Update SRG-OS-000114-GPOS-00059 for RHEL 9 STIG

linux_os/guide/services/usbguard/usbguard_allow_hid/ansible/shared.yml

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# complexity = low
+# strategy = configure
+# disruption = low
+
+{{{ ansible_lineinfile(msg='allow HID devices', path='/etc/usbguard/rules.conf', regex='', new_line='allow with-interface match-all { 03:*:* }', create='yes', state='present') }}}

linux_os/guide/services/usbguard/usbguard_allow_hid/rule.yml

@@ -23,6 +23,7 @@ severity: medium
 
 identifiers:
     cce@rhel8: CCE-82274-2
+    cce@rhel9: CCE-85990-0
 
 references:
     ospp: FMT_SMF_EXT.1
@@ -37,3 +38,9 @@ ocil: |-
     The output lines should include
     <pre>allow with-interface match-all { 03:*:* }</pre>
 
+fixtext: |-
+    Configure the USBGuard daemon to allow USB Human Interface Devices.
+
+    Add or edit the following line in "/etc/usbguard/rules.conf":
+
+    allow with-interface match-all { 03:*:* }

linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/ansible/shared.yml

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# complexity = low
+# strategy = configure
+# disruption = low
+
+{{{ ansible_lineinfile(msg='allow HID devices and hubs', path='/etc/usbguard/rules.conf', regex='', new_line='allow with-interface match-all { 03:*:* 09:00:* }', create='yes', state='present') }}}

linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml

@@ -40,3 +40,10 @@ ocil: |-
     <pre>$ sudo grep allow /etc/usbguard/rules.conf</pre>
     The output lines should include
     <pre>allow with-interface match-all { 03:*:* 09:00:* }</pre>
+
+fixtext: |-
+    Configure the USBGuard daemon to allow USB Human Interface Devices and USB hubs.
+
+    Add or edit the following line in "/etc/usbguard/rules.conf":
+
+    allow with-interface match-all { 03:*:* 09:00:* }

linux_os/guide/services/usbguard/usbguard_allow_hub/ansible/shared.yml

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# complexity = low
+# strategy = configure
+# disruption = low
+
+{{{ ansible_lineinfile(msg='allow hubs', path='/etc/usbguard/rules.conf', regex='', new_line='allow with-interface match-all { 09:00:* }', create='yes', state='present') }}}

linux_os/guide/services/usbguard/usbguard_allow_hub/rule.yml

@@ -35,3 +35,10 @@ ocil: |-
     <pre>$ sudo grep allow /etc/usbguard/rules.conf</pre>
     One of the output lines should be
     <pre>allow with-interface match-all { 09:00:* }</pre>
+
+fixtext: |-
+    Configure the USBGuard daemon to allow USB hubs.
+
+    Add or edit the following line in "/etc/usbguard/rules.conf"
+
+    allow with-interface match-all { 09:00:* }

linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml

@@ -57,3 +57,7 @@ template:
     name: kernel_module_disabled
     vars:
         kernmodule: usb-storage
+
+fixtext: |-
+    Configure {{{ full_name }}} to disable automated loading of the USB storage driver.
+    {{{ describe_module_disable(module="usb-storage") }}}

linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml

@@ -60,9 +60,15 @@ references:
 ocil: |-
     {{{ ocil_service_disabled(service="autofs") }}}
 
+ocil_clause: the autofs service is not disabled
+
 platform: machine
 
 template:
     name: service_disabled
     vars:
         servicename: autofs
+
+fixtext: |-
+    Configure {{{ full_name }}} to disable the ability to automount devices.
+    {{{ describe_service_disable(service="autofs") }}}

linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/rule.yml

@@ -51,6 +51,11 @@ ocil: |-
     AutomaticLoginEnable=false</pre>
 
 fixtext: |-
-    {{{ fixtext_dconf_ini_file("daemon", "AutomaticLoginEnable", "false") }}}
+    Configure GDM to disable automatic login.
+
+    Set AutomaticLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example:
+
+    [daemon]
+    AutomaticLoginEnable=false
 
 platform: machine

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml

@@ -19,6 +19,7 @@ description: |-
     After the settings have been set, run <tt>dconf update</tt>.
 
 rationale: |-
+    Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
     Disabling automatic mounting in GNOME3 can prevent
     the introduction of malware via removable media.
     It will, however, also prevent desktop users from legitimate use
@@ -56,3 +57,8 @@ ocil: |-
     If properly configured, the output for <tt>automount-open</tt> should be <tt>/org/gnome/desktop/media-handling/automount-open</tt>
 
 platform: machine
+
+fixtext: |-
+    Configure GNOME 3 to disable automated mount of removable media.
+
+    {{{ fixtext_dconf_ini_file("org/gnome/desktop/media-handling", "automount-open", "false") }}}

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml

@@ -19,6 +19,7 @@ description: |-
     After the settings have been set, run <tt>dconf update</tt>.
 
 rationale: |-
+    Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
     Disabling automatic mount running in GNOME3 can prevent
     the introduction of malware via removable media.
     It will, however, also prevent desktop users from legitimate use
@@ -56,3 +57,8 @@ ocil: |-
     If properly configured, the output for <tt>autorun-never</tt> should be <tt>/org/gnome/desktop/media-handling/autorun-never</tt>
 
 platform: machine
+
+fixtext: |-
+    Configure GNOME 3 to disable automated mount of removable media.
+
+    {{{ fixtext_dconf_ini_file("org/gnome/desktop/media-handling", "autorun-never", "true") }}}

linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml

@@ -81,6 +81,6 @@ ocil: |-
     {{% endif %}}
 
 fixtext: |-
-    {{{ fixtext_dconf_ini_file("/org/gnome/desktop/screensaver/lock-enabled", "lock-enabled", "true") }}}
+    {{{ fixtext_dconf_ini_file("org/gnome/desktop/screensaver/lock-enabled", "lock-enabled", "true") }}}
 
 platform: machine

shared/macros/fixtext.jinja

@@ -31,11 +31,17 @@ The audit daemon must be restarted for the changes to take effect.
 #}}
 {{%- macro fixtext_dconf_ini_file(section, parameter, value) -%}}
     The dconf settings can be edited in the /etc/dconf/db/* location.
-    Edit or add the {{{ section }}} section of the database file and add or update the following lines:
 
-    {{{parameter}}}={{{value}}}
+    First, add or update the [{{{ section }}}] section of the "/etc/dconf/db/local.d/00-security-settings" database file and add or update the following lines:
 
-    Update the system databases:
+    [{{{ section }}}]
+    {{{ parameter }}}={{{ value }}}
+
+    Then, add the following line to "/etc/dconf/db/local.d/locks/00-security-settings-lock" to prevent user modification:
+
+    /{{{ section }}}/{{{ parameter }}}
+
+    Finally, update the dconf system databases:
 
     $ sudo dconf update
 {{%- endmacro -%}}

shared/references/cce-redhat-avail.txt

@@ -63,7 +63,6 @@ CCE-85984-3
 CCE-85985-0
 CCE-85986-8
 CCE-85988-4
-CCE-85990-0
 CCE-85997-5
 CCE-85998-3
 CCE-85999-1