From ee3f13855ded228cd1c9eec157f5515886b7a100 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 9 Aug 2023 11:45:57 +0200
Subject: [PATCH 1/3] Update sshd_approved_ciphers value for RHEL8 STIG
---
 products/rhel8/profiles/stig.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 5be8fb81275..0e136784a17 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -51,7 +51,7 @@ selections:
  - var_password_pam_minlen=15
  - var_sshd_set_keepalive=1
  - sshd_approved_macs=stig_extended
- - sshd_approved_ciphers=stig
+ - sshd_approved_ciphers=stig_extended
  - sshd_idle_timeout_value=10_minutes
  - var_accounts_authorized_local_users_regex=rhel8
  - var_accounts_passwords_pam_faillock_deny=3
From 1e7b1c85ca72c2c1ae089d5884d3c3f9feae0740 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 9 Aug 2023 11:47:45 +0200
Subject: [PATCH 2/3] Update sshd_approved_ciphers value for RHEL9 STIG Draft
---
 controls/srg_gpos.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
index 65d58d52915..1be70cf332e 100644
--- a/controls/srg_gpos.yml
+++ b/controls/srg_gpos.yml
@@ -20,7 +20,7 @@ controls:
  - var_password_hashing_algorithm=SHA512
  - var_password_pam_dictcheck=1
  - sshd_approved_macs=stig_extended
- - sshd_approved_ciphers=stig
+ - sshd_approved_ciphers=stig_extended
  - sshd_idle_timeout_value=10_minutes
  - var_accounts_authorized_local_users_regex=rhel8
  - var_account_disable_post_pw_expiration=35
From 051c1331a7795bd9746d15e96e66971340e51e47 Mon Sep 17 00:00:00 2001
From: Marcus Burghardt
Date: Wed, 9 Aug 2023 13:33:22 +0200
Subject: [PATCH 3/3] Update reference for profile stability tests
---
 tests/data/profile_stability/rhel8/stig.profile | 6 +++---
 tests/data/profile_stability/rhel8/stig_gui.profile | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
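Review bot: The new `sshd_approved_ciphers=stig_extended` selection in products/rhel8/profiles/stig.profile carries no pointer to the STIG release or rule that asks for it, and the commit message gives none either. The cipher list behind `stig_extended` is defined outside this patch, so a reader of the profile cannot tell which algorithms sshd will now accept; judging by the name it is a superset of `stig`, which should be confirmed against the variable definition before merging. I would add a comment above the line such as `# sshd ciphers: extended list per DISA STIG <release> (<rule ID>)`. The same applies to the identical change in controls/srg_gpos.yml in PATCH 2/3.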
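Review bot: controls/srg_gpos.yml is a control file rather than a product profile, so the switch to `sshd_approved_ciphers=stig_extended` here reaches every profile built from these controls, while the subject names only the RHEL9 STIG draft. If any other product consumes this file (not visible in the patch), its accepted sshd cipher set changes as well; it is worth confirming that this is intended and saying so in the commit message. The series refreshes profile-stability references only under tests/data/profile_stability/rhel8, so nothing in it pins the new value for profiles derived from this file. The `controls:` entry continues outside the hunk.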
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 3fe7cdf4ea0..7aabec8694a 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -1,6 +1,6 @@ description: 'This profile contains configuration checks that align to the - DISA STIG for Red Hat Enterprise Linux 8 V1R9. + DISA STIG for Red Hat Enterprise Linux 8 V1R11. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes @@ -22,7 +22,7 @@ description: 'This profile contains configuration checks that align to the - Red Hat Containers with a Red Hat Enterprise Linux 8 image' extends: null metadata: - version: V1R10 + version: V1R11 SMEs: - mab879 - ggbecker @@ -455,7 +455,7 @@ selections: - var_password_pam_retry=3 - var_sshd_set_keepalive=1 - sshd_approved_macs=stig_extended -- sshd_approved_ciphers=stig +- sshd_approved_ciphers=stig_extended - sshd_idle_timeout_value=10_minutes - var_accounts_authorized_local_users_regex=rhel8 - var_accounts_passwords_pam_faillock_deny=3 diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 66ada8588fe..bef14375366 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -1,6 +1,6 @@ description: 'This profile contains configuration checks that align to the - DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R9. + DISA STIG with GUI for Red Hat Enterprise Linux 8 V1R11. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes @@ -33,7 +33,7 @@ description: 'This profile contains configuration checks that align to the standard DISA STIG for Red Hat Enterprise Linux 8 profile.' extends: null metadata: - version: V1R10 + version: V1R11 SMEs: - mab879 - ggbecker 
@@ -463,7 +463,7 @@ selections:
 - var_password_pam_retry=3
 - var_sshd_set_keepalive=1
 - sshd_approved_macs=stig_extended
-- sshd_approved_ciphers=stig
+- sshd_approved_ciphers=stig_extended
 - sshd_idle_timeout_value=10_minutes
 - var_accounts_authorized_local_users_regex=rhel8
 - var_accounts_passwords_pam_faillock_deny=3