diff --git a/controls/srg_gpos/SRG-OS-000047-GPOS-00023.yml b/controls/srg_gpos/SRG-OS-000047-GPOS-00023.yml index c902300462d..7cb669cec25 100644 --- a/controls/srg_gpos/SRG-OS-000047-GPOS-00023.yml +++ b/controls/srg_gpos/SRG-OS-000047-GPOS-00023.yml @@ -11,5 +11,5 @@ controls: - auditd_data_disk_full_action_stig - var_auditd_disk_full_action=halt - auditd_data_retention_max_log_file_action_stig - - var_auditd_max_log_file_action=syslog + - var_auditd_max_log_file_action=rotate status: automated diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml index 5c4f9b3d89a..fdc4e047c6d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml @@ -58,15 +58,19 @@ references: stigid@ubuntu2004: UBTU-20-010052 vmmsrg: SRG-OS-000071-VMM-000380 -ocil_clause: 'dcredit is not found or not equal to or less than the required value' +ocil_clause: 'the value of "dcredit" is a positive number or is commented out' ocil: |- - To check how many digits are required in a password, run the following command: -
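Review bot: Switching `var_auditd_max_log_file_action` from `syslog` to `rotate` in the SRG-OS-000047 control makes audit retention depend on `num_logs`, because as I read auditd.conf(5) `rotate` deletes the oldest file once that many logs exist, whereas `syslog` only warned and kept appending to the current file. Nothing in this hunk selects or documents a `num_logs` value or requires off-loading, so a reader cannot tell why `rotate` is acceptable for a control whose intent is to halt rather than lose audit records. A one-line note beside the selection would make the dependency explicit, e.g. `# rotate is only safe with a sufficient var_auditd_num_logs and audit off-loading; otherwise records are silently discarded`.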
$ grep dcredit /etc/security/pwquality.conf
- The dcredit parameter (as a negative number) will indicate how many digits are required. + Verify that {{{ full_name }}} enforces password complexity by requiring that at least one numeric character be used. + + Check the value for "dcredit" with the following command: + +
$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+
+    /etc/security/pwquality.conf:dcredit = {{{ xccdf_value('var_password_pam_dcredit') }}}
fixtext: |- - Configure {{{ full_name }}} to enforce password complexity by requiring that at least numeric character be used by setting the "dcredit" option. + Configure {{{ full_name }}} to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml index 6cf970626f1..3aa2e7e65ee 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml @@ -33,13 +33,14 @@ references: stigid@rhel8: RHEL-08-020300 stigid@ubuntu2004: UBTU-20-010056 -ocil_clause: 'dictcheck is not found or not equal to the required value' +ocil_clause: '"dictcheck" does not have a value other than "0", or is commented out' ocil: |- - To check if dictionary words are disallowed run the following command: -
$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf
- The dictcheck parameter should be equal to 1. The value should look like -
dictcheck=1
+ Verify {{{ full_name }}} prevents the use of dictionary words for passwords with the following command: + +
$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf
+
+    /etc/security/pwquality.conf:dictcheck=1
platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml index 7b4bad53aec..2b48b8f6b6b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml @@ -52,14 +52,14 @@ references: stigid@ubuntu2004: UBTU-20-010053 vmmsrg: SRG-OS-000072-VMM-000390 -ocil_clause: 'difok is not found or set to less than the required value' +ocil_clause: 'the value of "difok" is set to less than "{{{ xccdf_value("var_password_pam_difok") }}}", or is commented out' ocil: |- - To check how many characters must differ during a password change, run the following command: + Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command: +
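Review bot: The dictcheck grep on the new side scans `/etc/pwquality.conf.d/*.conf`, while every other pwquality rule in this diff (dcredit, lcredit, ocredit, ucredit, enforce_for_root) scans `/etc/security/pwquality.conf.d/*.conf`; as far as I know the latter is the drop-in directory pwquality.conf(5) documents, so this check misses drop-in overrides and the other path is almost certainly a typo carried over from the old text. Change the command to `$ sudo grep dictcheck /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf`. The clause `"dictcheck" does not have a value other than "0", or is commented out` is a double negative; `'"dictcheck" is set to "0", missing, or commented out'` states the same finding directly.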
$ sudo grep difok /etc/security/pwquality.conf
-    difok = {{{ xccdf_value("var_password_pam_difok") }}}
-    
- The difok parameter will indicate how many characters must differ. + + difok = {{{ xccdf_value("var_password_pam_difok") }}} platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml index 19a61043ab3..349cc9267ca 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml @@ -30,17 +30,21 @@ references: nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4) srg: SRG-OS-000072-GPOS-00040,SRG-OS-000071-GPOS-00039,SRG-OS-000070-GPOS-00038,SRG-OS-000266-GPOS-00101,SRG-OS-000078-GPOS-00046,SRG-OS-000480-GPOS-00225,SRG-OS-000069-GPOS-00037 -ocil_clause: 'enforce_for_root is commented or not present' +ocil_clause: '"enforce_for_root" is commented or missing' ocil: |- - To verify if root user is required to use complex passwords, run the following command: -
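Review bot: The difok check still greps only `/etc/security/pwquality.conf`, unlike the dcredit, dictcheck, lcredit, ocredit and ucredit hunks in this same change, which also scan `/etc/security/pwquality.conf.d/*.conf`; a drop-in that sets a lower `difok` would, as far as I know, override the main file and go unnoticed by a reviewer following this text. Extend the command to `$ sudo grep difok /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf` and phrase the sentence as `Verify the value of the "difok" option in "/etc/security/pwquality.conf" or a drop-in under "/etc/security/pwquality.conf.d" with the following command:`. The `<pre>` block also follows the sentence with no blank line, which differs from the layout used in the sibling rules.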
$ grep enforce_for_root /etc/security/pwquality.conf
- The output should return enforce_for_root uncommented. + Verify that {{{ full_name }}} enforces password complexity rules for the root account. + + Check if root user is required to use complex passwords with the following command: + +
$ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+
+    /etc/security/pwquality.conf:enforce_for_root
fixtext: |- Configure {{{ full_name }}} to enforce password complexity on the root account. - Add the following line to /etc/security/pwquality.conf: + Add or update the following line in /etc/security/pwquality.conf: enforce_for_root diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml index 87487b7710e..5e1f6cb070b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml @@ -59,12 +59,16 @@ references: stigid@ubuntu2004: UBTU-20-010051 vmmsrg: SRG-OS-000070-VMM-000370 -ocil_clause: 'lcredit is not found or not less than or equal to the required value' +ocil_clause: 'the value of "lcredit" is a positive number or is commented out' ocil: |- - To check how many lowercase characters are required in a password, run the following command: -
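Review bot: The enforce_for_root grep also matches a commented `# enforce_for_root` line, and the stock pwquality.conf I have seen ships exactly that, so the reviewer will usually get output whether or not the option is active; the expected output shown illustrates only the passing form. Either show the failing form too, e.g. add `A line that begins with "#" means the option is not enforced.` after the sample, or anchor the pattern so only an active setting matches: `$ sudo grep -E '^\s*enforce_for_root' /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf`. This is also the only command in the set run without `sudo`, harmless if the files stay world-readable but inconsistent with the neighbours.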
$ grep lcredit /etc/security/pwquality.conf
- The lcredit parameter (as a negative number) will indicate how many special characters are required. + Verify that {{{ full_name }}} enforces password complexity by requiring that at least one lower-case character. + + Check the value for "lcredit" with the following command: + +
$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+
+    /etc/security/pwquality.conf:lcredit = -1
fixtext: |- Configure {{{ full_name }}} to enforce password complexity by requiring that at least one lower-case character be used by setting the "lcredit" option. diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml index 768e70ef881..58195dd0416 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml @@ -45,8 +45,11 @@ references: ocil_clause: the value of "maxclassrepeat" is set to "0", more than "{{{ xccdf_value("var_password_pam_maxclassrepeat") }}}" or is commented out ocil: |- - To check the value for maximum consecutive repeating characters, run the following command: -
$ sudo grep maxclassrepeat /etc/security/pwquality.conf
+ Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command: + +
$ grep maxclassrepeat /etc/security/pwquality.conf
+
+    maxclassrepeat = {{{ xccdf_value("var_password_pam_maxclassrepeat") }}}
platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml index 46af5feadf1..c48a5d9f8db 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml @@ -47,8 +47,11 @@ references: ocil_clause: the value of "maxrepeat" is set to more than "{{{ xccdf_value("var_password_pam_maxrepeat") }}}" or is commented out ocil: |- - To check the maximum value for consecutive repeating characters, run the following command: -
$ sudo grep maxrepeat /etc/security/pwquality.conf
+ Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command: + +
$ grep maxrepeat /etc/security/pwquality.conf
+
+    maxrepeat = {{{ xccdf_value("var_password_pam_maxrepeat") }}}
platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml index cc8b7378487..5083c32b964 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml @@ -66,12 +66,11 @@ references: ocil_clause: the value of "minclass" is set to less than "{{{ xccdf_value("var_password_pam_minclass") }}}" or is commented out ocil: |- - To check how many categories of characters must be used in password during a password change, - run the following command: -
$ sudo grep minclass /etc/security/pwquality.conf
- The minclass parameter will indicate how many character classes must be used. If - the requirement was for the password to contain characters from {{{ xccdf_value("var_password_pam_minclass") }}} different categories, - then this would appear as minclass = {{{ xccdf_value("var_password_pam_minclass") }}}. + Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command: + +
$ grep minclass /etc/security/pwquality.conf
+
+    minclass = {{{ xccdf_value("var_password_pam_minclass") }}}
platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml index bf2deaaa524..e5dbbe11792 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml @@ -58,21 +58,24 @@ references: stigid@ubuntu2004: UBTU-20-010054 vmmsrg: SRG-OS-000072-VMM-000390,SRG-OS-000078-VMM-000450 -ocil_clause: 'minlen is not found, or not equal to or greater than the required value' +ocil_clause: 'the command does not return a "minlen" value of "{{{ xccdf_value("var_password_pam_minlen") }}}" or greater, does not return a line, or the line is commented out' ocil: |- - To check how many characters are required in a password, run the following command: -
$ grep minlen /etc/security/pwquality.conf
- Your output should contain minlen = {{{ xccdf_value("var_password_pam_minlen") }}} + Verify that {{{ full_name }}} enforces a minimum {{{ xccdf_value("var_password_pam_minlen") }}}-character password length with the following command: + +
$ grep minlen /etc/security/pwquality.conf
+
+    minlen = {{{ xccdf_value("var_password_pam_minlen") }}}
fixtext: |- - Configure {{{ full_name }}} to enforce a minimum 15-character password length. + Configure {{{ full_name }}} to enforce a minimum {{{ xccdf_value("var_password_pam_minlen") }}}-character password length. Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): minlen = {{{ xccdf_value("var_password_pam_minlen") }}} -srg_requirement: '{{{ full_name }}} passwords must have a minimum of 15 characters.' +srg_requirement: |- + {{{ full_name }}} passwords must be created with a minimum of 15 characters. platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml index b8ffcd2bd0a..2d660572fa1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml @@ -62,18 +62,21 @@ references: ocil_clause: 'value of "ocredit" is a positive number or is commented out' ocil: |- - To check how many special characters are required in a password, run the following command: -
$ grep ocredit /etc/security/pwquality.conf
- The ocredit parameter (as a negative number) will indicate how many special - characters are required. + Verify that {{{ full_name }}} enforces password complexity by requiring that at least one special character with the following command: +
$ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+
+    ocredit = {{{ xccdf_value("var_password_pam_ocredit") }}}
fixtext: |- - Add or modify the "ocredit" option line in /etc/security/pwquality.conf to have the required - value, like in the following example: + Configure {{{ full_name }}} to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option. + + Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): + ocredit = {{{ xccdf_value("var_password_pam_ocredit") }}} -srg_requirement: '{{{ full_name }}} passwords must contain at least one special character.' +srg_requirement: |- + {{{ full_name }}} must enforce password complexity by requiring that at least one special character be used. platform: pam diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml index 7418407612b..ab496ef089e 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml @@ -55,13 +55,16 @@ references: stigid@ubuntu2004: UBTU-20-010050 vmmsrg: SRG-OS-000069-VMM-000360 -ocil_clause: 'ucredit is not found or not set to the required value' +ocil_clause: 'the value of "ucredit" is a positive number or is commented out' ocil: |- - To check how many uppercase characters are required in a password, run the following command: -
$ grep ucredit /etc/security/pwquality.conf
- The ucredit parameter (as a negative number) will indicate how many uppercase characters are required. - This would appear as ucredit = -1. + Verify that {{{ full_name }}} enforces password complexity by requiring that at least one upper-case character. + + Check the value for "ucredit" with the following command: + + $ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf + + ucredit = -1 fixtext: |- Configure {{{ full_name }}} to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option. @@ -70,7 +73,7 @@ fixtext: |- ucredit = {{{ xccdf_value("var_password_pam_ucredit") }}} -srg_requirement: '{{{ full_name }}} must enforce password complexity by requiring that at least one uppercase character be used.' +srg_requirement: '{{{ full_name }}} must enforce password complexity by requiring that at least one upper-case character be used.' platform: pam diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml index 854049c0906..88bf3523ac4 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml 
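Review bot: The ucredit expected output hard-codes `ucredit = -1` although the `fixtext` in the second hunk of this same file renders `{{{ xccdf_value("var_password_pam_ucredit") }}}`, so a profile that sets `-2` would show reviewers a passing example that is actually a finding. Use `ucredit = {{{ xccdf_value("var_password_pam_ucredit") }}}` in the sample and give the first sentence its verb: `...by requiring that at least one upper-case character be used.` The `<pre>` wrapper the sibling rules put around the command and sample appears to be absent on the new side here (the extraction shows none), which I would confirm before merging.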
@@ -79,8 +79,7 @@ checktext: |- If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding. fixtext: |- - If an emergency account must be created, configure the system to terminate the account after - 72 hours with the following command to set an expiration date for the account. + If an emergency account must be created configure the system to terminate the account after a 72 hour time period with the following command to set an expiration date on it. Substitute "emergency_account_name" with the account to be created. $ sudo chage -E `date -d "+3 days" +%Y-%m-%d` emergency_account_name diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml index bf519c7df6d..ccb358a9001 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml @@ -35,15 +35,14 @@ references: # The rule check uses password probe, which doesn't support offline mode platform: machine -ocil_clause: 'a line is returned' +ocil_clause: 'output is produced and the accounts listed are interactive user accounts' ocil: |- - Run the following command to check for duplicate account names: - Check that the operating system contains no duplicate UIDs for interactive users by running the following command: -
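Review bot: The rewritten fixtext sentence drops the comma and now reads `If an emergency account must be created configure the system...`, which is harder to parse than the two lines it replaces; `If an emergency account must be created, configure the system to terminate it after 72 hours with the following command, which sets an expiration date on the account.` keeps the meaning. It is also worth a word that `chage -E` takes a date, so `date -d "+3 days"` disables the account at the start of the third day, i.e. between roughly 48 and 72 hours from when the command runs; that still satisfies the "within 72 hours" check text above but is not exactly 72 hours.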
# awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
- If output is produced, this is a finding. - Configure the operating system to contain no duplicate UIDs for interactive users. - Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID. + Verify that {{{ full_name }}} contains no duplicate User IDs (UIDs) for interactive users. + + Check that the operating system contains no duplicate UIDs for interactive users with the following command: + +
$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
warnings: - general: |- @@ -55,3 +54,9 @@ fixtext: |- srg_requirement: |- {{{ full_name }}} duplicate User IDs (UIDs) must not exist for interactive users. + +vuldiscussion: |- + To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. + Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: + 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and + 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml index 5bb359639f4..020e7e80684 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml 
@@ -62,15 +62,17 @@ references: stigid@sle15: SLES-15-020220 stigid@ubuntu2004: UBTU-20-010008 -ocil_clause: 'PASS_MAX_DAYS is not set equal to or greater than the required value' +ocil_clause: 'the "PASS_MAX_DAYS" parameter value is greater than "{{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}", or commented out' ocil: |- - To check the maximum password age, run the command: -
$ grep PASS_MAX_DAYS /etc/login.defs
- The profile requirement is {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}. + Verify that {{{ full_name }}} enforces a {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}-day maximum password lifetime for new user accounts by running the following command: + +
$ grep -i pass_max_days /etc/login.defs
+
+    PASS_MAX_DAYS {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}
fixtext: |- - Configure {{{ full_name }}} to enforce a 60-day maximum password lifetime. + Configure {{{ full_name }}} to enforce a {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}-day maximum password lifetime. Add, or modify the following line in the "/etc/login.defs" file: diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml index 78f4b33e8f4..ca45e581151 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml @@ -60,11 +60,16 @@ references: stigid@sle15: SLES-15-020200 stigid@ubuntu2004: UBTU-20-010007 -ocil_clause: 'it is not equal to or greater than the required value' +ocil_clause: 'the "PASS_MIN_DAYS" parameter value is not "{{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}" or greater, or is commented out' ocil: |- - To check the minimum password age, run the command: -
$ grep PASS_MIN_DAYS /etc/login.defs
+ Verify {{{ full_name }}} enforces 24 hours/1 day as the minimum password lifetime for new user accounts. + + Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: + +
$ grep -i pass_min_days /etc/login.defs
+
+    PASS_MIN_DAYS {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}
fixtext: |- Configure {{{ full_name }}} to enforce 24 hours/1 day as the minimum password lifetime. diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml index 7c2118635c3..c22c9f73236 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml @@ -53,7 +53,7 @@ ocil: |- fixtext: |- Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction. - chage -M {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user] + passwd -x {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user] srg_requirement: |- {{{ full_name }}} user account passwords must have a 60-day maximum password lifetime restriction. diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml index 5d8f335a9a4..d14f7c07abd 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml 
@@ -45,7 +45,7 @@ references: ocil_clause: 'any results are returned that are not associated with a system account' ocil: |- - Check whether the minimum time period between password changes for each user account is one day or greater. + Verify that {{{ full_name }}} has configured the minimum time period between password changes for each user account is one day or greater with the following command: $ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml index 601fa409af6..2f749b9590d 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml @@ -35,13 +35,11 @@ references: stigid@rhel8: RHEL-08-020310 stigid@sle12: SLES-12-010140 -ocil_clause: 'the above command returns no output, or FAIL_DELAY is configured less than the expected value' +ocil_clause: 'the value of "FAIL_DELAY" is not set to "{{{ xccdf_value("var_accounts_fail_delay") }}}" or greater, or the line is commented out' ocil: |- - Verify the FAIL_DELAY setting is configured correctly in the /etc/login.defs file by - running the following command: -
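Review bot: The rewritten ocil sentence `Verify that {{{ full_name }}} has configured the minimum time period between password changes for each user account is one day or greater with the following command:` is ungrammatical ("has configured ... is one day"). Suggest `Verify that {{{ full_name }}} has configured the minimum time period between password changes for each user account to be one day or greater with the following command:`. The `awk -F: '$4 < 1 ...' /etc/shadow` command is unchanged and the remainder of the ocil body lies outside this hunk.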
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
- All output must show the value of FAIL_DELAY set as shown in the below: + Verify {{{ full_name }}} enforces a delay of at least {{{ xccdf_value("var_accounts_fail_delay") }}} seconds between console logon prompts following a failed logon attempt with the following command: +
$ sudo grep -i "FAIL_DELAY" /etc/login.defs
     FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}}
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml index 9edbd994fb1..ffe6d9b9062 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml @@ -65,7 +65,7 @@ references: stigid@ubuntu2004: UBTU-20-010013 vmmsrg: SRG-OS-000163-VMM-000700,SRG-OS-000279-VMM-001010 -ocil_clause: 'TMOUT is not set or its value is greater than expected setting' +ocil_clause: 'value of TMOUT is not less than or equal to expected setting' ocil: |- Run the following command to ensure the TMOUT value is configured for all users diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml index 5bfa1f80526..2a6368f8492 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml @@ -37,22 +37,19 @@ references: stigid@sle12: SLES-12-010780 stigid@sle15: SLES-15-040130 -ocil_clause: 'user initialization files are executing world-writable programs' +ocil_clause: 'any local initialization files are found to reference world-writable files' ocil: |- - Verify that local initialization files do not execute world-writable programs, - execute the following command: + Verify that local initialization files do not execute world-writable programs with the following command: + + Note: The example will be for a system that is configured to create user home directories in the "/home" directory. +
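Review bot: The new ocil_clause `value of TMOUT is not less than or equal to expected setting` drops two failing states the old clause covered: TMOUT not being set at all, and — more important — TMOUT set to `0`, which is numerically "less than or equal" to any expected value but, per the bash manual, disables the idle timeout entirely (only values greater than zero cause the shell to exit). Suggest `ocil_clause: 'TMOUT is not set, is set to "0", or its value is greater than the expected setting'`. The ocil body that would show the reader how a zero value looks starts in this hunk but continues past it.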
$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
- For all files listed, check for their presence in the local - initialization files with the following command: - Note: The example will be for a system that is configured to create - users' home directories in the "/home" directory. -
 sudo find /home/* -maxdepth 1 -type f -name \.\* -exec grep -H <file> {} \; 
fixtext: |- Set the mode on files being executed by the local initialization files with the following command: - $ sudo chmod 0755 + $ sudo chmod 0755 <file> srg_requirement: |- Local {{{ full_name }}} initialization files must not execute world-writable programs. diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml index ae74ca87b2b..56fc415f92d 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml @@ -39,14 +39,14 @@ references: stigid@sle12: SLES-12-010770 stigid@sle15: SLES-15-040120 -ocil_clause: 'paths contain more than local home directories' +ocil_clause: 'any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement' ocil: |- - To verify that all interactive user initialization files executable search - path statements do not contain statements that will reference a working - directory other than the users home directory, run the following command: -
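Review bot: The rewritten ocil now ends after `$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;`, which only lists world-writable dot-files, yet the new ocil_clause `any local initialization files are found to reference world-writable files` still asks about references from initialization files — the removed second step (grepping each init file for the listed paths) was what established a reference, so the procedure and its failure condition no longer match. Either restore a step such as `For each file listed, check whether a local initialization file references it:` followed by the previous `grep -H` invocation, or reword the clause to `any world-writable files are found in local user home directories`. Note also that a world-writable program referenced from an init file but stored outside a dot-file name (for example under `~/bin/`) is not found by this `-name` filter. Separately, the new fixtext `$ sudo chmod 0755 <file>` puts a raw `<file>` token into text that is rendered as XML/HTML; the password-lifetime fixtext in this same commit uses the `[user]` placeholder style, and `[file]` here would avoid any markup surprise.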
$ sudo grep -r PATH /home/
- Inspect the output for any PATH is references directories outside the home directory. + Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands: + +
$ sudo grep -i path= /home/*/.*
+
+    /home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
fixtext: |- Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml index f88ffd3c4e8..64f21a9882a 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml @@ -39,11 +39,11 @@ references: ocil_clause: 'users home directory is not defined' ocil: |- - To verify interactive users on the system have a home directory assigned, - run the following command: -
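Review bot: The new command `$ sudo grep -i path= /home/*/.*` is no longer recursive, so a PATH assignment in a nested init file (for example under `~/.bashrc.d/`) is not inspected any more, whereas the removed `grep -r PATH /home/` did descend; in bash the `.*` glob also expands to each home's `.` and `..` entries, which will produce an "Is a directory" warning per user. Consider `$ sudo grep -ri 'path=' /home/*/.[!.]*` (recursive, and the glob skips `.` and `..`), or keep `-r` on the old form. The new clause `... include directories outside of their home directory and is not documented with the ISSO ...` also has a number disagreement with its plural subject; `... and are not documented with the ISSO ...` reads correctly.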
$ sudo awk -F":" '{print $1 ":" $6}' /etc/passwd
- Inspect the output and verify that all interactive users have a home directory - defined. + Verify that interactive users on the system have a home directory assigned with the following command: + +
$ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
+ + Inspect the output and verify that all interactive users (normally users with a UID greater that 1000) have a home directory defined. fixtext: |- Assign home directories to all local interactive users on {{{ full_name }}} that currently do not have a home directory assigned. diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml index 7b64c0cb115..88f326e14b3 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml @@ -46,9 +46,13 @@ references: ocil_clause: 'users home directory does not exist' ocil: |- - To verify the assigned home directory of all interactive users on the system - exist, run the following command: -
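Review bot: The added note `Inspect the output and verify that all interactive users (normally users with a UID greater that 1000) have a home directory defined.` has a typo and disagrees with the command above it, whose filter `$3>=1000` includes UID 1000 itself. Suggest `Inspect the output and verify that all interactive users (normally users with a UID of 1000 or greater) have a home directory defined.`. The shell test `$7 !~ /nologin/` still lists accounts whose shell is `/bin/false` or another non-login shell that does not contain "nologin", so a short caveat such as `Accounts with a non-interactive shell other than nologin may also appear and can be disregarded.` would reduce false findings.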
$ sudo pwck -r
+ Verify the assigned home directories of all interactive users on the system exist with the following command: + +
$ sudo pwck -r
+
+    user 'mailnull': directory 'var/spool/mqueue' does not exist
+ + The output should not return any interactive users. fixtext: |- Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/passwd": diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml index bb8b82bc06a..0428b7e5a30 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml @@ -53,20 +53,32 @@ references: stigid@ol8: OL08-00-020353 stigid@rhel8: RHEL-08-020353 -ocil_clause: 'the above command returns no output, or the umask is configured incorrectly' +ocil_clause: 'the value for the "umask" parameter is not "{{{ xccdf_value("var_accounts_user_umask") }}}", or the "umask" parameter is missing or is commented out' ocil: |- - Verify the umask setting is configured correctly in the {{{ etc_bash_rc }}} file by - running the following command: -
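Review bot: The sample output added in the `
` block, `user 'mailnull': directory 'var/spool/mqueue' does not exist`, shows a relative home path; pwck prints the directory exactly as stored in /etc/passwd, so unless the example was copied from a system with a malformed entry it should read `user 'mailnull': directory '/var/spool/mqueue' does not exist`. Since `pwck -r` also reports other inconsistencies described in pwck(8) (field count, duplicate names, invalid UID/GID, invalid shell), the closing sentence `The output should not return any interactive users.` would be clearer as `Any "directory ... does not exist" line for an interactive user is a finding; lines for system accounts, such as the example above, can be disregarded.`.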
$ sudo grep "umask" {{{ etc_bash_rc }}}
- All output must show the value of umask set as shown below: -
umask {{{ xccdf_value("var_accounts_user_umask") }}}
+ Verify the umask setting is configured correctly in the {{{ etc_bash_rc }}} file with the following command: + +
$ sudo grep "umask" {{{ etc_bash_rc }}}
+
+    umask {{{ xccdf_value("var_accounts_user_umask") }}}
+ +checktext: |- + Verify the "umask" setting is configured correctly in the "/etc/bashrc" file with the following command: + + Note: If the value of the "umask" parameter is set to "000" "/etc/bashrc" file, the Severity is raised to a CAT I. + + $ grep umask /etc/bashrc + + umask 077 + umask 077 + + If the value for the "umask" parameter is not "077", or the "umask" parameter is missing or is commented out, this is a finding. fixtext: |- - Configure the {{{ full_name }}} to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. + Configure {{{ full_name }}} to define default permissions for all authenticated users using the bash shell. Add or edit the lines for the "umask" parameter in the "{{{ etc_bash_rc }}}" files to "{{{ xccdf_value("var_accounts_user_umask") }}}": umask {{{ xccdf_value("var_accounts_user_umask") }}} -srg_requirement: '{{{ full_name }}} must define default permissions for logon and non-logon shells.' +srg_requirement: '{{{ full_name }}} must define default permissions for the bash shell.' diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml index 23cdb66e8e6..029837306a1 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml 
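Review bot: The new `checktext` block hard-codes `/etc/bashrc`, `$ grep umask /etc/bashrc` and `umask 077`, while the ocil, ocil_clause and fixtext in the same hunk are templated with `{{{ etc_bash_rc }}}` and `{{{ xccdf_value("var_accounts_user_umask") }}}`; for any product where the macro resolves to a different file, or a profile that sets a different umask, the two texts contradict each other. Suggest templating checktext the same way, e.g. `$ grep umask {{{ etc_bash_rc }}}` and `If the value for the "umask" parameter is not "{{{ xccdf_value("var_accounts_user_umask") }}}", or the "umask" parameter is missing or is commented out, this is a finding.`. The severity note `If the value of the "umask" parameter is set to "000" "/etc/bashrc" file, the Severity is raised to a CAT I.` is also missing "in the" before the filename.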
@@ -37,20 +37,33 @@ references: stigid@ol8: OL08-00-020353 stigid@rhel8: RHEL-08-020353 -ocil_clause: 'the above command returns no output, or the umask is configured incorrectly' +ocil_clause: 'the value for the "umask" parameter is not "{{{ xccdf_value("var_accounts_user_umask") }}}", or the "umask" parameter is missing or is commented out' ocil: |- - Verify the umask setting is configured correctly in the /etc/csh.cshrc file by - running the following command: -
$ sudo grep "umask" /etc/csh.cshrc
- All output must show the value of umask set as shown in the below: -
umask {{{ xccdf_value("var_accounts_user_umask") }}}
+ Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command: + + $ grep umask /etc/csh.cshrc + + umask 077 + umask 077 + +checktext: |- + Verify the "umask" setting is configured correctly in the "/etc/csh.cshrc" file with the following command: + + Note: If the value of the "umask" parameter is set to "000" "/etc/csh.cshrc" file, the Severity is raised to a CAT I. + + $ grep umask /etc/csh.cshrc + + umask 077 + umask 077 + + If the value for the "umask" parameter is not "077", or the "umask" parameter is missing or is commented out, this is a finding. fixtext: |- - Configure the {{{ full_name }}} to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. + Configure the {{{ full_name }}} to define default permissions for all authenticated users using the c shell. - Add or edit the lines for the "umask" parameter in the "/etc/csh.cshrc" files to "{{{ xccdf_value("var_accounts_user_umask") }}}": + Add or edit the lines for the "umask" parameter in the "/etc/csh.cshrc" file to "{{{ xccdf_value("var_accounts_user_umask") }}}": umask {{{ xccdf_value("var_accounts_user_umask") }}} -srg_requirement: '{{{ full_name }}} must define default permissions for logon and non-logon shells.' +srg_requirement: '{{{ full_name }}} must define default permissions for the c shell.' diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml index 783eb8f3ffe..11c507df34c 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml 
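Review bot: The rewritten ocil replaces the templated `
umask {{{ xccdf_value("var_accounts_user_umask") }}}
` with a literal `umask 077` (twice) and a bare `$ grep umask /etc/csh.cshrc`, but the ocil_clause and fixtext in the same hunk still render `var_accounts_user_umask`; a profile that sets the variable to, say, 027 would display check text contradicting its own failure condition, and dropping the `
` wrapper loses the preformatted rendering the bashrc rule in this commit keeps. Suggest `
$ grep umask /etc/csh.cshrc

umask {{{ xccdf_value("var_accounts_user_umask") }}}
`. The same hard-coded path and value recur in the new `checktext`; at minimum the expected value there should be templated the same way so the two fields cannot drift apart.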
@@ -49,21 +49,32 @@ references: stigid@sle15: SLES-15-040420 stigid@ubuntu2004: UBTU-20-010016 -ocil_clause: 'the above command returns no output, or the umask is configured incorrectly' +ocil_clause: 'the value for the "UMASK" parameter is not "{{{ xccdf_value("var_accounts_user_umask") }}}", or the "UMASK" parameter is missing or is commented out' ocil: |- - Verify the UMASK setting is configured correctly in the /etc/login.defs file by - running the following command: -
$ sudo grep "UMASK" /etc/login.defs
- All output must show the value of UMASK set as shown in the below: -
UMASK {{{ xccdf_value("var_accounts_user_umask") }}}
+ Verify {{{ full_name }}} defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command: + +
# grep -i umask /etc/login.defs
+
+    UMASK {{{ xccdf_value("var_accounts_user_umask") }}}
platform: login_defs +checktext: |- + Verify {{{ full_name }}} defines default permissions for all authenticated users in such a way that the user can only read and modify their own files with the following command: + + Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I. + + # grep -i umask /etc/login.defs + + UMASK 077 + + If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding. + fixtext: |- Configure the {{{ full_name }}} to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. - Add or edit the lines for the "UMASK" parameter in the "/etc/login.defs" files to "{{{ xccdf_value("var_accounts_user_umask") }}}": + Add or edit the lines for the "UMASK" parameter in the "/etc/login.defs" file to "{{{ xccdf_value("var_accounts_user_umask") }}}": UMASK {{{ xccdf_value("var_accounts_user_umask") }}} diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml index fd02d303ec5..6c649b0541a 100644 --- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_interactive_users/rule.yml @@ -31,12 +31,21 @@ references: stigid@rhel7: RHEL-07-021040 stigid@rhel8: RHEL-08-020352 -ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly' +ocil_clause: 'any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077"' ocil: |- - Verify the UMASK setting is not configured for interactive users, - run the following command: -
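Review bot: The new ocil command is written as `# grep -i umask /etc/login.defs`, while every other rewritten ocil in this commit uses the `$ sudo ...` form (for example `$ sudo grep "umask" {{{ etc_bash_rc }}}` in the bashrc rule), and the new checktext copies the root-prompt style; suggest `$ sudo grep -i umask /etc/login.defs` for consistency. Because `-i` can also match comment or explanatory lines that merely mention umask, a one-line hint such as `Only the uncommented "UMASK" line is significant.` would help the reader apply the ocil_clause's "missing or is commented out" condition. The fixtext that follows appears complete within the hunk.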
$ sudo grep -ri "UMASK" /home
+ Verify that the default umask for all local interactive users is "077". + + Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file. + + Check all local interactive user initialization files for interactive users with the following command: + + Note: The example is for a system that is configured to create users home directories in the "/home" directory. + + # grep -ri umask /home/ + + /home/smithj/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile + /home/smithj/.bash_history:grep -i umask /etc/login.defs fixtext: |- Remove the umask statement from all local interactive user's initialization files. diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/rule.yml index d82a7c17273..6fb1ec38e97 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/rule.yml @@ -57,4 +57,4 @@ fixtext: |- If availability has been determined to be more important, and this decision is documented with the ISSO, configure {{{ full_name }}} to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG". -srg_requirement: The {{{ full_name }}} audit system must take appropriate action when an audit processing failure occurs. +srg_requirement: The {{{ full_name }}} audit system must take appropriate action when an error writing to the audit storage volume occurs. 
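Review bot: The example output added under `# grep -ri umask /home/` consists solely of `.bash_history` hits, which are command history rather than initialization files, so the sample illustrates noise instead of a finding and may lead a reviewer to flag history lines. Suggest excluding history from the search, e.g. `$ sudo grep -ri umask /home/ --exclude='.*history'`, and showing an init-file hit such as `/home/smithj/.bashrc:umask 022` as the example. The new clause also hard-codes `"077"` whereas the sibling umask rules in this commit render `var_accounts_user_umask`, and it fails only on values less restrictive than 077 while the unchanged fixtext says to remove every umask statement — the two should agree on whether a stricter per-user umask is acceptable.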
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/rule.yml index 85532f1762e..966797ef186 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/rule.yml @@ -44,7 +44,7 @@ ocil: |- $ sudo grep disk_full_action /etc/audit/auditd.conf - disk_full_action = HALT + disk_full_action = {{{ xccdf_value("var_auditd_disk_full_action") }}} If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml index 2d414c236bd..62bb0000fae 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml 
@@ -56,21 +56,24 @@ references: stigid@ubuntu2004: UBTU-20-010117 vmmsrg: SRG-OS-000046-VMM-000210,SRG-OS-000343-VMM-001240 -ocil_clause: 'auditd is not configured to send emails per identified actions' +ocil_clause: 'the value of the "action_mail_acct" keyword is not set to "{{{ xccdf_value("var_auditd_action_mail_acct") }}}" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure' ocil: |- - Verify that the {{{ full_name }}} "auditd" service is configured to notify the SA and ISSO in the event of an audit processing failure. - Inspect /etc/audit/auditd.conf and locate the following line to - determine if the system is configured to send email to an - account when it needs to notify an administrator: -
action_mail_acct = {{{ xccdf_value("var_auditd_action_mail_acct") }}}
+ Verify that {{{ full_name }}} is configured to notify the SA and/or ISSO (at a minimum) in the event of an audit processing failure with the following command: + +
$ sudo grep action_mail_acct /etc/audit/auditd.conf
+
+    action_mail_acct = {{{ xccdf_value("var_auditd_action_mail_acct") }}}
fixtext: |- - Configure the {{{ full_name }}} "auditd" service to notify the SA and ISSO in the event of an audit processing failure. + Configure "auditd" service to notify the SA and ISSO in the event of an audit processing failure. Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = {{{ xccdf_value("var_auditd_action_mail_acct") }}} -srg_requirement: - {{{ full_name }}} must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. + The audit daemon must be restarted for changes to take effect. + +srg_requirement: |- + The {{{ full_name }}} System Administrator (SA) and/or Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event. + {{{ full_name }}} must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml index a5ab90a233b..ddc3e3ef3a1 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml 
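Review bot: The new ocil_clause contains the typo `retuned line` (should be `returned line`), and because the clause is rendered into an "If ..., this is a finding." sentence, the embedded instruction `... ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence ...` reads awkwardly in that position; consider moving the instruction into the ocil body and keeping the clause to `the value of the "action_mail_acct" keyword is not set to "{{{ xccdf_value("var_auditd_action_mail_acct") }}}" and/or other accounts for security personnel, the keyword is missing, or the returned line is commented out, and there is no evidence of the proper personnel being notified of an audit processing failure`. One operational caveat is worth a sentence in fixtext: auditd presumably hands the alert to the local sendmail-compatible binary, so without a configured MTA nothing is delivered — `Note: a working mail transfer agent is required for this notification to reach the configured account.` would avoid a false sense of coverage.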
@@ -53,20 +53,29 @@ references: srg: SRG-OS-000343-GPOS-00134 stigid@ol7: OL07-00-030340 -ocil_clause: 'the system is not configured to switch to single user mode for corrective action' +ocil_clause: 'there is no evidence that real-time alerts are configured on the system' ocil: |- - Inspect /etc/audit/auditd.conf and locate the following line to - determine if the system is configured to either suspend, switch to single user mode, - or halt when disk space has run low: -
admin_space_left_action single
+ Verify that {{{ full_name }}} is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command: + +
$ sudo grep admin_space_left_action /etc/audit/auditd.conf
+
+    admin_space_left_action = single
+ + If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. fixtext: |- - Configure the {{{ full_name }}} audit system to take an action when the disk is audit disk is getting full. + Configure "auditd" service to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. - Add or edit the following line in "/etc/audit/auditd.conf" -
admin_space_left_action halt
- The value must be one of the following: email, suspend, single, and halt. + Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity: + +
admin_space_left_action = single
+ + The audit daemon must be restarted for changes to take effect. srg_requirement: |- - {{{ full_name }}} must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. + {{{ full_name }}} must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. + {{{ full_name }}} must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. + +vuldiscussion: |- + If security personnel are not notified immediately when storage volume reaches 90% utilization, they are unable to plan for audit record storage capacity expansion. diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/rule.yml index ba86834693a..478812dd32a 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/rule.yml 
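Review bot: The new ocil and fixtext describe the trigger as `95 percent of the repository maximum audit record storage capacity`, but the `vuldiscussion` added in the same hunk says `reaches 90% utilization`; the two figures introduced by this change contradict each other, and neither is tied to the `admin_space_left` value that actually sets the threshold (which this rule does not check). Pick one figure in both places, or write `the configured "admin_space_left" threshold` instead of a percentage. The sentence `Verify that {{{ full_name }}} is configured to take action in the event of allocated audit record storage volume reaches 95 percent ...` is also ungrammatical; `... in the event that the allocated audit record storage volume reaches ...` reads correctly, and the same phrasing recurs in the new fixtext.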
@@ -44,19 +44,22 @@ references: pcidss: Req-10.7 srg: SRG-OS-000047-GPOS-00023 -ocil_clause: 'the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out' +ocil_clause: 'the value of the "disk_full_action" option is not "ROTATE", "SINGLE", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action' ocil: |- - Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full. + Verify {{{ full_name }}} takes the appropriate action when the audit files have reached maximum size. - Check which action {{{ full_name }}} takes when the audit storage volume is full with the following command: + Check that {{{ full_name }}} takes the appropriate action when the audit files have reached maximum size with the following command:
$ sudo grep max_log_file_action /etc/audit/auditd.conf
+
     max_log_file_action = {{{ xccdf_value("var_auditd_max_log_file_action") }}}
fixtext: |- - Configure {{{ full_name }}} to notify the SA and ISSO when the audit storage volume is full by configuring the "max_log_file_action" parameter in the "/etc/audit/auditd.conf" file with the a value of "syslog" or "keep_logs": + Configure {{{ full_name }}} to rotate the audit log when it reaches maximum size. + + Add or update the following line in "/etc/audit/auditd.conf" file: max_log_file_action = {{{ xccdf_value("var_auditd_max_log_file_action") }}} -srg_requirement: The {{{ full_name }}} audit system must take appropriate action when the audit storage volume is full. +srg_requirement: The {{{ full_name }}} audit system must take appropriate action when the audit files have reached maximum size.