Update rules for RHEL 9 STIG

controls/srg_gpos/SRG-OS-000047-GPOS-00023.yml

@@ -11,5 +11,5 @@ controls:
             - auditd_data_disk_full_action_stig
             - var_auditd_disk_full_action=halt
             - auditd_data_retention_max_log_file_action_stig
-            - var_auditd_max_log_file_action=syslog
+            - var_auditd_max_log_file_action=rotate
         status: automated

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml

@@ -58,15 +58,19 @@ references:
     stigid@ubuntu2004: UBTU-20-010052
     vmmsrg: SRG-OS-000071-VMM-000380
 
-ocil_clause: 'dcredit is not found or not equal to or less than the required value'
+ocil_clause: 'the value of "dcredit" is a positive number or is commented out'
 
 ocil: |-
-    To check how many digits are required in a password, run the following command:
-    <pre>$ grep dcredit /etc/security/pwquality.conf</pre>
-    The <tt>dcredit</tt> parameter (as a negative number) will indicate how many digits are required.
+    Verify that {{{ full_name }}} enforces password complexity by requiring that at least one numeric character be used.
+
+    Check the value for "dcredit" with the following command:
+
+    <pre>$ sudo grep dcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+
+    /etc/security/pwquality.conf:dcredit = {{{ xccdf_value('var_password_pam_dcredit') }}}</pre>
 
 fixtext: |-
-    Configure {{{ full_name }}} to enforce password complexity by requiring that at least numeric character be used by setting the "dcredit" option.
+    Configure {{{ full_name }}} to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option.
 
     Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml

@@ -33,13 +33,14 @@ references:
     stigid@rhel8: RHEL-08-020300
     stigid@ubuntu2004: UBTU-20-010056
 
-ocil_clause: 'dictcheck is not found or not equal to the required value'
+ocil_clause: '"dictcheck" does not have a value other than "0", or is commented out'
 
 ocil: |-
-    To check if dictionary words are disallowed run the following command:
-    <pre>$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf</pre>
-    The <tt>dictcheck</tt> parameter should be equal to 1. The value should look like
-    <pre>dictcheck=1</pre>
+    Verify {{{ full_name }}} prevents the use of dictionary words for passwords with the following command:
+
+    <pre>$ sudo grep dictcheck /etc/security/pwquality.conf /etc/pwquality.conf.d/*.conf
+
+    /etc/security/pwquality.conf:dictcheck=1</pre>
 
 platform: pam
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml

@@ -52,14 +52,14 @@ references:
     stigid@ubuntu2004: UBTU-20-010053
     vmmsrg: SRG-OS-000072-VMM-000390
 
-ocil_clause: 'difok is not found or set to less than the required value'
+ocil_clause: 'the value of "difok" is set to less than "{{{ xccdf_value("var_password_pam_difok") }}}", or is commented out'
 
 ocil: |-
-    To check how many characters must differ during a password change, run the following command:
+    Verify the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:
+
     <pre>$ sudo grep difok /etc/security/pwquality.conf
-    difok = {{{ xccdf_value("var_password_pam_difok") }}}
-    </pre>
-    The <tt>difok</tt> parameter will indicate how many characters must differ.
+
+    difok = {{{ xccdf_value("var_password_pam_difok") }}}</pre>
 
 platform: pam
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforce_root/rule.yml

@@ -30,17 +30,21 @@ references:
     nist: IA-5(c),IA-5(1)(a),CM-6(a),IA-5(4)
     srg: SRG-OS-000072-GPOS-00040,SRG-OS-000071-GPOS-00039,SRG-OS-000070-GPOS-00038,SRG-OS-000266-GPOS-00101,SRG-OS-000078-GPOS-00046,SRG-OS-000480-GPOS-00225,SRG-OS-000069-GPOS-00037
 
-ocil_clause: 'enforce_for_root is commented or not present'
+ocil_clause: '"enforce_for_root" is commented or missing'
 
 ocil: |-
-    To verify if root user is required to use complex passwords, run the following command:
-    <pre>$ grep enforce_for_root /etc/security/pwquality.conf</pre>
-    The output should return <tt>enforce_for_root</tt> uncommented.
+    Verify that {{{ full_name }}} enforces password complexity rules for the root account.
+
+    Check if root user is required to use complex passwords with the following command:
+
+    <pre>$ grep enforce_for_root /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+
+    /etc/security/pwquality.conf:enforce_for_root</pre>
 
 fixtext: |-
     Configure {{{ full_name }}} to enforce password complexity on the root account.
 
-    Add the following line to /etc/security/pwquality.conf:
+    Add or update the following line in /etc/security/pwquality.conf:
 
     enforce_for_root
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml

@@ -59,12 +59,16 @@ references:
     stigid@ubuntu2004: UBTU-20-010051
     vmmsrg: SRG-OS-000070-VMM-000370
 
-ocil_clause: 'lcredit is not found or not less than or equal to the required value'
+ocil_clause: 'the value of "lcredit" is a positive number or is commented out'
 
 ocil: |-
-    To check how many lowercase characters are required in a password, run the following command:
-    <pre>$ grep lcredit /etc/security/pwquality.conf</pre>
-    The <tt>lcredit</tt> parameter (as a negative number) will indicate how many special characters are required.
+    Verify that {{{ full_name }}} enforces password complexity by requiring that at least one lower-case character.
+
+    Check the value for "lcredit" with the following command:
+
+    <pre>$ sudo grep lcredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+
+    /etc/security/pwquality.conf:lcredit = -1</pre>
 
 fixtext: |-
     Configure {{{ full_name }}} to enforce password complexity by requiring that at least one lower-case character be used by setting the "lcredit" option.

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml

@@ -45,8 +45,11 @@ references:
 ocil_clause: the value of "maxclassrepeat" is set to "0", more than "{{{ xccdf_value("var_password_pam_maxclassrepeat") }}}" or is commented out
 
 ocil: |-
-    To check the value for maximum consecutive repeating characters, run the following command:
-    <pre>$ sudo grep maxclassrepeat /etc/security/pwquality.conf</pre>
+    Verify the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:
+
+    <pre>$ grep maxclassrepeat /etc/security/pwquality.conf
+
+    maxclassrepeat = {{{ xccdf_value("var_password_pam_maxclassrepeat") }}}</pre>
 
 platform: pam
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml

@@ -47,8 +47,11 @@ references:
 ocil_clause: the value of "maxrepeat" is set to more than "{{{ xccdf_value("var_password_pam_maxrepeat") }}}" or is commented out
 
 ocil: |-
-    To check the maximum value for consecutive repeating characters, run the following command:
-    <pre>$ sudo grep maxrepeat /etc/security/pwquality.conf</pre>
+    Verify the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:
+
+    <pre>$ grep maxrepeat /etc/security/pwquality.conf
+
+    maxrepeat = {{{ xccdf_value("var_password_pam_maxrepeat") }}}</pre>
 
 platform: pam
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml

@@ -66,12 +66,11 @@ references:
 ocil_clause: the value of "minclass" is set to less than "{{{ xccdf_value("var_password_pam_minclass") }}}" or is commented out
 
 ocil: |-
-    To check how many categories of characters must be used in password during a password change,
-    run the following command:
-    <pre>$ sudo grep minclass /etc/security/pwquality.conf</pre>
-    The <tt>minclass</tt> parameter will indicate how many character classes must be used. If
-    the requirement was for the password to contain characters from {{{ xccdf_value("var_password_pam_minclass") }}} different categories,
-    then this would appear as <tt>minclass = {{{ xccdf_value("var_password_pam_minclass") }}}</tt>.
+    Verify the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:
+
+    <pre>$ grep minclass /etc/security/pwquality.conf
+
+    minclass = {{{ xccdf_value("var_password_pam_minclass") }}}</pre>
 
 platform: pam
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml

@@ -58,21 +58,24 @@ references:
     stigid@ubuntu2004: UBTU-20-010054
     vmmsrg: SRG-OS-000072-VMM-000390,SRG-OS-000078-VMM-000450
 
-ocil_clause: 'minlen is not found, or not equal to or greater than the required value'
+ocil_clause: 'the command does not return a "minlen" value of "{{{ xccdf_value("var_password_pam_minlen") }}}" or greater, does not return a line, or the line is commented out'
 
 ocil: |-
-    To check how many characters are required in a password, run the following command:
-    <pre>$ grep minlen /etc/security/pwquality.conf</pre>
-    Your output should contain <tt>minlen = {{{ xccdf_value("var_password_pam_minlen") }}}</tt>
+    Verify that {{{ full_name }}} enforces a minimum {{{ xccdf_value("var_password_pam_minlen") }}}-character password length with the following command:
+
+    <pre>$ grep minlen /etc/security/pwquality.conf
+
+    minlen = {{{ xccdf_value("var_password_pam_minlen") }}}</pre>
 
 fixtext: |-
-    Configure {{{ full_name }}} to enforce a minimum 15-character password length.
+    Configure {{{ full_name }}} to enforce a minimum {{{ xccdf_value("var_password_pam_minlen") }}}-character password length.
 
     Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
 
     minlen = {{{ xccdf_value("var_password_pam_minlen") }}}
 
-srg_requirement: '{{{ full_name }}} passwords must have a minimum of 15 characters.'
+srg_requirement: |-
+    {{{ full_name }}} passwords must be created with a minimum of 15 characters.
 
 platform: pam
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml

@@ -62,18 +62,21 @@ references:
 ocil_clause: 'value of "ocredit" is a positive number or is commented out'
 
 ocil: |-
-    To check how many special characters are required in a password, run the following command:
-    <pre>$ grep ocredit /etc/security/pwquality.conf</pre>
-    The <tt>ocredit</tt> parameter (as a negative number) will indicate how many special
-    characters are required.
+    Verify that {{{ full_name }}} enforces password complexity by requiring that at least one special character with the following command:
 
+    <pre>$ sudo grep ocredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+
+    ocredit = {{{ xccdf_value("var_password_pam_ocredit") }}}</pre>
 
 fixtext: |-
-    Add or modify the "ocredit" option line in /etc/security/pwquality.conf to have the required
-    value, like in the following example:
+    Configure {{{ full_name }}} to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option.
+
+    Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
+
     ocredit = {{{ xccdf_value("var_password_pam_ocredit") }}}
 
-srg_requirement: '{{{ full_name }}} passwords must contain at least one special character.'
+srg_requirement: |-
+    {{{ full_name }}} must enforce password complexity by requiring that at least one special character be used.
 
 platform: pam
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml

@@ -55,13 +55,16 @@ references:
     stigid@ubuntu2004: UBTU-20-010050
     vmmsrg: SRG-OS-000069-VMM-000360
 
-ocil_clause: 'ucredit is not found or not set to the required value'
+ocil_clause: 'the value of "ucredit" is a positive number or is commented out'
 
 ocil: |-
-    To check how many uppercase characters are required in a password, run the following command:
-    <pre>$ grep ucredit /etc/security/pwquality.conf</pre>
-    The <tt>ucredit</tt> parameter (as a negative number) will indicate how many uppercase characters are required.
-    This would appear as <tt>ucredit = -1</tt>.
+    Verify that {{{ full_name }}} enforces password complexity by requiring that at least one upper-case character.
+
+    Check the value for "ucredit" with the following command:
+
+    $ sudo grep ucredit /etc/security/pwquality.conf /etc/security/pwquality.conf.d/*.conf
+
+    ucredit = -1
 
 fixtext: |-
     Configure {{{ full_name }}} to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option.
@@ -70,7 +73,7 @@ fixtext: |-
 
     ucredit = {{{ xccdf_value("var_password_pam_ucredit") }}}
 
-srg_requirement: '{{{ full_name }}} must enforce password complexity by requiring that at least one uppercase character be used.'
+srg_requirement: '{{{ full_name }}} must enforce password complexity by requiring that at least one upper-case character be used.'
 
 platform: pam
 

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_expire_date/rule.yml

@@ -79,8 +79,7 @@ checktext: |-
     If any emergency accounts have no expiration date set or do not expire within 72 hours, this is a finding.
 
 fixtext: |-
-    If an emergency account must be created, configure the system to terminate the account after
-    72 hours with the following command to set an expiration date for the account.
+    If an emergency account must be created configure the system to terminate the account after a 72 hour time period with the following command to set an expiration date on it.
     Substitute "emergency_account_name" with the account to be created.
 
     $ sudo chage -E `date -d "+3 days" +%Y-%m-%d` emergency_account_name

linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml

@@ -35,15 +35,14 @@ references:
 # The rule check uses password probe, which doesn't support offline mode
 platform: machine
 
-ocil_clause: 'a line is returned'
+ocil_clause: 'output is produced and the accounts listed are interactive user accounts'
 
 ocil: |-
-    Run the following command to check for duplicate account names:
-    Check that the operating system contains no duplicate UIDs for interactive users by running the following command:
-    <pre># awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd</pre>
-    If output is produced, this is a finding.
-    Configure the operating system to contain no duplicate UIDs for interactive users.
-    Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
+    Verify that {{{ full_name }}} contains no duplicate User IDs (UIDs) for interactive users.
+
+    Check that the operating system contains no duplicate UIDs for interactive users with the following command:
+
+    <pre>$ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd</pre>
 
 warnings:
     - general: |-
@@ -55,3 +54,9 @@ fixtext: |-
 
 srg_requirement: |-
         {{{ full_name }}} duplicate User IDs (UIDs) must not exist for interactive users.
+
+vuldiscussion: |-
+    To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
+    Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
+    1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and
+    2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.

linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml

@@ -65,5 +65,3 @@ fixtext: |-
     Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions.
 
     Document all authorized accounts on the system.
-
-srg_requirement: '{{{ full_name }}} must not have unnecessary accounts.'

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml

@@ -62,15 +62,17 @@ references:
     stigid@sle15: SLES-15-020220
     stigid@ubuntu2004: UBTU-20-010008
 
-ocil_clause: 'PASS_MAX_DAYS is not set equal to or greater than the required value'
+ocil_clause: 'the "PASS_MAX_DAYS" parameter value is greater than "{{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}", or commented out'
 
 ocil: |-
-    To check the maximum password age, run the command:
-    <pre>$ grep PASS_MAX_DAYS /etc/login.defs</pre>
-    The profile requirement is <tt>{{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}</tt>.
+    Verify that {{{ full_name }}} enforces a {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}-day maximum password lifetime for new user accounts by running the following command:
+
+    <pre>$ grep -i pass_max_days /etc/login.defs
+
+    PASS_MAX_DAYS {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}</pre>
 
 fixtext: |-
-    Configure {{{ full_name }}} to enforce a 60-day maximum password lifetime.
+    Configure {{{ full_name }}} to enforce a {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}-day maximum password lifetime.
 
     Add, or modify the following line in the "/etc/login.defs" file:
 

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml

@@ -60,11 +60,16 @@ references:
     stigid@sle15: SLES-15-020200
     stigid@ubuntu2004: UBTU-20-010007
 
-ocil_clause: 'it is not equal to or greater than the required value'
+ocil_clause: 'the "PASS_MIN_DAYS" parameter value is not "{{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}" or greater, or is commented out'
 
 ocil: |-
-    To check the minimum password age, run the command:
-    <pre>$ grep PASS_MIN_DAYS /etc/login.defs</pre>
+    Verify {{{ full_name }}} enforces 24 hours/1 day as the minimum password lifetime for new user accounts.
+
+    Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command:
+
+    <pre>$ grep -i pass_min_days /etc/login.defs
+
+    PASS_MIN_DAYS {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}</pre>
 
 fixtext: |-
     Configure {{{ full_name }}} to enforce 24 hours/1 day as the minimum password lifetime.

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml

@@ -53,7 +53,7 @@ ocil: |-
 fixtext: |-
     Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
 
-    chage -M {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user]
+    passwd -x {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}} [user]
 
 srg_requirement: |-
     {{{ full_name }}} user account passwords must have a 60-day maximum password lifetime restriction.

linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml

@@ -45,7 +45,7 @@ references:
 ocil_clause: 'any results are returned that are not associated with a system account'
 
 ocil: |-
-    Check whether the minimum time period between password changes for each user account is one day or greater.
+    Verify that {{{ full_name }}} has configured the minimum time period between password changes for each user account is one day or greater with the following command:
 
     $ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow
 

linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml

@@ -35,13 +35,11 @@ references:
     stigid@rhel8: RHEL-08-020310
     stigid@sle12: SLES-12-010140
 
-ocil_clause: 'the above command returns no output, or FAIL_DELAY is configured less than the expected value'
+ocil_clause: 'the value of "FAIL_DELAY" is not set to "{{{ xccdf_value("var_accounts_fail_delay") }}}" or greater, or the line is commented out'
 
 ocil: |-
-    Verify the <tt>FAIL_DELAY</tt> setting is configured correctly in the <tt>/etc/login.defs</tt> file by
-    running the following command:
-    <pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs</pre>
-    All output must show the value of <tt>FAIL_DELAY</tt> set as shown in the below:
+    Verify {{{ full_name }}} enforces a delay of at least {{{ xccdf_value("var_accounts_fail_delay") }}} seconds between console logon prompts following a failed logon attempt with the following command:
+
     <pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs
     FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}}</pre>
 

linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml

@@ -65,7 +65,7 @@ references:
     stigid@ubuntu2004: UBTU-20-010013
     vmmsrg: SRG-OS-000163-VMM-000700,SRG-OS-000279-VMM-001010
 
-ocil_clause: 'TMOUT is not set or its value is greater than expected setting'
+ocil_clause: 'value of TMOUT is not less than or equal to expected setting'
 
 ocil: |-
     Run the following command to ensure the <tt>TMOUT</tt> value is configured for all users