Merge pull request ComplianceAsCode#12501 from mpurg/ubuntu2004_STIG_…

…V1R12

Update ubuntu 20.04 STIG profile to V1R12

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml

@@ -9,14 +9,16 @@ description: |-
     VPN, proxy capability). This does not apply to authentication for the
     purpose of configuring the device itself (management).
 
+    {{% if 'ubuntu' in product %}}
+    Add or update the following line in <tt>/etc/pam.d/common-auth</tt>,
+    placing it above any lines containing <tt>pam_unix.so</tt>:
+    <pre>auth    [success=2 default=ignore] pam_pkcs11.so </pre>
+    {{% else %}}
     Check that the <tt>pam_pkcs11.so</tt> option is configured in the
     <tt>etc/pam.d/common-auth</tt> file with the following command:
 
     <pre># grep pam_pkcs11.so /etc/pam.d/common-auth
 
-    {{% if 'ubuntu' in product %}}
-    auth [success=2 default=ignore] pam_pkcs11.so</pre>
-    {{% else %}}
     auth sufficient pam_pkcs11.so</pre>
     {{% endif %}}
 

linux_os/guide/system/software/integrity/software-integrity/aide/aide_disable_silentreports/rule.yml

@@ -15,7 +15,7 @@ severity: medium
 references:
     disa: "CCI-001744,CCI-002702"
     srg: "SRG-OS-000447-GPOS-00201,SRG-OS-000363-GPOS-00150"
-    stigid@ubuntu2004: UBTU-20-010437
+    stigid@ubuntu2004: UBTU-20-010451
     stigid@ubuntu2204: UBTU-22-651020
 
 ocil_clause: 'silentreports is enabled in aide default configuration, or is missing'

products/ubuntu2004/profiles/stig.profile

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-title: 'Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R11'
+title: 'Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R12'
 
 description: |-
     This Security Technical Implementation Guide is published as a tool to
@@ -536,7 +536,7 @@ selections:
     # UBTU-20-010436 The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
     - chronyd_sync_clock
 
-    # UBTU-20-010437 The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the oper
+    # UBTU-20-010451 The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the oper
     - aide_disable_silentreports
 
     # UBTU-20-010438 The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
@@ -558,10 +558,6 @@ selections:
     # UBTU-20-010443 The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
     - only_allow_dod_certs
 
-    # UBTU-20-010444 Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest.
-
-    # UBTU-20-010445 Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest.
-
     # UBTU-20-010446 The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces.
     - ufw_rate_limit
 
@@ -578,9 +574,6 @@ selections:
     - package_aide_installed
     - aide_build_database
 
-    # UBTU-20-010451 The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.
-    # Same as UBTU-20-010437
-
     # UBTU-20-010453 The Ubuntu operating system must display the date and time of the last successful account logon upon logon.
     - display_login_attempts