Update rules for RHEL 9 SIG

Rules that are staying that are not in the spreadsheet. * Audit rules are being kept since we don't combine like DISA * file_*_cron_* are kept due to some wild carding in some rules. We will need to replace these in the future, once everything is finalized. * There a few rules for FIPS and donf rules that we need for technical reasons * set_password_hashing_algorithm_* to ensure that CCE-83615-5 CCE-83621-3 are fully covered
ComplianceAsCode · Feb 15, 2023 · 87ef627 · 87ef627
1 parent 144e98e
commit 87ef627
Show file tree

Hide file tree

Showing 10 changed files with 5 additions and 13 deletions.
diff --git a/controls/srg_gpos/SRG-OS-000023-GPOS-00006.yml b/controls/srg_gpos/SRG-OS-000023-GPOS-00006.yml
@@ -8,5 +8,6 @@ controls:
             - sshd_enable_warning_banner
             - banner_etc_issue
             - dconf_gnome_banner_enabled
-            - dconf_gnome_login_banner_text
+            # Might be needed, its in all the other STIGs
+            #- dconf_gnome_login_banner_text
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml b/controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml
@@ -8,7 +8,6 @@ controls:
             - audit_rules_immutable
             - directory_group_ownership_var_log_audit
             - directory_ownership_var_log_audit
-            - directory_permissions_var_log_audit
             - file_group_ownership_var_log_audit
             - file_ownership_var_log_audit_stig
             - file_permissions_var_log_audit

diff --git a/controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml b/controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml
@@ -7,7 +7,6 @@ controls:
             - audit_rules_immutable
             - directory_group_ownership_var_log_audit
             - directory_ownership_var_log_audit
-            - directory_permissions_var_log_audit
             - file_group_ownership_var_log_audit
             - file_ownership_var_log_audit_stig
             - file_permissions_var_log_audit

diff --git a/controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml b/controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml
@@ -7,7 +7,8 @@ controls:
             - audit_rules_immutable
             - directory_group_ownership_var_log_audit
             - directory_ownership_var_log_audit
-            - directory_permissions_var_log_audit
+            # Not in the current drafts but in RHEL 8
+            # - directory_permissions_var_log_audit
             - file_group_ownership_var_log_audit
             - file_ownership_var_log_audit_stig
             - file_permissions_var_log_audit

diff --git a/controls/srg_gpos/SRG-OS-000120-GPOS-00061.yml b/controls/srg_gpos/SRG-OS-000120-GPOS-00061.yml
@@ -10,4 +10,5 @@ controls:
             - package_rsyslog-gnutls_installed
             - libreswan_approved_tunnels
             - set_password_hashing_algorithm_passwordauth
+            - set_password_hashing_algorithm_systemauth
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml b/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml
@@ -9,5 +9,4 @@ controls:
             - sshd_enable_warning_banner
             - banner_etc_issue
             - dconf_gnome_banner_enabled
-            - dconf_gnome_login_banner_text
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000368-GPOS-00154.yml b/controls/srg_gpos/SRG-OS-000368-GPOS-00154.yml
@@ -10,7 +10,6 @@ controls:
             - service_fapolicyd_enabled
             - mount_option_boot_nodev
             - mount_option_boot_nosuid
-            - mount_option_boot_efi_nosuid
             - mount_option_dev_shm_nodev
             - mount_option_dev_shm_noexec
             - mount_option_dev_shm_nosuid

diff --git a/controls/srg_gpos/SRG-OS-000392-GPOS-00172.yml b/controls/srg_gpos/SRG-OS-000392-GPOS-00172.yml
@@ -59,7 +59,6 @@ controls:
             - audit_rules_privileged_commands_postdrop
             - audit_rules_privileged_commands_postqueue
             - audit_rules_privileged_commands_pt_chown
-            - audit_rules_execution_restorecon
             - audit_rules_privileged_commands_ssh_agent
             - audit_rules_privileged_commands_ssh_keysign
             - audit_rules_privileged_commands_su

diff --git a/controls/srg_gpos/SRG-OS-000433-GPOS-00192.yml b/controls/srg_gpos/SRG-OS-000433-GPOS-00192.yml
@@ -8,5 +8,4 @@ controls:
             - sysctl_kernel_kptr_restrict
             - bios_enable_execution_restrictions
             - grub2_slub_debug_argument
-            - sysctl_kernel_exec_shield
         status: automated
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -82,11 +82,9 @@ controls:
             - package_sendmail_removed
             - package_tftp-server_removed
             - package_quagga_removed
-            - xwindows_remove_packages
             - package_gssproxy_removed
             - package_iprutils_removed
             - package_tuned_removed
-            - package_gdm_removed
             - package_xorg-x11-server-common_removed
 
             # package installed
@@ -108,7 +106,6 @@ controls:
             - mount_option_noexec_remote_filesystems
             - mount_option_nosuid_remote_filesystems
             - mount_option_boot_nosuid
-            - mount_option_boot_efi_nosuid
             - mount_option_home_noexec
             - mount_option_home_nosuid
             - mount_option_nodev_nonroot_local_partitions
@@ -150,9 +147,7 @@ controls:
             - sysctl_net_ipv4_conf_default_accept_source_route
             - sysctl_net_ipv4_conf_all_rp_filter
             - sysctl_net_ipv4_conf_default_rp_filter
-            - sysctl_net_ipv4_conf_all_secure_redirects
             - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-            - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
             - sysctl_net_ipv4_tcp_syncookies
             - sysctl_net_ipv4_conf_all_send_redirects
             - sysctl_net_ipv4_conf_default_accept_redirects