Merge pull request #9936 from Xeicker/unnecesary_harcoded_rhel
Changing a few hardcoded OS names for full_name
Mab879 authored Dec 6, 2022
2 parents 9fd208c + 50b9e24 commit 12b6ae7
Showing 20 changed files with 51 additions and 27 deletions.
13 changes: 7 additions & 6 deletions linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
Expand Up @@ -41,11 +41,12 @@ ocil: |-
Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
{{%- if product in ["rhel8"] %}}
For RHEL 8.5 systems and older:
{{%- if product in ["ol8", "rhel8"] %}}
{{% set product_short_name = "OL" if "ol" in product else "RHEL" %}}
For {{{ product_short_name }}} 8.5 systems and older:
$ sudo tail /etc/fapolicyd/fapolicyd.rules
For RHEL 8.6 systems and newer:
For {{{ product_short_name }}} 8.6 systems and newer:
{{%- endif %}}
$ sudo tail /etc/fapolicyd/compiled.rules
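Review bot: `product_short_name` is set inside the `{{%- if product in ["ol8", "rhel8"] %}}` branch of the ocil block, yet the fixtext hunk below reads `{{{ product_short_name }}}` without setting it, so that block only renders because a Jinja `set` inside a top-level `if` survives past the `endif` and ocil happens to come first in the file. Move `{{% set product_short_name = "OL" if "ol" in product else "RHEL" %}}` to the top of the file, outside any `if`, the way the last file in this PR defines `vendor` and `url`, so the two blocks stop depending on their order.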
Expand All @@ -60,11 +61,11 @@ fixtext: |-
permissive = 1
{{%- if product in ["rhel8"] %}}
For RHEL 8.5 systems and older:
{{%- if product in ["ol8", "rhel8"] %}}
For {{{ product_short_name }}} 8.5 systems and older:
Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
For RHEL 8.6 systems and newer:
For {{{ product_short_name }}} 8.6 systems and newer:
{{%- endif %}}
Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
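Review bot: "ensuring the last rule is `deny perm=any all : all`" is ambiguous for the rules.d case: `fagenrules` concatenates `/etc/fapolicyd/rules.d/*.rules` in lexical filename order, so the deny rule is last only when it sits at the end of the highest-sorting file (the stock layout relies on numeric prefixes such as `90-deny-execute.rules`). Say that the deny rule must be the last line of the last file by sort order, and that `fagenrules --load` (or a fapolicyd restart) is needed before `compiled.rules` reflects the change.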
Expand Up @@ -6,7 +6,7 @@ vuldiscussion: |-
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.
RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file.
{{{ full_name }}} utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file.
The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum.
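Review bot: the path `"etc/security/pwquality.conf"` on the rewritten line is missing its leading slash; since the line is being touched anyway, make it `"/etc/security/pwquality.conf"` so a reader who copies it gets the real file.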
Expand Up @@ -3,7 +3,7 @@ srg_requirement: |-
vuldiscussion: |-
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, {{{ full_name }}} needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package.
The "tmux" package allows for a session lock to be implemented and configured.
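Review bot: the vendor name was removed from the session-lock sentence, but the unchanged context line "Red Hat endorses tmux as the recommended session controlling package." still ties this rule to RHEL even though it now renders for other products. Either reword it neutrally or wrap it in `{{% if "Red Hat" in full_name %}} ... {{% endif %}}` as the OS-support rule in this PR does for its EUS sentence.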
Expand Up @@ -7,7 +7,7 @@ vuldiscussion: |-
Configuring the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards.
checktext: |-
Verify that RHEL loads the cac driver with the following command:
Verify that {{{ full_name }}} loads the cac driver with the following command:
$ grep card_drivers /etc/opensc.conf
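Review bot: `grep card_drivers /etc/opensc.conf` also matches a commented-out `# card_drivers = ...` line, so a system that never enabled the driver can pass the check. Anchor the pattern, e.g. `grep -E '^\s*card_drivers' /etc/opensc.conf`, or state in the clause that a commented line is a finding.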
Expand Up @@ -4,7 +4,7 @@ srg_requirement: |-
vuldiscussion: |-
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality.
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity.
Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit {{{ full_name }}} system activity.
In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes.
Expand Up @@ -38,7 +38,7 @@ references:
ocil_clause: 'the command does not return a line, or the line is commented out'

ocil: |-
Verify RHEL 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command:
Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command:
$ sudo auditctl -l | grep/etc/sudoers.d
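Review bot: the context line `$ sudo auditctl -l | grep/etc/sudoers.d` is missing the space between `grep` and its pattern; as written the shell looks for an executable named `grep/etc/sudoers.d`. Change it to `$ sudo auditctl -l | grep /etc/sudoers.d` while this file is open.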
Expand Up @@ -6,7 +6,7 @@ vuldiscussion: |-
Off-loading is a common process in information systems with limited audit storage capacity.
RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
{{{ full_name }}} installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
"Rsyslog" supported authentication modes include:
anon - anonymous authentication
Expand Up @@ -6,7 +6,7 @@ vuldiscussion: |-
Off-loading is a common process in information systems with limited audit storage capacity.
RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
{{{ full_name }}} installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing.
"Rsyslog" supported authentication modes include:
anon - anonymous authentication
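Review bot: this hunk is character-for-character the same as the previous rsyslog hunk, so the same `{{{ full_name }}}` edit had to be made twice and any future wording fix will have to be made twice as well. Consider moving the shared "rsyslogd / gnutls / supported authentication modes" paragraph into a single macro or included fragment that both rules reference.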
Expand Up @@ -7,7 +7,7 @@ vuldiscussion: |-
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
{{{ full_name }}} functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
checktext: |-
Verify that "firewalld" is active with the following command:
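Review bot: now that the sentence is templated for every product, "(e.g., RDP)" reads as a Windows carry-over: the check below verifies `firewalld`, and the remote-access service these platforms actually ship and that the firewall governs is SSH. Suggest "(e.g., SSH)" or dropping the parenthetical.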
Expand Up @@ -68,7 +68,7 @@ ocil: |-
<pre>$ sudo chgrp <i>group</i> <i>file</i></pre>
fixtext: |-
Either remove all files and directories from RHEL 8 that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command:
Either remove all files and directories from {{{ full_name }}} that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command:
$ sudo chgrp
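Review bot: as rendered, the fixtext command is just `$ sudo chgrp` while the ocil above shows `$ sudo chgrp <i>group</i> <i>file</i>`. If the fixtext operands are written as bare angle-bracket placeholders they are swallowed when the text is rendered as HTML; use the same `<i>group</i> <i>file</i>` markup here so the operands survive.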
Expand Up @@ -4,4 +4,16 @@ title: |-
Enable Execute Disable (XD) or No Execute (NX) Support on
x86 Systems
description: "Recent processors in the x86 family support the\nability to prevent code execution on a per memory page basis.\nGenerically and on AMD processors, this ability is called No\nExecute (NX), while on Intel processors it is called Execute\nDisable (XD). This ability can help prevent exploitation of buffer\noverflow vulnerabilities and should be activated whenever possible.\nExtra steps must be taken to ensure that this protection is\nenabled, particularly on 32-bit x86 systems. Other processors, such\nas Itanium and POWER, have included such support since inception\nand the standard kernel for those platforms supports the\nfeature. This is enabled by default on the latest Red Hat and \nFedora systems if supported by the hardware."
description: |-
Recent processors in the x86 family support the
ability to prevent code execution on a per memory page basis.
Generically and on AMD processors, this ability is called No
Execute (NX), while on Intel processors it is called Execute
Disable (XD). This ability can help prevent exploitation of buffer
overflow vulnerabilities and should be activated whenever possible.
Extra steps must be taken to ensure that this protection is
enabled, particularly on 32-bit x86 systems. Other processors, such
as Itanium and POWER, have included such support since inception
and the standard kernel for those platforms supports the
feature. This is enabled by default on the latest Oracle Linux, Red Hat and
Fedora systems if supported by the hardware.
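Review bot: the last sentence now hardcodes "Oracle Linux, Red Hat and Fedora", which is the kind of per-vendor string this PR is removing elsewhere; a neutral "on current {{{ full_name }}} and Fedora releases" or simply "on current releases" avoids editing the list again for the next product. Separately, `|-` keeps every hard line break that the old `\n` escapes encoded, so output is unchanged; if the intent is one flowing paragraph, `>-` would fold them.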
Expand Up @@ -25,7 +25,7 @@ checktext: |-
If "slub_debug" is not set to "P", is missing or commented out, this is a finding.
fixtext: |-
Configure RHEL to enable poisoning of SLUB/SLAB objects with the following commands:
Configure {{{ full_name }}} to enable poisoning of SLUB/SLAB objects with the following commands:
$ sudo grubby --update-kernel=ALL --args="slub_debug=P"
Expand Up @@ -4,7 +4,7 @@ srg_requirement: |-
vuldiscussion: |-
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, {{{ full_name }}} needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
checktext: |-
Verify {{{ full_name }}} disables ability of the user to override the smartcard removal action setting.
Expand Up @@ -11,7 +11,7 @@ vuldiscussion: |-
checktext: |-
Verify {{{ full_name }}} initiates a session lock after a 15-minute period of inactivity for graphical user interfaces with the following command:
Note: This requirement assumes the use of the RHEL 0 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
Note: This requirement assumes the use of the {{{ full_name }}} default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
$ sudo gsettings get org.gnome.desktop.session idle-delay
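Review bot: this check runs `sudo gsettings get org.gnome.desktop.session idle-delay`, while the sibling screensaver checks in this PR run `gsettings get ...` without `sudo`. The two are not equivalent: under `sudo` the value comes from root's dconf user database layered over the system database, without it from the invoking user's, which may differ if the key is not locked. Pick one form for all four rules and state which database the check is meant to read.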
Expand Up @@ -8,7 +8,7 @@ vuldiscussion: |-
checktext: |-
Verify {{{ full_name }}} initiates a session lock a for graphical user interfaces when the screensaver is activated with the following command:
Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
Note: This requirement assumes the use of the {{{ full_name }}} default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
$ gsettings get org.gnome.desktop.screensaver lock-delay
Expand Up @@ -11,7 +11,7 @@ vuldiscussion: |-
checktext: |-
Verify {{{ full_name }}} enables a user's session lock until that user re-establishes access using established identification and authentication procedures with the following command:
Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
Note: This requirement assumes the use of the {{{ full_name }}} default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
$ gsettings get org.gnome.desktop.screensaver lock-enabled
Expand Up @@ -11,7 +11,7 @@ vuldiscussion: |-
checktext: |-
Verify {{{ full_name }}} prevents a user from overriding settings for graphical user interfaces.
Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
Note: This requirement assumes the use of the {{{ full_name }}} default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
Determine which profile the system database is using with the following command:
Expand Up @@ -11,7 +11,7 @@ vuldiscussion: |-
checktext: |-
Verify {{{ full_name }}} prevents a user from overriding settings for graphical user interfaces.
Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
Note: This requirement assumes the use of the {{{ full_name }}} default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
Determine which profile the system database is using with the following command:
Expand Up @@ -4,14 +4,14 @@ srg_requirement: |-
vuldiscussion: |-
An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
{{% if "Red Hat" in full_name %}}
Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.
{{% endif %}}
checktext: |-
Verify that the version or {{{ full_name }}} is vendor supported with the following command:
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 9.0 (Plow)
$ grep PRETTY_NAME /etc/os-release
If the installed version of {{{ full_name }}} is not supported, this is a finding.
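Review bot: two typos sit on lines this hunk touches or surrounds: "Extended Update Support (EUS) ad-on" should be "add-on", and "Verify that the version or {{{ full_name }}}" should be "version of". Also, as rendered the checktext still shows `$ cat /etc/redhat-release` followed by the sample line "Red Hat Enterprise Linux release 9.0 (Plow)" next to the new `grep PRETTY_NAME /etc/os-release`; that sample is a hardcoded RHEL string of the sort this PR removes, so drop it or guard it with the same `{{% if "Red Hat" in full_name %}}` used for the EUS sentence.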
@@ -1,3 +1,10 @@
{{% if "Red Hat" in full_name %}}
{{% set vendor = "Red Hat" %}}
{{% set url = "https://access.redhat.com/errata-search/" %}}
{{% elif "ol" in product %}}
{{% set vendor = "Oracle" %}}
{{% set url = "https://linux.oracle.com/errata/" %}}
{{% endif %}}
srg_requirement: |-
{{{ full_name }}} vendor packaged system security patches and updates must be installed and up to date.
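Review bot: the two branches are keyed on different variables (`"Red Hat" in full_name` versus `"ol" in product`), and `"ol" in product` is a substring test that selects the Oracle branch for any product id containing "ol", not only `ol7`/`ol8`/`ol9`. Key both on `product` with an explicit membership test, e.g. `{{% elif product in ["ol7", "ol8", "ol9"] %}}`, so a later product id cannot silently pick up the Oracle errata URL.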
Expand All @@ -11,7 +18,11 @@ vuldiscussion: |-
checktext: |-
Verify {{{ full_name }}} security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy.
Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.
{{% if "Red Hat" in full_name or "ol" in product %}}
Obtain the list of available package security updates from {{{ vendor }}}. The URL for updates
is {{{ url }}}. It is important to note that updates provided by {{{ vendor }}} may not be
present on the system if the underlying packages are not installed.
{{% endif %}}
Check that the available package security updates have been installed on the system with the following command:
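Review bot: the guard `{{% if "Red Hat" in full_name or "ol" in product %}}` repeats the condition from the top of the file, so the two will drift the next time a vendor is added. Test the result of the top block instead, `{{% if vendor is defined %}}`, which keeps the vendor list in exactly one place.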