diff --git a/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml b/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml
index 8145422ff0b..04e06dfbd40 100644
--- a/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml
+++ b/applications/openshift/authentication/oauth_or_oauthclient_token_maxage/rule.yml
@@ -51,6 +51,7 @@ rationale: |-
 references:
 nist: AC-12
+ srg: SRG-APP-000400-CTR-000960
 identifiers:
 cce@ocp4: CCE-84162-7
diff --git a/applications/openshift/authentication/oauth_token_maxage/rule.yml b/applications/openshift/authentication/oauth_token_maxage/rule.yml
index e40f9415471..68d80cbeef5 100644
--- a/applications/openshift/authentication/oauth_token_maxage/rule.yml
+++ b/applications/openshift/authentication/oauth_token_maxage/rule.yml
@@ -68,6 +68,4 @@ template:
 filepath: {{{ openshift_filtered_path(default_api_path, default_jqfilter) }}}
 yamlpath: ".tokenConfig.accessTokenMaxAgeSeconds"
 check_existence: "only_one_exists"
- values:
- - value: ".*"
- operation: "pattern match"
+ xccdf_variable: var_oauth_token_maxage
diff --git a/applications/openshift/authentication/oauthclient_token_maxage/rule.yml b/applications/openshift/authentication/oauthclient_token_maxage/rule.yml
index 51595d807cd..3255bd63883 100644
--- a/applications/openshift/authentication/oauthclient_token_maxage/rule.yml
+++ b/applications/openshift/authentication/oauthclient_token_maxage/rule.yml
@@ -63,6 +63,4 @@ template:
 check_existence_yamlpath: ".items[:].grantMethod"
 check_existence: "all_exist"
 entity_check: "all"
- values:
- - value: ".*"
- operation: "pattern match"
+ xccdf_variable: var_oauth_token_maxage
diff --git a/applications/openshift/authentication/var_oauth_token_maxage.var b/applications/openshift/authentication/var_oauth_token_maxage.var
new file mode 100644
index 00000000000..9f52243ab43
--- /dev/null
+++ b/applications/openshift/authentication/var_oauth_token_maxage.var
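Review bot: Switching the accessTokenMaxAgeSeconds check from the `.*` pattern to `xccdf_variable: var_oauth_token_maxage` makes it an exact-match test, because the variable introduced later in this diff declares `operator: equals`; a cluster that sets a shorter lifetime than the selected option, which still bounds cached authenticators as the control asks, would then fail the rule. If the selected value is meant as an upper bound, the variable should declare `operator: less than or equal` instead, assuming the yamlfile_value template forwards the variable's operator into the generated check. The same substitution is made in the oauthclient_token_maxage hunk on this line, where every OAuthClient's value is compared against the one shared variable; confirm a single threshold for all clients is intended. The `template:` block of both rules begins before the hunk.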
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'OAuth Token Maximum Age'
+
+description: 'Enter OAuth Token Maximum Age Timeout'
+
+type: number
+
+operator: equals
+
+interactive: true
+
+options:
+ default: 86400
+ 24h: 86400
+ 8h: 28800
diff --git a/controls/srg_ctr/SRG-APP-000092-CTR-000165.yml b/controls/srg_ctr/SRG-APP-000092-CTR-000165.yml
index 2eb8e6f6368..f754f37bb16 100644
--- a/controls/srg_ctr/SRG-APP-000092-CTR-000165.yml
+++ b/controls/srg_ctr/SRG-APP-000092-CTR-000165.yml
@@ -7,5 +7,6 @@ controls:
 - cluster_logging_operator_exist
 - audit_log_forwarding_enabled
 - coreos_audit_option
+ - coreos_audit_backlog_limit_kernel_argument
 status: automated
diff --git a/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml b/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml
index f92c38bc8b1..a8e21dd0222 100644
--- a/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml
+++ b/controls/srg_ctr/SRG-APP-000141-CTR-000315.yml
@@ -3,11 +3,12 @@ controls:
 levels:
 - medium
 title: {{{ full_name }}} must be configured with only essential configurations.
- related_rules:
+ rules:
 - service_sshd_disabled
 - kernel_module_usb-storage_disabled
 - package_usbguard_installed
 - service_usbguard_enabled
 - configure_usbguard_auditbackend
+ - usbguard_allow_hid_and_hub
 status: automated
diff --git a/controls/srg_ctr/SRG-APP-000400-CTR-000960.yml b/controls/srg_ctr/SRG-APP-000400-CTR-000960.yml
index 484579bfe0b..401913b232c 100644
--- a/controls/srg_ctr/SRG-APP-000400-CTR-000960.yml
+++ b/controls/srg_ctr/SRG-APP-000400-CTR-000960.yml
@@ -4,7 +4,7 @@ controls:
 - medium
 title: {{{ full_name }}} must prohibit the use of cached authenticators after an organization-defined time period.
- status: inherently met
+ status: automated
 artifact_description: |-
 Supporting evidence is in the following documentation
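Review bot: The `description:` line gives no unit, so someone tailoring the value sees only 'Enter OAuth Token Maximum Age Timeout' with no hint that `86400` and `28800` are seconds or which API field they map to; suggest `description: 'Maximum age of OAuth access tokens, in seconds (accessTokenMaxAgeSeconds)'`. Because `operator: equals` is what the profile's selection is compared with, the description should also say that the cluster value must match the selected option exactly, or the operator should be a bounding one if an exact match is not what is intended.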
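Review bot: Renaming `related_rules:` to `rules:` is not cosmetic in a control file: entries under `rules:` are selected into every profile that pulls the control (products/ocp4/profiles/stig-v1r1.profile selects `srg_ctr:all` later in this diff), whereas `related_rules` entries are informational. The five pre-existing entries, including `service_sshd_disabled` and `kernel_module_usb-storage_disabled`, will presumably start being checked and remediated on OCP4 nodes with this commit; confirm each has an ocp4 applicability and a kubernetes remediation, and keep any that are not yet validated under `related_rules:` for now. The control's header fields begin before the hunk.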
@@ -18,4 +18,5 @@ controls:
 `oc edit oauth.config.openshift.io/cluster`
 See: https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-configuring-internal-oauth_configuring-internal-oauth
-
+ rules:
+ - oauth_or_oauthclient_token_maxage
diff --git a/controls/srg_ctr/SRG-APP-000499-CTR-001255.yml b/controls/srg_ctr/SRG-APP-000499-CTR-001255.yml
index 6de12b0ad49..04f11355b2b 100644
--- a/controls/srg_ctr/SRG-APP-000499-CTR-001255.yml
+++ b/controls/srg_ctr/SRG-APP-000499-CTR-001255.yml
@@ -23,6 +23,7 @@ controls:
 - audit_rules_file_deletion_events_rmdir
 - audit_rules_file_deletion_events_unlink
 - audit_rules_file_deletion_events_unlinkat
+ - audit_rules_privileged_commands_pt_chown
 - audit_rules_privileged_commands_su
 - audit_rules_privileged_commands_sudo
 - audit_rules_privileged_commands_usermod
diff --git a/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml b/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml
index fcece9b8ca7..c32097948da 100644
--- a/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml
+++ b/controls/srg_ctr/SRG-APP-000501-CTR-001265.yml
@@ -18,4 +18,10 @@ controls:
 - audit_rules_file_deletion_events_unlink
 - audit_rules_file_deletion_events_unlinkat
 - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_pt_chown
+ - audit_delete_failed
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
 status: automated
diff --git a/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml b/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml
index 7973a1b7876..d1a364e5e4b 100644
--- a/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml
+++ b/controls/srg_ctr/SRG-APP-000502-CTR-001270.yml
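Review bot: Only `oauth_or_oauthclient_token_maxage` is placed under `rules:`, while `var_oauth_token_maxage` is bound to `oauth_token_maxage` and `oauthclient_token_maxage` earlier in this diff; if the `_or_` rule's check does not extend those two rule checks, the `var_oauth_token_maxage=8h` selection in the OCP4 STIG profile has no effect on this control's result. Confirm the `_or_` rule consumes the variable, or list the two variable-bound rules here as well. The artifact_description block that this hunk closes begins before the hunk.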
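Review bot: `audit_delete_failed` and the four `audit_rules_unsuccessful_file_modification_*` rules are selected side by side; the former writes one `30-ospp-v42-4-delete-failed.rules` file covering unlink, unlinkat, rename and renameat (see its kubernetes/shared.yml hunk later in this diff), while the latter are the per-syscall variants of the same requirement, so a node may end up carrying both rule sets, or the per-syscall checks may fail on a node remediated only by the policy-rules file. Consider selecting one family for the OCP4 profile, or confirm the per-syscall rules have an ocp4 applicability and a kubernetes remediation. The same list is added in the SRG-APP-000502-CTR-001270 hunk on the next line; the `rules:` key of both controls begins before the hunk.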
@@ -18,4 +18,10 @@ controls:
 - audit_rules_file_deletion_events_unlink
 - audit_rules_file_deletion_events_unlinkat
 - audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_pt_chown
+ - audit_delete_failed
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
 status: automated
diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
index e9e56f1240e..c5b55207f54 100644
--- a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
+++ b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
@@ -48,7 +48,7 @@ references:
 disa: CCI-001958
 ism: "1418"
 nist: CM-8(3),IA-3
- srg: SRG-OS-000378-GPOS-00163
+ srg: SRG-OS-000378-GPOS-00163,SRG-APP-000141-CTR-000315
 stigid@ol8: OL08-00-040139
 stigid@rhel8: RHEL-08-040139
 stigid@rhel9: RHEL-09-291015
diff --git a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
index 703949026db..bbc76cd0945 100644
--- a/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
+++ b/linux_os/guide/services/usbguard/service_usbguard_enabled/rule.yml
@@ -24,7 +24,7 @@ references:
 ism: "1418"
 nist: CM-8(3)(a),IA-3
 ospp: FMT_SMF_EXT.1
- srg: SRG-OS-000378-GPOS-00163
+ srg: SRG-OS-000378-GPOS-00163,SRG-APP-000141-CTR-000315
 stigid@ol8: OL08-00-040141
 stigid@rhel8: RHEL-08-040141
 stigid@rhel9: RHEL-09-291020
diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
index 9c8f78df519..376f524af24 100644
--- a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
+++ b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/rule.yml
@@ -29,7 +29,7 @@ identifiers:
 references:
 nist: CM-8(3),IA-3
 ospp: FMT_SMF_EXT.1
- srg: SRG-OS-000114-GPOS-00059
+ srg: SRG-OS-000114-GPOS-00059,SRG-APP-000092-CTR-000165
 ocil_clause: 'USB devices of class 3 and 9:00 are not authorized'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml
index 2d7a75567fa..4e9159267bd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml
@@ -50,7 +50,7 @@ references:
 nist@sle15: AU-12(c),AU-12.1(iv)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@sle12: SLES-12-020411
 stigid@sle15: SLES-15-030740
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml
index 51e43372b84..32eb5378a05 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml
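Review bot: The reference added here, `SRG-APP-000092-CTR-000165`, does not match where the rule is wired in this same diff: `usbguard_allow_hid_and_hub` is appended to controls/srg_ctr/SRG-APP-000141-CTR-000315.yml, the sibling usbguard rules in this diff receive `SRG-APP-000141-CTR-000315`, and `SRG-APP-000092-CTR-000165` is the identifier given to `coreos_audit_backlog_limit_kernel_argument`, which is the rule added to the 000092 control. Unless a separate mapping to the audit control is intended, the line should read `srg: SRG-OS-000114-GPOS-00059,SRG-APP-000141-CTR-000315`.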
@@ -58,7 +58,7 @@ references:
 nist@sle15: AU-12(c),AU-12.1(iv)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@sle12: SLES-12-020411
 stigid@sle15: SLES-15-030740
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml
index 203229194dc..a26d8ac12ff 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml
@@ -64,7 +64,7 @@ references:
 nist@sle15: AU-12(c),AU-12.1(iv)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@sle12: SLES-12-020411
 stigid@sle15: SLES-15-030740
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
index f213556c103..4c574a3bd5f 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
@@ -61,7 +61,7 @@ references:
 nist@sle15: AU-12(c),AU-12.1(iv)
 ospp: FAU_GEN.1.1.c
 pcidss: Req-10.2.4,Req-10.2.1
- srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
+ srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@sle12: SLES-12-020411
 stigid@sle15: SLES-15-030740
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml
index 35e31c1405f..a33830c58e7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml
@@ -49,7 +49,7 @@ references:
 iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.14.2.7,A.15.2.1,A.15.2.2
 nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
- srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215,SRG-APP-000499-CTR-001255,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 {{{ ocil_fix_srg_privileged_command("pt_chown", "/usr/libexec/") }}}
diff --git a/linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml b/linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml
index 9b0d628d331..68aee5be1a3 100644
--- a/linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml
+++ b/linux_os/guide/system/auditing/coreos_audit_backlog_limit_kernel_argument/rule.yml
@@ -22,7 +22,7 @@ identifiers:
 references:
 nist: CM-6(a)
- srg: SRG-OS-000254-GPOS-00095
+ srg: SRG-OS-000254-GPOS-00095,SRG-APP-000092-CTR-000165
 ocil_clause: 'audit backlog limit is not configured'
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml
index 023388b6682..dab3d0eaa96 100644
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/kubernetes/shared.yml
@@ -9,7 +9,7 @@ spec:
 storage:
 files:
 - contents:
- source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete
+ source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A
 mode: 0600
 path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 overwrite: true
diff --git a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
index 9369175a0d8..aa45717ffd6 100644
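Review bot: The corrected data URL replaces `%26gt%3B%3D` (`&gt;=`, an HTML entity that had leaked into the rule text) with `%3E%3D` (`>=`) in all four `-F auid` filters and appends the trailing `%0A`, so the generated rules file now carries a plain comparison and a final newline; the same entity-escaping defect may exist in the other policy_rules kubernetes/shared.yml data URLs, which are worth sweeping for `%26gt%3B` and `%26lt%3B`. A short comment above `source:` recording the encoding expectation, e.g. `# percent-encoded audit rules file; encode ">=" as %3E%3D, never as an HTML entity`, would stop the next editor reintroducing it, since nothing in the file otherwise makes the value readable.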
--- a/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
+++ b/linux_os/guide/system/auditing/policy_rules/audit_delete_failed/rule.yml
@@ -40,7 +40,7 @@ identifiers:
 references:
 nist: AU-2(a)
 ospp: FAU_GEN.1.1.c
- srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212
+ srg: SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220,SRG-OS-000463-GPOS-00207,SRG-OS-000465-GPOS-00209,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 ocil_clause: 'the file does not exist or the content differs'
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index d25ccbf0f9e..95b86092335 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -42,7 +42,7 @@ references:
 nist: CM-7(a),CM-7(b),CM-6(a),MP-7
 nist-csf: PR.AC-1,PR.AC-3,PR.AC-6,PR.AC-7
 pcidss4: '3.4.2'
- srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
+ srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227,SRG-APP-000141-CTR-000315
 stigid@ol7: OL07-00-020100
 stigid@ol8: OL08-00-040080
 stigid@rhel7: RHEL-07-020100
diff --git a/products/ocp4/profiles/stig-v1r1.profile b/products/ocp4/profiles/stig-v1r1.profile
index 96056451d63..6c70dba5801 100644
--- a/products/ocp4/profiles/stig-v1r1.profile
+++ b/products/ocp4/profiles/stig-v1r1.profile
@@ -25,6 +25,7 @@ selections:
 - srg_ctr:all
 ### Variables
 - var_openshift_audit_profile=WriteRequestBodies
+ - var_oauth_token_maxage=8h
 ### Helper Rules
 ### This is a helper rule to fetch the required api resource for detecting OCP version
 - version_detect_in_ocp