RHEL8 - ensuring stigid's and references are set where appropriate

linux_os/guide/services/base/package_abrt_removed/rule.yml

@@ -26,6 +26,7 @@ identifiers:
 references:
     srg: SRG-OS-000095-GPOS-00049
     stigid@rhel8: RHEL-08-040001
+    disa: CCI-000381
 
 {{{ complete_ocil_entry_package(package="abrt") }}}
 

linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml

@@ -19,7 +19,9 @@ identifiers:
 
 references:
     nist: CM-6(a),SI-4(22)
-    srg: SRG-OS-000370-GPOS-00155
+    srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154
+    disa: CCI-001764
+    stigid@rhel8: RHEL-08-040135
 
 ocil_clause: 'the package is not installed'
 

linux_os/guide/services/fapolicyd/service_fapolicyd_enabled/rule.yml

@@ -21,8 +21,9 @@ identifiers:
 references:
     nist: CM-6(a),SI-4(22)
     ospp: FMT_SMF_EXT.1
-    srg: SRG-OS-000370-GPOS-00155
+    srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154
     stigid@rhel8: RHEL-08-040135
+    disa: CCI-001764
 
 ocil_clause: 'the service is not enabled'
 

linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml

@@ -21,6 +21,7 @@ references:
     srg: SRG-OS-000120-GPOS-00061
     ism: 0418,1055,1402
     stigid@rhel8: RHEL-08-010161
+    disa: CCI-000803
 
 ocil_clause: 'it is present on the system'
 

linux_os/guide/services/mail/package_sendmail_removed/rule.yml

@@ -29,8 +29,9 @@ references:
     iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
     cis-csc: 11,14,3,9
     anssi: BP28(R1)
-    srg: SRG-OS-000480-GPOS-00227
+    srg: SRG-OS-000480-GPOS-00227,SRG-OS-000095-GPOS-00049
     stigid@rhel8: RHEL-08-040002
+    disa: CCI-000381
 
 {{{ complete_ocil_entry_package(package="sendmail") }}}
 

linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml

@@ -25,7 +25,7 @@ identifiers:
     cce@sle15: CCE-85605-4
 
 references:
-    disa: CCI-000366
+    disa: CCI-000366,CCI-000139
     nist: CM-6(a)
     stigid@sle12: SLES-12-020050
     stigid@sle15: SLES-15-030580

linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nodev_remote_filesystems/rule.yml

@@ -26,6 +26,7 @@ references:
     cis-csc: 11,13,14,3,8,9
     stigid@rhel8: RHEL-08-010640
     srg: SRG-OS-000480-GPOS-00227
+    disa: CCI-000366
 
 ocil_clause: 'the setting does not show'
 

linux_os/guide/services/ntp/chronyd_client_only/rule.yml

@@ -23,8 +23,9 @@ identifiers:
 
 references:
     ospp: FMT_SMF_EXT.1
-    srg: SRG-OS-000096-GPOS-00050
+    srg: SRG-OS-000096-GPOS-00050,SRG-OS-000095-GPOS-00049
     stigid@rhel8: RHEL-08-030741
+    disa: CCI-000381
 
 ocil_clause: 'it does not exist or port is set to non-zero value'
 

linux_os/guide/services/ntp/chronyd_no_chronyc_network/rule.yml

@@ -23,8 +23,9 @@ identifiers:
 
 references:
     ospp: FMT_SMF_EXT.1
-    srg: SRG-OS-000096-GPOS-00050
+    srg: SRG-OS-000096-GPOS-00050,SRG-OS-000095-GPOS-00049
     stigid@rhel8: RHEL-08-030742
+    disa: CCI-000381
 
 ocil_clause: 'it does not exist or port is set to non-zero value'
 

linux_os/guide/services/rng/service_rngd_enabled/rule.yml

@@ -22,6 +22,7 @@ references:
     ospp: FCS_RBG_EXT.1
     srg: SRG-OS-000480-GPOS-00227
     stigid@rhel8: RHEL-08-010471
+    disa: CCI-000366
 
 ocil_clause: 'the service is not enabled'
 

linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml

@@ -29,6 +29,7 @@ references:
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
     cis-csc: 13,14
     ospp: FIA_UAU.5,FTP_ITC_EXT.1
+    stigid@rhel8: RHEL-08-040160
 
 ocil_clause: 'the package is not installed'
 

linux_os/guide/services/ssh/ssh_client/ssh_client_rekey_limit/rule.yml

@@ -30,8 +30,9 @@ identifiers:
 
 references:
     ospp: FCS_SSHS_EXT.1
-    srg: SRG-OS-000423-GPOS-00187
+    srg: SRG-OS-000423-GPOS-00187,SRG-OS-000033-GPOS-00014
     stigid@rhel8: RHEL-08-040162
+    disa: CCI-000068
 
 ocil_clause: 'it is commented out or is not set'
 

linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml

@@ -38,7 +38,7 @@ references:
     nist@sle15: CM-6(b),CM-6.1(iv)
     nist-csf: PR.AC-4,PR.AC-6,PR.DS-5,PR.IP-1,PR.PT-3
     ospp: FIA_UAU.1
-    srg: SRG-OS-000106-GPOS-00053,SRG-OS-000480-GPOS-00229
+    srg: SRG-OS-000106-GPOS-00053,SRG-OS-000480-GPOS-00229,SRG-OS-000480-GPOS-00227
     vmmsrg: SRG-OS-000480-VMM-002000
     stigid@rhel7: RHEL-07-010300
     stigid@sle12: SLES-12-030150
@@ -49,6 +49,7 @@ references:
     iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
     cis-csc: 11,12,13,14,15,16,18,3,5,9
     cis@sle15: 5.2.11
+    stigid@rhel8: RHEL-08-020330
 
 {{{ complete_ocil_entry_sshd_option(default="yes", option="PermitEmptyPasswords", value="no") }}}
 

linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/rule.yml

@@ -22,12 +22,12 @@ identifiers:
 references:
     stigid@ol7: OL07-00-040430
     cui: 3.1.12
-    disa: CCI-000318,CCI-000368,CCI-001812,CCI-001813,CCI-001814
+    disa: CCI-000318,CCI-000368,CCI-001812,CCI-001813,CCI-001814,CCI-000366
     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
     nist: CM-7(a),CM-7(b),CM-6(a),AC-17(a)
     nist-csf: PR.IP-1
     ospp: FTP_ITC_EXT.1
-    srg: SRG-OS-000364-GPOS-00151
+    srg: SRG-OS-000364-GPOS-00151,SRG-OS-000480-GPOS-00227
     vmmsrg: SRG-OS-000480-VMM-002000
     stigid@rhel7: RHEL-07-040430
     isa-62443-2013: 'SR 7.6'

linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/rule.yml

@@ -23,14 +23,15 @@ identifiers:
 references:
     stigid@ol7: OL07-00-040440
     cui: 3.1.12
-    disa: CCI-000318,CCI-000368,CCI-001812,CCI-001813,CCI-001814
+    disa: CCI-000318,CCI-000368,CCI-001812,CCI-001813,CCI-001814,CCI-000366
     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
     nist: AC-17(a),CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.IP-1
     ospp: FTP_ITC_EXT.1
-    srg: SRG-OS-000364-GPOS-00151
+    srg: SRG-OS-000364-GPOS-00151,SRG-OS-000480-GPOS-00227
     vmmsrg: SRG-OS-000480-VMM-002000
     stigid@rhel7: RHEL-07-040440
+    stigid@rhel8: RHEL-08-010521
     isa-62443-2013: 'SR 7.6'
     isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
     cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05

linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml

@@ -21,8 +21,9 @@ identifiers:
 
 references:
     ospp: FCS_SSHS_EXT.1
-    srg: SRG-OS-000480-GPOS-00227
+    srg: SRG-OS-000480-GPOS-00227,SRG-OS-000033-GPOS-00014
     stigid@rhel8: RHEL-08-040161
+    disa: CCI-000068
 
 ocil_clause: 'it is commented out or is not set'
 

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml

@@ -45,6 +45,7 @@ references:
     srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109
     vmmsrg: SRG-OS-000480-VMM-002000
     stigid@rhel7: RHEL-07-040340
+    stigid@rhel8: RHEL-08-010200
     stigid@sle12: SLES-12-030191
     stigid@sle15: SLES-15-010320
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 6.2'

linux_os/guide/services/ssh/ssh_server/sshd_use_strong_rng/rule.yml

@@ -26,6 +26,8 @@ identifiers:
 references:
     ospp: FCS_RBG_EXT.1.2
     srg: SRG-OS-000480-GPOS-00227
+    disa: CCI-000366
+    stigid@rhel8: RHEL-08-010292
 
 ocil: |-
     To determine whether the SSH service is configured to use strong entropy seed,

linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml

@@ -34,8 +34,8 @@ identifiers:
     cce@rhel8: CCE-80909-5
 
 references:
-    disa: CCI-001954
-    srg: SRG-OS-000375-GPOS-00160
+    disa: CCI-001954,CCI-000765
+    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000105-GPOS-00052
     vmmsrg: SRG-OS-000107-VMM-000530
     ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
     stigid@rhel8: RHEL-08-020250

linux_os/guide/services/usbguard/configure_usbguard_auditbackend/rule.yml

@@ -24,6 +24,7 @@ references:
     ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000062-GPOS-00031
     stigid@rhel8: RHEL-08-030603
+    disa: CCI-000169
 
 ocil_clause: 'AuditBackend is not set to LinuxAudit'
 

linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml

@@ -8,7 +8,7 @@ description: |-
     {{% if product != "rhcos4" %}}
     {{{ describe_package_install(package="usbguard") }}}
     {{% else %}}
-    The <tt>usbguard</tt> package can be installed with the following manifest: 
+    The <tt>usbguard</tt> package can be installed with the following manifest:
     <pre>
     ---
     apiVersion: machineconfiguration.openshift.io/v1
@@ -46,6 +46,8 @@ identifiers:
 references:
     srg: SRG-OS-000378-GPOS-00163
     ism: "1418"
+    stigid@rhel8: RHEL-08-040140
+    disa: CCI-001958
 
 ocil_clause: 'the package is not installed'
 

linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml

@@ -25,6 +25,7 @@ references:
     srg: SRG-OS-000378-GPOS-00163
     ism: "1418"
     stigid@rhel8: RHEL-08-040140
+    disa: CCI-001958
 
 ocil_clause: 'the service is not enabled'
 

linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml

@@ -47,6 +47,7 @@ references:
     ospp: FMT_MOF_EXT.1
     srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007,SRG-OS-000228-GPOS-00088
     stigid@rhel7: RHEL-07-010030
+    stigid@rhel8: RHEL-08-010050
     stigid@sle12: SLES-12-010040
     stigid@sle15: SLES-15-010080
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml

@@ -32,7 +32,7 @@ identifiers:
 
 references:
     stigid@ol7: OL07-00-010330
-    disa: CCI-002238
+    disa: CCI-002238,CCI-000044
     nist: CM-6(a),AC-7(b),IA-5(c)
     nist-csf: PR.AC-7
     ospp: FMT_MOF_EXT.1

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml

@@ -32,7 +32,7 @@ references:
     nist: CM-6(a),AC-7(a),IA-5(4)
     nist-csf: PR.AC-1,PR.AC-6,PR.AC-7,PR.IP-1
     ospp: FMT_MOF_EXT.1
-    srg: SRG-OS-000480-GPOS-00225
+    srg: SRG-OS-000480-GPOS-00225,SRG-OS-000069-GPOS-00037
     stigid@rhel7: RHEL-07-010119
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 7.6'
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml

@@ -62,6 +62,7 @@ references:
     srg: SRG-OS-000073-GPOS-00041
     vmmsrg: SRG-OS-000480-VMM-002000
     stigid@rhel7: RHEL-07-010200
+    stigid@rhel8: RHEL-08-010160
     stigid@sle12: SLES-12-010230
     stigid@sle15: SLES-15-020170
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'

linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml

@@ -25,6 +25,7 @@ identifiers:
 
 references:
     stigid@rhel7: RHEL-07-010481
+    stigid@rhel8: RHEL-08-010151
     stigid@ol7: OL07-00-010481
     stigid@rhel8: RHEL-08-010152
     cis@rhel7: 1.4.3

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml

@@ -20,8 +20,9 @@ identifiers:
 
 references:
     ospp: FMT_SMF_EXT.1
-    srg: SRG-OS-000031-GPOS-00012
+    srg: SRG-OS-000031-GPOS-00012,SRG-OS-000028-GPOS-00009
     stigid@rhel8: RHEL-08-020041
+    disa: CCI-000056
 
 ocil_clause: 'exec tmux is not present at the end of bashrc'
 

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/rule.yml

@@ -23,6 +23,7 @@ references:
     ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000029-GPOS-00010
     stigid@rhel8: RHEL-08-020070
+    disa: CCI-000057
 
 ocil_clause: 'lock-after-time is not set or set to zero'
 

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/rule.yml

@@ -21,8 +21,9 @@ identifiers:
 
 references:
     ospp: FMT_SMF_EXT.1
-    srg: SRG-OS-000324-GPOS-00125
+    srg: SRG-OS-000324-GPOS-00125,SRG-OS-000028-GPOS-00009
     stigid@rhel8: RHEL-08-020042
+    disa: CCI-000056
 
 ocil_clause: 'tmux is listed in /etc/shells'
 

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/rule.yml

@@ -29,17 +29,18 @@ identifiers:
 
 references:
     cui: 3.1.10
-    disa: CCI-000058
+    disa: CCI-000058,CCI-000056
     nist: CM-6(a)
     nist-csf: PR.AC-7
     ospp: FMT_MOF_EXT.1
-    srg: SRG-OS-000030-GPOS-00011
+    srg: SRG-OS-000030-GPOS-00011,SRG-OS-000028-GPOS-00009
     vmmsrg: SRG-OS-000030-VMM-000110
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
     isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
     cobit5: DSS05.04,DSS05.10,DSS06.10
     iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
     cis-csc: 1,12,15,16
+    stigid@rhel8: RHEL-08-020040
 
 ocil_clause: 'the package is not installed'
 

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml

@@ -26,9 +26,9 @@ identifiers:
     cce@rhel8: CCE-80846-9
 
 references:
-    disa: CCI-001954
+    disa: CCI-001954,CCI-001953
     nist: CM-6(a)
-    srg: SRG-OS-000375-GPOS-00160
+    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161
     vmmsrg: SRG-OS-000376-VMM-001520
     ism: 1382,1384,1386
     stigid@rhel8: RHEL-08-010410

linux_os/guide/system/accounts/accounts-physical/service_debug-shell_disabled/rule.yml

@@ -31,8 +31,9 @@ references:
     cui: 3.4.5
     hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
     ospp: FIA_UAU.1
-    srg: SRG-OS-000324-GPOS-00125
+    srg: SRG-OS-000324-GPOS-00125,SRG-OS-000480-GPOS-00227
     stigid@rhel8: RHEL-08-040180
+    disa: CCI-000366
 
 ocil: |-
     {{{ ocil_service_disabled(service="debug-shell") }}}

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml

@@ -7,7 +7,7 @@ description: |-
     <tt>/etc/login.defs</tt> and add or correct the following line:
     <pre>PASS_MIN_LEN {{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}</pre>
     <br /><br />
-    The DoD requirement is <tt>15</tt>. 
+    The DoD requirement is <tt>15</tt>.
     The FISMA requirement is <tt>12</tt>.
     The profile requirement is
     <tt>{{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}</tt>.
@@ -44,6 +44,7 @@ references:
     ism: 0421,0422,0431,0974,1173,1401,1504,1505,1546,1557,1558,1559,1560,1561
     stigid@rhel8: RHEL-08-020231
     anssi: BP28(R18)
+    disa: CCI-000205
 
 ocil_clause: 'it is not set to the required value'
 

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_password_auth/rule.yml

@@ -28,7 +28,10 @@ identifiers:
     cce@rhel8: CCE-83403-6
 
 references:
-  anssi: BP28(R32)
+    anssi: BP28(R32)
+    stigid@rhel8: RHEL-08-010130
+    srg: SRG-OS-000073-GPOS-00041
+    disa: CCI-000196
 
 ocil_clause: 'it does not set the appropriate number of hashing rounds'
 

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_pam_unix_rounds_system_auth/rule.yml

@@ -29,6 +29,9 @@ identifiers:
 
 references:
   anssi: BP28(R32)
+  stigid@rhel8: RHEL-08-010130
+  srg: SRG-OS-000073-GPOS-00041
+  disa: CCI-000196
 
 ocil_clause: 'it does not set the appropriate number of hashing rounds'