From 87ef62730d069983fcfc06310d63359b7edb8b11 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 14 Feb 2023 17:15:45 -0600
Subject: [PATCH] Update rules for RHEL 9 SIG Rules that are staying that are not in the spreadsheet. * Audit rules are being kept since we don't combine like DISA * file_*_cron_* are kept due to some wild carding in some rules. We will need to replace these in the future, once everything is finalized. * There a few rules for FIPS and donf rules that we need for technical reasons * set_password_hashing_algorithm_* to ensure that CCE-83615-5 CCE-83621-3 are fully covered
---
 controls/srg_gpos/SRG-OS-000023-GPOS-00006.yml | 3 ++-
 controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml | 1 -
 controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml | 1 -
 controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml | 3 ++-
 controls/srg_gpos/SRG-OS-000120-GPOS-00061.yml | 1 +
 controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml | 1 -
 controls/srg_gpos/SRG-OS-000368-GPOS-00154.yml | 1 -
 controls/srg_gpos/SRG-OS-000392-GPOS-00172.yml | 1 -
 controls/srg_gpos/SRG-OS-000433-GPOS-00192.yml | 1 -
 controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml | 5 -----
 10 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/controls/srg_gpos/SRG-OS-000023-GPOS-00006.yml b/controls/srg_gpos/SRG-OS-000023-GPOS-00006.yml
index 4a7adf0799e..89280e1c74c 100644
--- a/controls/srg_gpos/SRG-OS-000023-GPOS-00006.yml
+++ b/controls/srg_gpos/SRG-OS-000023-GPOS-00006.yml
@@ -8,5 +8,6 @@ controls:
 - sshd_enable_warning_banner
 - banner_etc_issue
 - dconf_gnome_banner_enabled
- - dconf_gnome_login_banner_text
+ # Might be needed, its in all the other STIGs
+ #- dconf_gnome_login_banner_text
 status: automated
diff --git a/controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml b/controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml
index b1dcb82cadb..a148f4d1c7e 100644
--- a/controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml
+++ b/controls/srg_gpos/SRG-OS-000057-GPOS-00027.yml
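Review bot: The commented-out entry `#- dconf_gnome_login_banner_text` in SRG-OS-000023-GPOS-00006.yml records an open question ("Might be needed") inside the control file while the control stays `status: automated`; judging by the rule names, the list still enables the GNOME banner through `dconf_gnome_banner_enabled` but no longer checks its text. I would make the comment say what settles the question, for example `# TODO(<tracking issue>): absent from the RHEL 9 draft, present in the other STIGs; restore if the final STIG lists it`, and write the marker as `# - ` to match the commented-out entry in SRG-OS-000059-GPOS-00029.yml. SRG-OS-000228-GPOS-00088.yml drops the same rule with no comment at all, so the two banner controls should carry the same note. The `controls:` list starts above the hunk.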
@@ -8,7 +8,6 @@ controls:
 - audit_rules_immutable
 - directory_group_ownership_var_log_audit
 - directory_ownership_var_log_audit
- - directory_permissions_var_log_audit
 - file_group_ownership_var_log_audit
 - file_ownership_var_log_audit_stig
 - file_permissions_var_log_audit
diff --git a/controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml b/controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml
index a306faf9f07..7e56605f87d 100644
--- a/controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml
+++ b/controls/srg_gpos/SRG-OS-000058-GPOS-00028.yml
@@ -7,7 +7,6 @@ controls:
 - audit_rules_immutable
 - directory_group_ownership_var_log_audit
 - directory_ownership_var_log_audit
- - directory_permissions_var_log_audit
 - file_group_ownership_var_log_audit
 - file_ownership_var_log_audit_stig
 - file_permissions_var_log_audit
diff --git a/controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml b/controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml
index 64cf0f62c0e..38e7c0eab70 100644
--- a/controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml
+++ b/controls/srg_gpos/SRG-OS-000059-GPOS-00029.yml
@@ -7,7 +7,8 @@ controls:
 - audit_rules_immutable
 - directory_group_ownership_var_log_audit
 - directory_ownership_var_log_audit
- - directory_permissions_var_log_audit
+ # Not in the current drafts but in RHEL 8
+ # - directory_permissions_var_log_audit
 - file_group_ownership_var_log_audit
 - file_ownership_var_log_audit_stig
 - file_permissions_var_log_audit
diff --git a/controls/srg_gpos/SRG-OS-000120-GPOS-00061.yml b/controls/srg_gpos/SRG-OS-000120-GPOS-00061.yml
index d2f5450167a..fd962d2a155 100644
--- a/controls/srg_gpos/SRG-OS-000120-GPOS-00061.yml
+++ b/controls/srg_gpos/SRG-OS-000120-GPOS-00061.yml
@@ -10,4 +10,5 @@ controls:
 - package_rsyslog-gnutls_installed
 - libreswan_approved_tunnels
 - set_password_hashing_algorithm_passwordauth
+ - set_password_hashing_algorithm_systemauth
 status: automated
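Review bot: In SRG-OS-000059-GPOS-00029.yml the comment `# Not in the current drafts but in RHEL 8` explains why `directory_permissions_var_log_audit` is disabled, but SRG-OS-000057-GPOS-00027.yml and SRG-OS-000058-GPOS-00028.yml delete the same rule silently, so only one of the three controls documents the gap. After the change the visible lists keep the directory ownership rules and `file_permissions_var_log_audit` but nothing named for the directory's mode; whether another control or the file-level rule is meant to cover that is not visible here and should be confirmed. I would repeat the two comment lines in the other two files, or state in one place that the directory mode check is intentionally dropped for RHEL 9. The `controls:` lists start above each hunk.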
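Review bot: The reason for adding `set_password_hashing_algorithm_systemauth` in SRG-OS-000120-GPOS-00061.yml exists only in the commit message, whereas the two commented-out rules in this commit carry their rationale as YAML comments. A line such as `# kept so that CCE-83615-5 and CCE-83621-3 are fully covered` above the two `set_password_hashing_algorithm_*` entries would keep that reasoning with the control. The list begins above the hunk, so whether further `set_password_hashing_algorithm_*` rules are already mapped there cannot be seen from here.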
diff --git a/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml b/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml
index 2314d1a1914..f4514cbedc0 100644
--- a/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml
+++ b/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml
@@ -9,5 +9,4 @@ controls:
 - sshd_enable_warning_banner
 - banner_etc_issue
 - dconf_gnome_banner_enabled
- - dconf_gnome_login_banner_text
 status: automated
diff --git a/controls/srg_gpos/SRG-OS-000368-GPOS-00154.yml b/controls/srg_gpos/SRG-OS-000368-GPOS-00154.yml
index 39c949ca534..748a1fffdf7 100644
--- a/controls/srg_gpos/SRG-OS-000368-GPOS-00154.yml
+++ b/controls/srg_gpos/SRG-OS-000368-GPOS-00154.yml
@@ -10,7 +10,6 @@ controls:
 - service_fapolicyd_enabled
 - mount_option_boot_nodev
 - mount_option_boot_nosuid
- - mount_option_boot_efi_nosuid
 - mount_option_dev_shm_nodev
 - mount_option_dev_shm_noexec
 - mount_option_dev_shm_nosuid
diff --git a/controls/srg_gpos/SRG-OS-000392-GPOS-00172.yml b/controls/srg_gpos/SRG-OS-000392-GPOS-00172.yml
index 2538f18bb9e..463c3549e2a 100644
--- a/controls/srg_gpos/SRG-OS-000392-GPOS-00172.yml
+++ b/controls/srg_gpos/SRG-OS-000392-GPOS-00172.yml
@@ -59,7 +59,6 @@ controls:
 - audit_rules_privileged_commands_postdrop
 - audit_rules_privileged_commands_postqueue
 - audit_rules_privileged_commands_pt_chown
- - audit_rules_execution_restorecon
 - audit_rules_privileged_commands_ssh_agent
 - audit_rules_privileged_commands_ssh_keysign
 - audit_rules_privileged_commands_su
diff --git a/controls/srg_gpos/SRG-OS-000433-GPOS-00192.yml b/controls/srg_gpos/SRG-OS-000433-GPOS-00192.yml
index 07d585803be..bff72ce9561 100644
--- a/controls/srg_gpos/SRG-OS-000433-GPOS-00192.yml
+++ b/controls/srg_gpos/SRG-OS-000433-GPOS-00192.yml
@@ -8,5 +8,4 @@ controls:
 - sysctl_kernel_kptr_restrict
 - bios_enable_execution_restrictions
 - grub2_slub_debug_argument
- - sysctl_kernel_exec_shield
 status: automated
diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml index 5cdc1301065..1aceb0b1870 100644 --- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml +++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml @@ -82,11 +82,9 @@ controls: - package_sendmail_removed - package_tftp-server_removed - package_quagga_removed - - xwindows_remove_packages - package_gssproxy_removed - package_iprutils_removed - package_tuned_removed - - package_gdm_removed - package_xorg-x11-server-common_removed # package installed @@ -108,7 +106,6 @@ controls: - mount_option_noexec_remote_filesystems - mount_option_nosuid_remote_filesystems - mount_option_boot_nosuid - - mount_option_boot_efi_nosuid - mount_option_home_noexec - mount_option_home_nosuid - mount_option_nodev_nonroot_local_partitions @@ -150,9 +147,7 @@ controls: - sysctl_net_ipv4_conf_default_accept_source_route - sysctl_net_ipv4_conf_all_rp_filter - sysctl_net_ipv4_conf_default_rp_filter - - sysctl_net_ipv4_conf_all_secure_redirects - sysctl_net_ipv4_icmp_echo_ignore_broadcasts - - sysctl_net_ipv4_icmp_ignore_bogus_error_responses - sysctl_net_ipv4_tcp_syncookies - sysctl_net_ipv4_conf_all_send_redirects - sysctl_net_ipv4_conf_default_accept_redirects