Commit
Merge pull request #12005 from mpurg/ubuntu_2204_stig_cleanup
Update Ubuntu 22.04 STIG references and profile titles
dodys authored May 22, 2024
2 parents 0a1ba93 + e9a773c commit cd0c045
Showing 13 changed files with 22 additions and 41 deletions.
Expand Up @@ -60,7 +60,8 @@ references:
stigid@rhel8: RHEL-08-030490
stigid@sle12: SLES-12-020460
stigid@sle15: SLES-15-030290
stigid@ubuntu2004: UBTU-20-010153
stigid@ubuntu2004: UBTU-20-010152
stigid@ubuntu2204: UBTU-22-654155

{{{ complete_ocil_entry_audit_syscall(syscall="fchmod") }}}

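Review bot: the ubuntu2004 mapping moves from UBTU-20-010153 to UBTU-20-010152, the same identifier the fchmodat rule receives in the next hunk, so two rules now point at one 20.04 STIG ID. That is fine if the renumbered STIG (the ubuntu2004 profile title is bumped to V1R11 in this same commit) folded the per-syscall requirements into one, but the commit message should name the STIG release that introduced the renumbering so the shared mapping is traceable later.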
Expand Up @@ -60,7 +60,8 @@ references:
stigid@rhel8: RHEL-08-030490
stigid@sle12: SLES-12-020460
stigid@sle15: SLES-15-030290
stigid@ubuntu2004: UBTU-20-010154
stigid@ubuntu2004: UBTU-20-010152
stigid@ubuntu2204: UBTU-22-654155

{{{ complete_ocil_entry_audit_syscall(syscall="fchmodat") }}}

Expand Up @@ -63,7 +63,8 @@ references:
stigid@rhel8: RHEL-08-030480
stigid@sle12: SLES-12-020420
stigid@sle15: SLES-15-030250
stigid@ubuntu2004: UBTU-20-010149
stigid@ubuntu2004: UBTU-20-010148
stigid@ubuntu2204: UBTU-22-654160

{{{ complete_ocil_entry_audit_syscall(syscall="fchown") }}}

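Review bot: fchown, fchownat and lchown now all carry UBTU-20-010148 / UBTU-22-654160 in place of three distinct 20.04 identifiers (010149, 010150, 010151). Tooling that derives STIG coverage from the stigid reference will report the requirement as satisfied when any one of the three rules is selected, so confirm that all three stay selected in both stig.profile files; a partial selection would otherwise still look fully covered.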
Expand Up @@ -60,7 +60,8 @@ references:
stigid@rhel8: RHEL-08-030480
stigid@sle12: SLES-12-020420
stigid@sle15: SLES-15-030250
stigid@ubuntu2004: UBTU-20-010150
stigid@ubuntu2004: UBTU-20-010148
stigid@ubuntu2204: UBTU-22-654160

{{{ complete_ocil_entry_audit_syscall(syscall="fchownat") }}}

Expand Up @@ -63,7 +63,8 @@ references:
stigid@rhel8: RHEL-08-030480
stigid@sle12: SLES-12-020420
stigid@sle15: SLES-15-030250
stigid@ubuntu2004: UBTU-20-010151
stigid@ubuntu2004: UBTU-20-010148
stigid@ubuntu2204: UBTU-22-654160

{{{ complete_ocil_entry_audit_syscall(syscall="lchown") }}}

Expand Up @@ -67,7 +67,8 @@ references:
stigid@rhel8: RHEL-08-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150
stigid@ubuntu2004: UBTU-20-010158
stigid@ubuntu2004: UBTU-20-010155
stigid@ubuntu2204: UBTU-22-654165

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("creat", "access") | indent(4) }}}
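Review bot: together with the ftruncate, open_by_handle_at, openat and truncate hunks below, five rules now share UBTU-20-010155 / UBTU-22-654165 in place of five separate 20.04 IDs (010156 through 010160). The rule for the open syscall is not among the 13 changed files in this commit; check whether it already carries the consolidated identifiers or was missed, since an inconsistent mapping within one syscall family is easy to overlook.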
Expand Up @@ -67,7 +67,8 @@ references:
stigid@rhel8: RHEL-08-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150
stigid@ubuntu2004: UBTU-20-010157
stigid@ubuntu2004: UBTU-20-010155
stigid@ubuntu2204: UBTU-22-654165

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("ftruncate", "access") | indent(4) }}}
Expand Up @@ -60,7 +60,8 @@ references:
stigid@rhel8: RHEL-08-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150
stigid@ubuntu2004: UBTU-20-010160
stigid@ubuntu2004: UBTU-20-010155
stigid@ubuntu2204: UBTU-22-654165

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("open_by_handle_at", "access") | indent(4) }}}
Expand Up @@ -67,7 +67,8 @@ references:
stigid@rhel8: RHEL-08-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150
stigid@ubuntu2004: UBTU-20-010159
stigid@ubuntu2004: UBTU-20-010155
stigid@ubuntu2204: UBTU-22-654165

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("openat", "access") | indent(4) }}}
Expand Up @@ -66,7 +66,8 @@ references:
stigid@rhel8: RHEL-08-030420
stigid@sle12: SLES-12-020490
stigid@sle15: SLES-15-030150
stigid@ubuntu2004: UBTU-20-010156
stigid@ubuntu2004: UBTU-20-010155
stigid@ubuntu2204: UBTU-22-654165

ocil: |-
{{{ ocil_audit_rules_unsuccessful_file_modification("truncate", "access") | indent(4) }}}
Expand Up @@ -49,8 +49,6 @@ references:
srg: SRG-OS-000021-GPOS-00005
stigid@sle12: SLES-12-010130
stigid@sle15: SLES-15-020010
stigid@ubuntu2004: UBTU-20-010072
stigid@ubuntu2204: UBTU-22-411045

ocil_clause: 'the account option is missing or commented out'

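Review bot: this hunk drops both the ubuntu2004 (UBTU-20-010072) and ubuntu2204 (UBTU-22-411045) references from the rule whose ocil_clause is 'the account option is missing or commented out' without adding a replacement identifier. If the requirement was removed from the STIGs, the rule should also be deselected from both stig.profile files (the profile hunks in this commit do not touch it); if it was only renumbered, the new IDs belong here rather than nothing.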
2 changes: 1 addition & 1 deletion products/ubuntu2004/profiles/stig.profile
@@ -1,6 +1,6 @@
documentation_complete: true

title: 'Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R9'
title: 'Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R11'

description: |-
This Security Technical Implementation Guide is published as a tool to
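Review bot: the title jumps from V1R9 to V1R11, but nothing in this commit indicates whether the V1R10 changes were already applied or are being folded in here; a one-line statement in the commit message would let later readers match the profile version to the STIG release the reference changes come from.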
29 changes: 1 addition & 28 deletions products/ubuntu2204/profiles/stig.profile
@@ -1,6 +1,6 @@
documentation_complete: true

title: 'DRAFT Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) DRAFT'
title: 'Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG) V1R1'

description: |-
This Security Technical Implementation Guide is published as a tool to
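Review bot: dropping the DRAFT markers and naming V1R1 makes this profile claim parity with a published STIG, yet two '### TODO' markers survive further down in this file ('double check, focal uses kmod_0' above UBTU-22-654055 and 'fix dconf issues' above UBTU-22-271025). Either resolve those before the title goes final or keep a note in the description that those items are still being validated.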
Expand All @@ -10,12 +10,10 @@ description: |-

selections:

### TODO
# UBTU-22-271010 The Ubuntu operating system must enable the graphical user logon banner to display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.
- enable_dconf_user_profile
- dconf_gnome_banner_enabled

### TODO
# UBTU-22-271015 The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.
- login_banner_text=dod_banners
- dconf_gnome_login_banner_text
Expand Down Expand Up @@ -150,11 +148,9 @@ selections:
# UBTU-22-612015 The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.
- package_opensc_installed

### TODO
# UBTU-22-612025 The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials.
- smartcard_configure_cert_checking

### TODO
# UBTU-22-612035 The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.
- smartcard_configure_crl

Expand All @@ -172,7 +168,6 @@ selections:
- accounts_passwords_pam_faillock_interval
- accounts_passwords_pam_faillock_unlock_time

### TODO
# UBTU-22-651025 The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one.
- aide_periodic_cron_checking

Expand All @@ -195,12 +190,10 @@ selections:
# UBTU-22-654140 The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
- audit_rules_usergroup_modification_opasswd

### TODO
# UBTU-22-653025 The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
- var_auditd_action_mail_acct=root
- auditd_data_retention_action_mail_acct

### TODO
# UBTU-22-653030 The Ubuntu operating system must shut down by default upon audit failure (unless availability is an overriding concern).
- var_auditd_disk_full_action=halt
- auditd_data_disk_full_action
Expand Down Expand Up @@ -352,11 +345,9 @@ selections:
# UBTU-22-654230 The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.
- audit_rules_suid_privilege_function

### TODO
# UBTU-22-653035 The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.
- auditd_audispd_configure_sufficiently_large_partition

### TODO
# UBTU-22-653020 The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.
#- var_audispd_remote_server=192.168.122.126
- package_audit-audispd-plugins_installed
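Review bot: the TODO above UBTU-22-653020 is removed while the selection still carries the commented-out `#- var_audispd_remote_server=192.168.122.126`; a sample private address left in a shipped profile invites copy-paste into production. Either delete the commented line or document that the remote server must be supplied by tailoring.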
Expand Down Expand Up @@ -393,26 +384,22 @@ selections:
# UBTU-22-654060 The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use modprobe command
- audit_rules_privileged_commands_modprobe

### TODO (double check, focal uses kmod_0)
# UBTU-22-654055 The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the kmod command.
- audit_rules_privileged_commands_kmod

# UBTU-22-654045 The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the fdisk command.
- audit_rules_privileged_commands_fdisk

### TODO
# UBTU-22-651035 The Ubuntu operating system must have a crontab script running weekly to offload audit events of standalone systems.
- auditd_offload_logs

### TODO
# UBTU-22-412020 The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.
- var_accounts_max_concurrent_login_sessions=10
- accounts_max_concurrent_login_sessions

# UBTU-22-213010 The Ubuntu operating system must restrict access to the kernel message buffer.
- sysctl_kernel_dmesg_restrict

### TODO
# UBTU-22-652015 The Ubuntu operating system must monitor remote access methods.
- rsyslog_remote_access_monitoring

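Review bot: the '### TODO (double check, focal uses kmod_0)' marker above UBTU-22-654055 is kept while the neighbouring TODOs are cleared; if the check was done as part of this cleanup, drop the marker, otherwise say in the commit message why it remains so the open question is not lost.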
Expand All @@ -434,14 +421,12 @@ selections:
# UBTU-22-411035 The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
- account_disable_post_pw_expiration

### TODO
# UBTU-22-411040 The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less.
- account_temp_expire_date

# UBTU-22-232145 The Ubuntu operating system must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources.
- dir_perms_world_writable_sticky_bits

### TODO
# UBTU-22-253010 The Ubuntu operating system must be configured to use TCP syncookies.
- sysctl_net_ipv4_tcp_syncookies

Expand Down Expand Up @@ -508,19 +493,16 @@ selections:
# UBTU-22-215015 The Ubuntu operating system must have the "chrony" package installed
- package_chrony_installed

### TODO
# UBTU-22-252010 The Ubuntu operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
- var_time_service_set_maxpoll=18_hours
- chronyd_or_ntpd_set_maxpoll

### TODO
# UBTU-22-252015 The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
- chronyd_sync_clock

# UBTU-22-651020 The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the oper
- aide_disable_silentreports

### TODO
# UBTU-22-214010 The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
- apt_conf_disallow_unauthenticated

Expand All @@ -533,22 +515,18 @@ selections:
# UBTU-22-411020 The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password.
- policy_temp_passwords_immediate_change

### TODO
# UBTU-22-631015 The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.
- sssd_offline_cred_expiration

# UBTU-22-671010 The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
- is_fips_mode_enabled

### TODO
# UBTU-22-631010 The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
- only_allow_dod_certs

### TODO
# UBTU-22-251025 The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces.
- ufw_rate_limit

### TODO
# UBTU-22-213025 The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution.
- bios_enable_execution_restrictions

Expand All @@ -561,11 +539,9 @@ selections:
# UBTU-22-651010 The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions.
- package_aide_installed

### TODO
# UBTU-22-651015 The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions.
- aide_build_database

### TODO
# UBTU-22-412015 The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
- display_login_attempts

Expand All @@ -575,7 +551,6 @@ selections:
# UBTU-22-251020 The Ubuntu operating system must have an application firewall enabled.
- service_ufw_enabled

### TODO
# UBTU-22-291015 The Ubuntu operating system must disable all wireless network adapters.
- wireless_disable_interfaces

Expand All @@ -589,7 +564,6 @@ selections:
# UBTU-22-232055 The Ubuntu operating system must have system commands group-owned by root.
- file_groupownership_system_commands_dirs

### TODO
# UBTU-22-271030 The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.
- dconf_gnome_disable_ctrlaltdel_reboot

Expand All @@ -606,7 +580,6 @@ selections:
# UBTU-22-611060 The Ubuntu operating system must not allow accounts configured with blank or null passwords.
- no_empty_passwords

### TODO (fix dconf issues)
# UBTU-22-271025 must initiate a graphical session lock after 15 minutes of inactivity
- inactivity_timeout_value=15_minutes
- var_screensaver_lock_delay=immediate