Merge pull request #12373 from Mab879/update_rhel9_stig_v2r1

Update RHEL 9 STIG to V2R1

controls/stig_rhel9.yml

@@ -2,7 +2,7 @@ policy: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
 title: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
 id: stig_rhel9
 source: https://public.cyber.mil/stigs/downloads/
-version: V1R3
+version: V2R1
 reference_type: stigid
 product: rhel9
 levels:
@@ -2813,28 +2813,6 @@ controls:
             - var_password_pam_retry=3
         status: automated
 
-    -   id: RHEL-09-611015
-        levels:
-            - medium
-        title:
-            RHEL 9 must be configured in the password-auth file to prohibit password
-            reuse for a minimum of five generations.
-        rules:
-            - accounts_password_pam_pwhistory_remember_password_auth
-            - var_password_pam_remember=5
-            - var_password_pam_remember_control_flag=requisite_or_required
-        status: automated
-
-    -   id: RHEL-09-611020
-        levels:
-            - medium
-        title:
-            RHEL 9 must be configured in the system-auth file to prohibit password reuse
-            for a minimum of five generations.
-        rules:
-            - accounts_password_pam_pwhistory_remember_system_auth
-        status: automated
-
     -   id: RHEL-09-611025
         levels:
             - high

linux_os/guide/auditing/auditd_configure_rules/audit_rules_immutable_login_uids/policy/stig/shared.yml

@@ -17,3 +17,7 @@ checktext: |-
 
     If the "--loginuid-immutable" option is not returned in the "/etc/audit/audit.rules", or the line is commented out, this is a finding.
 
+
+
+vuldiscussion: |-
+    If modification of login user identifiers (UIDs) is not prevented, they can be changed by nonprivileged users and make auditing complicated or impossible.

linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/policy/stig/shared.yml

@@ -17,3 +17,7 @@ checktext: |-
 
     If the "active" keyword does not have a value of "yes", the line is commented out, or the line is missing, this is a finding.
 
+
+
+vuldiscussion: |-
+    The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server.

linux_os/guide/auditing/package_audit_installed/policy/stig/shared.yml

@@ -8,8 +8,10 @@ vuldiscussion: |-
 
     Associating event types with detected events in audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured {{{ full_name }}} system.
 
+
+
 checktext: |-
-    Verify that {{{ full_name }}} audit service package is installed.
+    Verify that the {{{ full_name }}} audit service package is installed.
 
     Check that the audit service package is installed with the following command:
 
@@ -25,4 +27,3 @@ fixtext: |-
     Install the audit service package (if the audit service is not already installed) with the following command:
 
     $ sudo dnf install audit
-

linux_os/guide/services/kerberos/kerberos_disable_no_keytab/policy/stig/shared.yml

@@ -17,3 +17,13 @@ checktext: |-
 
     If this command produces any "keytab" file(s), this is a finding.
 
+
+
+vuldiscussion: |-
+    Unapproved mechanisms used for authentication to the cryptographic module are not verified; therefore, cannot be relied upon to provide confidentiality or integrity and DOD data may be compromised.
+
+    {{{ full_name }}} systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+
+    The key derivation function (KDF) in Kerberos is not FIPS compatible. Ensuring the system does not have any keytab files present prevents system daemons from using Kerberos for authentication. A keytab is a file containing pairs of Kerberos principals and encrypted keys.
+
+    FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.

linux_os/guide/services/mail/package_s-nail_installed/policy/stig/shared.yml

@@ -19,3 +19,7 @@ checktext: |-
 
     If "s-nail" package is not installed, this is a finding.
 
+
+
+vuldiscussion: |-
+    The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel.

linux_os/guide/services/obsolete/nis/package_ypserv_removed/policy/stig/shared.yml

@@ -15,3 +15,9 @@ checktext: |-
 
     If the "ypserv" package is installed, this is a finding.
 
+
+
+vuldiscussion: |-
+    The NIS service provides an unencrypted authentication service, which does not provide for the confidentiality and integrity of user passwords or the remote session.
+
+    Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/policy/stig/shared.yml

@@ -15,3 +15,7 @@ checktext: |-
 
     If the "rsh-server" package is installed, this is a finding.
 
+
+
+vuldiscussion: |-
+    The "rsh-server" service provides unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of accidental (or intentional) activation of those services.

linux_os/guide/services/obsolete/tftp/package_tftp-server_removed/policy/stig/shared.yml

@@ -7,14 +7,13 @@ vuldiscussion: |-
     If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established.
 
 checktext: |-
-    Verify that {{{ full_name }}} does not have a tftp server package installed with the following command:
+    Verify that {{{ full_name }}} does not have a "tftp-server" package installed with the following command:
 
-    $ sudo dnf list --installed | grep tftp
+    $ sudo dnf list --installed | grep tftp-server
 
-    If the "tftp" package is installed, this is a finding.
+    If the "tftp-server" package is installed, this is a finding.
 
 fixtext: |-
-    The tftp package can be removed with the following command:
-
-    $ sudo dnf remove tftp
+    The "tftp-server" package can be removed with the following command:
 
+    $ sudo dnf remove tftp-server

linux_os/guide/services/ssh/ssh_server/disable_host_auth/policy/stig/shared.yml

@@ -7,7 +7,7 @@ vuldiscussion: |-
 checktext: |-
     Verify the operating system does not allow a noncertificate trusted host SSH logon to the system with the following command:
 
-    $ sudo grep -ir hostbasedauthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*hostbasedauthentication'
 
     HostbasedAuthentication no
 
@@ -23,4 +23,3 @@ fixtext: |-
     Restart the SSH daemon for the settings to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/policy/stig/shared.yml

@@ -4,10 +4,12 @@ srg_requirement: |-
 vuldiscussion: |-
     If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
 
+
+
 checktext: |-
-    Verify {{{ full_name }}} remote access using SSH prevents logging on with a blank password with the following command:
+    Verify that {{{ full_name }}} remote access using SSH prevents logging on with a blank password with the following command:
 
-    $ sudo grep -ir PermitEmptyPasswords /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*permitemptypasswords'
 
     PermitEmptyPassword no
 
@@ -21,4 +23,3 @@ fixtext: |-
     Restart the SSH daemon for the settings to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_disable_gssapi_auth/policy/stig/shared.yml

@@ -4,10 +4,12 @@ srg_requirement: |-
 vuldiscussion: |-
     Generic Security Service Application Program Interface (GSSAPI) authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system.
 
+
+
 checktext: |-
     Verify the SSH daemon does not allow GSSAPI authentication with the following command:
 
-    $ sudo grep -ir gssapiauth  /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*gssapiauthentication'
 
     GSSAPIAuthentication no
 
@@ -25,4 +27,3 @@ fixtext: |-
     The SSH service must be restarted for changes to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_disable_kerb_auth/policy/stig/shared.yml

@@ -4,10 +4,12 @@ srg_requirement: |-
 vuldiscussion: |-
     Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation.
 
+
+
 checktext: |-
     Verify the SSH daemon does not allow Kerberos authentication with the following command:
 
-    $ sudo grep -i kerberosauth  /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*kerberosauthentication'
 
     KerberosAuthentication no
 
@@ -23,4 +25,3 @@ fixtext: |-
     The SSH service must be restarted for changes to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts/policy/stig/shared.yml

@@ -7,7 +7,7 @@ vuldiscussion: |-
 checktext: |-
     Verify the SSH daemon does not allow rhosts authentication with the following command:
 
-    $ sudo grep -ir ignorerhosts /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*ignorerhosts'
 
     IgnoreRhosts yes
 
@@ -23,4 +23,3 @@ fixtext: |-
     The SSH service must be restarted for changes to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/policy/stig/shared.yml

@@ -4,10 +4,12 @@ srg_requirement: |-
 vuldiscussion: |-
     Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password.
 
+
+
 checktext: |-
-    Verify {{{ full_name }}} remote access using SSH prevents users from logging on directly as "root" with the following command:
+    Verify that {{{ full_name }}} remote access using SSH prevents users from logging on directly as "root" with the following command:
 
-    $ sudo grep -ir PermitRootLogin /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*permitrootlogin'
 
     PermitRootLogin no
 
@@ -21,4 +23,3 @@ fixtext: |-
     Restart the SSH daemon for the settings to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/policy/stig/shared.yml

@@ -7,7 +7,7 @@ vuldiscussion: |-
 checktext: |-
     Verify the SSH daemon does not allow known hosts authentication with the following command:
 
-    $ sudo grep -ir ignoreuser  /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*ignoreuserknownhosts'
 
     IgnoreUserKnownHosts yes
 
@@ -23,4 +23,3 @@ fixtext: |-
     The SSH service must be restarted for changes to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/policy/stig/shared.yml

@@ -7,7 +7,7 @@ vuldiscussion: |-
 checktext: |-
     Verify the SSH daemon does not allow X11Forwarding with the following command:
 
-    $ sudo grep -ir x11for  /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*x11forwarding'
 
     X11forwarding no
 
@@ -23,4 +23,3 @@ fixtext: |-
     The SSH service must be restarted for changes to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/policy/stig/shared.yml

@@ -7,7 +7,7 @@ vuldiscussion: |-
 checktext: |-
     Verify that unattended or automatic logon via SSH is disabled with the following command:
 
-    $ sudo grep -ir permituserenvironment /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*permituserenvironment'
 
     PermitUserEnvironment no
 
@@ -25,4 +25,3 @@ fixtext: |-
     Restart the SSH daemon  for the setting to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/policy/stig/shared.yml

@@ -7,7 +7,7 @@ vuldiscussion: |-
 checktext: |-
     Verify the {{{ full_name }}} SSHD is configured to allow for the UsePAM interface with the following command:
 
-    $ sudo grep -ir usepam /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*usepam'
 
     UsePAM yes
 
@@ -21,4 +21,3 @@ fixtext: |-
     Restart the SSH daemon for the settings to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/policy/stig/shared.yml

@@ -2,12 +2,14 @@ srg_requirement: |-
     {{{ full_name }}} SSHD must accept public key authentication.
 
 vuldiscussion: |-
-    Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD CAC with DOD-approved PKI is an example of multifactor authentication.
+    Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. A DOD common access card (CAC) with DOD-approved PKI is an example of multifactor authentication.
+
+
 
 checktext: |-
     Verify that {{{ full_name }}} SSH daemon accepts public key encryption with the following command:
 
-    $ sudo grep -ir PubkeyAuthentication /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*pubkeyauthentication'
 
     PubkeyAuthentication yes
 
@@ -21,4 +23,3 @@ fixtext: |-
     Restart the SSH daemon for the settings to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/policy/stig/shared.yml

@@ -7,7 +7,7 @@ vuldiscussion: |-
 checktext: |-
     Verify the SSH daemon performs strict mode checking of home directory configuration files with the following command:
 
-    $ sudo grep -ir strictmodes  /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*strictmodes'
 
     StrictModes yes
 
@@ -23,4 +23,3 @@ fixtext: |-
     The SSH service must be restarted for changes to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/policy/stig/shared.yml

@@ -4,12 +4,14 @@ srg_requirement: |-
 vuldiscussion: |-
     The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution.
 
+
+
 checktext: |-
-    Verify any SSH connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.
+    Verify that any SSH connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.
 
     Check for the location of the banner file being used with the following command:
 
-    $ sudo grep -ir banner /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*banner'
 
     banner /etc/issue
 
@@ -25,4 +27,3 @@ fixtext: |-
     An example configuration line is:
 
     Banner /etc/issue
-

linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/policy/stig/shared.yml

@@ -7,7 +7,7 @@ vuldiscussion: |-
 checktext: |-
     Verify the SSH daemon provides users with feedback on when account accesses last occurred with the following command:
 
-    $ sudo grep -ir printlast  /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*printlastlog'
 
     PrintLastLog yes
 
@@ -23,4 +23,3 @@ fixtext: |-
     The SSH service must be restarted for changes to take effect:
 
     $ sudo systemctl restart sshd.service
-

linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/policy/stig/shared.yml

@@ -5,15 +5,15 @@ vuldiscussion: |-
     SSH provides several logging levels with varying amounts of verbosity. "DEBUG" is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. "INFO" or "VERBOSE" level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.
 
 checktext: |-
-    Verify {{{ full_name }}} logs SSH connection attempts and failures to the server.
+    Verify that {{{ full_name }}} logs SSH connection attempts and failures to the server.
 
     Check what the SSH daemon's "LogLevel" option is set to with the following command:
 
-    $ sudo grep -ir LogLevel /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*
+    $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '' ' ' | xargs sudo grep -iH '^\s*loglevel'
 
     LogLevel VERBOSE
 
-    If a value of "VERBOSE" is not returned, the line is commented out, or is missing, this is a finding.
+    If a value of "VERBOSE" is not returned or the line is commented out or missing, this is a finding.
 
 fixtext: |-
     Configure {{{ full_name }}} to log connection attempts add or modify the following line in "/etc/ssh/sshd_config".
@@ -23,4 +23,3 @@ fixtext: |-
     Restart the SSH daemon for the settings to take effect:
 
     $ sudo systemctl restart sshd.service
-