063", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-001453" + ] + }, + { + "uuid": "d6ca0e91-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207192", + "rule_id": "SV-207192r916146", + "rule_id_src": "SV-207192r916146_rule", + "weight": "10.0", + 
"classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000063-VPN-000220", + "group_title": "SRG-NET-000063", + "rule_title": "The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.", + "fix_text": "Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.", + "false_positives": null, + "false_negatives": null, + "discussion": "Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection.\n\nSHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. \n\nThe remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.", + "check_content": "Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.\n\nIf the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207192", + "title": "SRG-NET-000063", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-001453" + ] + }, + { + 
"uuid": "d6ca0e92-8243-11ee-8b44-13c1c13d16bb", + "stig_uuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207193", + "rule_id": "SV-207193r916149", + "rule_id_src": "SV-207193r916149_rule", + "weight": "10.0", + "classification": "NONE", + "severity": "high", + "rule_version": "SRG-NET-000074-VPN-000250", + "group_title": "SRG-NET-000074", + "rule_title": "The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.", + "fix_text": "Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1.", + "false_positives": null, + "false_negatives": null, + "discussion": "Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. 
Hence, the larger the modulus, the more secure the generated key is considered to be.", + "check_content": "Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1.\n\nView the IKE options dh-group option.\n\nIf the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding.", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207193", + "title": "SRG-NET-000074", + "description": "" + } + ], + "createdAt": null, + "updatedAt": null, + "STIGUuid": "d6c94b40-8243-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": "", + "finding_details": "", + "ccis": [ + "CCI-000068" + ] + } + ] + } + ] +} diff --git a/WATCHER-test-files/WATCHER/cklb/GoodStatistics.cklb b/WATCHER-test-files/WATCHER/cklb/GoodStatistics.cklb new file mode 100644 index 0000000..5937276 --- /dev/null +++ b/WATCHER-test-files/WATCHER/cklb/GoodStatistics.cklb 
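Review bot: Nothing in this fixture records what it is meant to exercise, and because the parser tests key off exact field values, the placeholder content here (host_name "Asset_bbbbbbbbb", finding_details "xxxxxxxxxxxx"/"yyyyyyyyyyyyyyyyyyyyyy", comments "zzzzzzzzzzzzzzzzzzzzzzzzzzz", empty ip_address/mac_address/fqdn, `"createdAt": null` on the not_reviewed rules) reads as noise that a later cleanup could silently change. The file appears to be a near-copy of the preceding fixture (same VPN_TRUNCATED rule set, different UUIDs and review statuses), which makes the distinction even easier to lose. Since a .cklb is strict JSON with no room for comments, a short README in WATCHER-test-files/WATCHER/cklb/ naming each file and the parser behaviour it pins (here, presumably: mixed not_a_finding/not_applicable/open/not_reviewed statuses, empty-string target_data fields, and null timestamps on unreviewed rules — confirm against test/) would keep these fixtures maintainable. The reviewed-rule timestamps and UUIDs look like a real STIG Viewer export; if so, note that too so nobody tries to hand-edit them into a "cleaner" shape.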
@@ -0,0 +1,435 @@ +{ + "title": "Asset-VPN_TRUNCATED-V2R5", + "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb", + "active": false, + "mode": 1, + "has_path": true, + "target_data": { + "target_type": "Non-Computing", + "host_name": "Asset", + "ip_address": "1.1.1.1", + "mac_address": "00:00:00:00:00:00", + "fqdn": "asset.com", + "comments": "xyz", + "role": null, + "is_web_database": false, + "technology_area": null, + "web_db_site": null, + "web_db_instance": null + }, + "stigs": [ + { + "stig_name": "Virtual Private Network (VPN) TRUNCATED", + "display_name": "Virtual Private Network (VPN) TRUNCATED", + "stig_id": "VPN_TRUNCATED", + "version": 2, + "release_info": "Release: 5 Benchmark Date: 07 Jun 2023", + "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "reference_identifier": "0000", + "size": 10, + "rules": [ + { + "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-1", + "rule_id_src": "SV-1", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. 
Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:30:36.000Z", + "updatedAt": "2023-11-13T16:30:36.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": null, + "finding_details": "xyz", + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-2", + "rule_id_src": "SV-2", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + 
"rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:30:36.000Z", + "updatedAt": "2023-11-13T16:30:36.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": null, + "finding_details": null, + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-3", + "rule_id_src": "SV-3", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:30:36.000Z", + "updatedAt": "2023-11-13T16:30:36.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": 
"open", + "overrides": {}, + "comments": null, + "finding_details": "xyz", + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-4", + "rule_id_src": "SV-4", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:30:36.000Z", + "updatedAt": "2023-11-13T16:30:36.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "open", + "overrides": {}, + "comments": null, + "finding_details": null, + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-5", + "rule_id_src": "SV-5", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:30:36.000Z", + "updatedAt": "2023-11-13T16:30:36.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": 
"not_reviewed", + "overrides": {}, + "comments": null, + "finding_details": "XYZ", + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-6", + "rule_id_src": "SV-6", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:30:36.000Z", + "updatedAt": "2023-11-13T16:30:36.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "not_reviewed", + "overrides": {}, + "comments": null, + "finding_details": null, + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-7", + "rule_id_src": "SV-7", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:30:36.000Z", + "updatedAt": "2023-11-13T16:30:36.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": 
"not_applicable", + "overrides": {}, + "comments": null, + "finding_details": null, + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-8", + "rule_id_src": "SV-8", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": "not_applicable",
+ "overrides": {},
+ "comments": null,
+ "finding_details": null,
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+
\ No newline at end of file
diff --git a/WATCHER-test-files/WATCHER/cklb/MultiStig-Simple.cklb b/WATCHER-test-files/WATCHER/cklb/MultiStig-Simple.cklb
new file mode 100644
index 0000000..077404a
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/MultiStig-Simple.cklb
@@ -0,0 +1,3 @@
+{
+
+}
\ No newline at end of file
diff --git a/WATCHER-test-files/WATCHER/cklb/NoASSETelement.cklb b/WATCHER-test-files/WATCHER/cklb/NoASSETelement.cklb
new file mode 100644
index 0000000..077404a
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/NoASSETelement.cklb
@@ -0,0 +1,3 @@
+{
+
+}
\ No newline at end of file
diff --git a/WATCHER-test-files/WATCHER/cklb/NoResult.cklb b/WATCHER-test-files/WATCHER/cklb/NoResult.cklb
new file mode 100644
index 0000000..9e26dfe
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/NoResult.cklb
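Review bot: Every rule object in GoodStatistics.cklb carries the same `"uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb"` while `rule_id` runs SV-1 through SV-8, so a consumer that keys or de-duplicates reviews by rule uuid would collapse eight reviews into one and this fixture would not notice; if the fixture is meant to be a well-formed checklist, give each rule a distinct uuid, and if the collision is deliberate, say so in the test that loads the file. The `target_data` block also uses a live public address and domain, `"ip_address": "1.1.1.1"` and `"fqdn": "asset.com"`; committed fixtures that get copied into bug reports and CI logs are better served by reserved documentation values such as `192.0.2.10` (RFC 5737) and `asset.example.com` (RFC 2606), which cannot name a real host. The trailing `+` line before `\ No newline at end of file` is a blank last line with no newline, which is harmless to a JSON parser but will keep showing up as whitespace noise in future diffs of this file.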
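Review bot: MultiStig-Simple.cklb is an empty object with one blank line, `{ }`, which is neither multi-STIG nor a checklist, so a test that loads it by name exercises the parser's empty-input path rather than the case the filename promises. NoASSETelement.cklb on this line and NoResult.cklb and NoRuleId.cklb on the next carry the same placeholder body (`{}`), so the negative cases they name — missing asset data, missing result, missing rule id — are indistinguishable from each other and from an empty file, and a parser that simply rejects `{}` would pass all four. Either populate each with the structure it names (the GoodStatistics document with only the corresponding element removed, in the way NoStigsArray.cklb appears to do by renaming `stigs` to `NotStigs`) or mark the tests that reference them as pending so the gap stays visible.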
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/WATCHER-test-files/WATCHER/cklb/NoRuleId.cklb b/WATCHER-test-files/WATCHER/cklb/NoRuleId.cklb
new file mode 100644
index 0000000..9e26dfe
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/NoRuleId.cklb
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/WATCHER-test-files/WATCHER/cklb/NoStigsArray.cklb b/WATCHER-test-files/WATCHER/cklb/NoStigsArray.cklb
new file mode 100644
index 0000000..c1a3d16
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/NoStigsArray.cklb
@@ -0,0 +1,436 @@ +{ + + "title": "Asset-VPN_TRUNCATED-V2R5", + "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb", + "active": false, + "mode": 1, + "has_path": true, + "target_data": { + "target_type": "Non-Computing", + "host_name": "Asset", + "ip_address": "1.1.1.1", + "mac_address": "00:00:00:00:00:00", + "fqdn": "asset.com", + "comments": "xyz", + "role": null, + "is_web_database": false, + "technology_area": null, + "web_db_site": null, + "web_db_instance": null + }, + "NotStigs": [ + { + "stig_name": "Virtual Private Network (VPN) TRUNCATED", + "display_name": "Virtual Private Network (VPN) TRUNCATED", + "stig_id": "VPN_TRUNCATED", + "version": 2, + "release_info": "Release: 5 Benchmark Date: 07 Jun 2023", + "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "reference_identifier": "0000", + "size": 10, + "rules": [ + { + "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-1", + "rule_id_src": "SV-1", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. 
Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:30:36.000Z", + "updatedAt": "2023-11-13T16:30:36.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": null, + "finding_details": "xyz", + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-2", + "rule_id_src": "SV-2", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + 
"rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.", + "false_positives": null, + "false_negatives": null, + "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.", + "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,", + "documentable": "false", + "mitigations": null, + "potential_impacts": null, + "third_party_tools": null, + "mitigation_control": null, + "responsibility": null, + "security_override_guidance": null, + "ia_controls": null, + "check_content_ref": { + "href": "", + "name": "M" + }, + "legacy_ids": [], + "group_tree": [ + { + "id": "V-207184", + "title": "SRG-NET-000019", + "description": "" + } + ], + "createdAt": "2023-11-13T16:30:36.000Z", + "updatedAt": "2023-11-13T16:30:36.000Z", + "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "status": "not_a_finding", + "overrides": {}, + "comments": null, + "finding_details": null, + "ccis": [ + "CCI-001414" + ] + }, + { + "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb", + "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb", + "target_key": null, + "stig_ref": null, + "group_id": "V-207184", + "rule_id": "SV-3", + "rule_id_src": "SV-3", + "weight": "10.0", + "classification": "NONE", + "severity": "medium", + "rule_version": "SRG-NET-000019-VPN-000040", + "group_title": "SRG-NET-000019", + "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.", + "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"open",
+ "overrides": {},
+ "comments": null,
+ "finding_details": "xyz",
+ "ccis": [
+ "CCI-001414"
+ ]
+ },
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-4",
+ "rule_id_src": "SV-4",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": "open",
+ "overrides": {},
+ "comments": null,
+ "finding_details": null,
+ "ccis": [
+ "CCI-001414"
+ ]
+ },
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-5",
+ "rule_id_src": "SV-5",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"not_reviewed",
+ "overrides": {},
+ "comments": null,
+ "finding_details": "XYZ",
+ "ccis": [
+ "CCI-001414"
+ ]
+ },
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-6",
+ "rule_id_src": "SV-6",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": "not_reviewed",
+ "overrides": {},
+ "comments": null,
+ "finding_details": null,
+ "ccis": [
+ "CCI-001414"
+ ]
+ },
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-7",
+ "rule_id_src": "SV-7",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"not_applicable",
+ "overrides": {},
+ "comments": null,
+ "finding_details": null,
+ "ccis": [
+ "CCI-001414"
+ ]
+ },
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-8",
+ "rule_id_src": "SV-8",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. 
Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": "not_applicable",
+ "overrides": {},
+ "comments": null,
+ "finding_details": null,
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ 
\ No newline at end of file
diff --git a/WATCHER-test-files/WATCHER/cklb/NoTargetHostName.cklb b/WATCHER-test-files/WATCHER/cklb/NoTargetHostName.cklb
new file mode 100644
index 0000000..85d1c18
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/NoTargetHostName.cklb
@@ -0,0 +1,85 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": null,
+ "ip_address": "1.1.1.1",
+ "mac_address": "00:00:00:00:00:00",
+ "fqdn": "asset.com",
+ "comments": "xyz",
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207191r803417",
+ "rule_id_src": "SV-207191r803417_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"open",
+ "overrides": {},
+ "comments": null,
+ "finding_details": "xyz",
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ 
\ No newline at end of file
diff --git a/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Long-CommentDetail.cklb b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Long-CommentDetail.cklb
new file mode 100644
index 0000000..ff925bd
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Long-CommentDetail.cklb
@@ -0,0 +1,85 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": "Asset",
+ "ip_address": "1.1.1.1",
+ "mac_address": "00:00:00:00:00:00",
+ "fqdn": "asset.com",
+ "comments": "xyz",
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207184r695317",
+ "rule_id_src": "SV-257777r925317_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"not_reviewed", + "overrides": {}, + "comments": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "finding_details": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", + "ccis": [ + "CCI-001414" + ] + } + ] + } + ] + } + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-Empty-CommentDetail.cklb b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-Empty-CommentDetail.cklb new file mode 100644 index 0000000..f59ddd2 --- /dev/null +++ b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-Empty-CommentDetail.cklb 
@@ -0,0 +1,84 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": "Asset",
+ "ip_address": "1.1.1.1",
+ "mac_address": "00:00:00:00:00:00",
+ "fqdn": "asset.com",
+ "comments": "xyz",
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207184r695317",
+ "rule_id_src": "SV-257777r925317_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"not_a_finding",
+ "overrides": {},
+ "comments": null,
+ "finding_details": null,
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Comment.cklb b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Comment.cklb
new file mode 100644
index 0000000..4505b31
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Comment.cklb
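Review bot: In this fixture `rule_id` and `rule_id_src` name two different rules (`"rule_id": "SV-207184r695317"` versus `"rule_id_src": "SV-257777r925317_rule"` near the top of the single rules[] entry), while the sibling fixtures Single-Vuln-Pass-With-Comment.cklb and Single-Vuln-Pass-With-Detail.cklb carry SV-207191r803417 in both fields. If the parser under test takes the review's rule identifier from one of these fields and the assertions compare against the other, a regression in that mapping could pass or fail on this file for the wrong reason. Unless the divergence is deliberate, I would align the two fields, e.g. `"rule_id_src": "SV-207184r695317_rule"`; if it is deliberate, the file name should say that this is the mismatched-id case so the intent survives the next edit.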
@@ -0,0 +1,84 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": "Asset",
+ "ip_address": "1.1.1.1",
+ "mac_address": "00:00:00:00:00:00",
+ "fqdn": "asset.com",
+ "comments": "xyz",
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207191r803417",
+ "rule_id_src": "SV-207191r803417_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"not_a_finding",
+ "overrides": {},
+ "comments": "xyz",
+ "finding_details": null,
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Detail.cklb b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Detail.cklb
new file mode 100644
index 0000000..161cb54
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Detail.cklb
@@ -0,0 +1,84 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": "Asset",
+ "ip_address": "1.1.1.1",
+ "mac_address": "00:00:00:00:00:00",
+ "fqdn": "asset.com",
+ "comments": "xyz",
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207191r803417",
+ "rule_id_src": "SV-207191r803417_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"not_a_finding",
+ "overrides": {},
+ "comments": null,
+ "finding_details": "xyz",
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-Empty-CommentDetail.cklb b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-Empty-CommentDetail.cklb
new file mode 100644
index 0000000..d318ae0
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-Empty-CommentDetail.cklb
@@ -0,0 +1,84 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": "Asset",
+ "ip_address": "1.1.1.1",
+ "mac_address": "00:00:00:00:00:00",
+ "fqdn": "asset.com",
+ "comments": "xyz",
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207191r803417",
+ "rule_id_src": "SV-207191r803417_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"open",
+ "overrides": {},
+ "comments": null,
+ "finding_details": null,
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-With-Detail.cklb b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-With-Detail.cklb
new file mode 100644
index 0000000..5e794fa
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-With-Detail.cklb
@@ -0,0 +1,84 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": "Asset",
+ "ip_address": "1.1.1.1",
+ "mac_address": "00:00:00:00:00:00",
+ "fqdn": "asset.com",
+ "comments": "xyz",
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207191r803417",
+ "rule_id_src": "SV-207191r803417_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"open",
+ "overrides": {},
+ "comments": null,
+ "finding_details": "xyz",
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-with-Comment.cklb b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-with-Comment.cklb
new file mode 100644
index 0000000..d6d9a86
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-with-Comment.cklb
@@ -0,0 +1,84 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": "Asset",
+ "ip_address": "1.1.1.1",
+ "mac_address": "00:00:00:00:00:00",
+ "fqdn": "asset.com",
+ "comments": "xyz",
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207191r803417",
+ "rule_id_src": "SV-207191r803417_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"open",
+ "overrides": {},
+ "comments": "xyz",
+ "finding_details": null,
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Commented-Detailed.cklb b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Commented-Detailed.cklb
new file mode 100644
index 0000000..bad8741
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Commented-Detailed.cklb
@@ -0,0 +1,84 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": "Asset",
+ "ip_address": "1.1.1.1",
+ "mac_address": "00:00:00:00:00:00",
+ "fqdn": "asset.com",
+ "comments": "xyz",
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207184r695317",
+ "rule_id_src": "SV-257777r925317_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"not_reviewed",
+ "overrides": {},
+ "comments": "xyz",
+ "finding_details": "xyz",
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Empty-CommentDetail.cklb b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Empty-CommentDetail.cklb
new file mode 100644
index 0000000..25a7a2e
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Empty-CommentDetail.cklb
@@ -0,0 +1,84 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": "Asset",
+ "ip_address": "1.1.1.1",
+ "mac_address": "00:00:00:00:00:00",
+ "fqdn": "asset.com",
+ "comments": "xyz",
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207184r695317",
+ "rule_id_src": "SV-257777r925317_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"not_reviewed",
+ "overrides": {},
+ "comments": null,
+ "finding_details": null,
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/cklb/TargetObjectBasic.cklb b/WATCHER-test-files/WATCHER/cklb/TargetObjectBasic.cklb
new file mode 100644
index 0000000..369c62f
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/TargetObjectBasic.cklb
@@ -0,0 +1,84 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": "Non-Computing",
+ "host_name": "Asset",
+ "ip_address": "1.1.1.1",
+ "mac_address": "00:00:00:00:00:00",
+ "fqdn": "asset.com",
+ "comments": "xyz",
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207184r695317",
+ "rule_id_src": "SV-257777r925317_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"not_a_finding",
+ "overrides": {},
+ "comments": "",
+ "finding_details": "xyz",
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/cklb/TargetObjectMetaData.cklb b/WATCHER-test-files/WATCHER/cklb/TargetObjectMetaData.cklb
new file mode 100644
index 0000000..4e0fc31
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/TargetObjectMetaData.cklb
@@ -0,0 +1,84 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": null,
+ "host_name": "Asset",
+ "ip_address": null,
+ "mac_address": null,
+ "fqdn": null,
+ "comments": "xyz",
+ "role": "TestRole",
+ "is_web_database": true,
+ "technology_area": "TestTechArea",
+ "web_db_site": "TestWebDBSite",
+ "web_db_instance": "TestWebDBInstance"
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207184r695317",
+ "rule_id_src": "SV-257777r925317_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": 
"not_a_finding",
+ "overrides": {},
+ "comments": "",
+ "finding_details": "xyz",
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/cklb/TargetObjectMinimal.cklb b/WATCHER-test-files/WATCHER/cklb/TargetObjectMinimal.cklb
new file mode 100644
index 0000000..a28f6f2
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/cklb/TargetObjectMinimal.cklb
@@ -0,0 +1,84 @@
+{
+ "title": "Asset-VPN_TRUNCATED-V2R5",
+ "id": "2f6fe9e0-8242-11ee-8b44-13c1c13d16bb",
+ "active": false,
+ "mode": 1,
+ "has_path": true,
+ "target_data": {
+ "target_type": null,
+ "host_name": "Asset",
+ "ip_address": null,
+ "mac_address": null,
+ "fqdn": null,
+ "comments": null,
+ "role": null,
+ "is_web_database": false,
+ "technology_area": null,
+ "web_db_site": null,
+ "web_db_instance": null
+ },
+ "stigs": [
+ {
+ "stig_name": "Virtual Private Network (VPN) TRUNCATED",
+ "display_name": "Virtual Private Network (VPN) TRUNCATED",
+ "stig_id": "VPN_TRUNCATED",
+ "version": 2,
+ "release_info": "Release: 5 Benchmark Date: 07 Jun 2023",
+ "uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "reference_identifier": "0000",
+ "size": 10,
+ "rules": [
+ {
+ "uuid": "2f7281f0-8242-11ee-8b44-13c1c13d16bb",
+ "stig_uuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "target_key": null,
+ "stig_ref": null,
+ "group_id": "V-207184",
+ "rule_id": "SV-207184r695317",
+ "rule_id_src": "SV-257777r925317_rule",
+ "weight": "10.0",
+ "classification": "NONE",
+ "severity": "medium",
+ "rule_version": "SRG-NET-000019-VPN-000040",
+ "group_title": "SRG-NET-000019",
+ "rule_title": "The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.",
+ "fix_text": "Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.",
+ "false_positives": null,
+ "false_negatives": null,
+ "discussion": "Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources.\n\nVPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.",
+ "check_content": "Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration).\n\nReview network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network.\n\nIf the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,",
+ "documentable": "false",
+ "mitigations": null,
+ "potential_impacts": null,
+ "third_party_tools": null,
+ "mitigation_control": null,
+ "responsibility": null,
+ "security_override_guidance": null,
+ "ia_controls": null,
+ "check_content_ref": {
+ "href": "",
+ "name": "M"
+ },
+ "legacy_ids": [],
+ "group_tree": [
+ {
+ "id": "V-207184",
+ "title": "SRG-NET-000019",
+ "description": ""
+ }
+ ],
+ "createdAt": "2023-11-13T16:30:36.000Z",
+ "updatedAt": "2023-11-13T16:30:36.000Z",
+ "STIGUuid": "2f714970-8242-11ee-8b44-13c1c13d16bb",
+ "status": "not_a_finding",
+ "overrides": {},
+ "comments": "",
+ "finding_details": "xyz",
+ "ccis": [
+ "CCI-001414"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/WATCHER-test-files/WATCHER/stigs/U_RHEL_8_STIG_V1R12_Manual-xccdf-truncated.xml b/WATCHER-test-files/WATCHER/stigs/U_RHEL_8_STIG_V1R12_Manual-xccdf-truncated.xml
new file mode 100644
index 0000000..3c26ba6
--- /dev/null
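Review bot: The rule identifiers in this fixture disagree with each other: `"rule_id": "SV-207184r695317"` sits next to `"rule_id_src": "SV-257777r925317_rule"`, while `group_id` and `group_tree` use V-207184. If the mismatch is deliberate (for instance to pin which of the two fields reviewsFromCklb keys a review on, or how it treats a hand-edited checklist), the test that loads TargetObjectMinimal.cklb should state that in a comment, since the JSON itself cannot carry one; if it is not deliberate, one of the two values looks copied from a different checklist and should be made consistent. The same comment is a good place to note that `"size": 10` with a single rule is an artifact of truncation and not a count to assert on.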
+++ b/WATCHER-test-files/WATCHER/stigs/U_RHEL_8_STIG_V1R12_Manual-xccdf-truncated.xml 
@@ -0,0 +1,340 @@ +acceptedRed Hat Enterprise Linux 8 TRUNCATEDThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 12 Benchmark Date: 25 Oct 20233.4.1.229161.10.01SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010000RHEL 8 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. The RHEL 8 minor releases eligible for EUS are 8.1, 8.2, 8.4, 8.6, and 8.8. Each RHEL 8 EUS stream is available for 24 months from the availability of the minor release. RHEL 8.10 will be the final minor release overall. For more details on the Red Hat Enterprise Linux Life Cycle visit https://access.redhat.com/support/policy/updates/errata/. 
+Note: The life-cycle time spans and dates are subject to adjustment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Upgrade to a supported version of RHEL 8.Verify the version of the operating system is vendor supported. + +Note: The lifecycle time spans and dates are subject to adjustment. + +Check the version of the operating system with the following command: + +$ sudo cat /etc/redhat-release + +Red Hat Enterprise Linux Server release 8.6 (Ootpa) + +Current End of Extended Update Support for RHEL 8.1 is 30 November 2021. + +Current End of Extended Update Support for RHEL 8.2 is 30 April 2022. + +Current End of Extended Update Support for RHEL 8.4 is 31 May 2023. + +Current End of Maintenance Support for RHEL 8.5 is 31 May 2022. + +Current End of Extended Update Support for RHEL 8.6 is 31 May 2024. + +Current End of Maintenance Support for RHEL 8.7 is 31 May 2023. + +Current End of Extended Update Support for RHEL 8.8 is 31 May 2025. + +Current End of Maintenance Support for RHEL 8.9 is 31 May 2024. + +Current End of Maintenance Support for RHEL 8.10 is 31 May 2029. + +If the release is not supported by the vendor, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-08-010010RHEL 8 vendor packaged system security patches and updates must be installed and up to date.<VulnDiscussion>Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. 
However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000366Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). + +Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. 
+ +Check that the available package security updates have been installed on the system with the following command: + +$ sudo yum history list | more + +Loaded plugins: langpacks, product-id, subscription-manager +ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- +70 | install aide | 2020-03-05 10:58 | Install | 1 +69 | update -y | 2020-03-04 14:34 | Update | 18 EE +68 | install vlc | 2020-02-21 17:12 | Install | 21 +67 | update -y | 2020-02-21 17:04 | Update | 7 EE + +If package updates have not been performed on the system within the timeframe the site/program documentation requires, this is a finding. + +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. + +If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.SRG-OS-000033-GPOS-00014<GroupDescription></GroupDescription>RHEL-08-010020RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + +RHEL 8 utilizes GRUB 2 as the default bootloader. Note that GRUB 2 command-line parameters are defined in the "kernelopts" variable of the /boot/grub2/grubenv file for all kernel boot entries. The command "fips-mode-setup" modifies the "kernelopts" variable, which in turn updates all kernel boot entries. 
+ +The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users must also ensure the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a nonunique key. + +Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000068Configure the operating system to implement DOD-approved encryption by following the steps below: + +To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. + +Enable FIPS mode after installation (not strict FIPS-compliant) with the following command: + + $ sudo fips-mode-setup --enable + +Reboot the system for the changes to take effect.Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions. 
+ +Check to see if FIPS mode is enabled with the following command: + + $ fips-mode-setup --check + FIPS mode is enabled + +If FIPS mode is "enabled", check to see if the kernel boot parameter is configured for FIPS mode with the following command: + + $ sudo grub2-editenv list | grep fips + kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 + +If the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command: + + $ sudo cat /proc/sys/crypto/fips_enabled + 1 + +If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>RHEL-08-010030All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.<VulnDiscussion>RHEL 8 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). 
+ +Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-001199Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption. + +Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. + +If there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable. + +Verify all system partitions are encrypted with the following command: + + $ sudo blkid + + /dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" + +Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. 
+ +If there is no evidence that these partitions are encrypted, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010040RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000048Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh. + +Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is: + +banner /etc/issue + +Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD-required text is: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +The SSH service must be restarted for changes to take effect.Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + +Check for the location of the banner file being used with the following command: + +$ sudo grep -ir banner /etc/ssh/sshd_config* + +banner /etc/issue + +This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue"). + +If the line is commented out, this is a finding. +If conflicting results are returned, this is a finding. + +View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner: + +"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding. 
+ +If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010050RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000048Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + +Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. + +Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": + +banner-message-text='You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' + +Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface. + +Run the following command to update the database: + +$ sudo dconf updateVerify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. + +Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. 
+ +Check that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command: + +$ sudo grep banner-message-text /etc/dconf/db/local.d/* + +banner-message-text= +'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' + +Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface. 
+ +If the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-08-010060RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. + +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000048Configure RHEL 8 to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via command line logon. + +Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD-required text is: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. 
+ +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon. + +Check that RHEL 8 displays a banner at the command line login screen with the following command: + +$ sudo cat /etc/issue + +If the banner is set correctly it will return the following text: + +“You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” + +If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.SRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>RHEL-08-010070All RHEL 8 remote access methods must be monitored.<VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. + +Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
+ +Automated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000067Configure RHEL 8 to monitor all remote access methods by installing rsyslog with the following command: + +$ sudo yum install rsyslog + +Then add or update the following lines to the "/etc/rsyslog.conf" file: + +auth.*;authpriv.*;daemon.* /var/log/secure + +The "rsyslog" service must be restarted for the changes to take effect. To restart the "rsyslog" service, run the following command: + +$ sudo systemctl restart rsyslog.serviceVerify that RHEL 8 monitors all remote access methods. 
+ +Check that remote access methods are being logged by running the following command: + +$ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf + +auth.*;authpriv.*;daemon.* /var/log/secure + +If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>RHEL-08-010090RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. + +A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. + +When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. + +This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. 
+ +Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000185Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. + +Obtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file: + +/etc/sssd/pki/sssd_auth_ca_db.pemVerify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor. + +Note: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. + +Check that the system has a valid DoD root CA installed with the following command: + +$ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem + +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 + Validity + Not Before: Mar 20 18:46:41 2012 GMT + Not After : Dec 30 18:46:41 2029 GMT + Subject: C = US, O = U.S. 
Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption
+
+If the root ca file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.SRG-OS-000067-GPOS-00035<GroupDescription></GroupDescription>RHEL-08-010100RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.<VulnDiscussion>If an unauthorized user obtains access to a private key without a passcode, that user would have unauthorized access to any system where the associated public key has been installed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 8DISADPMS TargetRed Hat Enterprise Linux 82921CCI-000186Create a new private and public key pair that utilizes a passcode with the following command:
+
+$ sudo ssh-keygen -n [passphrase]Verify the SSH private key files have a passcode.
+
+For each private key stored on the system, use the following command:
+
+$ sudo ssh-keygen -y -f /path/to/file
+
+If the contents of the key are displayed, this is a finding.
\ No newline at end of file
diff --git a/WATCHER-test-files/WATCHER/stigs/U_RHEL_9_STIG_V1R1_Manual-xccdf-truncated.xml b/WATCHER-test-files/WATCHER/stigs/U_RHEL_9_STIG_V1R1_Manual-xccdf-truncated.xml
new file mode 100644
index 0000000..6807e2e
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/stigs/U_RHEL_9_STIG_V1R1_Manual-xccdf-truncated.xml
@@ -0,0 +1,154 @@ +acceptedRed Hat Enterprise Linux 9 TRUNCATEDThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 22 Sep 20233.4.1.229161.10.01SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-211010RHEL 9 must be a vendor-supported release.<VulnDiscussion>An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. + +Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Upgrade to a supported version of RHEL 9.Verify that the version or RHEL 9 is vendor supported with the following command: + +$ cat /etc/redhat-release + +Red Hat Enterprise Linux release 9.2 (Plow) + +If the installed version of RHEL 9 is not supported, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-211015RHEL 9 vendor packaged system security patches and updates must be installed and up to 
date.<VulnDiscussion>Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Install RHEL 9 security patches and updates at the organizationally defined frequency. If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command: + +$ sudo dnf updateVerify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy. + +Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. 
+ +Check that the available package security updates have been installed on the system with the following command: + +$ dnf history list | more + + ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- + 70 | install aide | 2023-03-05 10:58 | Install | 1 + 69 | update -y | 2023-03-04 14:34 | Update | 18 EE + 68 | install vlc | 2023-02-21 17:12 | Install | 21 + 67 | update -y | 2023-02-21 17:04 | Update | 7 EE + +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. + +If the system is in noncompliance with the organizational patching policy, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>RHEL-09-211020RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. 
+ +Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000048CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure RHEL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via command line logon. + +Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. 
+ +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon. + +Check that a banner is displayed at the command line login screen with the following command: + +$ sudo cat /etc/issue + +If the banner is set correctly it will return the following text: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. 
Such communications and work product are private and confidential. See User Agreement for details." + +If the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>RHEL-09-211025RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool.<VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. + +To support this requirement, the operating system may have an integrated solution incorporating continuous scanning using ESS and periodic scanning using other tools, as specified in the requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-001233Install and enable the latest McAfee ENSLTP package.Verify that RHEL 9 has implemented the Endpoint Security for Linux Threat Prevention tool. + +Check that the following package has been installed: + +$ sudo rpm -qa | grep -i mcafeetp + +If the "mcafeetp" package is not installed, this is a finding. 
+ +Verify that the daemon is running: + +$ sudo ps -ef | grep -i mfetpd + +If the daemon is not running, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-211030The graphical display manager must not be the default target on RHEL 9 unless approved.<VulnDiscussion>Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Document the requirement for a graphical user interface with the ISSO or set the default target to multi-user with the following command: + +$ sudo systemctl set-default multi-user.targetVerify that RHEL 9 is configured to boot to the command line: + +$ systemctl get-default + +multi-user.target + +If the system default target is not set to "multi-user.target" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>RHEL-09-211035RHEL 9 must enable the hardware random number generator entropy gatherer service.<VulnDiscussion>The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. 
The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. + +The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366Install the rng-tools package with the following command: + +$ sudo dnf install rng-tools + +Then enable the rngd service run the following command: + +$ sudo systemctl enable --now rngdVerify that RHEL 9 has enabled the hardware random number generator entropy gatherer service with the following command: + +$ systemctl is-active rngd + +active + +If the "rngd" service is not active, this is a finding.SRG-OS-000269-GPOS-00103<GroupDescription></GroupDescription>RHEL-09-211040RHEL 9 systemd-journald service must be enabled.<VulnDiscussion>In the event of a system failure, RHEL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS 
TargetRed Hat Enterprise Linux 95551CCI-001665To enable the systemd-journald service, run the following command: + +$ sudo systemctl enable --now systemd-journaldVerify that "systemd-journald" is active with the following command: + +$ systemctl is-active systemd-journald + +active + +If the systemd-journald service is not active, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-09-211045The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366CCI-002235Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: + +CtrlAltDelBurstAction=none + +Reload the daemon for this change to take effect. 
+ +$ sudo systemctl daemon-reloadVerify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: + +$ grep -i ctrl /etc/systemd/system.conf + +CtrlAltDelBurstAction=none + +If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-09-211050The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. + +Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366CCI-002235Configure RHEL 9 to disable the ctrl-alt-del.target with the following command: + +$ sudo systemctl disable --now ctrl-alt-del.target +$ sudo systemctl mask --now ctrl-alt-del.targetVerify RHEL 9 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: + +$ sudo systemctl status ctrl-alt-del.target + +ctrl-alt-del.target +Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) 
+Active: inactive (dead)
+
+If the "ctrl-alt-del.target" is loaded and not masked, this is a finding.SRG-OS-000324-GPOS-00125<GroupDescription></GroupDescription>RHEL-09-211055RHEL 9 debug-shell systemd service must be disabled.<VulnDiscussion>The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted.
+
+Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat Enterprise Linux 9DISADPMS TargetRed Hat Enterprise Linux 95551CCI-000366CCI-002235Configure RHEL 9 to mask the debug-shell systemd service with the following command:
+
+$ sudo systemctl disable --now debug-shell.target
+$ sudo systemctl mask --now debug-shell.targetVerify RHEL 9 is configured to mask the debug-shell systemd service with the following command:
+
+$ sudo systemctl status debug-shell.service
+
+debug-shell.service
+Loaded: masked (Reason: Unit debug-shell.service is masked.)
+Active: inactive (dead)
+
+If the "debug-shell.service" is loaded and not masked, this is a finding.
\ No newline at end of file
diff --git a/WATCHER-test-files/WATCHER/stigs/U_VPN_SRG_V2R5_Manual-xccdf-truncated.xml b/WATCHER-test-files/WATCHER/stigs/U_VPN_SRG_V2R5_Manual-xccdf-truncated.xml
new file mode 100644
index 0000000..2e221f4
--- /dev/null
+++ b/WATCHER-test-files/WATCHER/stigs/U_VPN_SRG_V2R5_Manual-xccdf-truncated.xml
@@ -0,0 +1,129 @@ +acceptedVirtual Private Network (VPN) TRUNCATEDThis Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 5 Benchmark Date: 07 Jun 20233.4.0.342221.10.02SRG-NET-000019<GroupDescription></GroupDescription>SRG-NET-000019-VPN-000040The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies.<VulnDiscussion>Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth and other resources. + +VPN traffic received from another enclave with different security policy or level of trust must not bypass be inspected by the firewall before being forwarded to the private network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97041SV-106179CCI-001414Configure the VPN Gateway to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies (e.g., IPsec policy configuration). 
Also, configure the VPN gateway to forward encapsulated or encrypted traffic received from other enclaves with different security policies to the perimeter firewall and IDPS before traffic is passed to the private network.Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration). + +Review network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network. + +If the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding,SRG-NET-000041<GroupDescription></GroupDescription>SRG-NET-000041-VPN-000110The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +In most VPN implementations, the banner is configured in the management backplane (NDM SRG) and serves as the presentation for the VPN client connection as well as for administrator logon to the device management tool/backplane. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. 
+ +The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." 
+ +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97043SV-106181CCI-000048Configure the Remote Access VPN to display the Standard Mandatory DoD Notice and Consent Banner in accordance with DoD policy before granting access to the device. Use the following verbiage for applications that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +-At any time, the USG may inspect and seize data stored on this IS. +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: +"I've read & consent to terms in IS user agreem't."If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. + +If the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding.SRG-NET-000042<GroupDescription></GroupDescription>SRG-NET-000042-VPN-000120The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.<VulnDiscussion>The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. + +The banner is usually configured in NDM for client presentation as well as local logon. + +To establish acceptance of the application usage policy, a click-through banner at application logon is required. 
The VPN gateway must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK". + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97045SV-106183CCI-000050Configure the Remote Access VPN Gateway and/or client to retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access.If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Verify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access. 
+ +If the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding.SRG-NET-000043<GroupDescription></GroupDescription>SRG-NET-000043-VPN-000130The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible VPN gateway ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. + +System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. This requirement applies to VPN gateways that have the concept of a user account and have the logon function residing on the VPN gateway. + +The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for VPN gateways that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97047SV-106185CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Configure the publicly accessible VPN Gateway to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: + +"You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +If the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding.SRG-NET-000049<GroupDescription></GroupDescription>SRG-NET-000049-VPN-000150The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).<VulnDiscussion>Users need to be aware of activity that occurs regarding their account. 
Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. + +This applies to gateways that have the concept of a user account and have the login function residing on the gateway or the gateway acts as a user intermediary.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97049SV-106187CCI-000053Configure the VPN Gateway to notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access).Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding. + +If the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding.SRG-NET-000053<GroupDescription></GroupDescription>SRG-NET-000053-VPN-000170The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number.<VulnDiscussion>VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. 
Limiting the number of allowed users and sessions per user is helpful in limiting risks related to DoS attacks. + +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system. + +The intent of this policy is to ensure the number of concurrent sessions is deliberately set to a number based on the site's mission and not left unlimited.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97051SV-106189CCI-000054Configure the VPN Gateway to limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, as documented in the SSP.Inspect the VPN Gateway configuration. Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP). + +If the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding.SRG-NET-000062<GroupDescription></GroupDescription>SRG-NET-000062-VPN-000200The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections.<VulnDiscussion>Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol. 
+ +NIST SP 800-52 Rev2 provides guidance for client negotiation on either DoD-only or public-facing servers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97053SV-106191CCI-000068Configure the TLS VPN Gateway to use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data for transmission.Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission. + +If the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding.SRG-NET-000063<GroupDescription></GroupDescription>SRG-NET-000063-VPN-000210The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions.<VulnDiscussion>Without integrity protection, unauthorized changes may be made to the log files and reliable forensic analysis and discovery of the source of malicious system activity may be degraded. + +Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include broadband and wireless. + +Integrity checks include cryptographic checksums, digital signatures, or hash functions. Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard (DSS), specifies three NIST-approved algorithms: DSA, RSA, and ECDSA. 
All three are used to generate and verify digital signatures in conjunction with an approved hash function.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920V-97055SV-106193CCI-001453Configure the remote access VPN Gateway to use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions.Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. + +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding.SRG-NET-000063<GroupDescription></GroupDescription>SRG-NET-000063-VPN-000220The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.<VulnDiscussion>Without strong cryptographic integrity protections, information can be altered by unauthorized users without detection. + +SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. DOD systems must not be configured to use SHA-1 for integrity of remote access sessions. 
+ +The remote access VPN provides access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106195V-97057CCI-001453Configure the VPN Gateway to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions.Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + +If the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding.SRG-NET-000074<GroupDescription></GroupDescription>SRG-NET-000074-VPN-000250The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1.<VulnDiscussion>Use of an approved DH algorithm ensures the IKE (Phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm from which the key was derived. 
Hence, the larger the modulus, the more secure the generated key is considered to be.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Virtual Private Network (VPN)DISADPMS TargetVirtual Private Network (VPN)2920SV-106197V-97059CCI-000068Configure the IPsec VPN to use the DH Group of 16 or greater for IKE Phase 1.Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1. + +View the IKE options dh-group option. + +If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding. \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/xccdf/Asset_a-RHEL_9_TRUNCATED-V1R1-xccdf-no-reviews.xml b/WATCHER-test-files/WATCHER/xccdf/Asset_a-RHEL_9_TRUNCATED-V1R1-xccdf-no-reviews.xml new file mode 100644 index 0000000..aa86f28 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/Asset_a-RHEL_9_TRUNCATED-V1R1-xccdf-no-reviews.xml 
@@ -0,0 +1,270 @@ + + + + + accepted + Red Hat Enterprise Linux 9 TRUNCATED + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + V1R1 + + DISA + STIG Manager OSS + + + SRG-OS-000480-GPOS-00227 + + RHEL 9 must be a vendor-supported release. + + Verify that the version or RHEL 9 is vendor supported with the following command: + +$ cat /etc/redhat-release + +Red Hat Enterprise Linux release 9.2 (Plow) + +If the installed version of RHEL 9 is not supported, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + + RHEL 9 vendor packaged system security patches and updates must be installed and up to date. + + Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy. + +Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. 
+ +Check that the available package security updates have been installed on the system with the following command: + +$ dnf history list | more + + ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- + 70 | install aide | 2023-03-05 10:58 | Install | 1 + 69 | update -y | 2023-03-04 14:34 | Update | 18 EE + 68 | install vlc | 2023-02-21 17:12 | Install | 21 + 67 | update -y | 2023-02-21 17:04 | Update | 7 EE + +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. + +If the system is in noncompliance with the organizational patching policy, this is a finding. + + + + + SRG-OS-000023-GPOS-00006 + + RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. + + Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon. + +Check that a banner is displayed at the command line login screen with the following command: + +$ sudo cat /etc/issue + +If the banner is set correctly it will return the following text: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +If the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding. + + + + + SRG-OS-000191-GPOS-00080 + + RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool. + + Verify that RHEL 9 has implemented the Endpoint Security for Linux Threat Prevention tool. + +Check that the following package has been installed: + +$ sudo rpm -qa | grep -i mcafeetp + +If the "mcafeetp" package is not installed, this is a finding. + +Verify that the daemon is running: + +$ sudo ps -ef | grep -i mfetpd + +If the daemon is not running, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + + The graphical display manager must not be the default target on RHEL 9 unless approved. + + Verify that RHEL 9 is configured to boot to the command line: + +$ systemctl get-default + +multi-user.target + +If the system default target is not set to "multi-user.target" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + + RHEL 9 must enable the hardware random number generator entropy gatherer service. 
+ + Verify that RHEL 9 has enabled the hardware random number generator entropy gatherer service with the following command: + +$ systemctl is-active rngd + +active + +If the "rngd" service is not active, this is a finding. + + + + + SRG-OS-000269-GPOS-00103 + + RHEL 9 systemd-journald service must be enabled. + + Verify that "systemd-journald" is active with the following command: + +$ systemctl is-active systemd-journald + +active + +If the systemd-journald service is not active, this is a finding. + + + + + SRG-OS-000324-GPOS-00125 + + The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. + + Verify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: + +$ grep -i ctrl /etc/systemd/system.conf + +CtrlAltDelBurstAction=none + +If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding. + + + + + SRG-OS-000324-GPOS-00125 + + The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9. + + Verify RHEL 9 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: + +$ sudo systemctl status ctrl-alt-del.target + +ctrl-alt-del.target +Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) +Active: inactive (dead) + +If the "ctrl-alt-del.target" is loaded and not masked, this is a finding. + + + + + SRG-OS-000324-GPOS-00125 + + RHEL 9 debug-shell systemd service must be disabled. + + Verify RHEL 9 is configured to mask the debug-shell systemd service with the following command: + +$ sudo systemctl status debug-shell.service + +debug-shell.service +Loaded: masked (Reason: Unit debug-shell.service is masked.) +Active: inactive (dead) + +If the "debug-shell.service" is loaded and not masked, this is a finding. 
+ + + + + + Asset_aaaaaaaaaa + + + Asset_aaaaaaaaaa + true + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + 1.0 + + diff --git a/WATCHER-test-files/WATCHER/xccdf/Asset_a-VPN_TRUNCATED-V2R5-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/Asset_a-VPN_TRUNCATED-V2R5-xccdf.xml new file mode 100644 index 0000000..9e71909 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/Asset_a-VPN_TRUNCATED-V2R5-xccdf.xml 
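Review bot: Every fixture added in this commit, including this result file whose rule-results are all `notchecked`, is a well-formed benign document, so nothing in the suite exercises how the parser treats hostile XML; the parser under test (ReviewParser.js, added by this commit but not in view) presumably consumes operator-supplied XCCDF/CKL files, which is exactly where a DOCTYPE with an external entity would be a concern. A small negative fixture alongside these, e.g. one whose prolog contains `<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>` with `&e;` inside a finding-details element, plus a test asserting the import is rejected or the entity is left unexpanded, would pin that behaviour and keep it from regressing when the XML library is changed. If the parser already disables DTD processing, a one-line comment in the test file stating that is enough; this hunk itself is complete (it ends at the next file header).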
@@ -0,0 +1,236 @@ + + + + + accepted + Virtual Private Network (VPN) TRUNCATED + This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + V2R5 + + DISA + STIG Manager OSS + + + SRG-NET-000019 + + The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. + + Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration). + +Review network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network. + +If the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding, + + + + + SRG-NET-000041 + + The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network. + + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. 
+ +If the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding. + + + + + SRG-NET-000042 + + The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. + + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Verify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access. + +If the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding. + + + + + SRG-NET-000043 + + The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + + Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +If the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding. + + + + + SRG-NET-000049 + + The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). 
+ + Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding. + +If the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding. + + + + + SRG-NET-000053 + + The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number. + + Inspect the VPN Gateway configuration. Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP). + +If the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding. + + + + + SRG-NET-000062 + + The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections. + + Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission. + +If the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding. + + + + + SRG-NET-000063 + + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. 
+ +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + + + SRG-NET-000063 + + The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + + Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + +If the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding. + + + + + SRG-NET-000074 + + The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. + + Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1. + +View the IKE options dh-group option. + +If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding. + + + + + + Asset_a + + + Asset_aaaaaaaaaa + true + + + pass + + + xyz + + + + + fail + + + xyz + + + + + notapplicable + + + xyz + + + + + informational + + + xyz + + + + + pass + + + xyz + + + + + notchecked + + + xyz + + + + + pass + + + xyz + + + + + fail + + + xyz + xyz + + + + + notchecked + + + + + + notchecked + + + + + 1.0 + + diff --git a/WATCHER-test-files/WATCHER/xccdf/Asset_b-RHEL_8_TRUNCATED-V1R12-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/Asset_b-RHEL_8_TRUNCATED-V1R12-xccdf.xml new file mode 100644 index 0000000..649f614 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/Asset_b-RHEL_8_TRUNCATED-V1R12-xccdf.xml 
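Review bot: The TestResult at the end of this hunk names the target `Asset_a` while the host-name target-fact directly under it, and the file name, say `Asset_aaaaaaaaaa`; the sibling fixtures in this commit (Asset_a RHEL 9 at the top of this chunk, both Asset_b files) keep the two identical. If the mismatch is deliberate, to pin which identifier reviewsFromXccdf takes as the asset name when the two disagree, the corresponding test should assert that outcome explicitly, otherwise the target should read `Asset_aaaaaaaaaa`. The parser that consumes this fixture is not in the hunk, so which field it prefers is inferred, not verified.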
@@ -0,0 +1,386 @@ + + + + + accepted + Red Hat Enterprise Linux 8 TRUNCATED + This Security Technical Implementation Guide is published as a tool to improve the + security of Department of Defense (DOD) information systems. The requirements are derived from + the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments + or proposed revisions to this document should be sent via email to the following address: + disa.stig_spt@mail.mil. + V1R12 + + DISA + STIG Manager OSS + + + SRG-OS-000480-GPOS-00227 + + RHEL 8 must be a vendor-supported release. + + Verify the version of the operating system is vendor supported. + + If the release is not supported by the vendor, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + + RHEL 8 vendor packaged system security patches and updates must be installed and up to + date. + + V + If the operatit (IAVM) process, this is a finding. + + + + + SRG-OS-000033-GPOS-00014 + + RHEL 8 muds. + + Verify the operating system implements DOD-approved encryption to protect the + confidentiality of remote access sessions. + + + "/proc/sys/crypto", this is a finding. + + + + + SRG-OS-000185-GPOS-00079 + + All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent + unauthorized disclosure or modification of all information that requires at rest protection. + + Verify RHEL 8 prevents unauthorized disclosure or modification of all + information requiring at-rest protection by using disk encryption. + + If there is a documented and approved reason for not having data-at-rest encryption at the + operating system level, such as encryption provided by a hypervisor or a disk storage + array in a virtualized environment, this requirement is not applicable. + + Verify al + $ sudo blkid + + /dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" + TYPE="crypto_LUKS" + + Every persistent disk partition present must be of type "crypto_LUKS". 
If any + partitions other than the boot partition or pseudo file systems (such as /proc or /sys) + are not type "crypto_LUKS", ask the administrator to indicate how the partitions + are encrypted. + + If there is no evidence that these partitions are encrypted, this is a finding. + + + + + SRG-OS-000023-GPOS-00006 + + RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before + granting local or remote access to the system via a ssh logon. + + Verify any publicly accessible connection to the operating system displays + the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + Check for the location of the banner file being used with the following command: + + $ sudo grep -ir banner /etc/ssh/sshd_config* + + banner /etc/issue + + This command will return the banner keyword and the name of the file that contains the ssh + banner (in this case "/etc/issue"). + + If the line is commented out, this is a finding. + If conflicting results are returned, this is a finding. + + View the file specified by the banner keyword to check that it matches the text of the + Standard Mandatory DoD Notice and Consent Banner: + + "You are accessing a U.S. Government (USG) Information System (IS) that is provided + for USG-authorized use only. By using this IS (which includes any device attached to this + IS), you consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for purposes + including, but not limited to, penetration testing, COMSEC monitoring, network operations + and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) + investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are subject to routine + monitoring, interception, and search, and may be disclosed or used for any USG-authorized + purpose. 
+ + -This IS includes security measures (e.g., authentication and access controls) to protect + USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI + investigative searching or monitoring of the content of privileged communications, or work + product, related to personal representation or services by attorneys, psychotherapists, or + clergy, and their assistants. Such communications and work product are private and + confidential. See User Agreement for details." + + If the system does not display a graphical logon banner or the banner does not match the + Standard Mandatory DoD Notice and Consent Banner, this is a finding. + + If the text in the file does not match the Standard Mandatory DoD Notice and Consent + Banner, this is a finding. + + + + + SRG-OS-000023-GPOS-00006 + + RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before + granting local or remote access to the system via a graphical user logon. + + Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner + before granting access to the operating system via a graphical user logon. + + Note: This requirement assumes the use of the RHEL 8 default graphical user interface, + Gnome Shell. If the system does not have any graphical user interface installed, this + requirement is Not Applicable. + + Check that the operating system displays the exact Standard Mandatory DoD Notice and + Consent Banner text with the command: + + $ sudo grep banner-message-text /etc/dconf/db/local.d/* + + banner-message-text= + 'You are accessing a U.S. 
Government (USG) Information System (IS) that is provided + for USG-authorized use only.\nBy using this IS (which includes any device attached to this + IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors + communications on this IS for purposes including, but not limited to, penetration testing, + COMSEC monitoring, network operations and defense, personnel misconduct (PM), law + enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may + inspect and seize data stored on this IS.\n-Communications using, or data stored on, this + IS are not private, are subject to routine monitoring, interception, and search, and may + be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures + (e.g., authentication and access controls) to protect USG interests--not for your personal + benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent + to PM, LE or CI investigative searching or monitoring of the content of privileged + communications, or work product, related to personal representation or services by + attorneys, psychotherapists, or clergy, and their assistants. Such communications and work + product are private and confidential. See User Agreement for details. ' + + Note: The "\n " characters are for formatting only. They will not be displayed + on the graphical interface. + + If the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, + this is a finding. + + + + + SRG-OS-000023-GPOS-00006 + + RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before + granting local or remote access to the system via a command line user logon. + + Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner + before granting access to the operating system via a command line user logon. 
+ + Check that RHEL 8 displays a banner at the command line login screen with the following + command: + + $ sudo cat /etc/issue + + If the banner is set correctly it will return the following text: + + “You are accessing a U.S. Government (USG) Information System (IS) that is provided for + USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you consent to the + following conditions: + + -The USG routinely intercepts and monitors communications on this IS for purposes + including, but not limited to, penetration testing, COMSEC monitoring, network operations + and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) + investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are subject to routine + monitoring, interception, and search, and may be disclosed or used for any USG-authorized + purpose. + + -This IS includes security measures (e.g., authentication and access controls) to protect + USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI + investigative searching or monitoring of the content of privileged communications, or work + product, related to personal representation or services by attorneys, psychotherapists, or + clergy, and their assistants. Such communications and work product are private and + confidential. See User Agreement for details.” + + If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner + exactly, this is a finding. + + + + + SRG-OS-000032-GPOS-00013 + + All RHEL 8 remote access methods must be monitored. + + Verify that RHEL 8 monitors all remote access methods. 
+ + Check that remote access methods are being logged by running the following command: + + $ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf + auth.*;authpriv.*;daemon.* /var/log/secure + + If "auth.*", "authpriv.*" or "daemon.*" are not configured + to be logged, this is a finding. + + + + + SRG-OS-000066-GPOS-00034 + + RHEL 8, for PKI-based authentication, must validate certificates by constructing a + certification path (which includes status information) to an accepted trust anchor. + + Verify RHEL 8 for PKI-based authentication has valid certificates by + constructing a certification path (which includes status information) to an accepted trust + anchor. + + Note: If the System Administrator demonstrates the use of an approved alternate + multifactor authentication method, this requirement is not applicable. + + Check that the system has a valid DoD root CA installed with the following command: + + $ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem + + Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 + Validity + Not Before: Mar 20 18:46:41 2012 GMT + Not After : Dec 30 18:46:41 2029 GMT + Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + + If the root ca file is not a DoD-issued certificate with a valid date and installed in the + /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding. + + + + + SRG-OS-000067-GPOS-00035 + + RHEL 8, for certificate-based authentication, must enforce authorized access to the + corresponding private key. + + Verify the SSH private key files have a passcode. + + For each private key stored on the system, use the following command: + + $ sudo ssh-keygen -y -f /path/to/file + + If the contents of the key are displayed, this is a finding. 
+ + + + + + Asset_bbbbbbbbb + + + + Asset_bbbbbbbbb + + + pass + + + xxxxxxxxxxxxxxxxxxxxxxxxxxx + + + + + notapplicable + + + xxxxxxxxxxxxxxxxxxxxx + + + + + fail + + + yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy + + + + + fail + + + yyyyyyyyyyyyyyyyyyyyyy + zzzzzzzzzzzzzzzzzzzzzzzzzzzzz + + + + + informational + + + xxxxxxxxxxxxxxxxxxxxxxx + + + + + notchecked + + + xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + 1.0 + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/xccdf/Asset_b-RHEL_9_TRUNCATED-V1R1-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/Asset_b-RHEL_9_TRUNCATED-V1R1-xccdf.xml new file mode 100644 index 0000000..db02c32 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/Asset_b-RHEL_9_TRUNCATED-V1R1-xccdf.xml 
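Review bot: Every XCCDF fixture added in this commit, this one included, is a well-formed document without a DOCTYPE, so the suite never exercises how the XCCDF reader behaves when a document declares entities (internal entity expansion or an external `SYSTEM` entity). Result files like these are presumably produced by external scanning tools, so a small negative fixture — a copy of this file with a `<!DOCTYPE Benchmark [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>` prologue and `&xxe;` inside a comment field — plus a test asserting the parse is rejected or the entity is left unresolved would pin that behaviour. The parser is not visible from this hunk, so whether the underlying XML library expands entities at all is inferred rather than verified. Separately, the garbled fragments in the truncated check text (`V`, `If the operatit (IAVM) process`, `RHEL 8 muds.`, `Verify al`) suggest the truncation deleted characters rather than whole elements; harmless to the parser, but a cleaner cut or a short note in the file would avoid readers mistaking it for a parsing artefact.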
@@ -0,0 +1,282 @@ + + + + + accepted + Red Hat Enterprise Linux 9 TRUNCATED + This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + V1R1 + + DISA + STIG Manager OSS + + + SRG-OS-000480-GPOS-00227 + + RHEL 9 must be a vendor-supported release. + + Verify that the version or RHEL 9 is vendor supported with the following command: + +$ cat /etc/redhat-release + +Red Hat Enterprise Linux release 9.2 (Plow) + +If the installed version of RHEL 9 is not supported, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + + RHEL 9 vendor packaged system security patches and updates must be installed and up to date. + + Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy. + +Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. 
+ +Check that the available package security updates have been installed on the system with the following command: + +$ dnf history list | more + + ID | Command line | Date and time | Action(s) | Altered +------------------------------------------------------------------------------- + 70 | install aide | 2023-03-05 10:58 | Install | 1 + 69 | update -y | 2023-03-04 14:34 | Update | 18 EE + 68 | install vlc | 2023-02-21 17:12 | Install | 21 + 67 | update -y | 2023-02-21 17:04 | Update | 7 EE + +Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. + +If the system is in noncompliance with the organizational patching policy, this is a finding. + + + + + SRG-OS-000023-GPOS-00006 + + RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. + + Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon. + +Check that a banner is displayed at the command line login screen with the following command: + +$ sudo cat /etc/issue + +If the banner is set correctly it will return the following text: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. 
+ +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +If the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding. + + + + + SRG-OS-000191-GPOS-00080 + + RHEL 9 must implement the Endpoint Security for Linux Threat Prevention tool. + + Verify that RHEL 9 has implemented the Endpoint Security for Linux Threat Prevention tool. + +Check that the following package has been installed: + +$ sudo rpm -qa | grep -i mcafeetp + +If the "mcafeetp" package is not installed, this is a finding. + +Verify that the daemon is running: + +$ sudo ps -ef | grep -i mfetpd + +If the daemon is not running, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + + The graphical display manager must not be the default target on RHEL 9 unless approved. + + Verify that RHEL 9 is configured to boot to the command line: + +$ systemctl get-default + +multi-user.target + +If the system default target is not set to "multi-user.target" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + + RHEL 9 must enable the hardware random number generator entropy gatherer service. 
+ + Verify that RHEL 9 has enabled the hardware random number generator entropy gatherer service with the following command: + +$ systemctl is-active rngd + +active + +If the "rngd" service is not active, this is a finding. + + + + + SRG-OS-000269-GPOS-00103 + + RHEL 9 systemd-journald service must be enabled. + + Verify that "systemd-journald" is active with the following command: + +$ systemctl is-active systemd-journald + +active + +If the systemd-journald service is not active, this is a finding. + + + + + SRG-OS-000324-GPOS-00125 + + The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled. + + Verify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: + +$ grep -i ctrl /etc/systemd/system.conf + +CtrlAltDelBurstAction=none + +If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding. + + + + + SRG-OS-000324-GPOS-00125 + + The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9. + + Verify RHEL 9 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: + +$ sudo systemctl status ctrl-alt-del.target + +ctrl-alt-del.target +Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) +Active: inactive (dead) + +If the "ctrl-alt-del.target" is loaded and not masked, this is a finding. + + + + + SRG-OS-000324-GPOS-00125 + + RHEL 9 debug-shell systemd service must be disabled. + + Verify RHEL 9 is configured to mask the debug-shell systemd service with the following command: + +$ sudo systemctl status debug-shell.service + +debug-shell.service +Loaded: masked (Reason: Unit debug-shell.service is masked.) +Active: inactive (dead) + +If the "debug-shell.service" is loaded and not masked, this is a finding. 
+ + + + + + Asset_bbbbbbbbb + + + Asset_bbbbbbbbb + + + pass + + + xxxxxxxxxxxxxxxxxxxxxxxx + + + + + notapplicable + + + xxxxxxxxxxxxxxxxxxxxxxxxxx + + + + + fail + + + yyyyyyyyyyyyyyyyyyyyyyy + + + + + fail + + + yyyyyyyyyyyyyyyyyyyyyyy + zzzzzzzzzzzzzzzzzzzzzzzzzz + + + + + informational + + + xxxxxxxxxxxxxxxxxxxxxxxxx + + + + + notchecked + + + xxxxxxxxxxxxxxxxxxxxxxxxx + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + 1.0 + + diff --git a/WATCHER-test-files/WATCHER/xccdf/Asset_b-VPN_TRUNCATED-V2R5-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/Asset_b-VPN_TRUNCATED-V2R5-xccdf.xml new file mode 100644 index 0000000..a463861 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/Asset_b-VPN_TRUNCATED-V2R5-xccdf.xml 
@@ -0,0 +1,231 @@ + + + + + accepted + Virtual Private Network (VPN) TRUNCATED + This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. + V2R5 + + DISA + STIG Manager OSS + + + SRG-NET-000019 + + The VPN Gateway must ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. + + Verify the VPN Gateway has an inbound and outbound traffic security policy which is in compliance with information flow control policies (e.g., IPsec policy configuration). + +Review network device configurations and topology diagrams. Verify encapsulated or encrypted traffic received from other enclaves with different security policies terminate at the perimeter for filtering and content inspection by a firewall and IDPS before gaining access to the private network. + +If the IPsec VPN Gateway does not use Encapsulating Security Payload (ESP) in tunnel mode for establishing secured paths to transport traffic between the organizations sites or between a gateway and remote end-stations, this is a finding, + + + + + SRG-NET-000041 + + The Remote Access VPN Gateway and/or client must display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network. + + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Determine if the network device is configured to present a DoD-approved banner that is formatted in accordance with DoD policy. 
+ +If the Remote Access VPN Gateway or VPN client does not display the Standard Mandatory DoD Notice and Consent Banner before granting remote access to the network, this is a finding. + + + + + SRG-NET-000042 + + The Remote Access VPN Gateway and/or client must enforce a policy to retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. + + If the user/remote client connection banner is the same as the banner configured as part of the NDM SRG, then this is not applicable. + +Verify the ALG retains the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and takes explicit actions to log on for further access. + +If the Remote Access VPN Gateway and/or client does not retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access, this is a finding. + + + + + SRG-NET-000043 + + The publicly accessible VPN Gateway must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. + + Verify the publicly accessible VPN Gateway displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. The banner must be formatted in accordance with DTM-08-060. Use the following verbiage for network elements that can accommodate banners of 1300 characters: + +"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+ +By using this IS (which includes any device attached to this IS), you consent to the following conditions: + +-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + +-At any time, the USG may inspect and seize data stored on this IS. + +-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + +-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. + +-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." + +Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: + +"I've read & consent to terms in IS user agreem't." + +If the publicly accessible VPN Gateway does not display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system, this is a finding. + + + + + SRG-NET-000049 + + The VPN Gateway must notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access). 
+ + Determine if the VPN Gateway is either configured to notify the administrator of the number of unsuccessful login attempts since the last successful login or configured to use an authentication server which would perform this function. If the administrator is not notified of the number of unsuccessful login attempts since the last successful login, this is a finding. + +If the VPN Gateway does not notify the user, upon successful logon (access), of the number of unsuccessful logon (access) attempts since the last successful logon (access), this is a finding. + + + + + SRG-NET-000053 + + The VPN Gateway must limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number. + + Inspect the VPN Gateway configuration. Verify the number of concurrent sessions for user accounts to 1 or to an organization-defined number (defined in the SSP). + +If the VPN Gateway does not limit the number of concurrent sessions for user accounts to 1 or to an organization-defined number, this is a finding. + + + + + SRG-NET-000062 + + The TLS VPN Gateway must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission for remote access connections. + + Verify the TLS VPN Gateway is configured to use TLS 1.2 or higher to protect the confidentiality of sensitive data during transmission. + +If the TLS VPN Gateway does not use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during transmission, this is a finding. + + + + + SRG-NET-000063 + + The remote access VPN Gateway must use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of TLS remote access sessions. + + Verify the remote access VPN Gateway uses a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions. 
+ +If the remote access VPN Gateway does not use a digital signature generated using FIPS-validated algorithms and an approved hash function to protect the integrity of remote access sessions, this is a finding. + + + + + SRG-NET-000063 + + The VPN Gateway must be configured to use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + + Verify the VPN Gateway uses IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions. + +If the VPN Gateway does not use IPsec with SHA-2 at 384 bits or greater for hashing to protect the integrity of remote access sessions, this is a finding. + + + + + SRG-NET-000074 + + The IPSec VPN must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1. + + Verify all IKE proposals are set to use DH Group of 16 or greater for IKE Phase 1. + +View the IKE options dh-group option. + +If the IKE option is not set to use DH Group of 16 or greater for IKE Phase 1, this is a finding. + + + + + + Asset_bbbbbbbbb + + + Asset_bbbbbbbbb + + + pass + + + xxxxxxxxxxxx + + + + + notapplicable + + + xxxxxxxxxxxxxxx + + + + + fail + + + yyyyyyyyyyyyyyyyyyyyyy + + + + + fail + + + yyyyyyyyyyyyyyyyyyyyyyy + zzzzzzzzzzzzzzzzzzzzzzzzzzz + + + + + informational + + + xxxxxxxxxxxxxxxxxxxxxxxxxxx + + + + + notchecked + + + xxxxxxxxxxxxxxxxxxxxxxxxx + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + + notchecked + + + + + 1.0 + + diff --git a/WATCHER-test-files/WATCHER/xccdf/GoodStatistics-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/GoodStatistics-xccdf.xml new file mode 100644 index 0000000..274b5c3 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/GoodStatistics-xccdf.xml 
@@ -0,0 +1,163 @@ + + + + + accepted + MyStigTitle + Test Description + V1R1 + + DISA + STIG Manager OSS + + + Group1 + + Rule1 + + Check1 + + + + + Group2 + + Rule2 + + Check2 + + + + + Group3 + + Rule3 + + Check3 + + + + + Group4 + + Rule4 + + Check4 + + + + + Group5 + + Rule5 + + Check5 + + + + + Group6 + + Rule6 + + Check6 + + + + + Group7 + + Rule7 + + Check7 + + + + + Group8 + + Rule8 + + Check8 + + + + + + MyAsset + + + + pass + + + + PassWithDetail + + + + + pass + + + + + + + + + + fail + + + + failwithdetail + + + + + fail + + + + + + + + notchecked + + + + notcheckedwithdetail + + + + + notchecked + + + + + + + + notapplicable + + + + + + + + notapplicable + + + + + + + 1.0 + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/xccdf/NoBenchMarkElement.xml b/WATCHER-test-files/WATCHER/xccdf/NoBenchMarkElement.xml new file mode 100644 index 0000000..ff8e4c7 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/NoBenchMarkElement.xml @@ -0,0 +1,41 @@ + + + + + + accepted + MyStigTitle + Test Description + V2R5 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + + notchecked + + + + + + 1.0 + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/xccdf/NoRuleResultElement-xccdf..xml b/WATCHER-test-files/WATCHER/xccdf/NoRuleResultElement-xccdf..xml new file mode 100644 index 0000000..38896d1 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/NoRuleResultElement-xccdf..xml @@ -0,0 +1,34 @@ + + + + + accepted + MyStigTitle + Test Description + V2R5 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + + 1.0 + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/xccdf/NoTargetElement-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/NoTargetElement-xccdf.xml new file mode 100644 index 0000000..bf39e23 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/NoTargetElement-xccdf.xml 
@@ -0,0 +1,40 @@ + + + + + accepted + MyStigTitle + Test Description + V2R5 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + + notchecked + + + + + + 1.0 + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/xccdf/NoTestResult-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/NoTestResult-xccdf.xml new file mode 100644 index 0000000..b2a456c --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/NoTestResult-xccdf.xml @@ -0,0 +1,40 @@ + + + + + accepted + MyStigTitle + Test Description + V2R5 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + + notchecked + + + + + + 1.0 + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/xccdf/ReviewOverrides-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/ReviewOverrides-xccdf.xml new file mode 100644 index 0000000..2fe41bf --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/ReviewOverrides-xccdf.xml @@ -0,0 +1,46 @@ + + + + + accepted + MyStigTitle + Test Description + V1R1 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + pass + + + + xyz + + + + + Authority1 + pass + fail + Some remark + + + + 1.0 + + diff --git a/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Comment-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Comment-xccdf.xml new file mode 100644 index 0000000..cfbdb03 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Comment-xccdf.xml @@ -0,0 +1,39 @@ + + + + + accepted + MyStigTitle + Test Description + V1R1 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + pass + + + + xyz + + + + + 1.0 + + diff --git a/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Detail-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Detail-xccdf.xml new file mode 100644 index 0000000..42f66f8 --- /dev/null 
+++ b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Detail-xccdf.xml @@ -0,0 +1,38 @@ + + + + + accepted + MyStigTitle + Test Description + V1R1 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + pass + + + + xyz + + + + 1.0 + + diff --git a/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-Empty-CommentDetail-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-Empty-CommentDetail-xccdf.xml new file mode 100644 index 0000000..22596ec --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-Empty-CommentDetail-xccdf.xml @@ -0,0 +1,38 @@ + + + + + accepted + MyStigTitle + Test Description + V1R1 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + fail + + + + + + + + 1.0 + + diff --git a/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-With-Detail-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-With-Detail-xccdf.xml new file mode 100644 index 0000000..3cfae64 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-With-Detail-xccdf.xml @@ -0,0 +1,38 @@ + + + + + accepted + MyStigTitle + Test Description + V1R1 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + fail + + + + xyz + + + + 1.0 + + diff --git a/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-with-Comment-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-with-Comment-xccdf.xml new file mode 100644 index 0000000..1c31096 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-with-Comment-xccdf.xml @@ -0,0 +1,38 @@ + + + + + accepted + MyStigTitle + Test Description + V1R1 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + fail + + + + xyz + + + + 1.0 + + 
diff --git a/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Commented-Detailed-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Commented-Detailed-xccdf.xml new file mode 100644 index 0000000..94c9e9b --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Commented-Detailed-xccdf.xml @@ -0,0 +1,42 @@ + + + + + accepted + MyStigTitle + Test Description + V2R5 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + + notchecked + + + xyz + xyz + + + + 1.0 + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Empty-CommentDetail-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Empty-CommentDetail-xccdf.xml new file mode 100644 index 0000000..db70f02 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Empty-CommentDetail-xccdf.xml @@ -0,0 +1,40 @@ + + + + + accepted + MyStigTitle + Test Description + V2R5 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + + + notchecked + + + + + + 1.0 + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/xccdf/TargetObjectBasic-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/TargetObjectBasic-xccdf.xml new file mode 100644 index 0000000..d8c5539 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/TargetObjectBasic-xccdf.xml @@ -0,0 +1,55 @@ + + + + + + accepted + MyStigTitle + Test Description + V1R1 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + MyTitleForTestResult + MyAsset + + + + + MyAsset + Description + + MyAsset.domain.com + + 1.1.1.1 + + fe80::8c33:57ff:fe94:2b33 + false + + + pass + + + + + + + 1.0 + + \ No newline at end of file diff --git a/WATCHER-test-files/WATCHER/xccdf/TargetObjectMetaData-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/TargetObjectMetaData-xccdf.xml new file mode 100644 index 0000000..855a710 
--- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/TargetObjectMetaData-xccdf.xml @@ -0,0 +1,44 @@ + + + + + accepted + MyStigTitle + Test Description + V1R1 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + MyAsset + Description + MyAsset.domain.com + 1.1.1.1 + fe80::8c33:57ff:fe94:2b33 + false + + + pass + + + + + + + 1.0 + + diff --git a/WATCHER-test-files/WATCHER/xccdf/TargetObjectMinimal-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/TargetObjectMinimal-xccdf.xml new file mode 100644 index 0000000..05466ac --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/TargetObjectMinimal-xccdf.xml @@ -0,0 +1,35 @@ + + + + + accepted + MyStigTitle + Test Description + V1R1 + + DISA + STIG Manager OSS + + + MyStigGroup + + MyRuleTitle + + MyCheckContent + + + + + + MyAsset + + + pass + + + + + + 1.0 + + diff --git a/WATCHER-test-files/WATCHER/xccdf/scc_scan-xccdf.xml b/WATCHER-test-files/WATCHER/xccdf/scc_scan-xccdf.xml new file mode 100644 index 0000000..7f61a25 --- /dev/null +++ b/WATCHER-test-files/WATCHER/xccdf/scc_scan-xccdf.xml 
@@ -0,0 +1,3836 @@ + + + + + accepted + Mozilla Firefox for Linux STIG SCAP Benchmark - NIWC Enhanced with Manual Questions + This Security Technical Implementation Guide is published as a tool to improve + the security of Department of Defense (DoD) information systems. The requirements are + derived from the National Institute of Standards and Technology (NIST) 800-53 and related + documents. Comments or proposed revisions to this document should be sent via email to the + following address: disa.stig_spt@mail.mil. + Portions of this document were developed at Naval Information + Warfare Center Atlantic by employees of the Federal Government in the course of their + official duties. Pursuant to title 17 Section 105 of the United States Code this software is + not subject to copyright protection and is in the public domain. The Government assumes no + responsibility whatsoever for its use by other parties, and the software is provided "AS IS" + without warranty or guarantee of any kind, express or implied, including, but not limited + to, the warranties of merchantability and of fitness for a particular purpose. In no event + shall the Government be liable for any claim, damages or other liability, whether in an + action of contract, tort or other dealings in the software. The Government has no obligation + hereunder to provide maintenance, support, updates, enhancements, or modifications. We would + appreciate acknowledgement if the software is used. This software can be redistributed + and/or modified freely provided that any derivative works bear some notice that they are + derived from it, and any modified versions bear some notice that they have been modified. + This content stream was enhanced with OCIL manual questions derived from the + STIG Manual by the NIWC SCC team. 
Timestamp: 2023-08-04T14:43:15 Tool Version: 1.0 STIG + Manual Version: 6.5 SCAP Benchmark Version: 6.3 DISA Automated rules added: 29 NIWC + Automated rules added: 0 Manual rules added: 5 + This data is metadata to be used for the creation of CKL reports. version:--:6 + classification:--:UNCLASSIFIED customname:--: stigid:--:MOZ_Firefox_STIG description:--:This + Security Technical Implementation Guide is published as a tool to improve the security of + Department of Defense (DOD) information systems. The requirements are derived from the + National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments + or proposed revisions to this document should be sent via email to the following address: + disa.stig_spt@mail.mil. filename:--:U_MOZ_Firefox_Linux_V6R5_STIG_Manual-xccdf.xml + releaseinfo:--:Release: 5 Benchmark Date: 26 Jul 2023 title:--:Mozilla Firefox Security + Technical Implementation Guide uuid:--: notice:--: source:--:STIG.DOD.MIL + + DISA+NIWC + STIG.DOD.MIL + + Enhanced Content 6.3.3 Date: 2023-08-04, based on Release: 6.3 Benchmark Date: 27 Oct 2022 + 3.4.0.34222 + 1.10.0 + + 6.3.3 + + DISA + DISA + DISA + STIG.DOD.MIL + + + I - Mission Critical Classified + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + I - Mission Critical Public + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + I - Mission Critical Sensitive + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Classified + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Public + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Sensitive + 
<ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Classified + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Public + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Sensitive + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + CAT I Only + This profile only includes rules that are Severity Category I. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SRG-APP-000456 + <GroupDescription></GroupDescription> + + FFOX-00-000001 + The installed version of Firefox must be supported. + + <VulnDiscussion>Using versions of an application that are not + supported by the vendor is not permitted. Vendors respond to security flaws with + updates and patches. These updates are not available for unsupported versions, which + can leave the application vulnerable to + attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-002605 + Upgrade the version of the browser to an + approved version by obtaining software from the vendor or other trusted source. + + + + Run Firefox. Click the ellipsis button >> Help >> + About Firefox, and view the version number. If the Firefox version is not a + supported version, this is a finding. + + + + + + + + SRG-APP-000560 + <GroupDescription></GroupDescription> + + FFOX-00-000002 + Firefox must be configured to allow only TLS 1.2 or above. 
+ + <VulnDiscussion>Use of versions prior to TLS 1.2 are not + permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions + must be disabled in compliance with the Network Infrastructure and Secure Remote + Computing + STIGs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-001453 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Minimum SSL + version enabled Policy State: Enabled Policy Value: TLS 1.2 (or TLS 1.3) macOS + "plist" file: Add the following: <key>SSLVersionMin</key> + <string>tls1.2</string> (or <string>tls1.3</string>) Linux + "policies.json" file: Add the following in the policies section: "SSLVersionMin": + "tls1.2" or ("SSLVersionMin": "tls1.3") + + + + Type "about:policies" in the browser window. If "SSLVersionMin" + is not displayed under Policy Name or the Policy Value is not "tls1.2" or + "tls1.3", this is a finding. + + + + + + + + + + + SRG-APP-000177 + <GroupDescription></GroupDescription> + + FFOX-00-000003 + Firefox must be configured to ask which certificate to present to a website + when a certificate is required. + + <VulnDiscussion>When a website asks for a certificate for user + authentication, Firefox must be configured to have the user choose which certificate + to present. Websites within DoD require user authentication for access, which + increases security for DoD information. 
Access will be denied to the user if + certificate management is not + configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000187 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences + Policy State: Enabled Policy Value: { "security.default_personal_cert": { "Value": + "Ask Every Time", "Status": "locked" } } macOS "plist" file: Add the following: + <key>Preferences</key> <dict> + <key>security.default_personal_cert</key> <dict> + <key>Value</key> <string>Ask Every Time</string> + <key>Status</key> <string>locked</string> </dict> + </dict> Linux "policies.json" file: Add the following in the policies section: + "Preferences": { "security.default_personal_cert": { "Value": "Ask Every Time", + "Status": "locked" } } + + + + Type "about:policies" in the browser address bar. If + "security.default_personal_cert" is not displayed with a value of "Ask Every + Time", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000004 + Firefox must be configured to not automatically check for updated versions of + installed search plugins. + + <VulnDiscussion>Updates must be controlled and installed from + authorized and trusted servers. 
This setting overrides a number of other settings + that may direct the application to access external + URLs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences + Policy State: Enabled Policy Value: { "browser.search.update": { "Value": false, + "Status": "locked" } } macOS "plist" file: Add the following: + <key>Preferences</key> <dict> + <key>browser.search.update</key> <dict> + <key>Value</key> <false/> <key>Status</key> + <string>locked</string> </dict> </dict> Linux + "policies.json" file: Add the following in the policies section: "Preferences": { + "browser.search.update": { "Value": false, "Status": "locked" } } + + + + Type "about:policies" in the browser address bar. If + "browser.search.update" is not displayed with a value of "false", this is a + finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000005 + Firefox must be configured to not automatically update installed add-ons and + plugins. + + <VulnDiscussion>Set this to false to disable checking for updated + versions of the Extensions/Themes. 
Automatic updates from untrusted sites puts the + enclave at risk of attack and may override security + settings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\Extensions Policy Name: + Extension Update Policy State: Disabled macOS "plist" file: Add the following: + <key>ExtensionUpdate</key> <false/> Linux "policies.json" file: + Add the following in the policies section: "ExtensionUpdate": false + + + + Type "about:policies" in the browser window. If "ExtensionUpdate" + is not displayed under Policy Name or the Policy Value is not "false", this is a + finding. + + + + + + + + + + + SRG-APP-000278 + <GroupDescription></GroupDescription> + + FFOX-00-000006 + Firefox must be configured to not automatically execute or download MIME + types that are not authorized for auto-download. + + <VulnDiscussion>Some files can be downloaded or execute without + user interaction. This setting ensures these files are not downloaded and + executed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-001242 + Remove any unauthorized extensions from the + auto-download list. 
+ + + + Type "about:preferences" in the browser address bar. Type + "Applications" in the Find bar in the upper-right corner. Determine if any of + the following file extensions are listed: HTA, JSE, JS, MOCHA, SHS, VBE, VBS, + SCT, WSC, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, DOS, BAT, PS, EPS, WCH, WCM, WB1, + WB3, WCH, WCM, AD. If the entry exists and the "Action" is "Save File" or + "Always Ask", this is not a finding. If an extension exists and the entry in the + Action column is associated with an application that does/can execute the code, + this is a finding. + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000007 + Firefox must be configured to disable form fill assistance. + + <VulnDiscussion>To protect privacy and sensitive data, Firefox + provides the ability to configure the program so that data entered into forms is not + saved. This mitigates the risk of a website gleaning private information from + prefilled + information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Form + History Policy State: Enabled macOS "plist" file: Add the following: + <key>DisableFormHistory</key> <true/> Linux "policies.json" file: + Add the following in the policies section: "DisableFormHistory": true + + + + Type "about:policies" in the browser window. If + "DisableFormHistory" is not displayed under Policy Name or the Policy Value is + not "true", this is a finding. 
+ + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000008 + Firefox must be configured to not use a password store with or without a + master password. + + <VulnDiscussion>Firefox can be set to store passwords for sites + visited by the user. These individual passwords are stored in a file and can be + protected by a master password. Autofill of the password can then be enabled when + the site is visited. This feature could also be used to autofill the certificate + PIN, which could lead to compromise of DoD + information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox Policy Name: PasswordManager + Policy State: Disabled macOS "plist" file: Add the following: + <key>PasswordManagerEnabled</key> <false/> Linux "policies.json" + file: Add the following in the policies section: "PasswordManagerEnabled": false + + + + Type "about:policies" in the browser window. If + "PasswordManagerEnabled" is not displayed under Policy Name or the Policy Value + is not "false", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000009 + Firefox must be configured to block pop-up windows. + + <VulnDiscussion>Pop-up windows may be used to launch an attack + within a new browser window with altered settings. 
This setting blocks pop-up + windows created while the page is + loading.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\Popups Policy Name: Block + pop-ups from websites Policy State: Enabled Policy Name: Do not allow preferences to + be changed Policy State: Enabled Optional: Policy Name: Allowed Sites Policy State: + Enabled Click "Show..." and enter a list of websites to be allowlisted. macOS + "plist" file: Add the following: <key>PopupBlocking</key> <dict> + <key>Allow</key> <array> + <string>http://example.mil</string> + <string>http://example.gov</string> </array> + <key>Default</key> <true/> <key>Locked</key> + <true/> </dict> Linux "policies.json" file: Add the following in the + policies section: "PopupBlocking": { "Allow": ["http://example.mil/", + "http://example.gov/"], "Default": true, "Locked": true} + + + + Type "about:policies" in the browser address bar. If + "PopupBlocking" is not displayed under Policy Name or the Policy Value is not + "Default" "true", this is a finding. If "PopupBlocking" is not displayed under + Policy Name or the Policy Value is not "Locked" "true", this is a finding. + "PopupBlocking" "Enabled" may be used to specify an allowlist of sites where + pop-ups are desired, this is optional. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000010 + Firefox must be configured to prevent JavaScript from moving or resizing + windows. 
+ + <VulnDiscussion>JavaScript can make changes to the browser's + appearance. This activity can help disguise an attack taking place in a minimized + background window. Configure the browser setting to prevent scripts on visited + websites from moving and resizing browser + windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences + Policy State: Enabled Policy Value: { "dom.disable_window_move_resize": { "Value": + true, "Status": "locked" } } macOS "plist" file: Add the following: + <key>Preferences</key> <dict> + <key>dom.disable_window_move_resize</key> <dict> + <key>Value</key> <true/> <key>Status</key> + <string>locked</string> </dict> </dict> Linux + "policies.json" file: Add the following in the policies section: "Preferences": { + "dom.disable_window_move_resize": { "Value": true, "Status": "locked" } } + + + + Type "about:policies" in the browser address bar. If + "dom.disable_window_move_resize" is not displayed with a value of "true", this + is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000011 + Firefox must be configured to prevent JavaScript from raising or lowering + windows. + + <VulnDiscussion>JavaScript can raise and lower browser windows to + cause improper input. 
Configure the browser setting to prevent scripts on visited + websites from raising and lowering browser + windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences + Policy State: Enabled Policy Value: { "dom.disable_window_flip": { "Value": true, + "Status": "locked" } } macOS "plist" file: Add the following: + <key>Preferences</key> <dict> + <key>dom.disable_window_flip</key> <dict> + <key>Value</key> <true/> <key>Status</key> + <string>locked</string> </dict> </dict> Linux + "policies.json" file: Add the following in the policies section: "Preferences": { + "dom.disable_window_flip": { "Value": true, "Status": "locked" } } + + + + Type "about:policies" in the browser address bar. If + "dom.disable_window_flip" is not displayed with a value of "true", this is a + finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000013 + Firefox must be configured to disable the installation of extensions. + + <VulnDiscussion>A browser extension is a program that has been + installed into the browser to add functionality. Where a plug-in interacts only with + a web page and usually a third-party external application (e.g., Flash, Adobe + Reader), an extension interacts with the browser program itself. Extensions are not + embedded in web pages and must be downloaded and installed in order to work. + Extensions allow browsers to avoid restrictions that apply to web pages. 
For + example, an extension can be written to combine data from multiple domains and + present it when a certain page is accessed, which can be considered cross-site + scripting. If a browser is configured to allow unrestricted use of extensions, + plug-ins can be loaded and installed from malicious sources and used on the + browser.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\Addons Policy Name: Allow + add-on installs from websites Policy State: Disabled macOS "plist" file: Add the + following: <key>InstallAddonsPermission</key> <false/> Linux + "policies.json" file: Add the following in the policies section: + "InstallAddonsPermission": { "Default": false } + + + + Type "about:policies" in the browser address bar. If + "InstallAddonsPermission" is not displayed under Policy Name or the Policy Value + is not "Default" "false", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000014 + Background submission of information to Mozilla must be disabled. + + <VulnDiscussion>Firefox by default sends information about + Firefox to Mozilla servers. 
There should be no background submission of technical + and other information from DoD computers to Mozilla with portions posted + publicly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable + Telemetry Policy State: Enabled macOS "plist" file: Add the following: + <key>DisableTelemetry</key> <true/> Linux "policies.json" file: + Add the following in the policies section: "DisableTelemetry": true + + + + Type "about:policies" in the browser window. If + "DisableTelemetry" is not displayed under Policy Name or the Policy Value is not + "true", this is a finding. + + + + + + + + + + + SRG-APP-000266 + <GroupDescription></GroupDescription> + + FFOX-00-000015 + Firefox development tools must be disabled. + + <VulnDiscussion>Information needed by an attacker to begin + looking for possible vulnerabilities in a web browser includes any information about + the web browser and plug-ins or modules being used. When debugging or trace + information is enabled in a production web browser, information about the web + browser, such as web browser type, version, patches installed, plug-ins and modules + installed, type of code being used by the hosted application, and any back ends + being used for data storage may be displayed. 
Because this information may be placed + in logs and general messages during normal operation of the web browser, an attacker + does not have to cause an error condition to gain this + information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-001312 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable + Developer Tools Policy State: Enabled macOS "plist" file: Add the following: + <key>DisableDeveloperTools</key> <true/> Linux "policies.json" + file: Add the following in the policies section: "DisableDeveloperTools": true + + + + Type "about:policies" in the browser window. If + "DisableDeveloperTools" is not displayed under Policy Name or the Policy Value + is not "true", this is a finding. + + + + + + + + + + + SRG-APP-000175 + <GroupDescription></GroupDescription> + + FFOX-00-000016 + Firefox must have the DOD root certificates installed. + + <VulnDiscussion>The DOD root certificates will ensure that the + trust chain is established for server certificates issued from the DOD Certificate + Authority + (CA).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000185 + Install the DOD root certificates. 
Other + AO-approved certificates may also be used. Certificates designed for SIPRNet may be + used as appropriate. On Windows, import certificates from the operating system by + using Certificates >> Import Enterprise Roots (Certificates) via policy or + Group Policy Object (GPO). + + + + Type "about:preferences#privacy" in the browser window. Scroll + down to the bottom and select "View Certificates...". In the Certificate Manager + window, select the "Authorities" tab. Scroll through the Certificate Name list + to the U.S. Government heading. Look for the entries for DOD Root CA 2, DOD Root + CA 3, DOD Root CA 4, and DOD Root CA 5. If there are entries for DOD Root CA 2, + DOD Root CA 3, DOD Root CA 4, and DOD Root CA 5, select them individually. Click + the "View" button. Verify the publishing organization is "US Government". If + there are no entries for the appropriate DOD root certificates, this is a + finding. If other AO-approved certificates are used, this is not a finding. If + SIPRNet-specific certificates are used, this is not a finding. Note: In a + Windows environment, use of policy setting + "security.enterprise_roots.enabled=true" will point Firefox to the Windows + Trusted Root Certification Authority Store. This is not a finding. It may also + be set via the policy Certificates >> ImportEnterpriseRoots, which can be + verified via "about:policies". + + + + + + + + SRG-APP-000326 + <GroupDescription></GroupDescription> + + FFOX-00-000018 + Firefox must prevent the user from quickly deleting data. + + <VulnDiscussion>There should not be an option for a user to + "forget" work they have done. 
This is required to meet non-repudiation + controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-002355 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Forget + Button Policy State: Enabled macOS "plist" file: Add the following: + <key>DisableForgetButton</key> <true/> Linux "policies.json" file: + Add the following in the policies section: "DisableForgetButton": true + + + + Type "about:policies" in the browser address bar. If + "DisableForgetButton" is not displayed under Policy Name or the Policy Value is + not "true", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000019 + Firefox private browsing must be disabled. + + <VulnDiscussion>Private browsing allows the user to browse the + internet without recording their browsing history/activity. From a forensics + perspective, this is unacceptable. Best practice requires that browser history is + retained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. 
Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Private + Browsing Policy State: Enabled macOS "plist" file: Add the following: + <key>DisablePrivateBrowsing</key> <true/> Linux "policies.json" + file: Add the following in the policies section: "DisablePrivateBrowsing": true + + + + Type "about:policies" in the browser window. If + "DisablePrivateBrowsing" is not displayed under Policy Name or the Policy Value + is not "true", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000020 + Firefox search suggestions must be disabled. + + <VulnDiscussion>Search suggestions must be disabled as this could + lead to searches being conducted that were never intended to be + made.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\Search Policy Name: Search + Suggestions Policy State: Disabled macOS "plist" file: Add the following: + <key>SearchSuggestEnabled</key> <false/> Linux "policies.json" + file: Add the following in the policies section: "SearchSuggestEnabled": false + + + + Type "about:policies" in the browser window. If + "SearchSuggestEnabled" is not displayed under Policy Name or the Policy Value is + not "false", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000021 + Firefox autoplay must be disabled. 
+ + <VulnDiscussion>Autoplay allows the user to control whether + videos can play automatically (without user consent) with audio content. The user + must be able to select content that is run within the browser + window.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\Permissions\Autoplay Policy + Name: Default autoplay level Policy State: Enabled Policy Value: Block Audio and + Video macOS "plist" file: Add the following: <key>Permissions</key> + <dict> <key>Autoplay</key> <dict> + <string>block-audio-video</string> </dict> </dict> Linux + "policies.json" file: Add the following in the policies section: "Permissions": { + "Autoplay": { "Default": "block-audio-video" } } + + + + Type "about:policies" in the browser address bar. If + "Permissions" is not displayed under Policy Name or the Policy Value is not + "Autoplay" with a value of "Default" and "Block-audio-video", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000022 + Firefox network prediction must be disabled. + + <VulnDiscussion>If network prediction is enabled, requests to + URLs are made without user consent. 
The browser should always make a direct DNS + request without prefetching + occurring.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Network + Prediction Policy State: Disabled macOS "plist" file: Add the following: + <key>NetworkPrediction</key> <false/> Linux "policies.json" file: + Add the following in the policies section: "NetworkPrediction": false + + + + Type "about:policies" in the browser window. If + "NetworkPrediction" is not displayed under Policy Name or the Policy Value is + not "false", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000023 + Firefox fingerprinting protection must be enabled. + + <VulnDiscussion>The Content Blocking/Tracking Protection feature + stops Firefox from loading content from malicious sites. The content might be a + script or an image, for example. If a site is on one of the tracker lists that + Firefox is set to use, the fingerprinting script (or other tracking script/image) + will not be loaded from that site. Fingerprinting scripts collect information about + browser and device configuration, such as operating system, screen resolution, and + other settings. 
By compiling these pieces of data, fingerprinters create a unique + profile that can be used to track the user around the + web.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\Tracking Protection Policy + Name: Fingerprinting Policy State: Enabled macOS "plist" file: Add the following: + <key>EnableTrackingProtection</key> <dict> + <key>Fingerprinting</key> <true/> </dict> Linux + "policies.json" file: Add the following in the policies section: + "EnableTrackingProtection": { "Fingerprinting": true } + + + + Type "about:policies" in the browser address bar. If + "EnableTrackingProtection" is not displayed under Policy Name or the Policy + Value is not "Fingerprinting" with a value of "true", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000024 + Firefox cryptomining protection must be enabled. + + <VulnDiscussion>The Content Blocking/Tracking Protection feature + stops Firefox from loading content from malicious sites. The content might be a + script or an image, for example. If a site is on one of the tracker lists that + Firefox is set to use, the fingerprinting script (or other tracking script/image) + will not be loaded from that site. 
Cryptomining scripts use a computer's central + processing unit to invisibly mine + cryptocurrency.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\Tracking Protection Policy + Name: Cryptomining Policy State: Enabled macOS "plist" file: Add the following: + <key>EnableTrackingProtection</key> <dict> + <key>Cryptomining</key> <true/> </dict> Linux + "policies.json" file: Add the following in the policies section: + "EnableTrackingProtection": { "Cryptomining": true } + + + + Type "about:policies" in the browser address bar. If + "EnableTrackingProtection" is not displayed under Policy Name or the Policy + Value is not "Cryptomining" with a value of "true", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000025 + Firefox Enhanced Tracking Protection must be enabled. + + <VulnDiscussion>Tracking generally refers to content, cookies, or + scripts that can collect browsing data across multiple sites. It is detrimental for + applications to provide, or install by default, functionality exceeding requirements + or mission objectives. These unnecessary capabilities or services are often + overlooked and therefore may remain unsecured. They increase the risk to the + platform by providing additional attack vectors. Applications are capable of + providing a wide variety of functions and services. 
Some of the functions and + services, provided by default, may not be necessary to support essential + organizational operations (e.g., key missions, functions). Examples of non-essential + capabilities include but are not limited to advertising software or browser plug-ins + that are not related to requirements or provide a wide array of functionality not + required for every mission but that cannot be + disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences + Policy State: Enabled Policy Value: { "browser.contentblocking.category": { "Value": + "strict", "Status": "locked" } } macOS "plist" file: Add the following: + <key>Preferences</key> <dict> + <key>browser.contentblocking.category</key> <dict> + <key>Value</key> <string>strict</string> + <key>Status</key> <string>locked</string> </dict> + </dict> Linux "policies.json" file: Add the following in the policies section: + "Preferences": { "browser.contentblocking.category": { "Value": "strict", "Status": + "locked" } } + + + + Type "about:policies" in the browser address bar. If + "browser.contentblocking.category" is not displayed with a value of "strict", + this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000026 + Firefox extension recommendations must be disabled. 
+ + <VulnDiscussion>The Recommended Extensions program makes it + easier for users to discover extensions that have been reviewed for security, + functionality, and user experience. Allowed extensions are to be centrally + managed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Preferences + Policy State: Enabled Policy Value: { + "extensions.htmlaboutaddons.recommendations.enabled": { "Value": false, "Status": + "locked" } } macOS "plist" file: Add the following: + <key>Preferences</key> <dict> + <key>extensions.htmlaboutaddons.recommendations.enabled</key> + <dict> <key>Value</key> <false/> + <key>Status</key> <string>locked</string> </dict> + </dict> Linux "policies.json" file: Add the following in the policies section: + "Preferences": { "extensions.htmlaboutaddons.recommendations.enabled": { "Value": + false, "Status": "locked" }, + + + + Type "about:policies" in the browser address bar. If + "extensions.htmlaboutaddons.recommendations.enabled" is not displayed with a + value of "false", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000027 + Firefox deprecated ciphers must be disabled. + + <VulnDiscussion>A weak cipher is defined as an + encryption/decryption algorithm that uses a key of insufficient length. 
Using an + insufficient length for a key in an encryption/decryption algorithm opens up the + possibility (or probability) that the encryption scheme could be + broken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\Disabled Ciphers Policy Name: + TLS_RSA_WITH_3DES_EDE_CBC_SHA Policy State: Enabled macOS "plist" file: Add the + following: <key>DisabledCiphers</key> <dict> + <key>TLS_RSA_WITH_3DES_EDE_CBC_SHA</key> <true/> </dict> + Linux "policies.json" file: Add the following in the policies section: + "DisabledCiphers": { "TLS_RSA_WITH_3DES_EDE_CBC_SHA": true } + + + + Type "about:policies" in the browser address bar. If + "DisabledCiphers" is not displayed under Policy Name or the Policy Value is not + "TLS_RSA_WITH_3DES_EDE_CBC_SHA" with a value of "true", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000028 + Firefox must not recommend extensions as the user is using the browser. + + <VulnDiscussion>The Recommended Extensions program recommends + extensions to users as they surf the web. The user must not be encouraged to install + extensions from the websites they visit. 
Allowed extensions are to be centrally + managed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\User Messaging Policy Name: + Extension Recommendations Policy State: Disabled macOS "plist" file: Add the + following: <key>UserMessaging</key> <dict> + <key>ExtensionRecommendations</key> <false/> </dict> Linux + "policies.json" file: Add the following in the policies section: "UserMessaging": { + "ExtensionRecommendations": false } + + + + Type "about:policies" in the browser address bar. If + "UserMessaging" is not displayed under Policy Name or the Policy Value is not + "ExtensionRecommendations" with a value of "false", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000029 + The Firefox New Tab page must not show Top Sites, Sponsored Top Sites, Pocket + Recommendations, Sponsored Pocket Stories, Searches, Highlights, or Snippets. + + <VulnDiscussion>The New Tab page by default shows a list of + built-in top sites, as well as the top sites the user has visited. It is detrimental + for applications to provide, or install by default, functionality exceeding + requirements or mission objectives. These unnecessary capabilities or services are + often overlooked and therefore may remain unsecured. They increase the risk to the + platform by providing additional attack vectors. Applications are capable of + providing a wide variety of functions and services. 
Some of the functions and + services, provided by default, may not be necessary to support essential + organizational operations (e.g., key missions, functions). Examples of non-essential + capabilities include but are not limited to advertising software or browser plug-ins + that are not related to requirements or provide a wide array of functionality not + required for every mission but that cannot be disabled. The new tab page must not + actively show user + activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Customize + Firefox Home Policy State: Enabled Policy Value: Uncheck "Search" Policy Value: + Uncheck "Top Sites" Policy Value: Uncheck "Sponsored Top Sites" Policy Value: + Uncheck "Recommended by Pocket" Policy Value: Uncheck "Sponsored Pocket Stories" + Policy Value: Uncheck "Download History" Policy Value: Uncheck "Snippets" Policy + Value: Check "Do not allow settings to be changed" macOS "plist" file: Add the + following: <key>FirefoxHome</key> <dict> + <key>Search</key> <false/> <key>TopSites</key> + <false/> <key>SponsoredTopSites</key> <false/> + <key>Pocket</key> <false/> <key>SponsoredPocket</key> + <false/> <key>Highlights</key> <false/> + <key>Snippets</key> <false/> <key>Locked</key> + <true/> </dict> Linux "policies.json" file: Add the following in the + policies section: "FirefoxHome": { "Search": false, "TopSites": false, + "SponsoredTopSites": false, "Pocket": false, "SponsoredPocket": 
false, "Highlights": + false, "Snippets": false, "locked": true } + + + + Type "about:policies" in the browser address bar. If + "FirefoxHome" is not displayed under Policy Name or the Policy Value does not + have "Search" with a value of "false", this is a finding. If "FirefoxHome" is + not displayed under Policy Name or the Policy Value does not have "TopSites" + with a value of "false", this is a finding. If "FirefoxHome" is not displayed + under Policy Name or the Policy Value does not have "SponsoredTopSites" with a + value of "false", this is a finding. If "FirefoxHome" is not displayed under + Policy Name or the Policy Value does not have "Pocket" with a value of "false", + this is a finding. If "FirefoxHome" is not displayed under Policy Name or the + Policy Value does not have "SponsoredPocket" with a value of "false", this is a + finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value + does not have "Highlights" with a value of "false", this is a finding. If + "FirefoxHome" is not displayed under Policy Name or the Policy Value does not + have "Snippets" with a value of "false", this is a finding. If "FirefoxHome" is + not displayed under Policy Name or the Policy Value does not have "Locked" with + a value of "true", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000033 + Firefox must be configured so that DNS over HTTPS is disabled. + + <VulnDiscussion>DNS over HTTPS has generally not been adopted in + the DoD. DNS is tightly controlled. It is detrimental for applications to provide, + or install by default, functionality exceeding requirements or mission objectives. + These unnecessary capabilities or services are often overlooked and therefore may + remain unsecured. They increase the risk to the platform by providing additional + attack vectors. Applications are capable of providing a wide variety of functions + and services. 
Some of the functions and services, provided by default, may not be + necessary to support essential organizational operations (e.g., key missions, + functions). Examples of non-essential capabilities include, but are not limited to, + advertising software or browser plug-ins not related to requirements or providing a + wide array of functionality not required for every mission, but cannot be + disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\DNS Over HTTPS Policy Name: + Enabled Policy State: Disabled macOS "plist" file: + <key>DNSOverHTTPS</key> <dict> <key>Enabled</key> + <false/> Linux "policies.json" file: Add the following in the policies + section: "DNSOverHTTPS": {"Enabled": false} + + + + Type "about:policies" in the browser address bar. If + "DNSOverHTTPS" is not displayed under Policy Name or the Policy Value does not + have "Enabled" with a value of "false", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000034 + Firefox accounts must be disabled. + + <VulnDiscussion>Disable Firefox Accounts integration (Sync). It + is detrimental for applications to provide, or install by default, functionality + exceeding requirements or mission objectives. These unnecessary capabilities or + services are often overlooked and therefore may remain unsecured. They increase the + risk to the platform by providing additional attack vectors. 
Applications are + capable of providing a wide variety of functions and services. Some of the functions + and services, provided by default, may not be necessary to support essential + organizational operations (e.g., key missions, functions). Examples of non-essential + capabilities include but are not limited to advertising software or browser plug-ins + that are not related to requirements or provide a wide array of functionality not + required for every mission but that cannot be + disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Disable Firefox + Accounts Policy State: Enabled macOS "plist" file: + <key>DisableFirefoxAccounts</key> <true/> Linux "policies.json" + file: Add the following in the policies section: "DisableFirefoxAccounts": true + + + + Type "about:policies" in the browser address bar. If + "DisableFirefoxAccounts" is not displayed under Policy Name or the Policy Value + is not "true", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000036 + Firefox feedback reporting must be disabled. + + <VulnDiscussion>Disable the menus for reporting sites (Submit + Feedback, Report Deceptive Site). It is detrimental for applications to provide, or + install by default, functionality exceeding requirements or mission objectives. + These unnecessary capabilities or services are often overlooked and therefore may + remain unsecured. 
They increase the risk to the platform by providing additional + attack vectors. Applications are capable of providing a wide variety of functions + and services. Some of the functions and services, provided by default, may not be + necessary to support essential organizational operations (e.g., key missions, + functions). Examples of non-essential capabilities include but are not limited to + advertising software or browser plug-ins that are not related to requirements or + provide a wide array of functionality not required for every mission but that cannot + be + disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\ Policy Name: Disable + Feedback Commands Policy State: Enabled macOS "plist" file: + <key>DisableFeedbackCommands</key> <true/> Linux "policies.json" + file: Add the following in the policies section: "DisableFeedbackCommands": true + + + + Type "about:policies" in the browser address bar. If + "DisableFeedbackCommands" is not displayed under Policy Name or the Policy Value + is not "true", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000037 + Firefox encrypted media extensions must be disabled. + + <VulnDiscussion>Enable or disable Encrypted Media Extensions and + optionally lock it. If "Enabled" is set to "false", Firefox does not download + encrypted media extensions (such as Widevine) unless the user consents to installing + them. 
If "Locked" is set to "true" and "Enabled" is set to "false", Firefox will not + download encrypted media extensions (such as Widevine) or ask the user to install + them. It is detrimental for applications to provide, or install by default, + functionality exceeding requirements or mission objectives. These unnecessary + capabilities or services are often overlooked and therefore may remain unsecured. + They increase the risk to the platform by providing additional attack vectors. + Applications are capable of providing a wide variety of functions and services. Some + of the functions and services, provided by default, may not be necessary to support + essential organizational operations (e.g., key missions, functions). Examples of + non-essential capabilities include but are not limited to advertising software or + browser plug-ins that are not related to requirements or provide a wide array of + functionality not required for every mission but that cannot be + disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. 
Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\Encrypted Media Extensions + Policy Name: Enable Encrypted Media Extensions Policy State: Disabled Policy Name: + Lock Encrypted Media Extensions Policy State: Enabled macOS "plist" file: + <key>EncryptedMediaExtensions</key> <dict> + <key>Enabled</key> <false/> <key>Locked</key> + <true/> Linux "policies.json" file: Add the following in the policies section: + "EncryptedMediaExtensions": { "Enabled": false, "Locked": true } + + + + Type "about:policies" in the browser address bar. If + "EncryptedMediaExtensions" is not displayed under Policy Name or the Policy + Value does not have "Enabled" set to "false" or the Policy Value does not have + "Locked" set to "true", this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000017 + Firefox must be configured to not delete data upon shutdown. + + <VulnDiscussion>For diagnostic purposes, data must remain behind + when the browser is closed. This is required to meet non-repudiation + controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. 
Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox\Clear data when browser is + closed Policy Name: Cache, Cookies, Download History, Form & Search History, + Browsing History, Active Logins, Site Preferences, Offline Website Data Policy + State: Disabled Policy Name: Locked Policy State: Enabled macOS "plist" file: Add + the following: <key>SanitizeOnShutdown</key> <dict> + <key>Cache</key> <false/> <key>Cookies</key> + <false/> <key>Downloads</key> <false/> + <key>FormData</key> <false/> <key>History</key> + <false/> <key>Sessions</key> <false/> + <key>SiteSettings</key> <false/> + <key>OfflineApps</key> <false/> <key>Locked</key> + <true/> </dict> Linux "policies.json" file: Add the following in the + policies section: "SanitizeOnShutdown": { "Cache": false, "Cookies": false, + "Downloads": false, "FormData": false, "History": false, "Sessions": false, + "SiteSettings": false, "OfflineApps": false, "Locked": true } + + + + Type "about:policies" in the browser address bar. If + "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does + not have + {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, + this is a finding. + + + + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000038 + Pocket must be disabled. + + <VulnDiscussion>Pocket, previously known as Read It Later, is a + social bookmarking service for storing, sharing, and discovering web bookmarks. 
Data + gathering cloud services such as this are generally disabled in the + DoD.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Pocket + Policy State: Enabled macOS "plist" file: <key>DisablePocket</key> + <true/> Linux "policies.json" file: Add the following in the policies section: + "DisablePocket": true + + + + Type "about:policies" in the browser address bar. If + "DisablePocket" is not displayed under Policy Name or the Policy Value does not + have a value of "true", this is a finding. + + + + + + + + SRG-APP-000141 + <GroupDescription></GroupDescription> + + FFOX-00-000039 + Firefox Studies must be disabled. + + <VulnDiscussion>Studies try out different features and ideas + before they are released to all Firefox users. Testing beta software is not in the + DoD user's + mission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DISA + 5446 + DPMS + Target + + CCI-000381 + Windows group policy: 1. Open the group policy + editor tool with "gpedit.msc". 2. 
Navigate to Policy Path: Computer + Configuration\Administrative Templates\Mozilla\Firefox Policy Name: Disable Firefox + Studies Policy State: Enabled macOS "plist" file: + <key>DisableFirefoxStudies</key> <true/> Linux "policies.json" + file: Add the following in the policies section: "DisableFirefoxStudies": true + + + + Type "about:policies" in the browser address bar. If + "DisableFirefoxStudies" is not displayed under Policy Name or the Policy Value + does not have a value of "true", this is a finding. + + + + + + + + + NIWC Atlantic + root + + WORK-UBUNTU + 127.0.0.1 + ::1/128 + 192.168.0.183 + fe80::2a6e:7350:8774:e140/64 + 172.18.0.1 + + WORK-UBUNTU + . + WORK-UBUNTU.. + Ubuntu + 22.04 + Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz + x86_64 + 3434 + 15938 + System manufacturer + System Serial Number + 0610 + System Product Name + + enp3s0 + 192.168.0.183 + fe80::2a6e:7350:8774:e140/64 + 30:85:a9:9c:7f:7c + lo + 127.0.0.1 + ::1/128 + 00:00:00:00:00:00 + br-8ff80a1c4936 + 172.18.0.1 + 02:42:00:3f:97:52 + + + + + fail + CCI-002605 + +--- + +Title : CAT I, V-251545, SV-251545r879827, SRG-APP-000456 +Test Action ID : ocil:navy.navwar.niwcatlantic.scc.firefox.linux:testaction:1 +Question : Run Firefox. Click the ellipsis button >> Help >> About Firefox, and view the version number. + : + : If the Firefox version is not a supported version, this is a finding. + : + : References: + : CCI-002605 +Answer : Finding +Artifact Ref : ocil:root:artifact:1 +Artifact Data : + : sdwwad + : + : +Result : FAIL + + + + + Run Firefox. Click the ellipsis button >> Help >> + About Firefox, and view the version number. If the Firefox version is not a + supported version, this is a finding. + + + + fail + CCI-001453 + Result : false +Tests : false (All child checks must be true.) 
+ : false (SSLVersionMin is set to tls1.2 or tls1.3) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10100 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="SSLVersionMin")"SSLVersionMin":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:10100 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern '"tls1\.[23]"' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser window. If "SSLVersionMin" + is not displayed under Policy Name or the Policy Value is not "tls1.2" or + "tls1.3", this is a finding. + + + + fail + CCI-000187 + Result : false +Tests : false (All child checks must be true.) + : false (security.default_personal_cert Value set to Ask Every Time) + : false (security.default_personal_cert Status set to locked) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10200 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="security\.default_personal_cert")"security\.default_personal_cert":\s*\{\s*[^}]+(?=[^"])Value":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:10200 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern '"Ask Every Time"' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10201 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="security\.default_personal_cert")"security\.default_personal_cert":\s*\{\s*[^}]+(?=[^"])Status":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:3 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern '"locked"' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. 
If + "security.default_personal_cert" is not displayed with a value of "Ask Every + Time", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (browser.search.update Value set to false) + : false (browser.search.update Status set to locked) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10300 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="browser\.search\.update")"browser\.search\.update":\s*\{\s*[^}]+(?=[^"])Value":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10301 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="browser\.search\.update")"browser\.search\.update":\s*\{\s*[^}]+(?=[^"])Status":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:3 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern '"locked"' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "browser.search.update" is not displayed with a value of "false", this is a + finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (ExtensionUpdate is set false) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10400 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="ExtensionUpdate")"ExtensionUpdate":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser window. If "ExtensionUpdate" + is not displayed under Policy Name or the Policy Value is not "false", this is a + finding. + + + + pass + CCI-001242 + +--- + +Title : CAT II, V-251550, SV-251550r879664, SRG-APP-000278 +Test Action ID : ocil:navy.navwar.niwcatlantic.scc.firefox.linux:testaction:101 +Question : Type "about:preferences" in the browser address bar. + : + : Type "Applications" in the Find bar in the upper-right corner. + : + : Determine if any of the following file extensions are listed: HTA, JSE, JS, MOCHA, SHS, VBE, VBS, SCT, WSC, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, DOS, BAT, PS, EPS, WCH, WCM, WB1, WB3, WCH, WCM, AD. + : + : If the entry exists and the "Action" is "Save File" or "Always Ask", this is not a finding. + : + : If an extension exists and the entry in the Action column is associated with an application that does/can execute the code, this is a finding. + : + : References: + : CCI-001242 +Answer : Not a Finding +Artifact Ref : ocil:root:artifact:2 +Artifact Data : + : awdawd + : + : +Result : PASS + + + + + Type "about:preferences" in the browser address bar. Type + "Applications" in the Find bar in the upper-right corner. 
Determine if any of + the following file extensions are listed: HTA, JSE, JS, MOCHA, SHS, VBE, VBS, + SCT, WSC, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, DOS, BAT, PS, EPS, WCH, WCM, WB1, + WB3, WCH, WCM, AD. If the entry exists and the "Action" is "Save File" or + "Always Ask", this is not a finding. If an extension exists and the entry in the + Action column is associated with an application that does/can execute the code, + this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (DisableFormHistory is set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10600 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="DisableFormHistory")"DisableFormHistory":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser window. If + "DisableFormHistory" is not displayed under Policy Name or the Policy Value is + not "true", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) 
+ : false (PasswordManagerEnabled is set to false) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10700 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="PasswordManagerEnabled")"PasswordManagerEnabled":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser window. If + "PasswordManagerEnabled" is not displayed under Policy Name or the Policy Value + is not "false", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (PopupBlocking Default is set to true) + : false (PopupBlocking Locked is set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10800 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="PopupBlocking")"PopupBlocking":\s*\{\s*[^}]+?(?=[^"])Default":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10801 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="PopupBlocking")"PopupBlocking":\s*\{\s*[^}]+?(?=[^"])Locked":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "PopupBlocking" is not displayed under Policy Name or the Policy Value is not + "Default" "true", this is a finding. 
If "PopupBlocking" is not displayed under + Policy Name or the Policy Value is not "Locked" "true", this is a finding. + "PopupBlocking" "Enabled" may be used to specify an allowlist of sites where + pop-ups are desired, this is optional. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (dom.disable_window_move_resize Value set to true) + : false (dom.disable_window_move_resize Status set to locked) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10900 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="dom\.disable_window_move_resize")"dom\.disable_window_move_resize":\s*\{\s*[^}]+(?=[^"])Value":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:10901 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="dom\.disable_window_move_resize")"dom\.disable_window_move_resize":\s*\{\s*[^}]+(?=[^"])Status":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:3 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern '"locked"' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "dom.disable_window_move_resize" is not displayed with a value of "true", this + is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (dom.disable_window_flip Value set to true) + : false (dom.disable_window_flip Status set to locked) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11000 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="dom\.disable_window_flip")"dom\.disable_window_flip":\s*\{\s*[^}]+(?=[^"])Value":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11001 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="dom\.disable_window_flip")"dom\.disable_window_flip":\s*\{\s*[^}]+(?=[^"])Status":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:3 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern '"locked"' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. 
If + "dom.disable_window_flip" is not displayed with a value of "true", this is a + finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (InstallAddonsPermission Default set to false) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11200 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="InstallAddonsPermission")"InstallAddonsPermission":\s*\{\s*[^}]+?(?=[^"])Default":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "InstallAddonsPermission" is not displayed under Policy Name or the Policy Value + is not "Default" "false", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (DisableTelemetry is set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11300 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="DisableTelemetry")"DisableTelemetry":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser window. If + "DisableTelemetry" is not displayed under Policy Name or the Policy Value is not + "true", this is a finding. + + + + fail + CCI-001312 + Result : false +Tests : false (All child checks must be true.) + : false (DisableDeveloperTools is set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11400 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="DisableDeveloperTools")"DisableDeveloperTools":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser window. If + "DisableDeveloperTools" is not displayed under Policy Name or the Policy Value + is not "true", this is a finding. + + + + notchecked + CCI-000185 + +--- + +Title : CAT II, V-251560, SV-251560r918133, SRG-APP-000175 +Test Action ID : ocil:navy.navwar.niwcatlantic.scc.firefox.linux:testaction:281 +Question : Type "about:preferences#privacy" in the browser window. + : + : Scroll down to the bottom and select "View Certificates...". + : + : In the Certificate Manager window, select the "Authorities" tab. + : + : Scroll through the Certificate Name list to the U.S. Government heading. Look for the entries for DOD Root CA 2, DOD Root CA 3, DOD Root CA 4, and DOD Root CA 5. + : + : If there are entries for DOD Root CA 2, DOD Root CA 3, DOD Root CA 4, and DOD Root CA 5, select them individually. + : + : Click the "View" button. + : + : Verify the publishing organization is "US Government". + : + : If there are no entries for the appropriate DOD root certificates, this is a finding. If other AO-approved certificates are used, this is not a finding. If SIPRNet-specific certificates are used, this is not a finding. 
+ : + : Note: In a Windows environment, use of policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store. This is not a finding. It may also be set via the policy Certificates >> ImportEnterpriseRoots, which can be verified via "about:policies". + : + : References: + : CCI-000185 +Result : NOT_TESTED + + + + + Type "about:preferences#privacy" in the browser window. Scroll + down to the bottom and select "View Certificates...". In the Certificate Manager + window, select the "Authorities" tab. Scroll through the Certificate Name list + to the U.S. Government heading. Look for the entries for DOD Root CA 2, DOD Root + CA 3, DOD Root CA 4, and DOD Root CA 5. If there are entries for DOD Root CA 2, + DOD Root CA 3, DOD Root CA 4, and DOD Root CA 5, select them individually. Click + the "View" button. Verify the publishing organization is "US Government". If + there are no entries for the appropriate DOD root certificates, this is a + finding. If other AO-approved certificates are used, this is not a finding. If + SIPRNet-specific certificates are used, this is not a finding. Note: In a + Windows environment, use of policy setting + "security.enterprise_roots.enabled=true" will point Firefox to the Windows + Trusted Root Certification Authority Store. This is not a finding. It may also + be set via the policy Certificates >> ImportEnterpriseRoots, which can be + verified via "about:policies". + + + + fail + CCI-002355 + Result : false +Tests : false (All child checks must be true.) + : false (DisableForgetButton is set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11700 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="DisableForgetButton")"DisableForgetButton":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "DisableForgetButton" is not displayed under Policy Name or the Policy Value is + not "true", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (DisablePrivateBrowsing is set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11800 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="DisablePrivateBrowsing")"DisablePrivateBrowsing":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser window. If + "DisablePrivateBrowsing" is not displayed under Policy Name or the Policy Value + is not "true", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (SearchSuggestEnabled is set to false) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11900 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="SearchSuggestEnabled")"SearchSuggestEnabled":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser window. If + "SearchSuggestEnabled" is not displayed under Policy Name or the Policy Value is + not "false", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (Autoplay Default is set to block-audio-video) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12000 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Permissions")"Permissions":\s*\{[\s\S]*?(?="Autoplay")"Autoplay":\s*\{\s*[^}]+(?=[^"])Default":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:12000 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern '"block-audio-video"' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "Permissions" is not displayed under Policy Name or the Policy Value is not + "Autoplay" with a value of "Default" and "Block-audio-video", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (NetworkPrediction is set to false) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12100 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="NetworkPrediction")"NetworkPrediction":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser window. If + "NetworkPrediction" is not displayed under Policy Name or the Policy Value is + not "false", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (EnableTrackingProtection Fingerprinting set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12200 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="EnableTrackingProtection")"EnableTrackingProtection":\s*\{\s*[^}]+?(?=[^"])Fingerprinting":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "EnableTrackingProtection" is not displayed under Policy Name or the Policy + Value is not "Fingerprinting" with a value of "true", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (EnableTrackingProtection Cryptomining set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12300 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="EnableTrackingProtection")"EnableTrackingProtection":\s*\{\s*[^}]+?(?=[^"])Cryptomining":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "EnableTrackingProtection" is not displayed under Policy Name or the Policy + Value is not "Cryptomining" with a value of "true", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (browser.contentblocking.category Value set to strict) + : false (browser.contentblocking.category Status set to locked) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12400 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="browser\.contentblocking\.category")"browser\.contentblocking\.category":\s*\{\s*[^}]+(?=[^"])Value":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:12400 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern '"strict"' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12401 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="browser\.contentblocking\.category")"browser\.contentblocking\.category":\s*\{\s*[^}]+(?=[^"])Status":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:3 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern '"locked"' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. 
If + "browser.contentblocking.category" is not displayed with a value of "strict", + this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (extensions.htmlaboutaddons.recommendations.enabled Value set to false) + : false (extensions.htmlaboutaddons.recommendations.enabled Status set to locked) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12500 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="extensions\.htmlaboutaddons\.recommendations\.enabled")"extensions\.htmlaboutaddons\.recommendations\.enabled":\s*\{\s*[^}]+(?=[^"])Value":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12501 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="Preferences")"Preferences":\s*\{[\s\S]*?(?="extensions\.htmlaboutaddons\.recommendations\.enabled")"extensions\.htmlaboutaddons\.recommendations\.enabled":\s*\{\s*[^}]+(?=[^"])Status":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:3 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern '"locked"' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "extensions.htmlaboutaddons.recommendations.enabled" is not displayed with a + value of "false", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (DisabledCiphers TLS_RSA_WITH_3DES_EDE_CBC_SHA set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12600 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="DisabledCiphers")"DisabledCiphers":\s*\{\s*[^}]+?(?=[^"])TLS_RSA_WITH_3DES_EDE_CBC_SHA":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "DisabledCiphers" is not displayed under Policy Name or the Policy Value is not + "TLS_RSA_WITH_3DES_EDE_CBC_SHA" with a value of "true", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (UserMessaging ExtensionRecommendations set to false) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12700 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="UserMessaging")"UserMessaging":\s*\{\s*[^}]+?(?=[^"])ExtensionRecommendations":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "UserMessaging" is not displayed under Policy Name or the Policy Value is not + "ExtensionRecommendations" with a value of "false", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (FirefoxHome TopSites set to false) + : false (FirefoxHome SponsoredTopSites set to false) + : false (FirefoxHome Pocket set to false) + : false (FirefoxHome SponsoredPocket set to false) + : false (FirefoxHome Highlights set to false) + : false (FirefoxHome Snippets set to false) + : false (FirefoxHome Locked set to true) + : false (FirefoxHome Search set to false) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12800 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="FirefoxHome")"FirefoxHome":\s*\{\s*[^}]+?(?=[^"])TopSites":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12801 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="FirefoxHome")"FirefoxHome":\s*\{\s*[^}]+?(?=[^"])SponsoredTopSites":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12802 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="FirefoxHome")"FirefoxHome":\s*\{\s*[^}]+?(?=[^"])Pocket":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12803 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="FirefoxHome")"FirefoxHome":\s*\{\s*[^}]+?(?=[^"])SponsoredPocket":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12804 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="FirefoxHome")"FirefoxHome":\s*\{\s*[^}]+?(?=[^"])Highlights":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12805 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="FirefoxHome")"FirefoxHome":\s*\{\s*[^}]+?(?=[^"])Snippets":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12806 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="FirefoxHome")"FirefoxHome":\s*\{\s*[^}]+?(?=[^"])Locked":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:12807 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="FirefoxHome")"FirefoxHome":\s*\{\s*[^}]+?(?=[^"])Search":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "FirefoxHome" is not displayed under Policy Name or the Policy Value does not + have "Search" with a value of "false", this is a finding. 
If "FirefoxHome" is + not displayed under Policy Name or the Policy Value does not have "TopSites" + with a value of "false", this is a finding. If "FirefoxHome" is not displayed + under Policy Name or the Policy Value does not have "SponsoredTopSites" with a + value of "false", this is a finding. If "FirefoxHome" is not displayed under + Policy Name or the Policy Value does not have "Pocket" with a value of "false", + this is a finding. If "FirefoxHome" is not displayed under Policy Name or the + Policy Value does not have "SponsoredPocket" with a value of "false", this is a + finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value + does not have "Highlights" with a value of "false", this is a finding. If + "FirefoxHome" is not displayed under Policy Name or the Policy Value does not + have "Snippets" with a value of "false", this is a finding. If "FirefoxHome" is + not displayed under Policy Name or the Policy Value does not have "Locked" with + a value of "true", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (DNSOverHTTPS Enabled set to false) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:13200 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="DNSOverHTTPS")"DNSOverHTTPS":\s*\{\s*[^}]+?(?=[^"])Enabled":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "DNSOverHTTPS" is not displayed under Policy Name or the Policy Value does not + have "Enabled" with a value of "false", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (DisableFirefoxAccounts set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:13300 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="DisableFirefoxAccounts")"DisableFirefoxAccounts":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "DisableFirefoxAccounts" is not displayed under Policy Name or the Policy Value + is not "true", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (DisableFeedbackCommands set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:13500 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="DisableFeedbackCommands")"DisableFeedbackCommands":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. If + "DisableFeedbackCommands" is not displayed under Policy Name or the Policy Value + is not "true", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (EncryptedMediaExtensions Enabled is set to false) + : false (EncryptedMediaExtensions Locked is set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:13600 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). 
+Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="EncryptedMediaExtensions")"EncryptedMediaExtensions":\s*\{\s*[^}]+?(?=[^"])Enabled":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:13601 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="EncryptedMediaExtensions")"EncryptedMediaExtensions":\s*\{\s*[^}]+?(?=[^"])Locked":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. 
If + "EncryptedMediaExtensions" is not displayed under Policy Name or the Policy + Value does not have "Enabled" set to "false" or the Policy Value does not have + "Locked" set to "true", this is a finding. + + + + fail + CCI-000381 + Result : false +Tests : false (All child checks must be true.) + : false (SanitizeOnShutdown Cache is set to false) + : false (SanitizeOnShutdown Cookies is set to false) + : false (SanitizeOnShutdown Downloads is set to false) + : false (SanitizeOnShutdown FormData is set to false) + : false (SanitizeOnShutdown History is set to false) + : false (SanitizeOnShutdown Sessions is set to false) + : false (SanitizeOnShutdown SiteSettings is set to false) + : false (SanitizeOnShutdown OfflineApps is set to false) + : false (SanitizeOnShutdown Locked is set to true) + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11600 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="SanitizeOnShutdown")"SanitizeOnShutdown":\s*\{\s*[^}]+?(?=[^"])Cache":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11601 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. 
+Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="SanitizeOnShutdown")"SanitizeOnShutdown":\s*\{\s*[^}]+?(?=[^"])Cookies":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11602 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="SanitizeOnShutdown")"SanitizeOnShutdown":\s*\{\s*[^}]+?(?=[^"])Downloads":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11603 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. 
+Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="SanitizeOnShutdown")"SanitizeOnShutdown":\s*\{\s*[^}]+?(?=[^"])FormData":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11604 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="SanitizeOnShutdown")"SanitizeOnShutdown":\s*\{\s*[^}]+?(?=[^"])History":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11605 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. 
+Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="SanitizeOnShutdown")"SanitizeOnShutdown":\s*\{\s*[^}]+?(?=[^"])Sessions":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11606 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="SanitizeOnShutdown")"SanitizeOnShutdown":\s*\{\s*[^}]+?(?=[^"])SiteSettings":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11607 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. 
+Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="SanitizeOnShutdown")"SanitizeOnShutdown":\s*\{\s*[^}]+?(?=[^"])OfflineApps":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:2 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'false' +Additional Information : Collected Item did not meet the check existence requirement. + +--- + +Test ID : oval:mil.disa.stig.firefox.linux:tst:11608 (textfilecontent54_test) +Result : false +Check Existence : One or more collected items must exist. +Check : All collected items must match the given state(s). +Object Requirement : for path, at least one of the following must be true: +Object Requirement : path must be equal to '/etc/firefox/policies' +Object Requirement : path must be equal to '/distribution' +Object Requirement : filename must be equal to 'policies.json' +Object Requirement : pattern must match the pattern '^(?i)\{\s*"policies":\s*\{[\s\S]*?(?="SanitizeOnShutdown")"SanitizeOnShutdown":\s*\{\s*[^}]+?(?=[^"])Locked":\s*([^,}]+),*?\s*' +Object Requirement : instance must be equal to '1' +State ID : oval:mil.disa.stig.firefox.linux:ste:1 (textfilecontent54_state) +State Requirement : check_existence = 'at_least_one_exists', subexpression must match the pattern 'true' +Additional Information : Collected Item did not meet the check existence requirement. + + + + + Type "about:policies" in the browser address bar. 
If + "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does + not have + {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, + this is a finding. + + + + notchecked + CCI-000381 + +--- + +Title : CAT II, V-252908, SV-252908r879587, SRG-APP-000141 +Test Action ID : ocil:navy.navwar.niwcatlantic.scc.firefox.linux:testaction:641 +Question : Type "about:policies" in the browser address bar. + : + : If "DisablePocket" is not displayed under Policy Name or the Policy Value does not have a value of "true", this is a finding. + : + : References: + : CCI-000381 +Result : NOT_TESTED + + + + + Type "about:policies" in the browser address bar. If + "DisablePocket" is not displayed under Policy Name or the Policy Value does not + have a value of "true", this is a finding. + + + + notapplicable + CCI-000381 + +--- + +Title : CAT II, V-252909, SV-252909r879587, SRG-APP-000141 +Test Action ID : ocil:navy.navwar.niwcatlantic.scc.firefox.linux:testaction:661 +Question : Type "about:policies" in the browser address bar. + : + : If "DisableFirefoxStudies" is not displayed under Policy Name or the Policy Value does not have a value of "true", this is a finding. + : + : References: + : CCI-000381 +Answer : Not Applicable +Artifact Ref : ocil:root:artifact:3 +Artifact Data : + : awdawd + : + : +Result : NOT_APPLICABLE + + + + + Type "about:policies" in the browser address bar. If + "DisableFirefoxStudies" is not displayed under Policy Name or the Policy Value + does not have a value of "true", this is a finding. + + + 3.23 + 3.23 + 3.2258064516129 + 10 + 1 + 0 + + \ No newline at end of file diff --git a/index.d.ts b/index.d.ts new file mode 100644 index 0000000..194d499 --- /dev/null +++ b/index.d.ts @@ -0,0 +1,2 @@ +declare module 'stig-manager-client-modules'; + diff --git a/index.js b/index.js new file mode 100644 index 0000000..198e537 --- /dev/null 
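Review bot: The shorthand ambient declaration `declare module 'stig-manager-client-modules';` in the new index.d.ts types every export of the package as `any`, so TypeScript consumers get no checking at all on the `reviewsFromCkl`, `reviewsFromCklb`, `reviewsFromXccdf`, `reviewsFromScc` and `TaskObject` surface that index.js exposes. Consider replacing it with a module declaration that lists those five exports with their parameter and return types, or generating the declaration file from JSDoc annotations in the sources. As written, the file also documents nothing about what the parsers accept or return, which is exactly where a typed declaration would help the most.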
+++ b/index.js
@@ -0,0 +1,10 @@
+import {reviewsFromCkl, reviewsFromCklb, reviewsFromXccdf, reviewsFromScc} from './ReviewParser.js'
+import TaskObject from './TaskObject.js'
+
+export {
+ reviewsFromCkl,
+ reviewsFromCklb,
+ reviewsFromXccdf,
+ reviewsFromScc,
+ TaskObject
+}
\ No newline at end of file
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 0000000..ccea5bc
--- /dev/null
+++ b/package-lock.json
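Review bot: The new entry point relies on automatic semicolon insertion on both `import` lines and omits the trailing newline (`\ No newline at end of file`); terminating the statements, e.g. `import TaskObject from './TaskObject.js';`, and ending the file with a newline keeps the barrel consistent with the usual ESM style and avoids a spurious diff on the closing line the next time an export is appended. A one-line header comment stating that this file defines the package's public surface and that every consumer-facing export must be listed here would also help maintainers keep it in step with the type declaration.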
@@ -0,0 +1,1603 @@ +{ + "name": "stig-manager-client-modules", + "version": "1.0.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "stig-manager-client-modules", + "version": "1.0.0", + "license": "MIT", + "dependencies": { + "fast-xml-parser": "^4.3.2" + }, + "devDependencies": { + "c8": "^8.0.1", + "chai": "^4.3.10", + "mocha": "^10.2.0", + "rollup": "^4.8.0" + } + }, + "node_modules/@bcoe/v8-coverage": { + "version": "0.2.3", + "resolved": "https://registry.npmjs.org/@bcoe/v8-coverage/-/v8-coverage-0.2.3.tgz", + "integrity": "sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==", + "dev": true + }, + "node_modules/@istanbuljs/schema": { + "version": "0.1.3", + "resolved": "https://registry.npmjs.org/@istanbuljs/schema/-/schema-0.1.3.tgz", + "integrity": "sha512-ZXRY4jNvVgSVQ8DL3LTcakaAtXwTVUxE81hslsyD2AtoXW/wVob10HkOJ1X/pAlcI7D+2YoZKg5do8G/w6RYgA==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/@jridgewell/resolve-uri": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.1.tgz", + "integrity": "sha512-dSYZh7HhCDtCKm4QakX0xFpsRDqjjtZf/kjI/v3T3Nwt5r8/qz/M19F9ySyOqU94SXBmeG9ttTul+YnR4LOxFA==", + "dev": true, + "engines": { + "node": ">=6.0.0" + } + }, + "node_modules/@jridgewell/sourcemap-codec": { + "version": "1.4.15", + "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.15.tgz", + "integrity": "sha512-eF2rxCRulEKXHTRiDrDy6erMYWqNw4LPdQ8UQA4huuxaQsVeRPFl2oM8oDGxMFhJUWZf9McpLtJasDDZb/Bpeg==", + "dev": true + }, + "node_modules/@jridgewell/trace-mapping": { + "version": "0.3.20", + "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.20.tgz", + "integrity": "sha512-R8LcPeWZol2zR8mmH3JeKQ6QRCFb7XgUhV9ZlGhHLGyg4wpPiPZNQOOWhFZhxKw8u//yTbNGI42Bx/3paXEQ+Q==", + "dev": true, + "dependencies": { + "@jridgewell/resolve-uri": "^3.1.0", + 
"@jridgewell/sourcemap-codec": "^1.4.14" + } + }, + "node_modules/@rollup/rollup-android-arm-eabi": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.9.0.tgz", + "integrity": "sha512-+1ge/xmaJpm1KVBuIH38Z94zj9fBD+hp+/5WLaHgyY8XLq1ibxk/zj6dTXaqM2cAbYKq8jYlhHd6k05If1W5xA==", + "cpu": [ + "arm" + ], + "dev": true, + "optional": true, + "os": [ + "android" + ] + }, + "node_modules/@rollup/rollup-android-arm64": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.9.0.tgz", + "integrity": "sha512-im6hUEyQ7ZfoZdNvtwgEJvBWZYauC9KVKq1w58LG2Zfz6zMd8gRrbN+xCVoqA2hv/v6fm9lp5LFGJ3za8EQH3A==", + "cpu": [ + "arm64" + ], + "dev": true, + "optional": true, + "os": [ + "android" + ] + }, + "node_modules/@rollup/rollup-darwin-arm64": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.9.0.tgz", + "integrity": "sha512-u7aTMskN6Dmg1lCT0QJ+tINRt+ntUrvVkhbPfFz4bCwRZvjItx2nJtwJnJRlKMMaQCHRjrNqHRDYvE4mBm3DlQ==", + "cpu": [ + "arm64" + ], + "dev": true, + "optional": true, + "os": [ + "darwin" + ] + }, + "node_modules/@rollup/rollup-darwin-x64": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.9.0.tgz", + "integrity": "sha512-8FvEl3w2ExmpcOmX5RJD0yqXcVSOqAJJUJ29Lca29Ik+3zPS1yFimr2fr5JSZ4Z5gt8/d7WqycpgkX9nocijSw==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "darwin" + ] + }, + "node_modules/@rollup/rollup-linux-arm-gnueabihf": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.9.0.tgz", + "integrity": "sha512-lHoKYaRwd4gge+IpqJHCY+8Vc3hhdJfU6ukFnnrJasEBUvVlydP8PuwndbWfGkdgSvZhHfSEw6urrlBj0TSSfg==", + "cpu": [ + "arm" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ] + }, + 
"node_modules/@rollup/rollup-linux-arm64-gnu": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.9.0.tgz", + "integrity": "sha512-JbEPfhndYeWHfOSeh4DOFvNXrj7ls9S/2omijVsao+LBPTPayT1uKcK3dHW3MwDJ7KO11t9m2cVTqXnTKpeaiw==", + "cpu": [ + "arm64" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-arm64-musl": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.9.0.tgz", + "integrity": "sha512-ahqcSXLlcV2XUBM3/f/C6cRoh7NxYA/W7Yzuv4bDU1YscTFw7ay4LmD7l6OS8EMhTNvcrWGkEettL1Bhjf+B+w==", + "cpu": [ + "arm64" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-riscv64-gnu": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.9.0.tgz", + "integrity": "sha512-uwvOYNtLw8gVtrExKhdFsYHA/kotURUmZYlinH2VcQxNCQJeJXnkmWgw2hI9Xgzhgu7J9QvWiq9TtTVwWMDa+w==", + "cpu": [ + "riscv64" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-x64-gnu": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.9.0.tgz", + "integrity": "sha512-m6pkSwcZZD2LCFHZX/zW2aLIISyzWLU3hrLLzQKMI12+OLEzgruTovAxY5sCZJkipklaZqPy/2bEEBNjp+Y7xg==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-linux-x64-musl": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.9.0.tgz", + "integrity": "sha512-VFAC1RDRSbU3iOF98X42KaVicAfKf0m0OvIu8dbnqhTe26Kh6Ym9JrDulz7Hbk7/9zGc41JkV02g+p3BivOdAg==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "linux" + ] + }, + "node_modules/@rollup/rollup-win32-arm64-msvc": { + "version": 
"4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.9.0.tgz", + "integrity": "sha512-9jPgMvTKXARz4inw6jezMLA2ihDBvgIU9Ml01hjdVpOcMKyxFBJrn83KVQINnbeqDv0+HdO1c09hgZ8N0s820Q==", + "cpu": [ + "arm64" + ], + "dev": true, + "optional": true, + "os": [ + "win32" + ] + }, + "node_modules/@rollup/rollup-win32-ia32-msvc": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.9.0.tgz", + "integrity": "sha512-WE4pT2kTXQN2bAv40Uog0AsV7/s9nT9HBWXAou8+++MBCnY51QS02KYtm6dQxxosKi1VIz/wZIrTQO5UP2EW+Q==", + "cpu": [ + "ia32" + ], + "dev": true, + "optional": true, + "os": [ + "win32" + ] + }, + "node_modules/@rollup/rollup-win32-x64-msvc": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.9.0.tgz", + "integrity": "sha512-aPP5Q5AqNGuT0tnuEkK/g4mnt3ZhheiXrDIiSVIHN9mcN21OyXDVbEMqmXPE7e2OplNLDkcvV+ZoGJa2ZImFgw==", + "cpu": [ + "x64" + ], + "dev": true, + "optional": true, + "os": [ + "win32" + ] + }, + "node_modules/@types/istanbul-lib-coverage": { + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/@types/istanbul-lib-coverage/-/istanbul-lib-coverage-2.0.6.tgz", + "integrity": "sha512-2QF/t/auWm0lsy8XtKVPG19v3sSOQlJe/YHZgfjb/KBBHOGSV+J2q/S671rcq9uTBrLAXmZpqJiaQbMT+zNU1w==", + "dev": true + }, + "node_modules/ansi-colors": { + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-4.1.1.tgz", + "integrity": "sha512-JoX0apGbHaUJBNl6yF+p6JAFYZ666/hhCGKN5t9QFjbJQKUU/g8MNbFDbvfrgKXvI1QpZplPOnwIo99lX/AAmA==", + "dev": true, + "engines": { + "node": ">=6" + } + }, + "node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "dev": true, + "engines": { + "node": ">=8" + 
} + }, + "node_modules/ansi-styles": { + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz", + "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==", + "dev": true, + "dependencies": { + "color-convert": "^2.0.1" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/anymatch": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz", + "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==", + "dev": true, + "dependencies": { + "normalize-path": "^3.0.0", + "picomatch": "^2.0.4" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/argparse": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz", + "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==", + "dev": true + }, + "node_modules/assertion-error": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/assertion-error/-/assertion-error-1.1.0.tgz", + "integrity": "sha512-jgsaNduz+ndvGyFt3uSuWqvy4lCnIJiovtouQN5JZHOKCS2QuhEdbcQHFhVksz2N2U9hXJo8odG7ETyWlEeuDw==", + "dev": true, + "engines": { + "node": "*" + } + }, + "node_modules/balanced-match": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", + "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", + "dev": true + }, + "node_modules/binary-extensions": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.2.0.tgz", + "integrity": "sha512-jDctJ/IVQbZoJykoeHbhXpOlNBqGNcwXJKJog42E5HDPUwQTSdjCHdihjj0DlnheQ7blbT6dHOafNAiS8ooQKA==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + 
"node_modules/brace-expansion": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz", + "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==", + "dev": true, + "dependencies": { + "balanced-match": "^1.0.0" + } + }, + "node_modules/braces": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz", + "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==", + "dev": true, + "dependencies": { + "fill-range": "^7.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/browser-stdout": { + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/browser-stdout/-/browser-stdout-1.3.1.tgz", + "integrity": "sha512-qhAVI1+Av2X7qelOfAIYwXONood6XlZE/fXaBSmW/T5SzLAmCgzi+eiWE7fUvbHaeNBQH13UftjpXxsfLkMpgw==", + "dev": true + }, + "node_modules/c8": { + "version": "8.0.1", + "resolved": "https://registry.npmjs.org/c8/-/c8-8.0.1.tgz", + "integrity": "sha512-EINpopxZNH1mETuI0DzRA4MZpAUH+IFiRhnmFD3vFr3vdrgxqi3VfE3KL0AIL+zDq8rC9bZqwM/VDmmoe04y7w==", + "dev": true, + "dependencies": { + "@bcoe/v8-coverage": "^0.2.3", + "@istanbuljs/schema": "^0.1.3", + "find-up": "^5.0.0", + "foreground-child": "^2.0.0", + "istanbul-lib-coverage": "^3.2.0", + "istanbul-lib-report": "^3.0.1", + "istanbul-reports": "^3.1.6", + "rimraf": "^3.0.2", + "test-exclude": "^6.0.0", + "v8-to-istanbul": "^9.0.0", + "yargs": "^17.7.2", + "yargs-parser": "^21.1.1" + }, + "bin": { + "c8": "bin/c8.js" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/c8/node_modules/cliui": { + "version": "8.0.1", + "resolved": "https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz", + "integrity": "sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==", + "dev": true, + "dependencies": { + "string-width": "^4.2.0", + "strip-ansi": "^6.0.1", + "wrap-ansi": "^7.0.0" + 
}, + "engines": { + "node": ">=12" + } + }, + "node_modules/c8/node_modules/yargs": { + "version": "17.7.2", + "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz", + "integrity": "sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==", + "dev": true, + "dependencies": { + "cliui": "^8.0.1", + "escalade": "^3.1.1", + "get-caller-file": "^2.0.5", + "require-directory": "^2.1.1", + "string-width": "^4.2.3", + "y18n": "^5.0.5", + "yargs-parser": "^21.1.1" + }, + "engines": { + "node": ">=12" + } + }, + "node_modules/c8/node_modules/yargs-parser": { + "version": "21.1.1", + "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-21.1.1.tgz", + "integrity": "sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==", + "dev": true, + "engines": { + "node": ">=12" + } + }, + "node_modules/chai": { + "version": "4.3.10", + "resolved": "https://registry.npmjs.org/chai/-/chai-4.3.10.tgz", + "integrity": "sha512-0UXG04VuVbruMUYbJ6JctvH0YnC/4q3/AkT18q4NaITo91CUm0liMS9VqzT9vZhVQ/1eqPanMWjBM+Juhfb/9g==", + "dev": true, + "dependencies": { + "assertion-error": "^1.1.0", + "check-error": "^1.0.3", + "deep-eql": "^4.1.3", + "get-func-name": "^2.0.2", + "loupe": "^2.3.6", + "pathval": "^1.1.1", + "type-detect": "^4.0.8" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/chalk": { + "version": "4.1.2", + "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz", + "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==", + "dev": true, + "dependencies": { + "ansi-styles": "^4.1.0", + "supports-color": "^7.1.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/chalk?sponsor=1" + } + }, + "node_modules/chalk/node_modules/supports-color": { + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz", + "integrity": 
"sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==", + "dev": true, + "dependencies": { + "has-flag": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/check-error": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/check-error/-/check-error-1.0.3.tgz", + "integrity": "sha512-iKEoDYaRmd1mxM90a2OEfWhjsjPpYPuQ+lMYsoxB126+t8fw7ySEO48nmDg5COTjxDI65/Y2OWpeEHk3ZOe8zg==", + "dev": true, + "dependencies": { + "get-func-name": "^2.0.2" + }, + "engines": { + "node": "*" + } + }, + "node_modules/chokidar": { + "version": "3.5.3", + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.5.3.tgz", + "integrity": "sha512-Dr3sfKRP6oTcjf2JmUmFJfeVMvXBdegxB0iVQ5eb2V10uFJUCAS8OByZdVAyVb8xXNz3GjjTgj9kLWsZTqE6kw==", + "dev": true, + "funding": [ + { + "type": "individual", + "url": "https://paulmillr.com/funding/" + } + ], + "dependencies": { + "anymatch": "~3.1.2", + "braces": "~3.0.2", + "glob-parent": "~5.1.2", + "is-binary-path": "~2.1.0", + "is-glob": "~4.0.1", + "normalize-path": "~3.0.0", + "readdirp": "~3.6.0" + }, + "engines": { + "node": ">= 8.10.0" + }, + "optionalDependencies": { + "fsevents": "~2.3.2" + } + }, + "node_modules/cliui": { + "version": "7.0.4", + "resolved": "https://registry.npmjs.org/cliui/-/cliui-7.0.4.tgz", + "integrity": "sha512-OcRE68cOsVMXp1Yvonl/fzkQOyjLSu/8bhPDfQt0e0/Eb283TKP20Fs2MqoPsr9SwA595rRCA+QMzYc9nBP+JQ==", + "dev": true, + "dependencies": { + "string-width": "^4.2.0", + "strip-ansi": "^6.0.0", + "wrap-ansi": "^7.0.0" + } + }, + "node_modules/color-convert": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz", + "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==", + "dev": true, + "dependencies": { + "color-name": "~1.1.4" + }, + "engines": { + "node": ">=7.0.0" + } + }, + "node_modules/color-name": { + "version": "1.1.4", + "resolved": 
"https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", + "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==", + "dev": true + }, + "node_modules/concat-map": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", + "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==", + "dev": true + }, + "node_modules/cross-spawn": { + "version": "7.0.3", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz", + "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==", + "dev": true, + "dependencies": { + "path-key": "^3.1.0", + "shebang-command": "^2.0.0", + "which": "^2.0.1" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/debug": { + "version": "4.3.4", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz", + "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==", + "dev": true, + "dependencies": { + "ms": "2.1.2" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/debug/node_modules/ms": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", + "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==", + "dev": true + }, + "node_modules/deep-eql": { + "version": "4.1.3", + "resolved": "https://registry.npmjs.org/deep-eql/-/deep-eql-4.1.3.tgz", + "integrity": "sha512-WaEtAOpRA1MQ0eohqZjpGD8zdI0Ovsm8mmFhaDN8dvDZzyoUMcYDnf5Y6iu7HTXxf8JDS23qWa4a+hKCDyOPzw==", + "dev": true, + "dependencies": { + "type-detect": "^4.0.0" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/diff": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/diff/-/diff-5.0.0.tgz", + 
"integrity": "sha512-/VTCrvm5Z0JGty/BWHljh+BAiw3IK+2j87NGMu8Nwc/f48WoDAC395uomO9ZD117ZOBaHmkX1oyLvkVM/aIT3w==", + "dev": true, + "engines": { + "node": ">=0.3.1" + } + }, + "node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "dev": true + }, + "node_modules/escalade": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.1.1.tgz", + "integrity": "sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==", + "dev": true, + "engines": { + "node": ">=6" + } + }, + "node_modules/escape-string-regexp": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-4.0.0.tgz", + "integrity": "sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==", + "dev": true, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/fast-xml-parser": { + "version": "4.3.2", + "resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-4.3.2.tgz", + "integrity": "sha512-rmrXUXwbJedoXkStenj1kkljNF7ugn5ZjR9FJcwmCfcCbtOMDghPajbc+Tck6vE6F5XsDmx+Pr2le9fw8+pXBg==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/NaturalIntelligence" + }, + { + "type": "paypal", + "url": "https://paypal.me/naturalintelligence" + } + ], + "dependencies": { + "strnum": "^1.0.5" + }, + "bin": { + "fxparser": "src/cli/cli.js" + } + }, + "node_modules/fill-range": { + "version": "7.0.1", + "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz", + "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==", + "dev": true, + "dependencies": { + "to-regex-range": "^5.0.1" + }, + 
"engines": { + "node": ">=8" + } + }, + "node_modules/find-up": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/find-up/-/find-up-5.0.0.tgz", + "integrity": "sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==", + "dev": true, + "dependencies": { + "locate-path": "^6.0.0", + "path-exists": "^4.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/flat": { + "version": "5.0.2", + "resolved": "https://registry.npmjs.org/flat/-/flat-5.0.2.tgz", + "integrity": "sha512-b6suED+5/3rTpUBdG1gupIl8MPFCAMA0QXwmljLhvCUKcUvdE4gWky9zpuGCcXHOsz4J9wPGNWq6OKpmIzz3hQ==", + "dev": true, + "bin": { + "flat": "cli.js" + } + }, + "node_modules/foreground-child": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-2.0.0.tgz", + "integrity": "sha512-dCIq9FpEcyQyXKCkyzmlPTFNgrCzPudOe+mhvJU5zAtlBnGVy2yKxtfsxK2tQBThwq225jcvBjpw1Gr40uzZCA==", + "dev": true, + "dependencies": { + "cross-spawn": "^7.0.0", + "signal-exit": "^3.0.2" + }, + "engines": { + "node": ">=8.0.0" + } + }, + "node_modules/fs.realpath": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", + "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==", + "dev": true + }, + "node_modules/fsevents": { + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", + "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", + "dev": true, + "hasInstallScript": true, + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, + "node_modules/get-caller-file": { + "version": "2.0.5", + "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz", + "integrity": 
"sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==", + "dev": true, + "engines": { + "node": "6.* || 8.* || >= 10.*" + } + }, + "node_modules/get-func-name": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/get-func-name/-/get-func-name-2.0.2.tgz", + "integrity": "sha512-8vXOvuE167CtIc3OyItco7N/dpRtBbYOsPsXCz7X/PMnlGjYjSGuZJgM1Y7mmew7BKf9BqvLX2tnOVy1BBUsxQ==", + "dev": true, + "engines": { + "node": "*" + } + }, + "node_modules/glob": { + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.0.tgz", + "integrity": "sha512-lmLf6gtyrPq8tTjSmrO94wBeQbFR3HbLHbuyD69wuyQkImp2hWqMGB47OX65FBkPffO641IP9jWa1z4ivqG26Q==", + "dev": true, + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.0.4", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + }, + "engines": { + "node": "*" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/glob-parent": { + "version": "5.1.2", + "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz", + "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==", + "dev": true, + "dependencies": { + "is-glob": "^4.0.1" + }, + "engines": { + "node": ">= 6" + } + }, + "node_modules/glob/node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dev": true, + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/glob/node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "dev": true, 
+ "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, + "node_modules/has-flag": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz", + "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/he": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/he/-/he-1.2.0.tgz", + "integrity": "sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==", + "dev": true, + "bin": { + "he": "bin/he" + } + }, + "node_modules/html-escaper": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz", + "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==", + "dev": true + }, + "node_modules/inflight": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", + "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", + "dev": true, + "dependencies": { + "once": "^1.3.0", + "wrappy": "1" + } + }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", + "dev": true + }, + "node_modules/is-binary-path": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz", + "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==", + "dev": true, + "dependencies": { + "binary-extensions": "^2.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/is-extglob": { + "version": "2.1.1", + "resolved": 
"https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz", + "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/is-glob": { + "version": "4.0.3", + "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz", + "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==", + "dev": true, + "dependencies": { + "is-extglob": "^2.1.1" + }, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/is-number": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz", + "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==", + "dev": true, + "engines": { + "node": ">=0.12.0" + } + }, + "node_modules/is-plain-obj": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/is-plain-obj/-/is-plain-obj-2.1.0.tgz", + "integrity": "sha512-YWnfyRwxL/+SsrWYfOpUtz5b3YD+nyfkHvjbcanzk8zgyO4ASD67uVMRt8k5bM4lLMDnXfriRhOpemw+NfT1eA==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/is-unicode-supported": { + "version": "0.1.0", + "resolved": "https://registry.npmjs.org/is-unicode-supported/-/is-unicode-supported-0.1.0.tgz", + "integrity": "sha512-knxG2q4UC3u8stRGyAVJCOdxFmv5DZiRcdlIaAQXAbSfJya+OhopNotLQrstBhququ4ZpuKbDc/8S6mgXgPFPw==", + "dev": true, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/isexe": { + "version": "2.0.0", + "resolved": 
"https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", + "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", + "dev": true + }, + "node_modules/istanbul-lib-coverage": { + "version": "3.2.2", + "resolved": "https://registry.npmjs.org/istanbul-lib-coverage/-/istanbul-lib-coverage-3.2.2.tgz", + "integrity": "sha512-O8dpsF+r0WV/8MNRKfnmrtCWhuKjxrq2w+jpzBL5UZKTi2LeVWnWOmWRxFlesJONmc+wLAGvKQZEOanko0LFTg==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/istanbul-lib-report": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/istanbul-lib-report/-/istanbul-lib-report-3.0.1.tgz", + "integrity": "sha512-GCfE1mtsHGOELCU8e/Z7YWzpmybrx/+dSTfLrvY8qRmaY6zXTKWn6WQIjaAFw069icm6GVMNkgu0NzI4iPZUNw==", + "dev": true, + "dependencies": { + "istanbul-lib-coverage": "^3.0.0", + "make-dir": "^4.0.0", + "supports-color": "^7.1.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/istanbul-lib-report/node_modules/lru-cache": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", + "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", + "dev": true, + "dependencies": { + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/istanbul-lib-report/node_modules/make-dir": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-4.0.0.tgz", + "integrity": "sha512-hXdUTZYIVOt1Ex//jAQi+wTZZpUpwBj/0QsOzqegb3rGMMeJiSEu5xLHnYfBrRV4RH2+OCSOO95Is/7x1WJ4bw==", + "dev": true, + "dependencies": { + "semver": "^7.5.3" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/istanbul-lib-report/node_modules/semver": { + "version": "7.5.4", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz", + "integrity": 
"sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==", + "dev": true, + "dependencies": { + "lru-cache": "^6.0.0" + }, + "bin": { + "semver": "bin/semver.js" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/istanbul-lib-report/node_modules/supports-color": { + "version": "7.2.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz", + "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==", + "dev": true, + "dependencies": { + "has-flag": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/istanbul-lib-report/node_modules/yallist": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", + "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==", + "dev": true + }, + "node_modules/istanbul-reports": { + "version": "3.1.6", + "resolved": "https://registry.npmjs.org/istanbul-reports/-/istanbul-reports-3.1.6.tgz", + "integrity": "sha512-TLgnMkKg3iTDsQ9PbPTdpfAK2DzjF9mqUG7RMgcQl8oFjad8ob4laGxv5XV5U9MAfx8D6tSJiUyuAwzLicaxlg==", + "dev": true, + "dependencies": { + "html-escaper": "^2.0.0", + "istanbul-lib-report": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/js-yaml": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz", + "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==", + "dev": true, + "dependencies": { + "argparse": "^2.0.1" + }, + "bin": { + "js-yaml": "bin/js-yaml.js" + } + }, + "node_modules/locate-path": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-6.0.0.tgz", + "integrity": "sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==", + "dev": true, + "dependencies": { + "p-locate": "^5.0.0" + }, + 
"engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/log-symbols": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/log-symbols/-/log-symbols-4.1.0.tgz", + "integrity": "sha512-8XPvpAA8uyhfteu8pIvQxpJZ7SYYdpUivZpGy6sFsBuKRY/7rQGavedeB8aK+Zkyq6upMFVL/9AW6vOYzfRyLg==", + "dev": true, + "dependencies": { + "chalk": "^4.1.0", + "is-unicode-supported": "^0.1.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/loupe": { + "version": "2.3.7", + "resolved": "https://registry.npmjs.org/loupe/-/loupe-2.3.7.tgz", + "integrity": "sha512-zSMINGVYkdpYSOBmLi0D1Uo7JU9nVdQKrHxC8eYlV+9YKK9WePqAlL7lSlorG/U2Fw1w0hTBmaa/jrQ3UbPHtA==", + "dev": true, + "dependencies": { + "get-func-name": "^2.0.1" + } + }, + "node_modules/minimatch": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.0.1.tgz", + "integrity": "sha512-nLDxIFRyhDblz3qMuq+SoRZED4+miJ/G+tdDrjkkkRnjAsBexeGpgjLEQ0blJy7rHhR2b93rhQY4SvyWu9v03g==", + "dev": true, + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/mocha": { + "version": "10.2.0", + "resolved": "https://registry.npmjs.org/mocha/-/mocha-10.2.0.tgz", + "integrity": "sha512-IDY7fl/BecMwFHzoqF2sg/SHHANeBoMMXFlS9r0OXKDssYE1M5O43wUY/9BVPeIvfH2zmEbBfseqN9gBQZzXkg==", + "dev": true, + "dependencies": { + "ansi-colors": "4.1.1", + "browser-stdout": "1.3.1", + "chokidar": "3.5.3", + "debug": "4.3.4", + "diff": "5.0.0", + "escape-string-regexp": "4.0.0", + "find-up": "5.0.0", + "glob": "7.2.0", + "he": "1.2.0", + "js-yaml": "4.1.0", + "log-symbols": "4.1.0", + "minimatch": "5.0.1", + "ms": "2.1.3", + "nanoid": "3.3.3", + "serialize-javascript": "6.0.0", + "strip-json-comments": "3.1.1", + "supports-color": "8.1.1", + "workerpool": "6.2.1", + "yargs": "16.2.0", + "yargs-parser": "20.2.4", + 
"yargs-unparser": "2.0.0" + }, + "bin": { + "_mocha": "bin/_mocha", + "mocha": "bin/mocha.js" + }, + "engines": { + "node": ">= 14.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/mochajs" + } + }, + "node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "dev": true + }, + "node_modules/nanoid": { + "version": "3.3.3", + "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.3.tgz", + "integrity": "sha512-p1sjXuopFs0xg+fPASzQ28agW1oHD7xDsd9Xkf3T15H3c/cifrFHVwrh74PdoklAPi+i7MdRsE47vm2r6JoB+w==", + "dev": true, + "bin": { + "nanoid": "bin/nanoid.cjs" + }, + "engines": { + "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1" + } + }, + "node_modules/normalize-path": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz", + "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "dev": true, + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/p-limit": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-3.1.0.tgz", + "integrity": "sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==", + "dev": true, + "dependencies": { + "yocto-queue": "^0.1.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/p-locate": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-5.0.0.tgz", + 
"integrity": "sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==", + "dev": true, + "dependencies": { + "p-limit": "^3.0.2" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/path-exists": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz", + "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/path-is-absolute": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", + "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/path-key": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz", + "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/pathval": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/pathval/-/pathval-1.1.1.tgz", + "integrity": "sha512-Dp6zGqpTdETdR63lehJYPeIOqpiNBNtc7BpWSLrOje7UaIsE5aY92r/AunQA7rsXvet3lrJ3JnZX29UPTKXyKQ==", + "dev": true, + "engines": { + "node": "*" + } + }, + "node_modules/picomatch": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz", + "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==", + "dev": true, + "engines": { + "node": ">=8.6" + }, + "funding": { + "url": "https://github.com/sponsors/jonschlinkert" + } + }, + "node_modules/randombytes": { + "version": "2.1.0", + "resolved": 
"https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz", + "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==", + "dev": true, + "dependencies": { + "safe-buffer": "^5.1.0" + } + }, + "node_modules/readdirp": { + "version": "3.6.0", + "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz", + "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==", + "dev": true, + "dependencies": { + "picomatch": "^2.2.1" + }, + "engines": { + "node": ">=8.10.0" + } + }, + "node_modules/require-directory": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz", + "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==", + "dev": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/rimraf": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz", + "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==", + "dev": true, + "dependencies": { + "glob": "^7.1.3" + }, + "bin": { + "rimraf": "bin.js" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/rollup": { + "version": "4.9.0", + "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.9.0.tgz", + "integrity": "sha512-bUHW/9N21z64gw8s6tP4c88P382Bq/L5uZDowHlHx6s/QWpjJXivIAbEw6LZthgSvlEizZBfLC4OAvWe7aoF7A==", + "dev": true, + "bin": { + "rollup": "dist/bin/rollup" + }, + "engines": { + "node": ">=18.0.0", + "npm": ">=8.0.0" + }, + "optionalDependencies": { + "@rollup/rollup-android-arm-eabi": "4.9.0", + "@rollup/rollup-android-arm64": "4.9.0", + "@rollup/rollup-darwin-arm64": "4.9.0", + "@rollup/rollup-darwin-x64": "4.9.0", + "@rollup/rollup-linux-arm-gnueabihf": "4.9.0", + "@rollup/rollup-linux-arm64-gnu": "4.9.0", + 
"@rollup/rollup-linux-arm64-musl": "4.9.0", + "@rollup/rollup-linux-riscv64-gnu": "4.9.0", + "@rollup/rollup-linux-x64-gnu": "4.9.0", + "@rollup/rollup-linux-x64-musl": "4.9.0", + "@rollup/rollup-win32-arm64-msvc": "4.9.0", + "@rollup/rollup-win32-ia32-msvc": "4.9.0", + "@rollup/rollup-win32-x64-msvc": "4.9.0", + "fsevents": "~2.3.2" + } + }, + "node_modules/safe-buffer": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, + "node_modules/serialize-javascript": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.0.tgz", + "integrity": "sha512-Qr3TosvguFt8ePWqsvRfrKyQXIiW+nGbYpy8XK24NQHE83caxWt+mIymTT19DGFbNWNLfEwsrkSmN64lVWB9ag==", + "dev": true, + "dependencies": { + "randombytes": "^2.1.0" + } + }, + "node_modules/shebang-command": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", + "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==", + "dev": true, + "dependencies": { + "shebang-regex": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/shebang-regex": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz", + "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", + "dev": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/signal-exit": { + "version": "3.0.7", + "resolved": 
"https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz", + "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==", + "dev": true + }, + "node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "dev": true, + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-ansi": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "dev": true, + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-json-comments": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz", + "integrity": "sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==", + "dev": true, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/strnum": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/strnum/-/strnum-1.0.5.tgz", + "integrity": "sha512-J8bbNyKKXl5qYcR36TIO8W3mVGVHrmmxsd5PAItGkmyzwJvybiw2IVq5nqd0i4LSNSkB/sx9VHllbfFdr9k1JA==" + }, + "node_modules/supports-color": { + "version": "8.1.1", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-8.1.1.tgz", + "integrity": "sha512-MpUEN2OodtUzxvKQl72cUF7RQ5EiHsGvSsVG0ia9c5RbWGL2CI4C7EpPS8UTBIplnlzZiNuV56w+FuNxy3ty2Q==", + "dev": true, + "dependencies": { + "has-flag": "^4.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": 
"https://github.com/chalk/supports-color?sponsor=1" + } + }, + "node_modules/test-exclude": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/test-exclude/-/test-exclude-6.0.0.tgz", + "integrity": "sha512-cAGWPIyOHU6zlmg88jwm7VRyXnMN7iV68OGAbYDk/Mh/xC/pzVPlQtY6ngoIH/5/tciuhGfvESU8GrHrcxD56w==", + "dev": true, + "dependencies": { + "@istanbuljs/schema": "^0.1.2", + "glob": "^7.1.4", + "minimatch": "^3.0.4" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/test-exclude/node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dev": true, + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/test-exclude/node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "dev": true, + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, + "node_modules/to-regex-range": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz", + "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==", + "dev": true, + "dependencies": { + "is-number": "^7.0.0" + }, + "engines": { + "node": ">=8.0" + } + }, + "node_modules/type-detect": { + "version": "4.0.8", + "resolved": "https://registry.npmjs.org/type-detect/-/type-detect-4.0.8.tgz", + "integrity": "sha512-0fr/mIH1dlO+x7TlcMy+bIDqKPsw/70tVyeHW787goQjhmqaZe10uwLujubK9q9Lg6Fiho1KUKDYz0Z7k7g5/g==", + "dev": true, + "engines": { + "node": ">=4" + } + }, + "node_modules/v8-to-istanbul": { + "version": "9.2.0", + "resolved": 
"https://registry.npmjs.org/v8-to-istanbul/-/v8-to-istanbul-9.2.0.tgz", + "integrity": "sha512-/EH/sDgxU2eGxajKdwLCDmQ4FWq+kpi3uCmBGpw1xJtnAxEjlD8j8PEiGWpCIMIs3ciNAgH0d3TTJiUkYzyZjA==", + "dev": true, + "dependencies": { + "@jridgewell/trace-mapping": "^0.3.12", + "@types/istanbul-lib-coverage": "^2.0.1", + "convert-source-map": "^2.0.0" + }, + "engines": { + "node": ">=10.12.0" + } + }, + "node_modules/v8-to-istanbul/node_modules/convert-source-map": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz", + "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==", + "dev": true + }, + "node_modules/which": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", + "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", + "dev": true, + "dependencies": { + "isexe": "^2.0.0" + }, + "bin": { + "node-which": "bin/node-which" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/workerpool": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/workerpool/-/workerpool-6.2.1.tgz", + "integrity": "sha512-ILEIE97kDZvF9Wb9f6h5aXK4swSlKGUcOEGiIYb2OOu/IrDU9iwj0fD//SsA6E5ibwJxpEvhullJY4Sl4GcpAw==", + "dev": true + }, + "node_modules/wrap-ansi": { + "version": "7.0.0", + "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", + "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "dev": true, + "dependencies": { + "ansi-styles": "^4.0.0", + "string-width": "^4.1.0", + "strip-ansi": "^6.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/wrap-ansi?sponsor=1" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": 
"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", + "dev": true + }, + "node_modules/y18n": { + "version": "5.0.8", + "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz", + "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==", + "dev": true, + "engines": { + "node": ">=10" + } + }, + "node_modules/yargs": { + "version": "16.2.0", + "resolved": "https://registry.npmjs.org/yargs/-/yargs-16.2.0.tgz", + "integrity": "sha512-D1mvvtDG0L5ft/jGWkLpG1+m0eQxOfaBvTNELraWj22wSVUMWxZUvYgJYcKh6jGGIkJFhH4IZPQhR4TKpc8mBw==", + "dev": true, + "dependencies": { + "cliui": "^7.0.2", + "escalade": "^3.1.1", + "get-caller-file": "^2.0.5", + "require-directory": "^2.1.1", + "string-width": "^4.2.0", + "y18n": "^5.0.5", + "yargs-parser": "^20.2.2" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/yargs-parser": { + "version": "20.2.4", + "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-20.2.4.tgz", + "integrity": "sha512-WOkpgNhPTlE73h4VFAFsOnomJVaovO8VqLDzy5saChRBFQFBoMYirowyW+Q9HB4HFF4Z7VZTiG3iSzJJA29yRA==", + "dev": true, + "engines": { + "node": ">=10" + } + }, + "node_modules/yargs-unparser": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/yargs-unparser/-/yargs-unparser-2.0.0.tgz", + "integrity": "sha512-7pRTIA9Qc1caZ0bZ6RYRGbHJthJWuakf+WmHK0rVeLkNrrGhfoabBNdue6kdINI6r4if7ocq9aD/n7xwKOdzOA==", + "dev": true, + "dependencies": { + "camelcase": "^6.0.0", + "decamelize": "^4.0.0", + "flat": "^5.0.2", + "is-plain-obj": "^2.1.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/yargs-unparser/node_modules/camelcase": { + "version": "6.3.0", + "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-6.3.0.tgz", + "integrity": "sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA==", + "dev": true, + "engines": { + "node": ">=10" + }, + "funding": { + "url": 
"https://github.com/sponsors/sindresorhus"
+ }
+ },
+ "node_modules/yargs-unparser/node_modules/decamelize": {
+ "version": "4.0.0",
+ "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-4.0.0.tgz",
+ "integrity": "sha512-9iE1PgSik9HeIIw2JO94IidnE3eBoQrFJ3w7sFuzSX4DpmZ3v5sZpUiV5Swcf6mQEF+Y0ru8Neo+p+nyh2J+hQ==",
+ "dev": true,
+ "engines": {
+ "node": ">=10"
+ },
+ "funding": {
+ "url": "https://github.com/sponsors/sindresorhus"
+ }
+ },
+ "node_modules/yocto-queue": {
+ "version": "0.1.0",
+ "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz",
+ "integrity": "sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==",
+ "dev": true,
+ "engines": {
+ "node": ">=10"
+ },
+ "funding": {
+ "url": "https://github.com/sponsors/sindresorhus"
+ }
+ }
+ }
+}
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..5a733f0
--- /dev/null
+++ b/package.json
@@ -0,0 +1,25 @@
+{
+ "name": "stig-manager-client-modules",
+ "version": "1.0.0",
+ "description": "",
+ "main": "index.js",
+ "type": "module",
+ "scripts": {
+ "test": "c8 --reporter=html --reporter=text mocha './test/**/*.test.js'",
+ "install": "npx rollup index.js --file index.cjs --format cjs"
+ },
+ "exports": {
+ "import": "./index.js",
+ "require": "./index.cjs"
+ },
+ "license": "MIT",
+ "devDependencies": {
+ "c8": "^8.0.1",
+ "chai": "^4.3.10",
+ "mocha": "^10.2.0",
+ "rollup": "^4.8.0"
+ },
+ "dependencies": {
+ "fast-xml-parser": "^4.3.2"
+ }
+}
diff --git a/test/CKLBReviewParserChecklistArray.test.js b/test/CKLBReviewParserChecklistArray.test.js
new file mode 100644
index 0000000..1117d4c
--- /dev/null
+++ b/test/CKLBReviewParserChecklistArray.test.js
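Review bot: The `install` lifecycle script runs `npx rollup …` on every `npm install`, including when a consumer pulls this package from git as the README describes; in that context devDependencies are not installed, so `npx` fetches an unpinned rollup from the registry and executes it at install time, and under `--ignore-scripts` the build silently never happens and `"require": "./index.cjs"` points at a file that does not exist. Producing the CJS entry is a packaging step, not a consumer install step: move it to `"prepare": "rollup index.js --file index.cjs --format cjs"` (npm installs devDependencies and runs `prepare` when it installs a git dependency, so the lockfile-pinned local `rollup` bin is used instead of an ad-hoc download), or commit the built `index.cjs`. `"description"` is empty, and with no `"files"` field the tests and fixture trees ship with the package.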
@@ -0,0 +1,124 @@
+import chai from 'chai'
+import { reviewsFromCklb } from '../ReviewParser.js'
+import fs from 'fs/promises'
+
+const expect = chai.expect
+
+// Create a helper function to read the file and generate the review object
+async function generateReviewObject (
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+) {
+ const data = await fs.readFile(filePath, 'utf8')
+ return reviewsFromCklb({
+ data,
+ fieldSettings,
+ allowAccept,
+ importOptions
+ })
+}
+
+describe('CKLB Checklist tests', () => {
+ it("testing that 'checklist' elements benchmarkId and revisionStr are parsed", async () => {
+ // TEST: ensure that the checklist array is populated with the correct benchmarkId and revisionStr
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Asset_a-VPN_TRUNCATED-V2R5.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ // console.log(JSON.stringify(review, null, 2))
+
+ expect(review.checklists).to.be.an('array')
+ expect(review.checklists.length).to.equal(1)
+ expect(review.checklists[0].benchmarkId).to.equal('VPN_TRUNCATED')
+ expect(review.checklists[0].revisionStr).to.equal('V0R5')
+ })
+
+ it('A multi-stig Checklist array testing for correct benchmarkId and revisionStr', async () => {
+ // TEST: ensure that the checklist array is populated with the correct benchmarkId and revisionStr
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/cklb/Asset_b-multi-stig.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedChecklists = [
+ {
+ benchmarkId: 'RHEL_8_TRUNCATED',
+ revisionStr: 'V0R12'
+ },
+ {
+ benchmarkId: 'RHEL_9_TRUNCATED',
+ revisionStr: 'V0R1'
+ },
+ {
+ benchmarkId: 'VPN_TRUNCATED',
+ revisionStr: 'V0R5'
+ }
+ ]
+
+ expect(review.checklists).to.be.an('array')
+ expect(review.checklists.length).to.equal(expectedChecklists.length)
+
+ for (const [index, expected] of expectedChecklists.entries()) {
+ expect(review.checklists[index].benchmarkId).to.equal(
+ expected.benchmarkId
+ )
+ expect(review.checklists[index].revisionStr).to.equal(
+ expected.revisionStr
+ )
+ }
+ })
+})
diff --git a/test/CKLBReviewParserError.test.js b/test/CKLBReviewParserError.test.js
new file mode 100644
index 0000000..f36a5ae
--- /dev/null
+++ b/test/CKLBReviewParserError.test.js
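Review bot: The fixture paths on the `filePath` lines (`./WATCHER-test-files/…`) are resolved against the process working directory, so the suite only passes when mocha is launched from the repository root; resolving them against the test module instead, `const fixtureDir = new URL('../WATCHER-test-files/WATCHER/cklb/', import.meta.url)` and `fs.readFile(new URL(name, fixtureDir), 'utf8')`, makes the tests location-independent. The `generateReviewObject` helper is copied into each CKLB test file in this commit (this one, `CKLBReviewParserError.test.js` and `CKLBReviewParserReviewObject.test.js`) and the copies already drift in property order and formatting; one shared helper module under `test/` would keep the parser invocation identical across suites. The commented-out `// console.log(JSON.stringify(review, null, 2))` debug line should be dropped rather than committed.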
@@ -0,0 +1,132 @@
+import chai from 'chai';
+import { reviewsFromCklb } from '../ReviewParser.js';
+import fs from 'fs/promises';
+
+const expect = chai.expect;
+
+
+// Create a helper function to read the file and generate the review object
+async function generateReviewObject (
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+) {
+ const data = await fs.readFile(filePath, 'utf8')
+ return reviewsFromCklb({
+ data,
+ importOptions,
+ fieldSettings,
+ allowAccept,
+
+ })
+}
+
+
+describe('testing cklb errors', () => {
+ it('Giving the parser "bad" json', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const data = 'This is not JSON!';
+
+ expect(() =>
+ reviewsFromCklb({
+ data,
+ importOptions,
+ fieldSettings,
+ allowAccept,
+
+ })
+ ).to.throw('Cannot parse as JSON')
+ })
+ it('Giving the parser json with no host name ', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const data = await fs.readFile('WATCHER-test-files/WATCHER/cklb/NoTargetHostName.cklb', 'utf8')
+
+ expect(() =>
+ reviewsFromCklb({
+ data,
+ importOptions,
+ fieldSettings,
+ allowAccept,
+ })
+ ).to.throw('Invalid CKLB object: No target_data.host_name found')
+ })
+ it('Giving the parser json with no stigs array ', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const data = await fs.readFile('WATCHER-test-files/WATCHER/cklb/NoStigsArray.cklb', 'utf8')
+
+ expect(() =>
+ reviewsFromCklb({
+ data,
+ importOptions,
+ fieldSettings,
+ allowAccept,
+ })
+ ).to.throw('No stigs array found')
+ })
+
+
+})
diff --git a/test/CKLBReviewParserReviewObject.test.js b/test/CKLBReviewParserReviewObject.test.js
new file mode 100644
index 0000000..62e7379
--- /dev/null
+++ b/test/CKLBReviewParserReviewObject.test.js
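Review bot: `generateReviewObject` is defined at the top of this file but never called — all three tests read the fixture with `fs.readFile` and invoke `reviewsFromCklb` inline, which is the right shape here because `expect(fn).to.throw` needs a synchronous thrower and the helper returns a promise; the dead helper, together with the stray blank line inside its object literal, should be removed. The assertions match on message substrings only (`'Cannot parse as JSON'`, `'Invalid CKLB object: No target_data.host_name found'`, `'No stigs array found'`); if `ReviewParser.js` throws a dedicated error type, asserting it too, e.g. `to.throw(Error, 'Cannot parse as JSON')`, pins the contract callers actually catch on. The first `it` is `async` but awaits nothing, and the file switches from semicolons on its first five lines to none thereafter, which a shared formatter config would settle.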
@@ -0,0 +1,1942 @@ +import chai from 'chai'; +import { reviewsFromCklb } from '../ReviewParser.js'; +import fs from 'fs/promises'; + + +const expect = chai.expect; + + + +// Create a helper function to read the file and generate the review object +async function generateReviewObject ( + filePath, + importOptions, + fieldSettings, + allowAccept +) { + const data = await fs.readFile(filePath, 'utf8') + return reviewsFromCklb({ + data, + fieldSettings, + allowAccept, + importOptions, + }) +} + + +describe('Import Options, allowAccept for a CKLb review object in non multi-stig', () => { + it('DEFAULT SETTINGS: Primarily testing review "status = saved"', async () => { + // Test: DEFAULT SETTINGS + // This test validates the behavior of the cklb parser function under default settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'saved'. + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // These checks ensure that not only is the 'status' property set as expected, but also that + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. + // The test utilizes a sample CKLb file ('Single-Vuln-notReviewed-Commented-Detailed.cklb') to simulate a real-world scenario. 
+ + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Commented-Detailed.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + + const expectedReview = { + ruleId: 'SV-257777r925317_rule', + status: 'saved', + result: 'informational', + comment: 'xyz', + detail: 'xyz' + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it('autoStatus = null (keep exisiting), testing that all review statuses do not exist', async () => { + // Test: autoStatus = null + // This test validates the behavior of the cklb parser function under the 'autoStatus = null' setting. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to null (doesnt exist). + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'ruleId', 'result', 'comment', and 'detail'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. + // The test utilizes a sample CKLb file ('Single-Vuln-notReviewed-Commented-Detailed.cklb') to simulate a real-world scenario. 
+ const importOptions = { + autoStatus: 'null', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Commented-Detailed.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-257777r925317_rule', + result: 'informational', + comment: 'xyz', + detail: 'xyz' + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + + expect(review.checklists[0].reviews[0].status).to.not.exist + }) + + it('autoStatus = submitted, testing if reviews are set to "submitted" if valid or "saved" if not valid. Determined by field settings and result', async () => { + // Test: autoStatus = submitted + // This test validates the behavior of the cklb parser function under the autoStatus = submitted setting coupled with out field settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'submitted' if valid or 'saved' if not valid. + // Secondary Focus: + // - Verifying the accuracy of other review properties including ruleId 'result', 'comment', and 'detail'. + // These checks ensure that not only is the 'status' property set as expected, but also that + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. + // The test utilizes a sample CKLb file ('Single-Vuln-notReviewed-Commented-Detailed.cklb') to simulate a real-world scenario. 
+ const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Asset_a-VPN_TRUNCATED-V2R5.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + // expected statuses for each rule + const expectedStatuses = { + 'SV-207184r695317_rule': 'submitted', + 'SV-207185r608988_rule': 'saved', + 'SV-207186r608988_rule': 'submitted', + 'SV-207187r608988_rule': 'saved', + 'SV-207188r608988_rule': 'submitted', + 'SV-207189r608988_rule': 'saved', + 'SV-207190r803417_rule': 'submitted', + 'SV-207191r803418_rule': 'submitted' + } + + const expectedComments = { + 'SV-207184r695317_rule': null, + 'SV-207185r608988_rule': null, + 'SV-207186r608988_rule': null, + 'SV-207187r608988_rule': null, + 'SV-207188r608988_rule': null, + 'SV-207189r608988_rule': null, + 'SV-207190r803417_rule': null, + 'SV-207191r803418_rule': 'xyz' + } + + const expectedDetails = { + 'SV-207184r695317_rule': 'xyz', + 'SV-207185r608988_rule': 'xyz', + 'SV-207186r608988_rule': 'xyz', + 'SV-207187r608988_rule': 'xyz', + 'SV-207188r608988_rule': 'xyz', + 'SV-207189r608988_rule': 'xyz', + 'SV-207190r803417_rule': 'xyz', + 'SV-207191r803418_rule': 'xyz' + } + + // ensuring that each review has a status that matches the expected status + for (const checklists of review.checklists) { + for (const reviewItem of checklists.reviews) { + const expectedStatus = expectedStatuses[reviewItem.ruleId] + const expectedComment = expectedComments[reviewItem.ruleId] + const expectedDetail = expectedDetails[reviewItem.ruleId] + expect(reviewItem.status).to.equal(expectedStatus) + 
expect(reviewItem.comment).to.equal(expectedComment) + expect(reviewItem.detail).to.equal(expectedDetail) + } + } + }) + + it('autoStatus = submitted, testing that we will set status to saved if does not meet field settings requirements', async () => { + // Test: autoStatus = submitted + // This test validates the behavior of the cklb parser function under the autoStatus = submitted setting coupled with our field settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'saved' if not valid. + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail'. + // These checks ensure that not only is the 'status' property set as expected, but also that + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. + // The test utilizes a sample CKLb file ('Single-Vuln-notReviewed-Commented-Detailed.cklb') to simulate a real-world scenario. 
+ const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Commented-Detailed.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + const expectedReview = { + ruleId: 'SV-257777r925317_rule', + status: 'saved', + result: 'informational', + comment: 'xyz', + detail: 'xyz' + } + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it('(autoStatus = accepted, allowAccept = true) for permissions to use accepted status', async () => { + // Test: autoStatus = accepted, allowAccept = true + // This test validates the behavior of the cklb parser function under the autoStatus = accepted, allowAccept = true settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'submitted' if the user does not have permissions + // or 'accepted' if the user does have permissions (permissions are determined by the 'allowAccept' option). + // note: if not accepted or submitted, it will be saved because review did not meet the field settings requirements + // note: in this test we will have permissions to accept reviews + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // These checks ensure that not only is the 'status' property set as expected, but also that + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKLb file ('Asset_a-VPN_TRUNCATED-V2R5.cklb'') to simulate a real-world scenario. + + const importOptions = { + autoStatus: 'accepted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + const filePath = + './WATCHER-test-files/WATCHER/cklb/Asset_a-VPN_TRUNCATED-V2R5.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + // expected statuses for each rule + const expectedStatuses = { + 'SV-207184r695317_rule': 'accepted', + 'SV-207185r608988_rule': 'saved', + 'SV-207186r608988_rule': 'accepted', + 'SV-207187r608988_rule': 'saved', + 'SV-207188r608988_rule': 'accepted', + 'SV-207189r608988_rule': 'saved', + 'SV-207190r803417_rule': 'accepted', + 'SV-207191r803418_rule': 'accepted' + } + const expectedComments = { + 'SV-207184r695317_rule': null, + 'SV-207185r608988_rule': null, + 'SV-207186r608988_rule': null, + 'SV-207187r608988_rule': null, + 'SV-207188r608988_rule': null, + 'SV-207189r608988_rule': null, + 'SV-207190r803417_rule': null, + 'SV-207191r803418_rule': 'xyz' + } + + const expectedDetails = { + 'SV-207184r695317_rule': 'xyz', + 'SV-207185r608988_rule': 'xyz', + 'SV-207186r608988_rule': 'xyz', + 'SV-207187r608988_rule': 'xyz', + 'SV-207188r608988_rule': 'xyz', + 'SV-207189r608988_rule': 'xyz', + 'SV-207190r803417_rule': 'xyz', + 'SV-207191r803418_rule': 'xyz' + } + + // ensuring that each review has a status that matches the expected status + for (const reviewItem of review.checklists[0].reviews) { + const expectedStatus = expectedStatuses[reviewItem.ruleId] + const expectedComment = expectedComments[reviewItem.ruleId] + const expectedDetail = expectedDetails[reviewItem.ruleId] + + 
expect(reviewItem).to.have.property('ruleId') + expect(expectedStatuses).to.have.property(reviewItem.ruleId) + expect(expectedComments).to.have.property(reviewItem.ruleId) + expect(expectedDetails).to.have.property(reviewItem.ruleId) + expect(reviewItem.status).to.equal(expectedStatus) + expect(reviewItem.comment).to.equal(expectedComment) + expect(reviewItem.detail).to.equal(expectedDetail) + } + }) + + it('(autoStatus = accepted allowAccept = false) for permissions to use submitted status', async () => { + // Test: autoStatus = accepted, allowAccept = false + // This test validates the behavior of the cklb parser function under the autoStatus = accepted, allowAccept = false settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'submitted' if the user does not have permissions + // or 'accepted' if the user does have permissions (permissions are determined by the 'allowAccept' option). + // note: if not accepted or submitted, it will be saved because review did not meet the field settings requirements + // note: in this test we will NOT have permissions to accept reviews (we should see submitted) + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // These checks ensure that not only is the 'status' property set as expected, but also that + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. + // The test utilizes a sample CKLb file ('Asset_a-VPN_TRUNCATED-V2R5.cklb'') to simulate a real-world scenario. 
+ const importOptions = { + autoStatus: 'accepted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = false + const filePath = + './WATCHER-test-files/WATCHER/cklb/Asset_a-VPN_TRUNCATED-V2R5.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + // expected statuses for each rule + const expectedStatuses = { + 'SV-207184r695317_rule': 'submitted', + 'SV-207185r608988_rule': 'saved', + 'SV-207186r608988_rule': 'submitted', + 'SV-207187r608988_rule': 'saved', + 'SV-207188r608988_rule': 'submitted', + 'SV-207189r608988_rule': 'saved', + 'SV-207190r803417_rule': 'submitted', + 'SV-207191r803418_rule': 'submitted' + } + const expectedComments = { + 'SV-207184r695317_rule': null, + 'SV-207185r608988_rule': null, + 'SV-207186r608988_rule': null, + 'SV-207187r608988_rule': null, + 'SV-207188r608988_rule': null, + 'SV-207189r608988_rule': null, + 'SV-207190r803417_rule': null, + 'SV-207191r803418_rule': 'xyz' + } + + const expectedDetails = { + 'SV-207184r695317_rule': 'xyz', + 'SV-207185r608988_rule': 'xyz', + 'SV-207186r608988_rule': 'xyz', + 'SV-207187r608988_rule': 'xyz', + 'SV-207188r608988_rule': 'xyz', + 'SV-207189r608988_rule': 'xyz', + 'SV-207190r803417_rule': 'xyz', + 'SV-207191r803418_rule': 'xyz' + } + + // ensuring that each review has a status that matches the expected status + for (const reviewItem of review.checklists[0].reviews) { + const expectedStatus = expectedStatuses[reviewItem.ruleId] + const expectedComment = expectedComments[reviewItem.ruleId] + const expectedDetail = expectedDetails[reviewItem.ruleId] + + expect(reviewItem).to.have.property('ruleId') + expect(expectedStatuses).to.have.property(reviewItem.ruleId) + 
expect(expectedComments).to.have.property(reviewItem.ruleId) + expect(expectedDetails).to.have.property(reviewItem.ruleId) + expect(reviewItem.status).to.equal(expectedStatus) + expect(reviewItem.comment).to.equal(expectedComment) + expect(reviewItem.detail).to.equal(expectedDetail) + } + }) + + it("'unreviewed = commented' testing that we only import unreviwred rules that contain a comment or detail ", async () => { + // Test: unreviewed = commented + // This test validates the behavior of the cklb parser function under the unreviewed = commented settings. + // Primary Focus: + // - Ensuring that the 'unreviewed' option in 'importOptions' correctly imports only reviews with a non complience result that contain a comment and or detail. + // note this test will have a review with a comment and detail + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. + // The test utilizes a sample CKLb file ('Single-Vuln-notReviewed-Commented-Detailed.cklb') to simulate a real-world scenario. 
+ const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Commented-Detailed.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-257777r925317_rule', + status: 'saved', + result: 'informational', + comment: 'xyz', + detail: 'xyz' + } + // check that review has a comment or detail and exists + expect(review.checklists[0].reviews[0]).to.exist + expect( + review.checklists[0].reviews[0].detail || + review.checklists[0].reviews[0].comment + ).to.not.be.null + // secondary check that review matches expected review object + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it("'unreviewed = commented' testing that we only import unreviwred rules that contain a comment or detail but giving a review without either", async () => { + // Test: unreviewed = commented + // This test validates the behavior of the cklb parser function under the unreviewed = commented settings. + // Primary Focus: + // - Ensuring that the 'unreviewed' option in 'importOptions' correctly imports only reviews with a non complience result that contain a comment and or detail. + // note this test will not have any reviews because there will be no comment/detail + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKLb file ('Single-Vuln-notReviewed-Commented-Detailed.cklb') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Empty-CommentDetail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ // check that review has a comment or detail and exisits
+ expect(review.checklists[0].reviews).to.be.empty
+ })
+
+ it("'unreviewed = always', testing that unreviewed always are import ", async () => {
+ // Test: unreviewed = always
+ // This test validates the behavior of the cklb parser function under the unreviewed = always settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' correctly imports all reviews without a compliance result and if they have a comment
+ // or detail they will be labeled as informational.
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-notReviewed-Commented-Detailed.cklb') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'always',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Commented-Detailed.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-257777r925317_rule',
+ status: 'saved',
+ result: 'informational',
+ comment: 'xyz',
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'unreviewed = always', testing that unreviewed always are import ", async () => {
+ // Test: unreviewed = always
+ // This test validates the behavior of the cklb parser function under the unreviewed = always settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' correctly imports all reviews without a compliance result
+ // and without comment or detail to be labled as notchecked.
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // These checks ensure that not only is the 'status' property set as expected, but also that
+ // The test utilizes a sample CKLb file ('Single-Vuln-notReviewed-Empty-CommentDetail.cklb') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'always',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Empty-CommentDetail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-257777r925317_rule',
+ status: 'saved',
+ result: 'notchecked',
+ comment: null,
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it(" 'unreviewed = never' testing to never import an unreviewed item ", async () => {
+ // Test: unreviewed = never
+ // This test validates the behavior of the cklb parser function under the unreviewed = never settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' ignores reviews without a compliance result (Nf/na/o)
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-notReviewed-Empty-CommentDetail.cklb') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'never',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Empty-CommentDetail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ expect(review.checklists[0].reviews).to.be.empty
+ })
+
+ it("'unreviewedComment = informational' testing that an unreviewed item with a comment has a result of informational", async () => {
+ // Test: unreviewedComment = informational
+ // This test validates the behavior of the cklb parser function under the unreviewedComment = informational settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' correctly labels a review without a compliance result..
+ // and with a comment or detail as informational.
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-notReviewed-Commented-Detailed.cklb') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Commented-Detailed.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-257777r925317_rule',
+ status: 'saved',
+ result: 'informational',
+ comment: 'xyz',
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it(" 'unreviewedComment = notchecked'. testing that an unreviewed with a comment has a result of notchecked", async () => {
+ // Test: unreviewedComment = notchecked
+ // This test validates the behavior of the cklb parser function under the unreviewedComment = notchecked settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' correctly labels a review without a compliance result..
+ // and with a comment or detail as notchecked.
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-notReviewed-Commented-Detailed.cklb') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Commented-Detailed.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedReview = {
+ ruleId: 'SV-257777r925317_rule',
+ status: 'saved',
+ result: 'notchecked',
+ comment: 'xyz',
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'emptyDetail = replace' testing that if an item has an empty detail we will replace it with a static message", async () => {
+ // Test: emptyDetail = replace
+ // This test validates the behavior of the cklb parser function under the emptyDetail = replace settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly replaces an empty detail with a static message. "There is no detail provided for the assessment"
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-Pass-With-Comment.cklb') to simulate a real-world scenario.
+
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Comment.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: 'xyz',
+ detail: 'There is no detail provided for the assessment'
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'emptyDetail = ignore' testing that if there is no detail provided it will retaing exisiting, if no exisitng then we will set to null", async () => {
+ // Test: emptyDetail = ignore
+ // This test validates the behavior of the cklb parser function under the emptyDetail = ignore settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly replaces an empty detail a null value
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-Pass-With-Comment.cklb') to simulate a real-world scenario.
+
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Comment.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: 'xyz',
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'emptyDetail = import', testing empty detail will clear existing text (setting it to empty string)", async () => {
+ // Test: emptyDetail = import
+ // This test validates the behavior of the cklb parser function under the emptyDetail = import settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly replaces an empty detail an empty string if no detail is provided
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-Pass-With-Comment.cklb') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Comment.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: 'xyz',
+ detail: ''
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it(" 'emptyDetail = import' testing that a review with a detail provided will be applied", async () => {
+ // Test: emptyDetail = import
+ // This test validates the behavior of the cklb parser function under the emptyDetail = import settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly uses the exisisitng detail if one is provided
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-Pass-With-Detail.cklb') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Detail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: null,
+ detail: 'xyz'
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'emptyComment = replace' testing that if an item has an empty comment we will replace it with a static message", async () => {
+ // Test: emptyComment = replace
+ // This test validates the behavior of the cklb parser function under the emptyComment = replace settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyComment' option in 'importOptions' correctly replaces an empty comment with a static message. "There is no comment provided for the assessment"
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-Pass-With-Detail.cklb') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'replace',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Detail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: 'There is no comment provided for the assessment',
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'emptyComment = ignore' testing that we will use exisitng text, if none use null", async () => {
+ // Test: emptyComment = ignore
+ // This test validates the behavior of the cklb parser function under the emptyComment = ignore settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyComment' option in 'importOptions' correctly replaces an empty comment a null value
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-Pass-With-Comment.cklb') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Detail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: null,
+ detail: 'xyz'
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'emptyComment = import', will clear eixsitng with an empty string if no comment given ", async () => {
+ // Test: emptyComment = import
+ // This test validates the behavior of the cklb parser function under the emptyComment = import settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyComment' option in 'importOptions' correctly replaces an empty comment an empty string: ""
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-Pass-With-Detail.cklb')
+
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Detail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: '',
+ detail: 'xyz'
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'emptyComment = import', testing a review with a comment provided in the cklb to make sure we get it back in the review ", async () => {
+ // Test: emptyComment = import
+ // This test validates the behavior of the cklb parser function under the emptyComment = import settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyComment' option in 'importOptions' correctly uses the exisisitng comment if one is provided
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-Pass-With-Detail.cklb')
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Comment.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: 'xyz',
+ detail: null
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+})
+
+ describe('fieldSettings testing for a CKLb review object in non multi-stig', () => {
+ it("DEFAULT FIELD SETTINGS with allowAccept=true and a passing review, testing that it has a detail and is 'submitted'", async () => {
+ // Test: autostatus = submitted, default field settings.
+ // This test validates the behavior of the cklb parser function under the default field settings.
+ // Primary Focus:
+ // - Ensuring that the 'autoStatus' option in 'importOptions' correctly ensures that a detail is required for a review to be submitted.
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-Pass-With-Detail.cklb')
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Detail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'submitted',
+ result: 'pass',
+ comment: '',
+ detail: 'xyz'
+ }
+
+ // expected status is submitted for the rule that has a detail
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it('DEFAULT FIELD SETTINGS with allowAccept=true and a failing review with no detail.', async () => {
+ //autostatus = submitted, testing default field settings with allowAccept=true
+ // This test validates the behavior of the cklb parser function under the default field setting with a fail and a no detail.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a detail is always required for submission for a review.
+ // Test that with a failing review and no detail exisiting and it will be set to 'saved'
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-fail-With-Detail.cklb')
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'always', // not used
+ required: 'always'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-Empty-CommentDetail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'saved',
+ result: 'fail',
+ comment: null,
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it('fieldSettings.detail.required = findings with allowAccept=true with a failing review containing a detail', async () => {
+ // Test: autostatus = submitted, default field settings.
+ // This test validates the behavior of the cklb parser function under the fieldSettings.detail.required = findings field settings.
+ // Primary Focus:
+ // - Ensuring that the 'autoStatus' option in 'importOptions' correctly ensures that a detail is required for a review that has findings to be submitted.
+ // Test that a failing review with a detail will be submitted
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-Pass-With-Detail.cklb')
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'findings'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-With-Detail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'submitted',
+ result: 'fail',
+ comment: '',
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'fieldSettings.detail.required = findings' with allowAccept=true with a fail and no detail or comment", async () => {
+ // Test: autostatus = submitted, testing 'fieldSettings.detail.required = findings' allowAccept=true
+ // This test validates the behavior of the cklb parser function under the fieldSettings.detail.required = findings field setting with a fail and no detail or comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a detail is required for a review that has findings to be submitted if not we will save.
+ // Test that no detail exisitng and it will be set to 'saved'
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-fail-Empty-CommentDetail.cklb')
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'findings'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-Empty-CommentDetail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'saved',
+ result: 'fail',
+ comment: null,
+ detail: null
+ }
+
+ // console.log(JSON.stringify(review, null, 2))
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'fieldSettings.detail.required = optional' with allowAccept=true with a fail and no detail or comment, testing that it does not have a detail and is submitted ", async () => {
+ // TEST: autostatus = submitted, testing 'fieldSettings.detail.required = optional' with allowAccept=true
+ // This test validates the behavior of the cklb parser function under the fieldSettings.detail.required = optional field setting with a fail and no detail or comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a detail is optional for submission for a review that has findings.
+ // Test that no detail exisitng and it will be set to 'submitted'
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-fail-Empty-CommentDetail.cklb')
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-Empty-CommentDetail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'submitted',
+ result: 'fail',
+ comment: null,
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("fieldSettings.detail.required = optional' with allowAccept=true with a fail and detail testing it has a detail and is submitted", async () => {
+ // autostatus = submitted, 'fieldSettings.detail.required = optional' with allowAccept=true
+ // This test validates the behavior of the cklb parser function under the fieldSettings.detail.required = optional field setting with a fail and a detail.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a detail is optional for submission for a review that has findings.
+ // Test that with detail exisitng and it will be set to 'submitted'
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-fail-With-Detail.cklb')
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-With-Detail.cklb'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803417_rule',
+ status: 'submitted',
+ result: 'fail',
+ comment: null,
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it('DEFAULT FIELD SETTINGS with allowAccept=true and a passing review testing that it has a comment and is submitted', async () => {
+ //autostatus = submitted, testing default field settings with allowAccept=true
+ // This test validates the behavior of the cklb parser function under the default field setting with a pass and a comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review.
+ // Test that witha passing review and a comment exisiting and it will be set to 'submitted'
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKLb file ('Single-Vuln-fail-With-Detail.cklb') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'import', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-Pass-With-Comment.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803417_rule', + status: 'submitted', + result: 'pass', + comment: 'xyz', + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + it('DEFAULT FIELD SETTINGS with allowAccept=true and a failing review with no comment.', async () => { + //autostatus = submitted, testing default field settings with allowAccept=true + // This test validates the behavior of the cklb parser function under the default field setting with a fail and a no comment. + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review. + // Test that with a failing review and no comment exisiting and it will be set to 'saved' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKLb file ('Single-Vuln-fail-With-Detail.cklb') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-Empty-CommentDetail.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803417_rule', + status: 'saved', + result: 'fail', + comment: null, + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + it('fieldSettings.comment.required = findings with allowAccept=true with a fail and comment testing that it has a comment and is submitted', async () => { + // TEST: autostatus = submitted, fieldSettings.comment.required = findings with allowAccept=true + // This test validates the behavior of the cklb parser function under the fieldSettings.comment.required = findings field setting with a fail and a comment. + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review that contains a finding. + // Test that with a failed review and a comment exisitng and it will be set to 'submitted' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKLb file ('Single-Vuln-fail-with-Comment.cklb') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'import', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-with-Comment.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803417_rule', + status: 'submitted', + result: 'fail', + comment: 'xyz', + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + it("'fieldSettings.comment.required = findings' with allowAccept=true with a fail and no detail or comment, testing that it does not have a comment and is 'saved' ", async () => { + // TEST: autostatus = submitted, testing 'fieldSettings.comment.required = findings' with allowAccept=true + // This test validates the behavior of the cklb parser function under the fieldSettings.comment.required = findings field setting with a fail and no comment. + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review that contains a finding. + // Test that with a failed review and no comment will be set to 'saved' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKLb file ('Single-Vuln-fail-Empty-CommentDetail.cklb') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-Empty-CommentDetail.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803417_rule', + status: 'saved', + result: 'fail', + comment: null, + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it("'fieldSettings.comment.required = optional' with allowAccept=true with a fail and no detail or comment. testing that it doesnt have a comment and is submmited", async () => { + // TEST: autostatus = submitted, testing 'fieldSettings.comment.required = optional' with allowAccept=true + // This test validates the behavior of the cklb parser function under the fieldSettings.comment.required = optional field setting with a fail and no comment or detail . + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a comment is optionally required for submission for a review that contains a finding. + // Test that with a failed review and no comment will be set to 'submitted' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKLb file ('Single-Vuln-fail-Empty-CommentDetail.cklb') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'optional' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-Empty-CommentDetail.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803417_rule', + status: 'submitted', + result: 'fail', + comment: null, + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + it("fieldSettings.comment.required = optional' with allowAccept=true with a fail and comment, testing thhat it has a comment and is submitted", async () => { + // TEST: autostatus = submitted, 'fieldSettings.comment.required = optional' with allowAccept=true + // This test validates the behavior of the cklb parser function under the fieldSettings.comment.required = optional field setting with a fail and a comment. + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a comment is optionally required for submission for a review that contains a finding. + // Test that with a failed review and a comment will be set to 'submitted' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKLb file ('Single-Vuln-fail-with-Comment.cklb') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'import', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'optional' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-fail-with-Comment.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803417_rule', + status: 'submitted', + result: 'fail', + comment: 'xyz', + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + }) + +describe(' CKLb Tests where fieldSettings and importOptions overlap. ', () => { + it("Testing where emptyDetail: 'ignore', emptyComment: 'ignore', aswell as requiring a comment and detail ", async () => { + // TEST: emptyDetail: 'ignore', emptyComment: 'ignore', fieldSettings.detail.required = always, fieldSettings.comment.required = always + // This test validates the behavior of the cklb parser function under above settings with a non compliance resilt and no comment or detail. + // Primary Focus: + // - ensuring that we will have no reviews because a brand new review will be created with "null" comment or detail with are both required. + // Test that with a failed review and a comment will be set to 'submitted' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKLb file ('Single-Vuln-fail-with-Comment.cklb') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'always' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-notReviewed-Empty-CommentDetail.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + expect(review.checklists[0].reviews).to.be.empty + }) +}) + +describe('MISC CKLb. ', () => { + it('Testing that long comment.detail is truncated ', async () => { + // NOTE: the input comment and detail are '32768' characters long + + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'always' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/Single-Vuln-Long-CommentDetail.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const maxLength = 32767 + + expect(review.checklists[0].reviews[0].detail).to.have.lengthOf(maxLength) + expect(review.checklists[0].reviews[0].comment).to.have.lengthOf(maxLength) + }) + +}) diff --git a/test/CKLBReviewParserTargetObject.test.js b/test/CKLBReviewParserTargetObject.test.js new file mode 100644 index 0000000..d698af8 --- /dev/null +++ b/test/CKLBReviewParserTargetObject.test.js 
@@ -0,0 +1,164 @@ +import chai from 'chai' +import { reviewsFromCklb } from '../ReviewParser.js' + +import fs from 'fs/promises' + +const expect = chai.expect + +// Create a helper function to read the file and generate the review object +async function generateReviewObject ( + filePath, + importOptions, + fieldSettings, + allowAccept +) { + const data = await fs.readFile(filePath, 'utf8') + return reviewsFromCklb({ + data, + + fieldSettings, + allowAccept, + importOptions + }) +} + +describe('Testing that the Target object returned by the cklb review parser is accurate', () => { + it('Testing a target asset with with a cklbRole and normal data', async () => { + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'import', + emptyComment: 'import', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', // not used + required: 'always' + }, + comment: { + enabled: 'findings', // not used + required: 'optional' + } + } + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/cklb/TargetObjectBasic.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedTarget = { + name: 'Asset', + description: 'xyz', + ip: '1.1.1.1', + fqdn: 'asset.com', + mac: '00:00:00:00:00:00', + noncomputing: true, + metadata: {} + } + + expect(review.target).to.deep.equal(expectedTarget) + }) + + it('testing a target asset with the minimum amount of fields', async () => { + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'import', + emptyComment: 'import', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', // not used + required: 'always' + }, + comment: { + enabled: 'findings', // not used + required: 'optional' + } + } + const allowAccept = true + + const filePath = + 
'./WATCHER-test-files/WATCHER/cklb/TargetObjectMinimal.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedTarget = { + name: 'Asset', + description: null, + ip: null, + fqdn: null, + mac: null, + noncomputing: false, + metadata: {} + } + + expect(review.target).to.deep.equal(expectedTarget) + }) + + it('testing a target asset with a complete set of metadata.', async () => { + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'import', + emptyComment: 'import', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', // not used + required: 'always' + }, + comment: { + enabled: 'findings', // not used + required: 'optional' + } + } + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/cklb/TargetObjectMetaData.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + const expectedTarget = { + name: 'Asset', + description: 'xyz', + ip: null, + fqdn: null, + mac: null, + noncomputing: false, + metadata: { + cklHostName: 'Asset', + cklRole: 'TestRole', + cklTechArea: 'TestTechArea', + cklWebDbInstance: 'TestWebDBInstance', + cklWebDbSite: 'TestWebDBSite', + cklWebOrDatabase: 'true' + } + } + expect(review.target).to.deep.equal(expectedTarget) + }) +}) diff --git a/test/CKLBStatisticsObject.test.js b/test/CKLBStatisticsObject.test.js new file mode 100644 index 0000000..8c214df --- /dev/null +++ b/test/CKLBStatisticsObject.test.js 
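Review bot: Every case in this file feeds `reviewsFromCklb` a well-formed fixture, so the contract for a malformed or incomplete CKLB — invalid JSON, a missing target section, an empty asset name — is left unspecified even though the parser's input is a user-supplied file. A negative case along the lines of `let err; try { await generateReviewObject('./WATCHER-test-files/WATCHER/cklb/Malformed.cklb', importOptions, fieldSettings, allowAccept) } catch (e) { err = e }` followed by `expect(err).to.be.an('error')` would pin whether the parser throws rather than returning a partial `target` (the fixture name is a suggestion; I cannot see which failures `reviewsFromCklb` raises). The third test also pins `cklWebOrDatabase` as the string `'true'` while `noncomputing` is a boolean; if metadata is meant to be a raw passthrough of CKLB strings, a comment such as `// metadata values are passed through as strings, unlike the typed top-level target fields` would stop a later reader from "fixing" one side to match the other. The `importOptions`/`fieldSettings` literals are repeated verbatim in all three `it` blocks and could be hoisted to module scope.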
@@ -0,0 +1,322 @@ +import chai from 'chai'; +import { reviewsFromCklb } from '../ReviewParser.js'; +import { XMLParser } from 'fast-xml-parser'; +import fs from 'fs/promises'; +import he from 'he'; +const expect = chai.expect +const valueProcessor = function ( + tagName, + tagValue, + jPath, + hasAttributes, + isLeafNode +) { + he.decode(tagValue) +} + +// Create a helper function to read the file and generate the review object +async function generateReviewObject ( + filePath, + importOptions, + fieldSettings, + allowAccept +) { + const data = await fs.readFile(filePath, 'utf8') + return reviewsFromCklb({ + data, + importOptions, + fieldSettings, + allowAccept, + valueProcessor, + XMLParser + }) +} + + +describe('Testing that the CKLb Review Parser will return the correct figures in the Statistics object', () => { + it('unreviewed: commented, unreviewedCommented: informational, has comments/detail', async () => { + // will import commented unreviewed findings as informational + // expecting to see 1 informational finding + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/cklb/GoodStatistics.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedStats = { + pass: 2, + fail: 2, + notapplicable: 2, + notchecked: 0, + notselected: 0, + informational: 1, + error: 0, + fixed: 0, + unknown: 0 + } + + expect(review.checklists[0].stats).to.deep.equal(expectedStats) + }) + + it('unreviewed: commented, unreviewedCommented: notchecked, has comments/detail', async () => { + // will import commented unreviewed findings as 
notchecked + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'notchecked', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/cklb/GoodStatistics.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedStats = { + pass: 2, + fail: 2, + notapplicable: 2, + notchecked: 1, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + } + + expect(review.checklists[0].stats).to.deep.equal(expectedStats) + }) + + it('unreviewed: always, unreviewedCommented: informational, has comments/detail', async () => { + // will always import unreviewed findings and unreviewed with a commment/detail is informational + const importOptions = { + autoStatus: 'saved', + unreviewed: 'always', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/cklb/GoodStatistics.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + const expectedStats = { + pass: 2, + fail: 2, + notapplicable: 2, + notchecked: 1, + notselected: 0, + informational: 1, + error: 0, + fixed: 0, + unknown: 0 + } + + expect(review.checklists[0].stats).to.deep.equal(expectedStats) + }) + + it('unreviewed: always, unreviewedCommented: notchecked, has comments/detail', async () => { + // will always import unreviewed findings and unreviewed with a commment/detail is notchecked 
+ const importOptions = { + autoStatus: 'saved', + unreviewed: 'always', + unreviewedCommented: 'notchecked', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/cklb/GoodStatistics.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + const expectedStats = { + pass: 2, + fail: 2, + notapplicable: 2, + notchecked: 2, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + } + + expect(review.checklists[0].stats).to.deep.equal(expectedStats) + }) + + it(' unreviewed: never, unreviewedCommented: informational, has comments/detail', async () => { + // will never import unreviewed findings + const importOptions = { + autoStatus: 'saved', + unreviewed: 'never', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/cklb/GoodStatistics.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedStats = { + pass: 2, + fail: 2, + notapplicable: 2, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + } + + expect(review.checklists[0].stats).to.deep.equal(expectedStats) + }) + + it(' unreviewed: never, unreviewedCommented: notchecked', async () => { + // will never import unreviewed findings + const importOptions = { + autoStatus: 'saved', + unreviewed: 'never', + unreviewedCommented: 'notchecked', + emptyDetail: 'replace', + 
emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/cklb/GoodStatistics.cklb' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + const expectedStats = { + pass: 2, + fail: 2, + notapplicable: 2, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + } + + expect(review.checklists[0].stats).to.deep.equal(expectedStats) + }) +}) diff --git a/test/CKLMultiStig.test.js b/test/CKLMultiStig.test.js new file mode 100644 index 0000000..d43c5dd --- /dev/null +++ b/test/CKLMultiStig.test.js 
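Review bot: `valueProcessor` at the top of this file calls `he.decode(tagValue)` but never returns the result, so the callback yields `undefined` and the decoded text is discarded; the fix is `return he.decode(tagValue)`. Whether this matters for CKLB depends on what `reviewsFromCklb` does with `valueProcessor` and `XMLParser` for a JSON checklist — the helper in CKLBReviewParserTargetObject.test.js omits both and calls the same function, so they may be ignored here, but the identical no-op processor is also copied into the CKL test file, where an XML value processor is presumably consulted. A processor that silently does nothing is worse than none, because these tests then cannot catch an entity-decoding regression in the parser and would keep passing on raw `&amp;`-style text. Consider also trimming the signature to the two parameters actually used, `(tagName, tagValue)`, so the unused `jPath`, `hasAttributes` and `isLeafNode` do not read as an oversight.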
@@ -0,0 +1,1038 @@ +import chai from 'chai'; +import { reviewsFromCkl } from '../ReviewParser.js'; +import { XMLParser } from 'fast-xml-parser'; +import fs from 'fs/promises'; +import he from 'he'; + +const expect = chai.expect; + +// Your valueProcessor function and generateReviewObject function remain the same + +// ... rest of the code ... + +const valueProcessor = function ( + tagName, + tagValue, + jPath, + hasAttributes, + isLeafNode +) { + he.decode(tagValue) +} + +// Create a helper function to read the file and generate the review object +async function generateReviewObject ( + filePath, + importOptions, + fieldSettings, + allowAccept +) { + const data = await fs.readFile(filePath, 'utf8') + return reviewsFromCkl({ + data, + importOptions, + fieldSettings, + allowAccept, + valueProcessor, + XMLParser + }) +} + + +describe('Object Value Testing CKL Review Objects with Multi-Stig. ', () => { + it('testing stats and review objects with default settings for object accuracy', async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReviews = [ + { + ruleId: 'SV-5_rule', + result: 'pass', + detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, + { + ruleId: 'SV-4_rule', + result: 'fail', + detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, + { + ruleId: 'SV-3_rule', + result: 'notapplicable', + 
detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, + undefined, + { + ruleId: 'SV-1_rule', + result: 'informational', + detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null, + status: 'saved' + } + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.reviews[0]).to.deep.equal(expectedReviews[index]) + } + }) + + it('testing stats and review objects autoStatus = null for accuracy', async () => { + const importOptions = { + autoStatus: 'null', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReviews = [ + { + ruleId: 'SV-5_rule', + result: 'pass', + detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null + }, + { + ruleId: 'SV-4_rule', + result: 'fail', + detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null + }, + { + ruleId: 'SV-3_rule', + result: 'notapplicable', + detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null + }, + undefined, + { + ruleId: 'SV-1_rule', + result: 'informational', + detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null + } + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.reviews[0]).to.deep.equal(expectedReviews[index]) + } + }) + + it('testing stats and review objects autoStatus = submitted, testing object for 
accuracy', async () => { + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReviews = [ + { + ruleId: 'SV-5_rule', + result: 'pass', + detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null, + status: 'submitted' + }, + { + ruleId: 'SV-4_rule', + result: 'fail', + detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null, + status: 'submitted' + }, + { + ruleId: 'SV-3_rule', + result: 'notapplicable', + detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null, + status: 'submitted' + }, + undefined, + { + ruleId: 'SV-1_rule', + result: 'informational', + detail: 'There is no detail provided for the assessment', + comment: 'xyz', + resultEngine: null, + status: 'saved' + } + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.reviews[0]).to.deep.equal(expectedReviews[index]) + } + }) + + it("testing stats and review objects 'unreviewed = commented' testing that we only import unreviwred rules that contain a comment or detail ", async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const 
allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReviews = [ + { + ruleId: 'SV-5_rule', + result: 'pass', + detail: null, + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, + { + ruleId: 'SV-4_rule', + result: 'fail', + detail: null, + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, + { + ruleId: 'SV-3_rule', + result: 'notapplicable', + detail: null, + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, + undefined, + { + ruleId: 'SV-1_rule', + result: 'informational', + detail: null, + comment: 'xyz', + resultEngine: null, + status: 'saved' + } + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.reviews[0]).to.deep.equal(expectedReviews[index]) + } + }) + + it(" testing stats and review objects'unreviewed = never' testing to never import an unreviewed item ", async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 'never', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + const expectedReviews = [ + { + ruleId: 'SV-5_rule', + result: 'pass', + detail: null, + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, + { + ruleId: 'SV-4_rule', + result: 'fail', + detail: null, + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, + { + ruleId: 'SV-3_rule', + result: 'notapplicable', + detail: null, + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, 
+ undefined, + undefined + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.reviews[0]).to.deep.equal(expectedReviews[index]) + } + }) + + it(" testing stats and review objects 'unreviewedComment = informational' testing that an unreviewed item with a comment has a result of informational", async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReviews = [ + { + ruleId: 'SV-5_rule', + result: 'pass', + detail: null, + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, + { + ruleId: 'SV-4_rule', + result: 'fail', + detail: null, + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, + { + ruleId: 'SV-3_rule', + result: 'notapplicable', + detail: null, + comment: 'xyz', + resultEngine: null, + status: 'saved' + }, + undefined, + { + ruleId: 'SV-1_rule', + result: 'informational', + detail: null, + comment: 'xyz', + resultEngine: null, + status: 'saved' + } + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.reviews[0]).to.deep.equal(expectedReviews[index]) + } + }) +}) + +describe('Object Value Testing CKL Stats Objects with Multi-Stig. 
', () => { + it('testing stats and review objects with default settings for object accuracy', async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedStats = [ + { + pass: 1, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 1, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 1, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 1, + error: 0, + fixed: 0, + unknown: 0 + } + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.stats).to.deep.equal(expectedStats[index]) + } + }) + + it('testing stats and review objects autoStatus = null for accuracy', async () => { + const importOptions = { + autoStatus: 'null', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const 
allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedStats = [ + { + pass: 1, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 1, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 1, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 1, + error: 0, + fixed: 0, + unknown: 0 + } + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.stats).to.deep.equal(expectedStats[index]) + } + }) + + it('testing stats and review objects autoStatus = submitted, testing object for accuracy', async () => { + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedStats = [ + { + pass: 1, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 1, + notapplicable: 0, + notchecked: 0, 
+ notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 1, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 1, + error: 0, + fixed: 0, + unknown: 0 + } + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.stats).to.deep.equal(expectedStats[index]) + } + }) + + it("testing stats and review objects 'unreviewed = commented' testing that we only import unreviwred rules that contain a comment or detail ", async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedStats = [ + { + pass: 1, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 1, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 1, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + 
notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 1, + error: 0, + fixed: 0, + unknown: 0 + } + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.stats).to.deep.equal(expectedStats[index]) + } + }) + + it(" testing stats and review objects'unreviewed = never' testing to never import an unreviewed item ", async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 'never', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + const expectedStats = [ + { + pass: 1, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 1, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 1, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + } + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.stats).to.deep.equal(expectedStats[index]) + } + }) + + it(" testing stats and review objects 'unreviewedComment = informational' testing that an unreviewed item with a comment has a result of informational", async () => { + const 
importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/MultiStig-Simple.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedStats = [ + { + pass: 1, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 1, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 1, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 0, + error: 0, + fixed: 0, + unknown: 0 + }, + { + pass: 0, + fail: 0, + notapplicable: 0, + notchecked: 0, + notselected: 0, + informational: 1, + error: 0, + fixed: 0, + unknown: 0 + } + ] + + for (const [index, expected] of review.checklists.entries()) { + expect(expected.stats).to.deep.equal(expectedStats[index]) + } + }) +}) + \ No newline at end of file diff --git a/test/CKLReviewParserChecklistArray.test.js b/test/CKLReviewParserChecklistArray.test.js new file mode 100644 index 0000000..21340a8 --- /dev/null +++ b/test/CKLReviewParserChecklistArray.test.js 
@@ -0,0 +1,139 @@ +import chai from 'chai'; +import { reviewsFromCkl } from '../ReviewParser.js'; +import { XMLParser } from 'fast-xml-parser'; +import fs from 'fs/promises'; +import he from 'he'; + +const expect = chai.expect; + +const valueProcessor = function ( + tagName, + tagValue, + jPath, + hasAttributes, + isLeafNode +) { + he.decode(tagValue) +} + +// Create a helper function to read the file and generate the review object +async function generateReviewObject ( + filePath, + importOptions, + fieldSettings, + allowAccept +) { + const data = await fs.readFile(filePath, 'utf8') + return reviewsFromCkl({ + data, + importOptions, + fieldSettings, + allowAccept, + valueProcessor, + XMLParser + }) +} + + +describe('CKL Checklist array testing for correct benchmarkId and revisionStr', () => { + it("testing that 'checklist' xml elements benchmarkId and revisionStr are parsed", async () => { + // TEST: ensure that the checklist array is populated with the correct benchmarkId and revisionStr + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'import', + emptyComment: 'import', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', // not used + required: 'always' + }, + comment: { + enabled: 'findings', // not used + required: 'optional' + } + } + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Asset_a-VPN_TRUNCATED-V2R5.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + // console.log(JSON.stringify(review, null, 2)) + + expect(review.checklists).to.be.an('array') + expect(review.checklists.length).to.equal(1) + expect(review.checklists[0].benchmarkId).to.equal('VPN_TRUNCATED') + expect(review.checklists[0].revisionStr).to.equal('V2R5') + }) + + it('A multi-stig Checklist array testing for correct benchmarkId and revisionStr', async () => { + // TEST: 
ensure that the checklist array is populated with the correct benchmarkId and revisionStr + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'import', + emptyComment: 'import', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', // not used + required: 'always' + }, + comment: { + enabled: 'findings', // not used + required: 'optional' + } + } + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/Asset_b-multi-stig.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedChecklists = [ + { + benchmarkId: 'RHEL_8_TRUNCATED', + revisionStr: 'V1R12' + }, + { + benchmarkId: 'RHEL_9_TRUNCATED', + revisionStr: 'V1R1' + }, + { + benchmarkId: 'VPN_TRUNCATED', + revisionStr: 'V2R5' + } + ] + + expect(review.checklists).to.be.an('array') + expect(review.checklists.length).to.equal(expectedChecklists.length) + + for (const [index, expected] of expectedChecklists.entries()) { + expect(review.checklists[index].benchmarkId).to.equal( + expected.benchmarkId + ) + expect(review.checklists[index].revisionStr).to.equal( + expected.revisionStr + ) + } + }) +}) diff --git a/test/CKLReviewParserError.test.js b/test/CKLReviewParserError.test.js new file mode 100644 index 0000000..9dbccdd --- /dev/null +++ b/test/CKLReviewParserError.test.js 
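Review bot: `valueProcessor` near the top of this hunk discards its result — the body is `he.decode(tagValue)` with no `return`, so the callback always yields `undefined`. If fast-xml-parser falls back to the raw text when `tagValueProcessor` returns `undefined` (how I read its v4 behaviour; worth confirming against the installed version), the entity decoding the helper exists for never takes effect and any XML entities in the fixture text reach `reviewsFromCkl` still encoded, so these tests do not exercise the decoded path the production caller presumably uses. The one-line fix is `return he.decode(tagValue)`. The same helper and the `generateReviewObject` wrapper are copied verbatim into `test/CKLReviewParserError.test.js` and `test/CKLReviewParserReviewObject.test.js` in this commit; moving both into one shared test-helper module would let this fix and any future option changes land once, and the unused `jPath`, `hasAttributes` and `isLeafNode` parameters could then be dropped or underscore-prefixed to show they are intentionally ignored.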
@@ -0,0 +1,229 @@ +import chai from 'chai'; +import { reviewsFromCkl } from '../ReviewParser.js'; +import { XMLParser } from 'fast-xml-parser'; +import fs from 'fs/promises'; +import he from 'he'; + +const expect = chai.expect; + +const valueProcessor = function ( + tagName, + tagValue, + jPath, + hasAttributes, + isLeafNode +) { + he.decode(tagValue) +} + +// Create a helper function to read the file and generate the review object +async function generateReviewObject ( + filePath, + importOptions, + fieldSettings, + allowAccept +) { + const data = await fs.readFile(filePath, 'utf8') + return reviewsFromCkl({ + data, + importOptions, + fieldSettings, + allowAccept, + valueProcessor, + XMLParser + }) +} + + +describe('testing CKL XML element errors', () => { + it('XML with no "CHECKLIST, should throw "No CHECKLIST element"', async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/NoCHECKLISTelement.ckl' + + const data = await fs.readFile(filePath, 'utf8') + + expect(() => + reviewsFromCkl({ + data, + importOptions, + fieldSettings, + allowAccept, + valueProcessor, + XMLParser + }) + ).to.throw('No CHECKLIST element') + }) + it('XML with no "ASSET", should throw "No ASSET element"', async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = 
'./WATCHER-test-files/WATCHER/ckl/NoASSETelement.ckl' + + const data = await fs.readFile(filePath, 'utf8') + + expect(() => + reviewsFromCkl({ + data, + importOptions, + fieldSettings, + allowAccept, + valueProcessor, + XMLParser + }) + ).to.throw('No ASSET element') + }) + it('XML with no "STIGS", should throw "No STIGS element"', async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/NoSTIGSelement.ckl' + + const data = await fs.readFile(filePath, 'utf8') + + expect(() => + reviewsFromCkl({ + data, + importOptions, + fieldSettings, + allowAccept, + valueProcessor, + XMLParser + }) + ).to.throw('No STIGS element') + }) + it('XML with no "host_name in ASSET", should throw "No host_name in ASSET"', async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/noHost_NameElement.ckl' + + const data = await fs.readFile(filePath, 'utf8') + + expect(() => + reviewsFromCkl({ + data, + importOptions, + fieldSettings, + allowAccept, + valueProcessor, + XMLParser + }) + ).to.throw('No host_name in ASSET') + }) + it('XML with no "SI_DATA for SID_NAME = stigId", should throw "STIG_INFO element has no SI_DATA for SID_NAME == stigId"', async () => { + const importOptions = { + autoStatus: 'saved', + unreviewed: 
'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/NoSID_DATAforStigId.ckl' + + const data = await fs.readFile(filePath, 'utf8') + + expect(() => + reviewsFromCkl({ + data, + importOptions, + fieldSettings, + allowAccept, + valueProcessor, + XMLParser + }) + ).to.throw('STIG_INFO element has no SI_DATA for SID_NAME == stigId') + }) +}) diff --git a/test/CKLReviewParserReviewObject.test.js b/test/CKLReviewParserReviewObject.test.js new file mode 100755 index 0000000..2072570 --- /dev/null +++ b/test/CKLReviewParserReviewObject.test.js 
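Review bot: `generateReviewObject` is defined at the top of this hunk but never called — every test in the `describe` block reads the fixture with `fs.readFile` and invokes `reviewsFromCkl` inside `expect(() => ...)` directly, which is the correct shape for `to.throw` given the parser is synchronous here. The unused helper should be removed from this file (or the tests rewritten to call it and assert on the rejection), since a dead copy will drift from the one in the other test files. The first `it` title is also missing a closing quote: `'XML with no "CHECKLIST", should throw "No CHECKLIST element"'`. Note that `to.throw('...')` with a string is a substring match, so these assertions still pass if the parser's message gains a prefix or suffix; if the exact messages are part of the contract, catch the error and compare `err.message` with `.to.equal`.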
@@ -0,0 +1,2152 @@ +import chai from 'chai'; +import { reviewsFromCkl } from '../ReviewParser.js'; +import { XMLParser } from 'fast-xml-parser'; +import fs from 'fs/promises'; +import he from 'he'; + +const expect = chai.expect; + +const valueProcessor = function ( + tagName, + tagValue, + jPath, + hasAttributes, + isLeafNode +) { + he.decode(tagValue) +} + +// Create a helper function to read the file and generate the review object +async function generateReviewObject ( + filePath, + importOptions, + fieldSettings, + allowAccept +) { + const data = await fs.readFile(filePath, 'utf8') + return reviewsFromCkl({ + data, + importOptions, + fieldSettings, + allowAccept, + valueProcessor, + XMLParser + }) +} + + +describe('Import Options, allowAccept for a CKL review object in non multi-stig', () => { + it('DEFAULT SETTINGS: Primarily testing review "status = saved"', async () => { + // Test: DEFAULT SETTINGS + // This test validates the behavior of the ckl parser function under default settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'saved'. + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // These checks ensure that not only is the 'status' property set as expected, but also that + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. + // The test utilizes a sample CKL file ('Single-Vuln-notReviewed-Commented-Detailed.ckl') to simulate a real-world scenario. 
+ + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Commented-Detailed.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-257777r925318_rule', + status: 'saved', + result: 'informational', + comment: 'xyz', + detail: 'xyz' + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it('autoStatus = null (keep exisiting), testing that all review statuses do not exist', async () => { + // Test: autoStatus = null + // This test validates the behavior of the ckl parser function under the 'autoStatus = null' setting. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to null (doesnt exist). + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'ruleId', 'result', 'comment', and 'detail'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. + // The test utilizes a sample CKL file ('Single-Vuln-notReviewed-Commented-Detailed.ckl') to simulate a real-world scenario. 
+ const importOptions = { + autoStatus: 'null', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Commented-Detailed.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-257777r925318_rule', + result: 'informational', + comment: 'xyz', + detail: 'xyz' + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + + expect(review.checklists[0].reviews[0].status).to.not.exist + }) + + it('autoStatus = submitted, testing if reviews are set to "submitted" if valid or "saved" if not valid. Determined by field settings and result', async () => { + // Test: autoStatus = submitted + // This test validates the behavior of the ckl parser function under the autoStatus = submitted setting coupled with out field settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'submitted' if valid or 'saved' if not valid. + // Secondary Focus: + // - Verifying the accuracy of other review properties including ruleId 'result', 'comment', and 'detail'. + // These checks ensure that not only is the 'status' property set as expected, but also that + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. + // The test utilizes a sample CKL file ('Single-Vuln-notReviewed-Commented-Detailed.ckl') to simulate a real-world scenario. 
+ const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Asset_a-VPN_TRUNCATED-V2R5.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + // expected statuses for each rule + const expectedStatuses = { + 'SV-207184r695317_rule': 'submitted', + 'SV-207185r608988_rule': 'saved', + 'SV-207186r608988_rule': 'submitted', + 'SV-207187r608988_rule': 'saved', + 'SV-207188r608988_rule': 'submitted', + 'SV-207189r608988_rule': 'saved', + 'SV-207190r803417_rule': 'submitted', + 'SV-207191r803418_rule': 'submitted' + } + + const expectedComments = { + 'SV-207184r695317_rule': null, + 'SV-207185r608988_rule': null, + 'SV-207186r608988_rule': null, + 'SV-207187r608988_rule': null, + 'SV-207188r608988_rule': null, + 'SV-207189r608988_rule': null, + 'SV-207190r803417_rule': null, + 'SV-207191r803418_rule': 'xyz' + } + + const expectedDetails = { + 'SV-207184r695317_rule': 'xyz', + 'SV-207185r608988_rule': 'xyz', + 'SV-207186r608988_rule': 'xyz', + 'SV-207187r608988_rule': 'xyz', + 'SV-207188r608988_rule': 'xyz', + 'SV-207189r608988_rule': 'xyz', + 'SV-207190r803417_rule': 'xyz', + 'SV-207191r803418_rule': 'xyz' + } + + // ensuring that each review has a status that matches the expected status + for (const checklist of review.checklists) { + for (const reviewItem of checklist.reviews) { + const expectedStatus = expectedStatuses[reviewItem.ruleId] + const expectedComment = expectedComments[reviewItem.ruleId] + const expectedDetail = expectedDetails[reviewItem.ruleId] + expect(reviewItem.status).to.equal(expectedStatus) + 
expect(reviewItem.comment).to.equal(expectedComment) + expect(reviewItem.detail).to.equal(expectedDetail) + } + } + }) + + it('autoStatus = submitted, testing that we will set status to saved if does not meet field settings requirements', async () => { + // Test: autoStatus = submitted + // This test validates the behavior of the ckl parser function under the autoStatus = submitted setting coupled with our field settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'saved' if not valid. + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail'. + // These checks ensure that not only is the 'status' property set as expected, but also that + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. + // The test utilizes a sample CKL file ('Single-Vuln-notReviewed-Commented-Detailed.ckl') to simulate a real-world scenario. 
+ const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Commented-Detailed.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + const expectedReview = { + ruleId: 'SV-257777r925318_rule', + status: 'saved', + result: 'informational', + comment: 'xyz', + detail: 'xyz' + } + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it('(autoStatus = accepted, allowAccept = true) for permissions to use accepted status', async () => { + // Test: autoStatus = accepted, allowAccept = true + // This test validates the behavior of the ckl parser function under the autoStatus = accepted, allowAccept = true settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'submitted' if the user does not have permissions + // or 'accepted' if the user does have permissions (permissions are determined by the 'allowAccept' option). + // note: if not accepted or submitted, it will be saved because review did not meet the field settings requirements + // note: in this test we will have permissions to accept reviews + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // These checks ensure that not only is the 'status' property set as expected, but also that + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKL file ('Asset_a-VPN_TRUNCATED-V2R5.ckl'') to simulate a real-world scenario. + + const importOptions = { + autoStatus: 'accepted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + const filePath = + './WATCHER-test-files/WATCHER/ckl/Asset_a-VPN_TRUNCATED-V2R5.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + // expected statuses for each rule + const expectedStatuses = { + 'SV-207184r695317_rule': 'accepted', + 'SV-207185r608988_rule': 'saved', + 'SV-207186r608988_rule': 'accepted', + 'SV-207187r608988_rule': 'saved', + 'SV-207188r608988_rule': 'accepted', + 'SV-207189r608988_rule': 'saved', + 'SV-207190r803417_rule': 'accepted', + 'SV-207191r803418_rule': 'accepted' + } + const expectedComments = { + 'SV-207184r695317_rule': null, + 'SV-207185r608988_rule': null, + 'SV-207186r608988_rule': null, + 'SV-207187r608988_rule': null, + 'SV-207188r608988_rule': null, + 'SV-207189r608988_rule': null, + 'SV-207190r803417_rule': null, + 'SV-207191r803418_rule': 'xyz' + } + + const expectedDetails = { + 'SV-207184r695317_rule': 'xyz', + 'SV-207185r608988_rule': 'xyz', + 'SV-207186r608988_rule': 'xyz', + 'SV-207187r608988_rule': 'xyz', + 'SV-207188r608988_rule': 'xyz', + 'SV-207189r608988_rule': 'xyz', + 'SV-207190r803417_rule': 'xyz', + 'SV-207191r803418_rule': 'xyz' + } + + // ensuring that each review has a status that matches the expected status + for (const reviewItem of review.checklists[0].reviews) { + const expectedStatus = expectedStatuses[reviewItem.ruleId] + const expectedComment = expectedComments[reviewItem.ruleId] + const expectedDetail = expectedDetails[reviewItem.ruleId] + + 
expect(reviewItem).to.have.property('ruleId') + expect(expectedStatuses).to.have.property(reviewItem.ruleId) + expect(expectedComments).to.have.property(reviewItem.ruleId) + expect(expectedDetails).to.have.property(reviewItem.ruleId) + expect(reviewItem.status).to.equal(expectedStatus) + expect(reviewItem.comment).to.equal(expectedComment) + expect(reviewItem.detail).to.equal(expectedDetail) + } + }) + it('(autoStatus = accepted allowAccept = false) for permissions to use submitted status', async () => { + // Test: autoStatus = accepted, allowAccept = false + // This test validates the behavior of the ckl parser function under the autoStatus = accepted, allowAccept = false settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'submitted' if the user does not have permissions + // or 'accepted' if the user does have permissions (permissions are determined by the 'allowAccept' option). + // note: if not accepted or submitted, it will be saved because review did not meet the field settings requirements + // note: in this test we will NOT have permissions to accept reviews (we should see submitted) + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // These checks ensure that not only is the 'status' property set as expected, but also that + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. + // The test utilizes a sample CKL file ('Asset_a-VPN_TRUNCATED-V2R5.ckl'') to simulate a real-world scenario. 
+ const importOptions = {
+ autoStatus: 'accepted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = false
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Asset_a-VPN_TRUNCATED-V2R5.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ // expected statuses for each rule
+ const expectedStatuses = {
+ 'SV-207184r695317_rule': 'submitted',
+ 'SV-207185r608988_rule': 'saved',
+ 'SV-207186r608988_rule': 'submitted',
+ 'SV-207187r608988_rule': 'saved',
+ 'SV-207188r608988_rule': 'submitted',
+ 'SV-207189r608988_rule': 'saved',
+ 'SV-207190r803417_rule': 'submitted',
+ 'SV-207191r803418_rule': 'submitted'
+ }
+ const expectedComments = {
+ 'SV-207184r695317_rule': null,
+ 'SV-207185r608988_rule': null,
+ 'SV-207186r608988_rule': null,
+ 'SV-207187r608988_rule': null,
+ 'SV-207188r608988_rule': null,
+ 'SV-207189r608988_rule': null,
+ 'SV-207190r803417_rule': null,
+ 'SV-207191r803418_rule': 'xyz'
+ }
+
+ const expectedDetails = {
+ 'SV-207184r695317_rule': 'xyz',
+ 'SV-207185r608988_rule': 'xyz',
+ 'SV-207186r608988_rule': 'xyz',
+ 'SV-207187r608988_rule': 'xyz',
+ 'SV-207188r608988_rule': 'xyz',
+ 'SV-207189r608988_rule': 'xyz',
+ 'SV-207190r803417_rule': 'xyz',
+ 'SV-207191r803418_rule': 'xyz'
+ }
+
+ // ensuring that each review has a status that matches the expected status
+ for (const reviewItem of review.checklists[0].reviews) {
+ const expectedStatus = expectedStatuses[reviewItem.ruleId]
+ const expectedComment = expectedComments[reviewItem.ruleId]
+ const expectedDetail = expectedDetails[reviewItem.ruleId]
+
+ expect(reviewItem).to.have.property('ruleId')
+ expect(expectedStatuses).to.have.property(reviewItem.ruleId)
+ expect(expectedComments).to.have.property(reviewItem.ruleId)
+ expect(expectedDetails).to.have.property(reviewItem.ruleId)
+ expect(reviewItem.status).to.equal(expectedStatus)
+ expect(reviewItem.comment).to.equal(expectedComment)
+ expect(reviewItem.detail).to.equal(expectedDetail)
+ }
+ })
+
+ it("'unreviewed = commented' testing that we only import unreviwred rules that contain a comment or detail ", async () => {
+ // Test: unreviewed = commented
+ // This test validates the behavior of the ckl parser function under the unreviewed = commented settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' correctly imports only reviews with a non complience result that contain a comment and or detail.
+ // note this test will have a review with a comment and detail
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-notReviewed-Commented-Detailed.ckl') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Commented-Detailed.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-257777r925318_rule',
+ status: 'saved',
+ result: 'informational',
+ comment: 'xyz',
+ detail: 'xyz'
+ }
+ // check that review has a comment or detail and exists
+ expect(review.checklists[0].reviews[0]).to.exist
+ expect(
+ review.checklists[0].reviews[0].detail ||
+ review.checklists[0].reviews[0].comment
+ ).to.not.be.null
+ // secondary check that review matches expected review object
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'unreviewed = commented' testing that we only import unreviwred rules that contain a comment or detail but giving a review without either", async () => {
+ // Test: unreviewed = commented
+ // This test validates the behavior of the ckl parser function under the unreviewed = commented settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' correctly imports only reviews with a non complience result that contain a comment and or detail.
+ // note this test will not have any reviews because there will be no comment/detail
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-notReviewed-Commented-Detailed.ckl') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Empty-CommentDetail.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ // check that review has a comment or detail and exisits
+ expect(review.checklists[0].reviews).to.be.empty
+ })
+
+ it("'unreviewed = always', testing that unreviewed always are import ", async () => {
+ // Test: unreviewed = always
+ // This test validates the behavior of the ckl parser function under the unreviewed = always settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' correctly imports all reviews without a compliance result and if they have a comment
+ // or detail they will be labeled as informational.
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-notReviewed-Commented-Detailed.ckl') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'always',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Commented-Detailed.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-257777r925318_rule',
+ status: 'saved',
+ result: 'informational',
+ comment: 'xyz',
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'unreviewed = always', testing that unreviewed always are import ", async () => {
+ // Test: unreviewed = always
+ // This test validates the behavior of the ckl parser function under the unreviewed = always settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' correctly imports all reviews without a compliance result
+ // and without comment or detail to be labled as notchecked.
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // These checks ensure that not only is the 'status' property set as expected, but also that
+ // The test utilizes a sample CKL file ('Single-Vuln-notReviewed-Empty-CommentDetail.ckl') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'always',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Empty-CommentDetail.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedReview = {
+ ruleId: 'SV-257777r925318_rule',
+ status: 'saved',
+ result: 'notchecked',
+ comment: null,
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it(" 'unreviewed = never' testing to never import an unreviewed item ", async () => {
+ // Test: unreviewed = never
+ // This test validates the behavior of the ckl parser function under the unreviewed = never settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' ignores reviews without a compliance result (Nf/na/o)
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-notReviewed-Empty-CommentDetail.ckl') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'never',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Empty-CommentDetail.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ expect(review.checklists[0].reviews).to.be.empty
+ })
+
+ it("'unreviewedComment = informational' testing that an unreviewed item with a comment has a result of informational", async () => {
+ // Test: unreviewedComment = informational
+ // This test validates the behavior of the ckl parser function under the unreviewedComment = informational settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' correctly labels a review without a compliance result..
+ // and with a comment or detail as informational.
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-notReviewed-Commented-Detailed.ckl') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Commented-Detailed.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-257777r925318_rule',
+ status: 'saved',
+ result: 'informational',
+ comment: 'xyz',
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it(" 'unreviewedComment = notchecked'. testing that an unreviewed with a comment has a result of notchecked", async () => {
+ // Test: unreviewedComment = notchecked
+ // This test validates the behavior of the ckl parser function under the unreviewedComment = notchecked settings.
+ // Primary Focus:
+ // - Ensuring that the 'unreviewed' option in 'importOptions' correctly labels a review without a compliance result..
+ // and with a comment or detail as notchecked.
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-notReviewed-Commented-Detailed.ckl') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Commented-Detailed.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedReview = {
+ ruleId: 'SV-257777r925318_rule',
+ status: 'saved',
+ result: 'notchecked',
+ comment: 'xyz',
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'emptyDetail = replace' testing that if an item has an empty detail we will replace it with a static message", async () => {
+ // Test: emptyDetail = replace
+ // This test validates the behavior of the ckl parser function under the emptyDetail = replace settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly replaces an empty detail with a static message. "There is no detail provided for the assessment"
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-Pass-With-Comment.ckl') to simulate a real-world scenario.
+
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Comment.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: 'xyz',
+ detail: 'There is no detail provided for the assessment'
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'emptyDetail = ignore' testing that if there is no detail provided it will retaing exisiting, if no exisitng then we will set to null", async () => {
+ // Test: emptyDetail = ignore
+ // This test validates the behavior of the ckl parser function under the emptyDetail = ignore settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly replaces an empty detail a null value
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-Pass-With-Comment.ckl') to simulate a real-world scenario.
+
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Comment.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: 'xyz',
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'emptyDetail = import', testing empty detail will clear existing text (setting it to empty string)", async () => {
+ // Test: emptyDetail = import
+ // This test validates the behavior of the ckl parser function under the emptyDetail = import settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly replaces an empty detail an empty string if no detail is provided
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-Pass-With-Comment.ckl') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Comment.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: 'xyz',
+ detail: ''
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it(" 'emptyDetail = import' testing that a review with a detail provided will be applied", async () => {
+ // Test: emptyDetail = import
+ // This test validates the behavior of the ckl parser function under the emptyDetail = import settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly uses the exisisitng detail if one is provided
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-Pass-With-Detail.ckl') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Detail.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: null,
+ detail: 'xyz'
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'emptyComment = replace' testing that if an item has an empty comment we will replace it with a static message", async () => {
+ // Test: emptyComment = replace
+ // This test validates the behavior of the ckl parser function under the emptyComment = replace settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyComment' option in 'importOptions' correctly replaces an empty comment with a static message. "There is no comment provided for the assessment"
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-Pass-With-Detail.ckl') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'replace',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Detail.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: 'There is no comment provided for the assessment',
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'emptyComment = ignore' testing that we will use exisitng text, if none use null", async () => {
+ // Test: emptyComment = ignore
+ // This test validates the behavior of the ckl parser function under the emptyComment = ignore settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyComment' option in 'importOptions' correctly replaces an empty comment a null value
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-Pass-With-Comment.ckl') to simulate a real-world scenario.
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Detail.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: null,
+ detail: 'xyz'
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'emptyComment = import', will clear eixsitng with an empty string if no comment given ", async () => {
+ // Test: emptyComment = import
+ // This test validates the behavior of the ckl parser function under the emptyComment = import settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyComment' option in 'importOptions' correctly replaces an empty comment an empty string: ""
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-Pass-With-Detail.ckl')
+
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Detail.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: '',
+ detail: 'xyz'
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'emptyComment = import', testing a review with a comment provided in the ckl to make sure we get it back in the review ", async () => {
+ // Test: emptyComment = import
+ // This test validates the behavior of the ckl parser function under the emptyComment = import settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyComment' option in 'importOptions' correctly uses the exisisitng comment if one is provided
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-Pass-With-Detail.ckl')
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Comment.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'saved',
+ result: 'pass',
+ comment: 'xyz',
+ detail: null
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+})
+
+describe('fieldSettings testing for a CKL review object in non multi-stig', () => {
+ it("DEFAULT FIELD SETTINGS with allowAccept=true and a passing review, testing that it has a detail and is 'submitted'", async () => {
+ // Test: autostatus = submitted, default field settings.
+ // This test validates the behavior of the ckl parser function under the default field settings.
+ // Primary Focus:
+ // - Ensuring that the 'autoStatus' option in 'importOptions' correctly ensures that a detail is required for a review to be submitted.
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-Pass-With-Detail.ckl')
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Detail.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'submitted',
+ result: 'pass',
+ comment: '',
+ detail: 'xyz'
+ }
+
+ // expected status is submitted for the rule that has a detail
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it('DEFAULT FIELD SETTINGS with allowAccept=true and a failing review with no detail.', async () => {
+ //autostatus = submitted, testing default field settings with allowAccept=true
+ // This test validates the behavior of the ckl parser function under the default field setting with a fail and a no detail.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a detail is always required for submission for a review.
+ // Test that with a failing review and no detail exisiting and it will be set to 'saved'
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-fail-With-Detail.ckl')
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'always', // not used
+ required: 'always'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-Empty-CommentDetail.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'saved',
+ result: 'fail',
+ comment: null,
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it('fieldSettings.detail.required = findings with allowAccept=true with a failing review containing a detail', async () => {
+ // Test: autostatus = submitted, default field settings.
+ // This test validates the behavior of the ckl parser function under the fieldSettings.detail.required = findings field settings.
+ // Primary Focus:
+ // - Ensuring that the 'autoStatus' option in 'importOptions' correctly ensures that a detail is required for a review that has findings to be submitted.
+ // Test that a failing review with a detail will be submitted
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-Pass-With-Detail.ckl')
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'findings'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-With-Detail.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'submitted',
+ result: 'fail',
+ comment: '',
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'fieldSettings.detail.required = findings' with allowAccept=true with a fail and no detail or comment", async () => {
+ // Test: autostatus = submitted, testing 'fieldSettings.detail.required = findings' allowAccept=true
+ // This test validates the behavior of the ckl parser function under the fieldSettings.detail.required = findings field setting with a fail and no detail or comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a detail is required for a review that has findings to be submitted if not we will save.
+ // Test that no detail exisitng and it will be set to 'saved'
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-fail-Empty-CommentDetail.ckl')
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'findings'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-Empty-CommentDetail.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedReview = {
+ ruleId: 'SV-207191r803418_rule',
+ status: 'saved',
+ result: 'fail',
+ comment: null,
+ detail: null
+ }
+
+ // console.log(JSON.stringify(review, null, 2))
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'fieldSettings.detail.required = optional' with allowAccept=true with a fail and no detail or comment, testing that it does not have a detail and is submitted ", async () => {
+ // TEST: autostatus = submitted, testing 'fieldSettings.detail.required = optional' with allowAccept=true
+ // This test validates the behavior of the ckl parser function under the fieldSettings.detail.required = optional field setting with a fail and no detail or comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a detail is optional for submission for a review that has findings.
+ // Test that no detail exisitng and it will be set to 'submitted'
+ // Secondary Focus:
+ // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'.
+ // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'.
+ // The test utilizes a sample CKL file ('Single-Vuln-fail-Empty-CommentDetail.ckl') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', // not used + required: 'optional' + }, + comment: { + enabled: 'findings', // not used + required: 'optional' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-Empty-CommentDetail.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803418_rule', + status: 'submitted', + result: 'fail', + comment: null, + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + it("fieldSettings.detail.required = optional' with allowAccept=true with a fail and detail testing it has a detail and is submitted", async () => { + // autostatus = submitted, 'fieldSettings.detail.required = optional' with allowAccept=true + // This test validates the behavior of the ckl parser function under the fieldSettings.detail.required = optional field setting with a fail and a detail. + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a detail is optional for submission for a review that has findings. + // Test that with detail exisitng and it will be set to 'submitted' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKL file ('Single-Vuln-fail-With-Detail.ckl') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'import', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', // not used + required: 'optional' + }, + comment: { + enabled: 'findings', // not used + required: 'optional' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-With-Detail.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803418_rule', + status: 'submitted', + result: 'fail', + comment: null, + detail: 'xyz' + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it('DEFAULT FIELD SETTINGS with allowAccept=true and a passing review testing that it has a comment and is submitted', async () => { + //autostatus = submitted, testing default field settings with allowAccept=true + // This test validates the behavior of the ckl parser function under the default field setting with a pass and a comment. + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review. + // Test that witha passing review and a comment exisiting and it will be set to 'submitted' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKL file ('Single-Vuln-fail-With-Detail.ckl') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'import', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-Pass-With-Comment.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803418_rule', + status: 'submitted', + result: 'pass', + comment: 'xyz', + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + it('DEFAULT FIELD SETTINGS with allowAccept=true and a failing review with no comment.', async () => { + //autostatus = submitted, testing default field settings with allowAccept=true + // This test validates the behavior of the ckl parser function under the default field setting with a fail and a no comment. + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review. + // Test that with a failing review and no comment exisiting and it will be set to 'saved' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKL file ('Single-Vuln-fail-With-Detail.ckl') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-Empty-CommentDetail.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803418_rule', + status: 'saved', + result: 'fail', + comment: null, + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + it('fieldSettings.comment.required = findings with allowAccept=true with a fail and comment testing that it has a comment and is submitted', async () => { + // TEST: autostatus = submitted, fieldSettings.comment.required = findings with allowAccept=true + // This test validates the behavior of the ckl parser function under the fieldSettings.comment.required = findings field setting with a fail and a comment. + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review that contains a finding. + // Test that with a failed review and a comment exisitng and it will be set to 'submitted' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKL file ('Single-Vuln-fail-with-Comment.ckl') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'import', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-with-Comment.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803418_rule', + status: 'submitted', + result: 'fail', + comment: 'xyz', + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + it("'fieldSettings.comment.required = findings' with allowAccept=true with a fail and no detail or comment, testing that it does not have a comment and is 'saved' ", async () => { + // TEST: autostatus = submitted, testing 'fieldSettings.comment.required = findings' with allowAccept=true + // This test validates the behavior of the ckl parser function under the fieldSettings.comment.required = findings field setting with a fail and no comment. + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review that contains a finding. + // Test that with a failed review and no comment will be set to 'saved' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKL file ('Single-Vuln-fail-Empty-CommentDetail.ckl') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-Empty-CommentDetail.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803418_rule', + status: 'saved', + result: 'fail', + comment: null, + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it("'fieldSettings.comment.required = optional' with allowAccept=true with a fail and no detail or comment. testing that it doesnt have a comment and is submmited", async () => { + // TEST: autostatus = submitted, testing 'fieldSettings.comment.required = optional' with allowAccept=true + // This test validates the behavior of the ckl parser function under the fieldSettings.comment.required = optional field setting with a fail and no comment or detail . + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a comment is optionally required for submission for a review that contains a finding. + // Test that with a failed review and no comment will be set to 'submitted' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKL file ('Single-Vuln-fail-Empty-CommentDetail.ckl') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'optional' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-Empty-CommentDetail.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803418_rule', + status: 'submitted', + result: 'fail', + comment: null, + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + it("fieldSettings.comment.required = optional' with allowAccept=true with a fail and comment, testing thhat it has a comment and is submitted", async () => { + // TEST: autostatus = submitted, 'fieldSettings.comment.required = optional' with allowAccept=true + // This test validates the behavior of the ckl parser function under the fieldSettings.comment.required = optional field setting with a fail and a comment. + // Primary Focus: + // - ensuring that fieldSettings correctly ensures that a comment is optionally required for submission for a review that contains a finding. + // Test that with a failed review and a comment will be set to 'submitted' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKL file ('Single-Vuln-fail-with-Comment.ckl') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'import', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'optional' + }, + comment: { + enabled: 'always', // not used + required: 'optional' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-fail-with-Comment.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-207191r803418_rule', + status: 'submitted', + result: 'fail', + comment: 'xyz', + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) +}) + +describe(' CKL Tests where fieldSettings and importOptions overlap. ', () => { + it("Testing where emptyDetail: 'ignore', emptyComment: 'ignore', aswell as requiring a comment and detail ", async () => { + // TEST: emptyDetail: 'ignore', emptyComment: 'ignore', fieldSettings.detail.required = always, fieldSettings.comment.required = always + // This test validates the behavior of the ckl parser function under above settings with a non compliance resilt and no comment or detail. + // Primary Focus: + // - ensuring that we will have no reviews because a brand new review will be created with "null" comment or detail with are both required. + // Test that with a failed review and a comment will be set to 'submitted' + // Secondary Focus: + // - Verifying the accuracy of other review properties including 'result', 'comment', and 'detail', 'ruleId'. + // other related properties in the review object reflect the correct values as per the given 'importOptions' and 'fieldSettings'. 
+ // The test utilizes a sample CKL file ('Single-Vuln-fail-with-Comment.ckl') + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'always' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-notReviewed-Empty-CommentDetail.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + expect(review.checklists[0].reviews).to.be.empty + }) +}) + +describe('MISC CKL. ', () => { + it('Testing that long comment.detail is truncated ', async () => { + // NOTE: the input comment and detail are '32768' characters long + + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'always' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/Single-Vuln-Long-CommentDetail.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const maxLength = 32767 + + expect(review.checklists[0].reviews[0].detail).to.have.lengthOf(maxLength) + expect(review.checklists[0].reviews[0].comment).to.have.lengthOf(maxLength) + }) + it('Testing result engine ckl with an expression of the Eval STIG "module" that did the evaluation ', async () => { + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + 
emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'always' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/ResultEngineWithEvalStigModuleAndOverride.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedResultEngine = { + type: 'script', + product: 'Evaluate-STIG', + version: '1.2204.1', + time: '2022-06-03T12:19:27.9454169-04:00', + checkContent: { + location: 'Scan-Windows10_Checks' + }, + overrides: [ + { + authority: 'MS_Windows_10_STIG_Answer_file.xml', + oldResult: 'unknown', + newResult: 'notapplicable', + remark: 'Evaluate-STIG Answer File' + } + ] + } + + expect(review.checklists[0].reviews[0].resultEngine).to.deep.equal( + expectedResultEngine + ) + }) + it('Testing result engine ckl with an Eval STIG individual answer file override', async () => { + + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'always' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/ResultEngineWithEvalStigModule.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedResultEngine = { + type: 'script', + product: 'Evaluate-STIG', + version: '1.2204.1', + time: '2022-06-03T12:19:27.9454169-04:00', + checkContent: { + location: 'Scan-Windows10_Checks' + } + } + + expect(review.checklists[0].reviews[0].resultEngine).to.deep.equal( + expectedResultEngine + ) + }) + it('Testing result 
engine ckl with an Eval STIG individual answer file override that is incorrect', async () => { + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'always' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/ckl/ResultEngineInvalidComment.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + expect(review.checklists[0].reviews[0].resultEngine).to.be.null + }) + it('Testing no value in a ckl ', async () => { + // NOTE: the input comment and detail are '32768' characters long + + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'always' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const filePath = './WATCHER-test-files/WATCHER/ckl/NoResult.ckl' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + expect(review.checklists[0].reviews).to.be.empty + }) + it('Testing no RuleID value in a ckl ', async () => { + + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'findings', // not used + required: 'always' + }, + comment: { + enabled: 'always', // not used + required: 'always' + } + } + + const allowAccept = true + + const 
filePath = './WATCHER-test-files/WATCHER/ckl/NoRuleId.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ expect(review.checklists[0].reviews).to.be.empty
+ })
+})
diff --git a/test/CKLReviewParserTargetObject.test.js b/test/CKLReviewParserTargetObject.test.js
new file mode 100644
index 0000000..5a8c8ee
--- /dev/null
+++ b/test/CKLReviewParserTargetObject.test.js
@@ -0,0 +1,181 @@
+import chai from 'chai';
+import { reviewsFromCkl } from '../ReviewParser.js';
+import { XMLParser } from 'fast-xml-parser';
+import fs from 'fs/promises';
+import he from 'he';
+
+const expect = chai.expect;
+
+const valueProcessor = function (
+ tagName,
+ tagValue,
+ jPath,
+ hasAttributes,
+ isLeafNode
+) {
+ he.decode(tagValue)
+}
+
+// Create a helper function to read the file and generate the review object
+async function generateReviewObject (
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+) {
+ const data = await fs.readFile(filePath, 'utf8')
+ return reviewsFromCkl({
+ data,
+ importOptions,
+ fieldSettings,
+ allowAccept,
+ valueProcessor,
+ XMLParser
+ })
+}
+
+
+describe('Testing that the Target object returned by the ckl review parser is accurate', () => {
+ it('Testing a target asset with with a cklRole and normal data', async () => {
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/ckl/TargetObjectBasic.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedTarget = {
+ name: 'MyAsset',
+ description: null,
+ ip: '10.10.10.10',
+ fqdn: 'MyAsset.hello.world',
+ mac: '00:1A:2B:3C:4D:5E',
+ noncomputing: true,
+ metadata: {
+ cklRole: 'MyRole'
+ }
+ }
+
+ expect(review.target).to.deep.equal(expectedTarget)
+
+ })
+
+ it('testing a target asset with the minimum amount of fields', async () => {
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+
emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/ckl/TargetObjectMinimal.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedTarget = {
+ name: 'MyAsset',
+ description: null,
+ ip: null,
+ fqdn: null,
+ mac: null,
+ noncomputing: false,
+ metadata: {}
+ }
+
+ expect(review.target).to.deep.equal(expectedTarget)
+
+
+
+ })
+
+ it('testing a target asset with a complete set of metadata.', async () => {
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/ckl/TargetObjectMetaData.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedTarget = {
+ name: 'MyAsset',
+ description: null,
+ ip: '10.10.10.10',
+ fqdn: 'MyAsset.hello.world',
+ mac: '00:1A:2B:3C:4D:5E',
+ noncomputing: true,
+ metadata: {
+ cklHostName: 'MyAsset',
+ cklRole: 'MyRole',
+ cklTechArea: 'CyberSec',
+ cklWebDbInstance: 'AssetWebDBInstance',
+ cklWebDbSite: 'AssetDBSite',
+ cklWebOrDatabase: 'true'
+ }
+ }
+ expect(review.target).to.deep.equal(expectedTarget)
+ })
+})
diff --git a/test/CKLStatisticsObject.test.js b/test/CKLStatisticsObject.test.js
new file mode 100644
index 0000000..737ed3c
--- /dev/null
+++ b/test/CKLStatisticsObject.test.js
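Review bot: The `valueProcessor` helper at the top of this file discards its own result — its body is `he.decode(tagValue)` with no `return`, so the callback yields `undefined` for every tag and the parser presumably keeps the raw text, which means none of the fixtures in this commit actually run through the entity-decoding path the helper exists to test. The one-line fix is `return he.decode(tagValue)`. The same helper is copied verbatim into test/CKLStatisticsObject.test.js and test/XCCDFReviewParserError.test.js in this commit (and appears to be in the earlier CKL test file as well), so each copy needs the same change, or better, one shared helper module imported by all of them. Whether an `undefined` return is silently ignored or replaces the value depends on the installed fast-xml-parser version, so the current green result may be accidental rather than a property of the parser under test.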
@@ -0,0 +1,322 @@
+import chai from 'chai';
+import { reviewsFromCkl } from '../ReviewParser.js';
+import { XMLParser } from 'fast-xml-parser';
+import fs from 'fs/promises';
+import he from 'he';
+const expect = chai.expect
+const valueProcessor = function (
+ tagName,
+ tagValue,
+ jPath,
+ hasAttributes,
+ isLeafNode
+) {
+ he.decode(tagValue)
+}
+
+// Create a helper function to read the file and generate the review object
+async function generateReviewObject (
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+) {
+ const data = await fs.readFile(filePath, 'utf8')
+ return reviewsFromCkl({
+ data,
+ importOptions,
+ fieldSettings,
+ allowAccept,
+ valueProcessor,
+ XMLParser
+ })
+}
+
+
+describe('Testing that the CKL Review Parser will return the correct figures in the Statistics object', () => {
+ it('unreviewed: commented, unreviewedCommented: informational, has comments/detail', async () => {
+ // will import commented unreviewed findings as informational
+ // expecting to see 1 informational finding
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/ckl/GoodStatistics.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 0,
+ notselected: 0,
+ informational: 1,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+
+ it('unreviewed: commented, unreviewedCommented: notchecked, has comments/detail', async () => {
+ // will import commented unreviewed findings as notchecked
+
const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/ckl/GoodStatistics.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 1,
+ notselected: 0,
+ informational: 0,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+
+ it('unreviewed: always, unreviewedCommented: informational, has comments/detail', async () => {
+ // will always import unreviewed findings and unreviewed with a commment/detail is informational
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'always',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/ckl/GoodStatistics.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 1,
+ notselected: 0,
+ informational: 1,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+
+ it('unreviewed: always, unreviewedCommented: notchecked, has comments/detail', async () => {
+ // will always import unreviewed findings and unreviewed with a commment/detail is notchecked
+ const
importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'always',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/ckl/GoodStatistics.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 2,
+ notselected: 0,
+ informational: 0,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+
+ it(' unreviewed: never, unreviewedCommented: informational, has comments/detail', async () => {
+ // will never import unreviewed findings
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'never',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/ckl/GoodStatistics.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 0,
+ notselected: 0,
+ informational: 0,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+
+ it(' unreviewed: never, unreviewedCommented: notchecked', async () => {
+ // will never import unreviewed findings
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'never',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'replace',
+ emptyComment:
'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/ckl/GoodStatistics.ckl'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 0,
+ notselected: 0,
+ informational: 0,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+})
diff --git a/test/XCCDFReviewParserError.test.js b/test/XCCDFReviewParserError.test.js
new file mode 100644
index 0000000..8c2537b
--- /dev/null
+++ b/test/XCCDFReviewParserError.test.js
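Review bot: Every `it` in this describe block repeats the same `fieldSettings`, `allowAccept` and `filePath` and only `unreviewed`/`unreviewedCommented` and the expected counts vary, so the six-way matrix the file is testing is buried under roughly thirty lines of identical setup per case. Hoisting the invariants to module scope, e.g. `const filePath = './WATCHER-test-files/WATCHER/ckl/GoodStatistics.ckl'`, or driving the cases from a table of `{ unreviewed, unreviewedCommented, expectedStats }` entries with one `it` per row, would make the varying inputs readable at a glance. The last two test names start with a stray leading space (`it(' unreviewed: never, …'`) that will show in reporter output, and the comments in the `unreviewed: 'always'` cases misspell "comment" as `commment`. The two `unreviewed: 'never'` cases assert identical stats, which appears intentional since the commented option should then have no effect; a comment saying so would keep a future reader from treating it as a copy-paste mistake.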
@@ -0,0 +1,195 @@
+import chai from 'chai';
+import { reviewsFromXccdf } from '../ReviewParser.js';
+import { XMLParser } from 'fast-xml-parser';
+import fs from 'fs/promises';
+import he from 'he';
+
+const expect = chai.expect
+const valueProcessor = function (
+ tagName,
+ tagValue,
+ jPath,
+ hasAttributes,
+ isLeafNode
+) {
+ he.decode(tagValue)
+}
+
+const dataArray = [
+ {
+ scapBenchmarkId: 'CAN_Ubuntu_18-04_STIG',
+ benchmarkId: 'U_CAN_Ubuntu_18-04_STIG'
+ },
+ { scapBenchmarkId: 'Mozilla_Firefox_RHEL', benchmarkId: 'Mozilla_Firefox' },
+ {
+ scapBenchmarkId: 'Mozilla_Firefox_Windows',
+ benchmarkId: 'Mozilla_Firefox'
+ },
+ { scapBenchmarkId: 'MOZ_Firefox_Linux', benchmarkId: 'MOZ_Firefox_STIG' },
+ { scapBenchmarkId: 'MOZ_Firefox_Windows', benchmarkId: 'MOZ_Firefox_STIG' },
+ { scapBenchmarkId: 'Solaris_10_X86_STIG', benchmarkId: 'Solaris_10_X86' }
+]
+
+const scapBenchmarkMap = new Map(
+ dataArray.map(item => [item.scapBenchmarkId, item])
+)
+
+describe('Testing handled errors in reviewsFromXccdf()', () => {
+ it('should throw an error if there is no BenchMark xml element.', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/xccdf/NoBenchMarkElement.xml'
+
+ const data = await fs.readFile(filePath, 'utf8')
+
+ expect(() =>
+ reviewsFromXccdf({
+ data,
+ fieldSettings,
+ allowAccept,
+ importOptions,
+ valueProcessor,
+ scapBenchmarkMap,
+ XMLParser
+ })
+ ).to.throw('No Benchmark or TestResult element')
+ })
+
+ it('should throw an error if there is no TestResult xml element.', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/xccdf/NoTestResult-xccdf.xml'
+
+ const data = await fs.readFile(filePath, 'utf8')
+
+ expect(() =>
+ reviewsFromXccdf({
+ data,
+ fieldSettings,
+ allowAccept,
+ importOptions,
+ valueProcessor,
+ scapBenchmarkMap,
+ XMLParser
+ })
+ ).to.throw('No Benchmark.TestResult element')
+ })
+ it('should throw an error if there is no Target xml element.', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/xccdf/NoTargetElement-xccdf.xml'
+
+ const data = await fs.readFile(filePath, 'utf8')
+
+ expect(() =>
+ reviewsFromXccdf({
+ data,
+ fieldSettings,
+ allowAccept,
+ importOptions,
+ valueProcessor,
+ scapBenchmarkMap,
+ XMLParser
+ })
+ ).to.throw('No Benchmark.TestResult.target element')
+ })
+ it('should throw an error if there is no Rule Result xml element.', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/xccdf/NoRuleResultElement-xccdf..xml'
+
+ const data = await fs.readFile(filePath, 'utf8')
+
+ expect(() =>
+ reviewsFromXccdf({
+ data,
+ fieldSettings,
+ allowAccept,
+ importOptions,
+ valueProcessor,
+ scapBenchmarkMap,
+ XMLParser
+ })
+ ).to.throw('No Benchmark.TestResult.rule-result element')
+ })
+})
diff --git a/test/XCCDFReviewParserReviewObject.test.js b/test/XCCDFReviewParserReviewObject.test.js
new file mode 100644
index 0000000..7f79066
--- /dev/null
+++ b/test/XCCDFReviewParserReviewObject.test.js
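Review bot: The `valueProcessor` defined at the top of this file never returns anything — its body is `he.decode(tagValue)` with no `return`, so the callback yields `undefined` for every tag value and the decoded text is thrown away. If `reviewsFromXccdf` forwards it to fast-xml-parser as `tagValueProcessor` (that wiring lives in ReviewParser.js, outside this hunk), then depending on how the library treats an undefined return the parser either keeps the raw, undecoded value or drops it, and either way these fixtures are not exercising entity decoding; the fix is `return he.decode(tagValue)`. The fixture path `NoRuleResultElement-xccdf..xml` also carries a double dot — if that is a typo rather than the file's real name, `fs.readFile` will reject the async test with ENOENT before the `to.throw` assertion runs, which would look like a parser failure rather than a missing fixture, so confirm the name against the WATCHER-test-files directory.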
@@ -0,0 +1,1872 @@ +import chai from 'chai'; +import { reviewsFromXccdf } from '../ReviewParser.js'; +import { XMLParser } from 'fast-xml-parser'; +import fs from 'fs/promises'; +import he from 'he'; +const expect = chai.expect +const valueProcessor = function ( + tagName, + tagValue, + jPath, + hasAttributes, + isLeafNode +) { + he.decode(tagValue) +} + +const dataArray = [ + { + scapBenchmarkId: 'CAN_Ubuntu_18-04_STIG', + benchmarkId: 'U_CAN_Ubuntu_18-04_STIG' + }, + { scapBenchmarkId: 'Mozilla_Firefox_RHEL', benchmarkId: 'Mozilla_Firefox' }, + { + scapBenchmarkId: 'Mozilla_Firefox_Windows', + benchmarkId: 'Mozilla_Firefox' + }, + { scapBenchmarkId: 'MOZ_Firefox_Linux', benchmarkId: 'MOZ_Firefox_STIG' }, + { scapBenchmarkId: 'MOZ_Firefox_Windows', benchmarkId: 'MOZ_Firefox_STIG' }, + { scapBenchmarkId: 'Solaris_10_X86_STIG', benchmarkId: 'Solaris_10_X86' } +] + +const scapBenchmarkMap = new Map( + dataArray.map(item => [item.scapBenchmarkId, item]) +) + +// Create a helper function to read the file and generate the review object +async function generateReviewObject ( + filePath, + importOptions, + fieldSettings, + allowAccept +) { + const data = await fs.readFile(filePath, 'utf8') + return reviewsFromXccdf({ + data, + fieldSettings, + allowAccept, + importOptions, + valueProcessor, + scapBenchmarkMap, + XMLParser + }) +} + +describe('Testing permutations of Import Options for a review objects parsed by xccdf Review Parser.', () => { + it('DEFAULT SETTINGS: Primarily testing review "status = saved"', async () => { + // Test: DEFAULT SETTINGS + // This test validates the behavior of the xccdf parser function under default settings. 
+ // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the reviews to be empty + + + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'replace', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Commented-Detailed-xccdf.xml' + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + expect(review.checklists[0].reviews).to.be.empty + }) + + it('autoStatus = null (keep exisiting), testing that all review statuses do not exist', async () => { + // Test: autoStatus = null + // This test validates the behavior of the xccdf parser function under the 'autoStatus = null' setting. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review to be empty + + const importOptions = { + autoStatus: 'null', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Commented-Detailed-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + expect(review.checklists[0].reviews).to.be.empty + }) + + it('autoStatus = submitted, testing if reviews are set to "submitted" if valid or "saved" if not valid. 
Determined by field settings and result', async () => { + // Test: autoStatus = submitted + // This test validates the behavior of the ckl parser function under the autoStatus = submitted setting coupled with out field settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'submitted' if valid or 'saved' if not valid. + + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Asset_a-VPN_TRUNCATED-V2R5-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + // expected statuses for each rule + const expectedStatuses = { + 'SV-207184r695317_rule': 'submitted', + 'SV-207185r608988_rule': 'saved', + 'SV-207186r608988_rule': 'submitted', + 'SV-207187r608988_rule': 'saved', + 'SV-207188r608988_rule': 'submitted', + 'SV-207189r608988_rule': 'saved', + 'SV-207190r803417_rule': 'submitted', + 'SV-207191r803418_rule': 'submitted' + } + + const expectedComments = { + 'SV-207184r695317_rule': null, + 'SV-207185r608988_rule': null, + 'SV-207186r608988_rule': null, + 'SV-207187r608988_rule': null, + 'SV-207188r608988_rule': null, + 'SV-207189r608988_rule': null, + 'SV-207190r803417_rule': null, + 'SV-207191r803418_rule': 'xyz' + } + + const expectedDetails = { + 'SV-207184r695317_rule': 'xyz', + 'SV-207185r608988_rule': 'xyz', + 'SV-207186r608988_rule': 'xyz', + 'SV-207187r608988_rule': 'xyz', + 'SV-207188r608988_rule': 'xyz', + 'SV-207189r608988_rule': 'xyz', + 'SV-207190r803417_rule': 'xyz', + 'SV-207191r803418_rule': 'xyz' + } + + // ensuring that each review 
has a status that matches the expected status + for (const checklist of review.checklists) { + for (const reviewItem of checklist.reviews) { + const expectedStatus = expectedStatuses[reviewItem.ruleId] + const expectedComment = expectedComments[reviewItem.ruleId] + const expectedDetail = expectedDetails[reviewItem.ruleId] + expect(reviewItem.status).to.equal(expectedStatus) + expect(reviewItem.comment).to.equal(expectedComment) + expect(reviewItem.detail).to.equal(expectedDetail) + } + } + }) + + it('autoStatus = submitted, testing that status is set to saved if does not meet field settings requirements', async () => { + // Test: autoStatus = submitted + // This test validates the behavior of the xccdf parser function under the autoStatus = submitted setting coupled with our field settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review to be empty + + const importOptions = { + autoStatus: 'submitted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Commented-Detailed-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + expect(review.checklists[0].reviews).to.be.empty + }) + + it('(autoStatus = accepted, allowAccept = true) for permissions to use accepted status', async () => { + // Test: autoStatus = accepted, allowAccept = true + // This test validates the behavior of the xccdf parser function under the autoStatus = accepted, allowAccept = true settings. 
+ // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'submitted' if the user does not have permissions + // or 'accepted' if the user does have permissions (permissions are determined by the 'allowAccept' option). + // note: if not accepted or submitted, it will be saved because review did not meet the field settings requirements + // note: in this test we will have permissions to accept reviews + + + const importOptions = { + autoStatus: 'accepted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Asset_a-VPN_TRUNCATED-V2R5-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + // expected statuses for each rule + const expectedStatuses = { + 'SV-207184r695317_rule': 'accepted', + 'SV-207185r608988_rule': 'saved', + 'SV-207186r608988_rule': 'accepted', + 'SV-207187r608988_rule': 'saved', + 'SV-207188r608988_rule': 'accepted', + 'SV-207189r608988_rule': 'saved', + 'SV-207190r803417_rule': 'accepted', + 'SV-207191r803418_rule': 'accepted' + } + const expectedComments = { + 'SV-207184r695317_rule': null, + 'SV-207185r608988_rule': null, + 'SV-207186r608988_rule': null, + 'SV-207187r608988_rule': null, + 'SV-207188r608988_rule': null, + 'SV-207189r608988_rule': null, + 'SV-207190r803417_rule': null, + 'SV-207191r803418_rule': 'xyz' + } + + const expectedDetails = { + 'SV-207184r695317_rule': 'xyz', + 'SV-207185r608988_rule': 'xyz', + 'SV-207186r608988_rule': 'xyz', + 'SV-207187r608988_rule': 'xyz', + 'SV-207188r608988_rule': 'xyz', + 'SV-207189r608988_rule': 'xyz', + 'SV-207190r803417_rule': 'xyz', + 
'SV-207191r803418_rule': 'xyz' + } + + // ensuring that each review has a status that matches the expected status + for (const reviewItem of review.checklists[0].reviews) { + const expectedStatus = expectedStatuses[reviewItem.ruleId] + const expectedComment = expectedComments[reviewItem.ruleId] + const expectedDetail = expectedDetails[reviewItem.ruleId] + + expect(reviewItem).to.have.property('ruleId') + expect(expectedStatuses).to.have.property(reviewItem.ruleId) + expect(expectedComments).to.have.property(reviewItem.ruleId) + expect(expectedDetails).to.have.property(reviewItem.ruleId) + expect(reviewItem.status).to.equal(expectedStatus) + expect(reviewItem.comment).to.equal(expectedComment) + expect(reviewItem.detail).to.equal(expectedDetail) + } + }) + + it('(autoStatus = accepted allowAccept = false) for permissions to use submitted status', async () => { + // Test: autoStatus = accepted, allowAccept = false + // This test validates the behavior of the xccdf parser function under the autoStatus = accepted, allowAccept = false settings. + // Primary Focus: + // - Ensuring that the 'autoStatus' option in 'importOptions' correctly sets the review status to 'submitted' if the user does not have permissions + // or 'accepted' if the user does have permissions (permissions are determined by the 'allowAccept' option). 
+ // note: if not accepted or submitted, it will be saved because review did not meet the field settings requirements + // note: in this test we will NOT have permissions to accept reviews (we should see submitted) + + const importOptions = { + autoStatus: 'accepted', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = false + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Asset_a-VPN_TRUNCATED-V2R5-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + // expected statuses for each rule + const expectedStatuses = { + 'SV-207184r695317_rule': 'submitted', + 'SV-207185r608988_rule': 'saved', + 'SV-207186r608988_rule': 'submitted', + 'SV-207187r608988_rule': 'saved', + 'SV-207188r608988_rule': 'submitted', + 'SV-207189r608988_rule': 'saved', + 'SV-207190r803417_rule': 'submitted', + 'SV-207191r803418_rule': 'submitted' + } + const expectedComments = { + 'SV-207184r695317_rule': null, + 'SV-207185r608988_rule': null, + 'SV-207186r608988_rule': null, + 'SV-207187r608988_rule': null, + 'SV-207188r608988_rule': null, + 'SV-207189r608988_rule': null, + 'SV-207190r803417_rule': null, + 'SV-207191r803418_rule': 'xyz' + } + + const expectedDetails = { + 'SV-207184r695317_rule': 'xyz', + 'SV-207185r608988_rule': 'xyz', + 'SV-207186r608988_rule': 'xyz', + 'SV-207187r608988_rule': 'xyz', + 'SV-207188r608988_rule': 'xyz', + 'SV-207189r608988_rule': 'xyz', + 'SV-207190r803417_rule': 'xyz', + 'SV-207191r803418_rule': 'xyz' + } + + // ensuring that each review has a status that matches the expected status + for (const reviewItem of review.checklists[0].reviews) { + const expectedStatus = expectedStatuses[reviewItem.ruleId] + const 
expectedComment = expectedComments[reviewItem.ruleId] + const expectedDetail = expectedDetails[reviewItem.ruleId] + + expect(reviewItem).to.have.property('ruleId') + expect(expectedStatuses).to.have.property(reviewItem.ruleId) + expect(expectedComments).to.have.property(reviewItem.ruleId) + expect(expectedDetails).to.have.property(reviewItem.ruleId) + expect(reviewItem.status).to.equal(expectedStatus) + expect(reviewItem.comment).to.equal(expectedComment) + expect(reviewItem.detail).to.equal(expectedDetail) + } + }) + + it("'unreviewed = commented' testing that we ignore unreviewed reviews even if they have commment/detail ", async () => { + // Test: unreviewed = commented + // This test validates the behavior of the xccdf parser function under the unreviewed = commented settings. + // Primary Focus: + // - Ensuring that the 'unreviewed' option in 'importOptions' correctly ignores reviews that are unreviewed and have a comment or detail. + // note this test will have a review with a comment and detail + + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Commented-Detailed-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + expect(review.checklists[0].reviews).to.be.empty + }) + + it("'unreviewed = commented' testing that we do not import unreviwred rules that contain a comment or detail but giving a review without either", async () => { + // Test: unreviewed = commented + // This test validates the behavior of the xccdf parser function under the unreviewed = commented settings. 
+ // Primary Focus: + // - Ensuring that the 'unreviewed' option in 'importOptions' correctly imports only reviews with a non complience result that contain a comment and or detail. + // note this test will not have any reviews because there will be no comment/detail + + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Empty-CommentDetail-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + // check that review has a comment or detail and exisits + expect(review.checklists[0].reviews).to.be.empty + }) + + it("'unreviewed = always', testing that unreviewed always are import and result is 'notchecked' ", async () => { + // Test: unreviewed = always + // This test validates the behavior of the xccdf parser function under the unreviewed = always settings. + // Primary Focus: + // - Ensuring that the 'unreviewed' option in 'importOptions' correctly imports all reviews without a compliance result and if they have a comment + // or detail they will be labeled as notchecked. 
+ + const importOptions = { + autoStatus: 'saved', + unreviewed: 'always', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Commented-Detailed-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-2', + status: 'saved', + result: 'notchecked', + comment: 'xyz', + detail: 'xyz' + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it("'unreviewed = always', testing that unreviewed always are imported ", async () => { + // Test: unreviewed = always + // This test validates the behavior of the xccdf parser function under the unreviewed = always settings. + // Primary Focus: + // - Ensuring that the 'unreviewed' option in 'importOptions' correctly imports all reviews without a compliance result + // and without comment or detail to be labled as notchecked. 
+ + const importOptions = { + autoStatus: 'saved', + unreviewed: 'always', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Empty-CommentDetail-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + const expectedReview = { + ruleId: 'SV-2', + status: 'saved', + result: 'notchecked', + comment: null, + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it(" 'unreviewed = never' testing to never import an unreviewed item ", async () => { + // Test: unreviewed = never + // This test validates the behavior of the xccdf parser function under the unreviewed = never settings. 
+ // Primary Focus: + // - Ensuring that the 'unreviewed' option in 'importOptions' ignores reviews without a compliance result (Nf/na/o) + + const importOptions = { + autoStatus: 'saved', + unreviewed: 'never', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Empty-CommentDetail-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + expect(review.checklists[0].reviews).to.be.empty + }) + + it("'unreviewedComment = informational' testing that an unreviewed item with a comment is an empty review ", async () => { + // Test: unreviewedComment = informational + // This test validates the behavior of the xccdf parser function under the unreviewedComment = informational settings. + // Primary Focus: + // - Ensuring that the 'unreviewed' option in 'importOptions' correctly does not import the review. + + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Commented-Detailed-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + expect(review.checklists[0].reviews).to.be.empty + }) + + it(" 'unreviewedComment = notchecked'. 
testing that an unreviewed with a comment returns no reviews", async () => { + // Test: unreviewedComment = notchecked + // This test validates the behavior of the xccdf parser function under the unreviewedComment = notchecked settings. + // Primary Focus: + // - Ensuring that the 'unreviewed' option in 'importOptions' correctly ignores a review without a compliance result + + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'notchecked', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Commented-Detailed-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + expect(review.checklists[0].reviews).to.be.empty + }) + + it("'emptyDetail = replace' testing that if an item has an empty detail we will replace it with a static message", async () => { + // Test: emptyDetail = replace + // This test validates the behavior of the xccdf parser function under the emptyDetail = replace settings. + // Primary Focus: + // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly replaces an empty detail with a static message. 
+ + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'ignore', + allowCustom: true + } + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Comment-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + const expectedReview = { + ruleId: 'SV-2', + status: 'saved', + result: 'pass', + comment: 'xyz', + detail: + 'Result was reported by product "MyTestSystem" version 1 at 2023-11-13T16:41:49.000Z using check content "MyCheckContent"' + } + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it("'emptyDetail = ignore' testing that if there is no detail provided it will retain exisiting detail, if no exisitng then we will set to null", async () => { + // Test: emptyDetail = ignore + // This test validates the behavior of the xccdf parser function under the emptyDetail = ignore settings. 
+ // Primary Focus: + // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly replaces an empty detail a null value + + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'ignore', + emptyComment: 'ignore', + allowCustom: true + } + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Comment-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-2', + status: 'saved', + result: 'pass', + comment: 'xyz', + detail: null + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + it("'emptyDetail = import', testing empty detail will clear existing text (setting it to empty string)", async () => { + // Test: emptyDetail = import + // This test validates the behavior of the xccdf parser function under the emptyDetail = import settings. 
+ // Primary Focus: + // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly replaces an empty detail an empty string if no detail is provided + + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'import', + emptyComment: 'ignore', + allowCustom: true + } + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Comment-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-2', + status: 'saved', + result: 'pass', + comment: 'xyz', + detail: '' + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it(" 'emptyDetail = import' testing that a review with a detail provided will be applied", async () => { + // Test: emptyDetail = import + // This test validates the behavior of the xccdf parser function under the emptyDetail = import settings. 
+ // Primary Focus: + // - Ensuring that the 'emptyDetail' option in 'importOptions' correctly uses the exisisitng detail if one is provided + + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'import', + emptyComment: 'ignore', + allowCustom: true + } + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Detail-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-2', + status: 'saved', + result: 'pass', + comment: null, + detail: 'xyz' + } + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it("'emptyComment = replace' testing that if an item has an empty comment we will replace it with a dynamically created message", async () => { + // Test: emptyComment = replace + // This test validates the behavior of the xxcdf parser function under the emptyComment = replace settings. + // Primary Focus: + // - Ensuring that the 'emptyComment' option in 'importOptions' correctly replaces an empty comment with a dynamically created message based off the data. 
+ + const importOptions = { + autoStatus: 'saved', + unreviewed: 'commented', + unreviewedCommented: 'informational', + emptyDetail: 'replace', + emptyComment: 'replace', + allowCustom: true + } + const fieldSettings = { + detail: { + enabled: 'always', + required: 'always' + }, + comment: { + enabled: 'findings', + required: 'findings' + } + } + + const allowAccept = true + + const filePath = + './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Detail-xccdf.xml' + + const review = await generateReviewObject( + filePath, + importOptions, + fieldSettings, + allowAccept + ) + + const expectedReview = { + ruleId: 'SV-2', + status: 'saved', + result: 'pass', + comment: + 'Result was reported by product "MyTestSystem" version 1 at 2023-11-13T16:41:49.000Z using check content "MyCheckContent"', + detail: 'xyz' + } + + expect(review.checklists[0].reviews[0]).to.include(expectedReview) + }) + + it("'emptyComment = ignore' testing that we will use exisitng text, if none use null", async () => { + // Test: emptyComment = ignore + // This test validates the behavior of the xccdf parser function under the emptyComment = ignore settings. 
+ // Primary Focus:
+ // - Ensuring that the 'emptyComment' option in 'importOptions' correctly replaces an empty comment a null value
+
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Detail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'saved',
+ result: 'pass',
+ comment: null,
+ detail: 'xyz'
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'emptyComment = import', will clear eixsitng with an empty string if no comment given ", async () => {
+ // Test: emptyComment = import
+ // This test validates the behavior of the xccdf parser function under the emptyComment = import settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyComment' option in 'importOptions' correctly replaces an empty comment an empty string: ""
+
+
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Detail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'saved',
+ result: 'pass',
+ comment: '',
+ detail: 'xyz'
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'emptyComment = import', testing a review with a comment provided in the ckl to make sure we get it back in the review ", async () => {
+ // Test: emptyComment = import
+ // This test validates the behavior of the xccdf parser function under the emptyComment = import settings.
+ // Primary Focus:
+ // - Ensuring that the 'emptyComment' option in 'importOptions' correctly uses the exisisitng comment if one is provided
+
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Comment-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'saved',
+ result: 'pass',
+ comment: 'xyz',
+ detail: null
+ }
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+})
+
+describe('fieldSettings testing for a review object in non multi-stig xccdf', () => {
+ it("DEFAULT FIELD SETTINGS with allowAccept=true and a passing review, testing that it has a detail and is 'submitted'", async () => {
+ // Test: autostatus = submitted, default field settings.
+ // This test validates the behavior of the xccdf parser function under the default field settings.
+ // Primary Focus:
+ // - Ensuring that the 'autoStatus' option in 'importOptions' correctly ensures that a detail is required for a review to be submitted.
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Detail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'submitted',
+ result: 'pass',
+ comment: '',
+ detail: 'xyz'
+ }
+
+ // expected status is submitted for the rule that has a detail
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it('DEFAULT FIELD SETTINGS with allowAccept=true and a failing review with no detail.', async () => {
+ //autostatus = submitted, testing default field settings with allowAccept=true
+ // This test validates the behavior of the xccdf parser function under the default field setting with a fail and a no detail.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a detail is always required for submission for a review.
+ // Test that with a failing review and no detail exisiting and it will be set to 'saved'
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'always', // not used
+ required: 'always'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-Empty-CommentDetail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'saved',
+ result: 'fail',
+ comment: null,
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it('fieldSettings.detail.required = findings with allowAccept=true with a failing review containing a detail', async () => {
+ // Test: autostatus = submitted, default field settings.
+ // This test validates the behavior of the xccdf parser function under the fieldSettings.detail.required = findings field settings.
+ // Primary Focus:
+ // - Ensuring that the 'autoStatus' option in 'importOptions' correctly ensures that a detail is required for a review that has findings to be submitted.
+ // Test that a failing review with a detail will be submitted
+
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'findings'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-With-Detail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'submitted',
+ result: 'fail',
+ comment: '',
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'fieldSettings.detail.required = findings' with allowAccept=true with a fail and no detail or comment", async () => {
+ // Test: autostatus = submitted, testing 'fieldSettings.detail.required = findings' allowAccept=true
+ // This test validates the behavior of the xccdf parser function under the fieldSettings.detail.required = findings field setting with a fail and no detail or comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a detail is required for a review that has findings to be submitted if not we will save.
+ // Test that no detail exisitng and it will be set to 'saved'
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'findings'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-Empty-CommentDetail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'saved',
+ result: 'fail',
+ comment: null,
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'fieldSettings.detail.required = optional' with allowAccept=true with a fail and no detail or comment, testing that it does not have a detail and is submitted ", async () => {
+ // TEST: autostatus = submitted, testing 'fieldSettings.detail.required = optional' with allowAccept=true
+ // This test validates the behavior of the xccdf parser function under the fieldSettings.detail.required = optional field setting with a fail and no detail or comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a detail is optional for submission for a review that has findings.
+ // Test that no detail exisitng and it will be set to 'submitted'
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-Empty-CommentDetail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'submitted',
+ result: 'fail',
+ comment: null,
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("fieldSettings.detail.required = optional' with allowAccept=true with a fail and detail testing it has a detail and is submitted", async () => {
+ // autostatus = submitted, 'fieldSettings.detail.required = optional' with allowAccept=true
+ // This test validates the behavior of the xccdf parser function under the fieldSettings.detail.required = optional field setting with a fail and a detail.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a detail is optional for submission for a review that has findings.
+ // Test that with detail exisitng and it will be set to 'submitted'
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'import',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-With-Detail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'submitted',
+ result: 'fail',
+ comment: null,
+ detail: 'xyz'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it('DEFAULT FIELD SETTINGS with allowAccept=true and a passing review testing that it has a comment and is submitted', async () => {
+ //autostatus = submitted, testing default field settings with allowAccept=true
+ // This test validates the behavior of the xccdf parser function under the default field setting with a pass and a comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review.
+ // Test that witha passing review and a comment exisiting and it will be set to 'submitted'
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'always', // not used
+ required: 'always'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Comment-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'submitted',
+ result: 'pass',
+ comment: 'xyz',
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it('DEFAULT FIELD SETTINGS with allowAccept=true and a failing review with no comment.', async () => {
+ //autostatus = submitted, testing default field settings with allowAccept=true
+ // This test validates the behavior of the xccdf parser function under the default field setting with a fail and a no comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review.
+ // Test that with a failing review and no comment exisiting and it will be set to 'saved'
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'always', // not used
+ required: 'always'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-Empty-CommentDetail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'saved',
+ result: 'fail',
+ comment: null,
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it('fieldSettings.comment.required = findings with allowAccept=true with a fail and comment testing that it has a comment and is submitted', async () => {
+ // TEST: autostatus = submitted, fieldSettings.comment.required = findings with allowAccept=true
+ // This test validates the behavior of the xccdf parser function under the fieldSettings.comment.required = findings field setting with a fail and a comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review that contains a finding.
+ // Test that with a failed review and a comment exisitng and it will be set to 'submitted'
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'always', // not used
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-with-Comment-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'submitted',
+ result: 'fail',
+ comment: 'xyz',
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("'fieldSettings.comment.required = findings' with allowAccept=true with a fail and no detail or comment, testing that it does not have a comment and is 'saved' ", async () => {
+ // TEST: autostatus = submitted, testing 'fieldSettings.comment.required = findings' with allowAccept=true
+ // This test validates the behavior of the xccdf parser function under the fieldSettings.comment.required = findings field setting with a fail and no comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a comment is always required for submission for a review that contains a finding.
+ // Test that with a failed review and no comment will be set to 'saved'
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'always', // not used
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-Empty-CommentDetail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'saved',
+ result: 'fail',
+ comment: null,
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+
+ it("'fieldSettings.comment.required = optional' with allowAccept=true with a fail and no detail or comment. testing that it doesnt have a comment and is submmited", async () => {
+ // TEST: autostatus = submitted, testing 'fieldSettings.comment.required = optional' with allowAccept=true
+ // This test validates the behavior of the xccdf parser function under the fieldSettings.comment.required = optional field setting with a fail and no comment or detail .
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a comment is optionally required for submission for a review that contains a finding.
+ // Test that with a failed review and no comment will be set to 'submitted'
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'always', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-Empty-CommentDetail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'submitted',
+ result: 'fail',
+ comment: null,
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+ it("fieldSettings.comment.required = optional' with allowAccept=true with a fail and comment, testing thhat it has a comment and is submitted", async () => {
+ // TEST: autostatus = submitted, 'fieldSettings.comment.required = optional' with allowAccept=true
+ // This test validates the behavior of the xccdf parser function under the fieldSettings.comment.required = optional field setting with a fail and a comment.
+ // Primary Focus:
+ // - ensuring that fieldSettings correctly ensures that a comment is optionally required for submission for a review that contains a finding.
+ // Test that with a failed review and a comment will be set to 'submitted'
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'import',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'findings', // not used
+ required: 'optional'
+ },
+ comment: {
+ enabled: 'always', // not used
+ required: 'optional'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-fail-with-Comment-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedReview = {
+ ruleId: 'SV-2',
+ status: 'submitted',
+ result: 'fail',
+ comment: 'xyz',
+ detail: null
+ }
+
+ expect(review.checklists[0].reviews[0]).to.include(expectedReview)
+ })
+})
+
+describe('Tests where fieldSettings and importOptions overlap xccdf. ', () => {
+ it("Testing where emptyDetail: 'ignore', emptyComment: 'ignore', aswell as requiring a comment and detail ", async () => {
+ // TEST: emptyDetail: 'ignore', emptyComment: 'ignore', fieldSettings.detail.required = always, fieldSettings.comment.required = always
+ // This test validates the behavior of the xccdf parser function under above settings with a non compliance resilt and no comment or detail.
+ // Primary Focus:
+ // - ensuring that we will have no reviews because a brand new review will be created with "null" comment or detail with are both required.
+ // Test that with a failed review and a comment will be set to 'submitted'
+
+ const importOptions = {
+ autoStatus: 'submitted',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'findings', // not used
+ required: 'always'
+ },
+ comment: {
+ enabled: 'always', // not used
+ required: 'always'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-notReviewed-Empty-CommentDetail-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ expect(review.checklists[0].reviews).to.be.empty
+ })
+})
+
+describe('MISC. xccdf ', () => {
+ it('review with result engine data', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'never',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/Single-Vuln-Pass-With-Comment-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ // console.log(JSON.stringify(review, null, 2))
+
+ const expectedResultEngineReview = {
+ ruleId: 'SV-2',
+ result: 'pass',
+ resultEngine: {
+ time: '2023-11-13T16:41:49.000Z',
+ type: 'scap',
+ version: "1",
+ product: 'MyTestSystem',
+ checkContent: {
+ location: 'MyCheckContent',
+ component: 'fso_comp_MyStig:135'
+ }
+ },
+ detail: null,
+ comment: 'xyz',
+ status: 'saved'
+ }
+
+ expect(review.checklists[0].reviews[0]).to.deep.equal(
+ expectedResultEngineReview
+ )
+ })
+ it('review with result override', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'never',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/ReviewOverrides-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+
+ const expectedOveride = {
+ authority: 'Authority1',
+ oldResult: 'pass',
+ newResult: 'fail',
+ remark: 'Some remark'
+ }
+
+ expect(review.checklists[0].reviews[0].resultEngine.overrides[0]).to.deep.equal(
+ expectedOveride
+ )
+ })
+})
diff --git a/test/XCCDFReviewParserTargetObject.test.js b/test/XCCDFReviewParserTargetObject.test.js
new file mode 100644
index 0000000..69a2464
--- /dev/null
+++ b/test/XCCDFReviewParserTargetObject.test.js
@@ -0,0 +1,216 @@
+import chai from 'chai';
+import { reviewsFromXccdf } from '../ReviewParser.js';
+import { XMLParser } from 'fast-xml-parser';
+import fs from 'fs/promises';
+import he from 'he';
+const expect = chai.expect
+const valueProcessor = function (
+ tagName,
+ tagValue,
+ jPath,
+ hasAttributes,
+ isLeafNode
+) {
+ he.decode(tagValue)
+}
+
+const dataArray = [
+ {
+ scapBenchmarkId: 'CAN_Ubuntu_18-04_STIG',
+ benchmarkId: 'U_CAN_Ubuntu_18-04_STIG'
+ },
+ { scapBenchmarkId: 'Mozilla_Firefox_RHEL', benchmarkId: 'Mozilla_Firefox' },
+ {
+ scapBenchmarkId: 'Mozilla_Firefox_Windows',
+ benchmarkId: 'Mozilla_Firefox'
+ },
+ { scapBenchmarkId: 'MOZ_Firefox_Linux', benchmarkId: 'MOZ_Firefox_STIG' },
+ { scapBenchmarkId: 'MOZ_Firefox_Windows', benchmarkId: 'MOZ_Firefox_STIG' },
+ { scapBenchmarkId: 'Solaris_10_X86_STIG', benchmarkId: 'Solaris_10_X86' }
+]
+
+const scapBenchmarkMap = new Map(
+ dataArray.map(item => [item.scapBenchmarkId, item])
+)
+
+// Create a helper function to read the file and generate the review object
+async function generateReviewObject (
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+) {
+ const data = await fs.readFile(filePath, 'utf8')
+ return reviewsFromXccdf({
+ data,
+ fieldSettings,
+ allowAccept,
+ importOptions,
+ valueProcessor,
+ scapBenchmarkMap,
+ XMLParser
+ })
+}
+
+// Parse the XML
+const parseOptions = {
+ allowBooleanAttributes: false,
+ attributeNamePrefix: '',
+ cdataPropName: '__cdata', //default is 'false'
+ ignoreAttributes: false,
+ parseTagValue: false,
+ removeNSPrefix: true,
+ trimValues: true,
+ tagValueProcessor: valueProcessor,
+ commentPropName: '__comment',
+ isArray: (name, jpath, isLeafNode, isAttribute) => {
+ const arrayElements = [
+ 'override',
+ 'overrides',
+ 'target',
+ 'target-address',
+ 'fact',
+ 'rule-result' // made the change here!!
+ ]
+ return arrayElements.includes(name)
+ }
+}
+
+describe('Target Object Tests xccdf', () => {
+ it('minimal target object', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'never',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/TargetObjectMinimal-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedTarget = {
+ name: 'MyAsset',
+ description: '',
+ ip: '',
+ noncomputing: false,
+ metadata: {}
+ }
+ expect(review.target).to.deep.equal(expectedTarget)
+ })
+
+
+
+ it('TargetObject with full metadata', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'never',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/TargetObjectMetaData-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedTarget = {
+ name: 'MyAsset',
+ description: '',
+ ip: '',
+ noncomputing: false,
+ metadata: {
+ 'tag:testTag:asset:name': 'MyAsset',
+ 'tag:testTag:asset:description': 'Description',
+ 'tag:testTag:asset:fqdn': 'MyAsset.domain.com',
+ 'tag:testTag:asset:ip': '1.1.1.1',
+ 'tag:testTag:asset:mac': 'fe80::8c33:57ff:fe94:2b33',
+ 'tag:testTag:asset:noncomputing': 'false'
+ }
+ }
+ expect(review.target).to.deep.equal(expectedTarget)
+ })
+ it('General Target Object', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'never',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'ignore',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath =
+ './WATCHER-test-files/WATCHER/xccdf/TargetObjectBasic-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedTarget = {
+ name: 'MyAsset',
+ description: 'Description',
+ ip: '1.1.1.1',
+ noncomputing: false,
+ metadata: {},
+ fqdn: 'MyAsset.domain.com',
+ mac: 'fe80::8c33:57ff:fe94:2b33'
+ }
+ expect(review.target).to.deep.equal(expectedTarget)
+ })
+})
diff --git a/test/XCCDFStatisticsObject.test.js b/test/XCCDFStatisticsObject.test.js
new file mode 100644
index 0000000..b520e46
--- /dev/null
+++ b/test/XCCDFStatisticsObject.test.js
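Review bot: `valueProcessor` at the top of this file discards its result — the body is a bare `he.decode(tagValue)` with no `return`, so the processor handed to `reviewsFromXccdf` yields `undefined` for every tag value and, assuming fast-xml-parser keeps the raw value when the processor returns nothing, entity decoding is silently skipped and none of these fixtures actually exercise the decode path; change the body to `return he.decode(tagValue)`. The `parseOptions` object, together with its leftover `// made the change here!!` comment, is never referenced: `generateReviewObject` passes only `XMLParser` to the parser, so it is dead code here and should either be wired through or removed. The same return-less `valueProcessor` and the identical `dataArray`/`scapBenchmarkMap`/`generateReviewObject` preamble are repeated verbatim in the XCCDFStatisticsObject.test.js hunk that follows; a shared test helper module would fix both copies at once.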
@@ -0,0 +1,336 @@
+import chai from 'chai';
+import { reviewsFromXccdf } from '../ReviewParser.js';
+import { XMLParser } from 'fast-xml-parser';
+import fs from 'fs/promises';
+import he from 'he';
+
+const expect = chai.expect
+const valueProcessor = function (
+ tagName,
+ tagValue,
+ jPath,
+ hasAttributes,
+ isLeafNode
+) {
+ he.decode(tagValue)
+}
+
+const dataArray = [
+ {
+ scapBenchmarkId: 'CAN_Ubuntu_18-04_STIG',
+ benchmarkId: 'U_CAN_Ubuntu_18-04_STIG'
+ },
+ { scapBenchmarkId: 'Mozilla_Firefox_RHEL', benchmarkId: 'Mozilla_Firefox' },
+ {
+ scapBenchmarkId: 'Mozilla_Firefox_Windows',
+ benchmarkId: 'Mozilla_Firefox'
+ },
+ { scapBenchmarkId: 'MOZ_Firefox_Linux', benchmarkId: 'MOZ_Firefox_STIG' },
+ { scapBenchmarkId: 'MOZ_Firefox_Windows', benchmarkId: 'MOZ_Firefox_STIG' },
+ { scapBenchmarkId: 'Solaris_10_X86_STIG', benchmarkId: 'Solaris_10_X86' }
+]
+
+const scapBenchmarkMap = new Map(
+ dataArray.map(item => [item.scapBenchmarkId, item])
+)
+
+// Create a helper function to read the file and generate the review object
+async function generateReviewObject (
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+) {
+ const data = await fs.readFile(filePath, 'utf8')
+ return reviewsFromXccdf({
+ data,
+ fieldSettings,
+ allowAccept,
+ importOptions,
+ valueProcessor,
+ scapBenchmarkMap,
+ XMLParser
+ })
+}
+
+
+describe('Testing that the xccdf Review Parser will return the correct figures in the Statistics object', () => {
+ it('unreviewed: commented, unreviewedCommented: informational, has comments/detail', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = 
'./WATCHER-test-files/WATCHER/xccdf/GoodStatistics-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 0,
+ notselected: 0,
+ informational: 0,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+
+ it('unreviewed: commented, unreviewedCommented: notchecked, has comments/detail', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'commented',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/xccdf/GoodStatistics-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 0,
+ notselected: 0,
+ informational: 0,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+
+ it('unreviewed: always, unreviewedCommented: informational, has comments/detail', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'always',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/xccdf/GoodStatistics-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const 
expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 2,
+ notselected: 0,
+ informational: 0,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+
+ it('unreviewed: always, unreviewedCommented: notchecked, has comments/detail', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'always',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/xccdf/GoodStatistics-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 2,
+ notselected: 0,
+ informational: 0,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+
+ it(' unreviewed: never, unreviewedCommented: informational, has comments/detail', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'never',
+ unreviewedCommented: 'informational',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/xccdf/GoodStatistics-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+
+ const expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 0,
+ notselected: 0,
+ informational: 0,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ 
expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+
+ it(' unreviewed: never, unreviewedCommented: notchecked', async () => {
+ const importOptions = {
+ autoStatus: 'saved',
+ unreviewed: 'never',
+ unreviewedCommented: 'notchecked',
+ emptyDetail: 'replace',
+ emptyComment: 'ignore',
+ allowCustom: true
+ }
+
+ const fieldSettings = {
+ detail: {
+ enabled: 'always',
+ required: 'always'
+ },
+ comment: {
+ enabled: 'findings',
+ required: 'findings'
+ }
+ }
+
+ const allowAccept = true
+
+ const filePath = './WATCHER-test-files/WATCHER/xccdf/GoodStatistics-xccdf.xml'
+
+ const review = await generateReviewObject(
+ filePath,
+ importOptions,
+ fieldSettings,
+ allowAccept
+ )
+ const expectedStats = {
+ pass: 2,
+ fail: 2,
+ notapplicable: 2,
+ notchecked: 0,
+ notselected: 0,
+ informational: 0,
+ error: 0,
+ fixed: 0,
+ unknown: 0
+ }
+
+ expect(review.checklists[0].stats).to.deep.equal(expectedStats)
+ })
+})
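Review bot: `valueProcessor` near the top of this hunk calls `he.decode(tagValue)` but never returns the result, so the function yields `undefined` for every text node; if the parser falls back to the raw value when the processor returns nothing (which is how fast-xml-parser's tagValueProcessor behaves, as far as I can tell), entity-encoded text in the fixtures is never decoded and every statistics assertion below silently runs against the undecoded content. The one-line fix is `return he.decode(tagValue)`, and it is worth checking whether the same helper is copied into the other test files in this commit. As a point of style, all six `it` blocks repeat identical `fieldSettings`, `allowAccept` and `filePath`, with only `importOptions.unreviewed` and `unreviewedCommented` varying; hoisting the shared values to `describe`-level constants and driving the cases from a small table of `{ unreviewed, unreviewedCommented, expectedNotchecked }` would make it obvious that the only observable difference is `notchecked` moving between 0 and 2. A short comment on `generateReviewObject` saying that it reads the fixture from disk and wires the module-level `valueProcessor`, `scapBenchmarkMap` and `XMLParser` into `reviewsFromXccdf` would also help readers who land on these tests first.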