Update selections for RHEL 10 STIG
To better match the RHEL 9 STIG.
Mab879 committed Sep 11, 2024
1 parent d80b25c commit c12aefa
Showing 11 changed files with 26 additions and 1 deletion.
2 changes: 1 addition & 1 deletion controls/srg_gpos.yml
Expand Up @@ -22,7 +22,7 @@ controls:
- sshd_approved_macs=stig_extended
- sshd_approved_ciphers=stig_extended
- sshd_idle_timeout_value=10_minutes
- var_accounts_authorized_local_users_regex=rhel8
- var_accounts_authorized_local_users_regex=rhel9
- var_account_disable_post_pw_expiration=35
- login_banner_text=dod_banners
- var_authselect_profile=sssd
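Review bot: `var_accounts_authorized_local_users_regex=rhel9` is selected in a RHEL 10 control file, so the allow-list of expected local accounts is the RHEL 9 one; any system account that RHEL 10 adds or drops relative to RHEL 9 will be reported as unauthorized (or silently accepted) by the accounts_authorized_local_users check until a rhel10 value of the regex exists. A comment next to the selection would stop the borrowed value from being mistaken for a verified one, e.g. `# TODO: switch to a rhel10 value once RHEL 10's default system accounts are confirmed`. The enclosing `controls:` entry starts above this hunk.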
1 change: 1 addition & 0 deletions controls/srg_gpos/SRG-OS-000031-GPOS-00012.yml
Expand Up @@ -7,4 +7,5 @@ controls:
rules:
- configure_bashrc_exec_tmux
- configure_tmux_lock_after_time
- dconf_gnome_screensaver_mode_blank
status: automated
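Review bot: `dconf_gnome_screensaver_mode_blank` is only meaningful on a host with GNOME installed, while the SRG-OS-000480 file in this same commit selects `xwindows_remove_packages`, which removes the X/GNOME stack; whether the dconf rule is platform-gated so that it reports not-applicable rather than failing on a headless build depends on the rule's platform metadata, which this hunk does not show. A comment above the rule, `# only applies when GNOME is present; see xwindows_remove_packages under SRG-OS-000480`, would explain the apparent contradiction to readers of the control file. The `rules:` list begins in this hunk at `rules:` and the control header is above it.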
2 changes: 2 additions & 0 deletions controls/srg_gpos/SRG-OS-000073-GPOS-00041.yml
Expand Up @@ -11,4 +11,6 @@ controls:
- set_password_hashing_algorithm_systemauth
- set_password_hashing_min_rounds_logindefs
- accounts_password_all_shadowed_sha512
- var_password_hashing_algorithm_pam=sha512
- var_password_pam_unix_rounds=5000
status: automated
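Review bot: `var_password_pam_unix_rounds=5000` pins the pam_unix `rounds=` option to what is, as far as I recall, the sha512crypt default, so the selection only guards against an explicitly lowered value rather than strengthening hashing; that is the STIG minimum, but the line should say so, e.g. `# 5000 is the STIG minimum (and the sha512crypt default); raise only together with the login.defs min-rounds value`. `set_password_hashing_min_rounds_logindefs`, selected two lines above, is driven by a separate login.defs variable whose value is not selected in this hunk; the two values should agree or the pam and login.defs checks will disagree on what "enough rounds" means. The `rules:` list begins above this hunk.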
1 change: 1 addition & 0 deletions controls/srg_gpos/SRG-OS-000163-GPOS-00072.yml
Expand Up @@ -13,4 +13,5 @@ controls:
- sshd_set_keepalive
- accounts_tmout
- var_accounts_tmout=15_min
- var_sshd_set_keepalive=1
status: automated
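Review bot: `var_sshd_set_keepalive=1` appears to set ClientAliveCountMax, and on its own it produces no idle timeout — the effective limit comes from the ClientAliveInterval chosen via `sshd_idle_timeout_value=10_minutes` in controls/srg_gpos.yml, and neither selection documents that coupling. Add `# ClientAliveCountMax; effective idle timeout = this × sshd_idle_timeout_value (srg_gpos.yml)` above the line so neither value is changed in isolation. The `rules:` list begins above this hunk.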
4 changes: 4 additions & 0 deletions controls/srg_gpos/SRG-OS-000324-GPOS-00125.yml
Expand Up @@ -13,4 +13,8 @@ controls:
- sysctl_fs_protected_hardlinks
- sysctl_fs_protected_symlinks
- package_sudo_installed
- sudo_remove_no_authenticate
- sudo_remove_nopasswd
- sudo_require_reauthentication
- disallow_bypass_password_sudo
status: automated
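Review bot: `sudo_require_reauthentication` is, in upstream content, parameterized by a timestamp-timeout variable (likely `var_sudo_timestamp_timeout`), and no value for it is selected in this hunk, so the check will run with the rule's shipped default unless the variable is pinned elsewhere in this control file; the other three sudo rules added here take no parameter. Either pin the timeout next to the rule in the style used throughout this commit (`- var_sudo_timestamp_timeout=…`) or add `# timeout inherited from the rule default — verify against the RHEL 9 STIG value` so the omission is visibly deliberate. The `rules:` list starts above this hunk.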
1 change: 1 addition & 0 deletions controls/srg_gpos/SRG-OS-000343-GPOS-00134.yml
Expand Up @@ -8,6 +8,7 @@ controls:
rules:
- auditd_data_retention_action_mail_acct
- auditd_data_retention_admin_space_left_action
- var_auditd_admin_space_left_action=single
- auditd_data_retention_admin_space_left_percentage
- var_auditd_admin_space_left_percentage=5pc
- auditd_data_retention_space_left_action
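Review bot: `var_auditd_admin_space_left_action=single` makes auditd drop the host to single-user mode once the audit partition reaches the 5% threshold selected on the following line, so a remediation run on a production system turns an audit-disk-space condition into a loss of availability; that is a STIG-permitted value, but it deserves a why-comment, e.g. `# single (or halt) is what the STIG requires; expect loss of service when audit space is exhausted`. The `rules:` list begins in this hunk and continues below it.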
2 changes: 2 additions & 0 deletions controls/srg_gpos/SRG-OS-000363-GPOS-00150.yml
Expand Up @@ -8,4 +8,6 @@ controls:
- aide_periodic_cron_checking
- package_aide_installed
- package_s-nail_installed
- aide_build_database
- aide_use_fips_hashes
status: automated
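Review bot: `aide_build_database` initializes the AIDE baseline, and its value depends on when it runs relative to every other remediation in the profile — a database built before the remaining rules are applied records the unhardened state as "known good". Nothing in this hunk orders it last; unless the build already guarantees that ordering, a comment such as `# must run after all other remediations so the baseline reflects the hardened system` would at least warn operators applying the generated remediation. `aide_use_fips_hashes` is also selected under SRG-OS-000478 in this commit, which is fine for a rule mapped to two SRGs. The `rules:` list starts above this hunk.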
1 change: 1 addition & 0 deletions controls/srg_gpos/SRG-OS-000433-GPOS-00192.yml
Expand Up @@ -8,4 +8,5 @@ controls:
- sysctl_kernel_kptr_restrict
- bios_enable_execution_restrictions
- grub2_slub_debug_argument
- sysctl_kernel_exec_shield
status: automated
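Review bot: `sysctl_kernel_exec_shield` is named after the legacy kernel.exec-shield sysctl, which does not exist on current kernels; in upstream content the rule's check for newer RHEL releases is implemented by other means than a sysctl read, but whether its platform applicability covers RHEL 10 is not visible in this hunk and should be confirmed before it is relied on to satisfy SRG-OS-000433. A comment like `# not a real sysctl on modern kernels; rule checks execute-protection another way — confirm rhel10 applicability` would keep a reader from expecting a kernel.exec-shield key. The `rules:` list starts above this hunk.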
2 changes: 2 additions & 0 deletions controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml
Expand Up @@ -11,4 +11,6 @@ controls:
- enable_dracut_fips_module
- enable_fips_mode
- sysctl_crypto_fips_enabled
- aide_use_fips_hashes
- configure_kerberos_crypto_policy
status: automated
7 changes: 7 additions & 0 deletions controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
Expand Up @@ -17,6 +17,7 @@ controls:
- file_groupowner_etc_gshadow
- file_groupowner_etc_passwd
- file_groupowner_etc_shadow
- file_owner_grub2_cfg
- file_groupowner_grub2_cfg
- file_owner_cron_d
- file_owner_cron_daily
Expand Down Expand Up @@ -66,6 +67,8 @@ controls:
- no_files_unowned_by_user
- file_owner_cron_deny
- file_groupowner_cron_deny
- file_permission_user_init_files_root
- var_user_initialization_files_regex=all_dotfiles

# service disabled
# - service_rngd_enabled - this rule was removed because it does bring questionable value on modern systems
Expand Down Expand Up @@ -146,6 +149,7 @@ controls:
- sysctl_net_ipv6_conf_default_accept_source_route
- sysctl_net_ipv4_conf_all_accept_redirects
- sysctl_net_ipv4_conf_all_accept_source_route
- sysctl_net_ipv4_conf_all_forwarding
- sysctl_net_ipv4_conf_default_accept_source_route
- sysctl_net_ipv4_conf_all_rp_filter
- sysctl_net_ipv4_conf_default_rp_filter
Expand All @@ -155,6 +159,7 @@ controls:
- sysctl_net_ipv4_conf_default_accept_redirects
- sysctl_net_ipv4_conf_default_send_redirects
- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv4_icmp_ignore_bogus_error_responses
- sysctl_kernel_core_pattern
- sysctl_kernel_kexec_load_disabled
- sysctl_kernel_unprivileged_bpf_disabled
Expand Down Expand Up @@ -238,5 +243,7 @@ controls:
- tftpd_uses_secure_mode
- display_login_attempts
- installed_OS_is_vendor_supported
- selinux_all_devicefiles_labeled
- xwindows_remove_packages

status: automated
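Review bot: `sysctl_net_ipv4_conf_all_forwarding` is added alongside the already selected `sysctl_net_ipv4_ip_forward`, so the profile now disables IPv4 forwarding through two keys; both are right for a non-router, but container and virtualization hosts (podman/libvirt bridged networking) depend on forwarding and the STIG exempts systems functioning as routers. That conditional should be recorded in the control file, e.g. `# disable forwarding unless the host is a documented router/container host (STIG exception)`, rather than rediscovered after remediation breaks networking. The same file also selects `xwindows_remove_packages` while GNOME dconf rules are selected in other controls of this commit; presumably those rules are gated on GNOME's presence, but that is worth confirming. The `rules:` list spans several hunks here and continues outside them.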
4 changes: 4 additions & 0 deletions controls/srg_gpos/SRG-OS-000730-GPOS-00190.yml
Expand Up @@ -10,3 +10,7 @@ controls:
- var_password_pam_maxclassrepeat=3
- var_password_pam_dictcheck=1
- accounts_password_pam_dictcheck
- var_password_hashing_algorithm_pam=sha512
- var_password_pam_unix_rounds=5000
- var_password_pam_remember=5
- var_password_pam_remember_control_flag=requisite_or_required
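Review bot: `var_password_hashing_algorithm_pam=sha512` and `var_password_pam_unix_rounds=5000` are selected here a second time (the same values are added under SRG-OS-000073 in this commit), so the hashing parameters now live in two places and a later change to one of them is easy to miss; the variables belong with the hashing SRG and this control should not repeat them. The pwhistory selections `var_password_pam_remember=5` and `var_password_pam_remember_control_flag=requisite_or_required` also sit under the control that holds the maxclassrepeat/dictcheck complexity settings; if the RHEL 9 STIG maps password reuse to a different SRG (SRG-OS-000077, in my reading), a comment `# pwhistory values kept here to match the RHEL 9 STIG selection` or a move would make the mapping auditable. No `status:` line is visible in this hunk; the control definition starts above it.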
