From 50b9e244fb1f7ac31bf0d135a2f8f4969e8f7ff6 Mon Sep 17 00:00:00 2001
From: Edgar Aguilar
Date: Wed, 30 Nov 2022 17:25:26 -0600
Subject: [PATCH] Changing a few harcoded OS names for full_name
Mainly RHEL, also including oracle linux specific info where missing
Signed-off-by: Edgar Aguilar
---
 .../fapolicyd/fapolicy_default_deny/rule.yml | 13 +++++++------
 .../policy/stig/shared.yml | 2 +-
 .../package_tmux_installed/policy/stig/shared.yml | 2 +-
 .../policy/stig/shared.yml | 2 +-
 .../audit_rules_immutable/policy/stig/shared.yml | 2 +-
 .../audit_rules_sudoers_d/rule.yml | 2 +-
 .../policy/stig/shared.yml | 2 +-
 .../policy/stig/shared.yml | 2 +-
 .../policy/stig/shared.yml | 2 +-
 .../files/file_permissions_ungroupowned/rule.yml | 2 +-
 .../permissions/restrictions/enable_nx/group.yml | 14 +++++++++++++-
 .../policy/stig/shared.yml | 2 +-
 .../policy/stig/shared.yml | 2 +-
 .../policy/stig/shared.yml | 2 +-
 .../policy/stig/shared.yml | 2 +-
 .../policy/stig/shared.yml | 2 +-
 .../policy/stig/shared.yml | 2 +-
 .../policy/stig/shared.yml | 2 +-
 .../policy/stig/shared.yml | 6 +++---
 .../policy/stig/shared.yml | 13 ++++++++++++-
 20 files changed, 51 insertions(+), 27 deletions(-)
diff --git a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
index 220801bc471..52c640e858b 100644
--- a/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
+++ b/linux_os/guide/services/fapolicyd/fapolicy_default_deny/rule.yml
@@ -41,11 +41,12 @@ ocil: |-
 Check that fapolicyd employs a deny-all policy on system mounts with the following commands:
- {{%- if product in ["rhel8"] %}}
- For RHEL 8.5 systems and older:
+ {{%- if product in ["ol8", "rhel8"] %}}
+ {{% set product_short_name = "OL" if "ol" in product else "RHEL" %}}
+ For {{{ product_short_name }}} 8.5 systems and older:
 $ sudo tail /etc/fapolicyd/fapolicyd.rules
- For RHEL 8.6 systems and newer:
+ For {{{ product_short_name }}} 8.6 systems and newer:
 {{%- endif %}}
 $ sudo tail /etc/fapolicyd/compiled.rules
@@ -60,11 +61,11 @@ fixtext: |-
 permissive = 1
- {{%- if product in ["rhel8"] %}}
- For RHEL 8.5 systems and older:
+ {{%- if product in ["ol8", "rhel8"] %}}
+ For {{{ product_short_name }}} 8.5 systems and older:
 Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all".
- For RHEL 8.6 systems and newer:
+ For {{{ product_short_name }}} 8.6 systems and newer:
 {{%- endif %}}
 Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all".
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml
index 8937276b124..1ef08a664bf 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml
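Review bot: The fixtext hunk (`@@ -60,11 +61,11 @@`) renders `{{{ product_short_name }}}` without ever setting it; it only works because the `{{% set %}}` added in the ocil hunk above leaks out of its `if` block (a Jinja2 `if` does not open a new scope), so the two sections are now coupled by render order and a later edit that removes or reorders the ocil branch would leave fixtext printing an empty name. Either hoist the `set` to the top of the rule so both sections read it, or repeat it inside the fixtext branch: `{{% set product_short_name = "OL" if product == "ol8" else "RHEL" %}}`. An equality test also avoids the `"ol" in product` substring check, which is harmless here only because the outer `product in ["ol8", "rhel8"]` guard bounds it.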
@@ -6,7 +6,7 @@ vuldiscussion: |- Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password. - RHEL 8 utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file. + {{{ full_name }}} utilizes "pwquality" as a mechanism to enforce password complexity. Configurations are set in the "etc/security/pwquality.conf" file. The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/policy/stig/shared.yml index d4fc7d20876..9cbcd3b928a 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_tmux_installed/policy/stig/shared.yml 
@@ -3,7 +3,7 @@ srg_requirement: |- vuldiscussion: |- A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, {{{ full_name }}} needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. Tmux is a terminal multiplexer that enables a number of terminals to be created, accessed, and controlled from a single screen. Red Hat endorses tmux as the recommended session controlling package. The "tmux" package allows for a session lock to be implemented and configured. diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/policy/stig/shared.yml index f99d8550023..e4071ca8897 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/policy/stig/shared.yml 
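Review bot: The new line names the product generically, but the context line two lines below, `Red Hat endorses tmux as the recommended session controlling package.`, still hard-codes the vendor, so an Oracle Linux build of this shared STIG text will describe the product generically in one sentence and cite a Red Hat endorsement in the next. Since the file is shared across products, template the vendor too, e.g. `{{{ vendor }}} endorses tmux as the recommended session controlling package.` with `vendor` set the way this commit does at the top of security_patches_up_to_date/policy/stig/shared.yml, or drop the endorsement sentence from the shared text.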
@@ -7,7 +7,7 @@ vuldiscussion: |- Configuring the smart card driver in use by your organization helps to prevent users from using unauthorized smart cards. checktext: |- - Verify that RHEL loads the cac driver with the following command: + Verify that {{{ full_name }}} loads the cac driver with the following command: $ grep card_drivers /etc/opensc.conf diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/policy/stig/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/policy/stig/shared.yml index 11978924eab..8828da2d85d 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/policy/stig/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/policy/stig/shared.yml @@ -4,7 +4,7 @@ srg_requirement: |- vuldiscussion: |- Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. - Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit RHEL 8 system activity. + Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit {{{ full_name }}} system activity. In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious activity and then put the audit rules back. A system reboot would be noticeable and a system administrator could then investigate the unauthorized changes. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml index 5e572d37e7a..7f32fc3d011 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sudoers_d/rule.yml 
@@ -38,7 +38,7 @@ references: ocil_clause: 'the command does not return a line, or the line is commented out' ocil: |- - Verify RHEL 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: + Verify {{{ full_name }}} generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/" with the following command: $ sudo auditctl -l | grep/etc/sudoers.d diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/policy/stig/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/policy/stig/shared.yml index 490ec537d13..879e9ae6fe2 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/policy/stig/shared.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/policy/stig/shared.yml 
@@ -6,7 +6,7 @@ vuldiscussion: |- Off-loading is a common process in information systems with limited audit storage capacity. - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + {{{ full_name }}} installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. "Rsyslog" supported authentication modes include: anon - anonymous authentication diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/policy/stig/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/policy/stig/shared.yml index a9fc02becc2..f727957f388 100644 --- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/policy/stig/shared.yml +++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdrivermode/policy/stig/shared.yml 
@@ -6,7 +6,7 @@ vuldiscussion: |- Off-loading is a common process in information systems with limited audit storage capacity. - RHEL 8 installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. + {{{ full_name }}} installation media provides "rsyslogd". "rsyslogd" is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with "gnutls" (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. "Rsyslog" supported authentication modes include: anon - anonymous authentication diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/policy/stig/shared.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/policy/stig/shared.yml index cc52593b3dc..7b7e1462bf9 100644 --- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/policy/stig/shared.yml +++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/policy/stig/shared.yml 
@@ -7,7 +7,7 @@ vuldiscussion: |- Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. - RHEL 8 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). + {{{ full_name }}} functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). checktext: |- Verify that "firewalld" is active with the following command: diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml index 882888160b0..e54c838ecbf 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml @@ -68,7 +68,7 @@ ocil: |-
$ sudo chgrp group file
fixtext: |- - Either remove all files and directories from RHEL 8 that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command: + Either remove all files and directories from {{{ full_name }}} that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command: $ sudo chgrp diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/group.yml b/linux_os/guide/system/permissions/restrictions/enable_nx/group.yml index b69ad696036..0946539a53e 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_nx/group.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_nx/group.yml 
@@ -4,4 +4,16 @@ title: |-
 Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems
-description: "Recent processors in the x86 family support the\nability to prevent code execution on a per memory page basis.\nGenerically and on AMD processors, this ability is called No\nExecute (NX), while on Intel processors it is called Execute\nDisable (XD). This ability can help prevent exploitation of buffer\noverflow vulnerabilities and should be activated whenever possible.\nExtra steps must be taken to ensure that this protection is\nenabled, particularly on 32-bit x86 systems. Other processors, such\nas Itanium and POWER, have included such support since inception\nand the standard kernel for those platforms supports the\nfeature. This is enabled by default on the latest Red Hat and \nFedora systems if supported by the hardware."
+description: |-
+ Recent processors in the x86 family support the
+ ability to prevent code execution on a per memory page basis.
+ Generically and on AMD processors, this ability is called No
+ Execute (NX), while on Intel processors it is called Execute
+ Disable (XD). This ability can help prevent exploitation of buffer
+ overflow vulnerabilities and should be activated whenever possible.
+ Extra steps must be taken to ensure that this protection is
+ enabled, particularly on 32-bit x86 systems. Other processors, such
+ as Itanium and POWER, have included such support since inception
+ and the standard kernel for those platforms supports the
+ feature. This is enabled by default on the latest Oracle Linux, Red Hat and
+ Fedora systems if supported by the hardware.
diff --git a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/policy/stig/shared.yml b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/policy/stig/shared.yml
index b8b7c939fc3..fd7072f6601 100644
--- a/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/policy/stig/shared.yml
+++ b/linux_os/guide/system/permissions/restrictions/poisoning/grub2_slub_debug_argument/policy/stig/shared.yml
@@ -25,7 +25,7 @@ checktext: |-
 If "slub_debug" is not set to "P", is missing or commented out, this is a finding.
 fixtext: |-
- Configure RHEL to enable poisoning of SLUB/SLAB objects with the following commands:
+ Configure {{{ full_name }}} to enable poisoning of SLUB/SLAB objects with the following commands:
 $ sudo grubby --update-kernel=ALL --args="slub_debug=P"
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_lock_screen_on_smartcard_removal/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_lock_screen_on_smartcard_removal/policy/stig/shared.yml
index 0313b207e0b..a6a4a0315bd 100644
--- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_lock_screen_on_smartcard_removal/policy/stig/shared.yml
+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_lock_screen_on_smartcard_removal/policy/stig/shared.yml
@@ -4,7 +4,7 @@ srg_requirement: |- vuldiscussion: |- A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. - The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, RHEL 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. + The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, {{{ full_name }}} needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. checktext: |- Verify {{{ full_name }}} disables ability of the user to override the smartcard removal action setting. diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/policy/stig/shared.yml index 0156fae89c2..cf25cdf6b12 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/policy/stig/shared.yml 
@@ -11,7 +11,7 @@ vuldiscussion: |- checktext: |- Verify {{{ full_name }}} initiates a session lock after a 15-minute period of inactivity for graphical user interfaces with the following command: - Note: This requirement assumes the use of the RHEL 0 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. + Note: This requirement assumes the use of the {{{ full_name }}} default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. $ sudo gsettings get org.gnome.desktop.session idle-delay diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/policy/stig/shared.yml index c020ad7884f..4dc6881b8a0 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/policy/stig/shared.yml @@ -8,7 +8,7 @@ vuldiscussion: |- checktext: |- Verify {{{ full_name }}} initiates a session lock a for graphical user interfaces when the screensaver is activated with the following command: - Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. + Note: This requirement assumes the use of the {{{ full_name }}} default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. $ gsettings get org.gnome.desktop.screensaver lock-delay 
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/policy/stig/shared.yml index fefbc7d691b..b5320bb76fb 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/policy/stig/shared.yml @@ -11,7 +11,7 @@ vuldiscussion: |- checktext: |- Verify {{{ full_name }}} enables a user's session lock until that user re-establishes access using established identification and authentication procedures with the following command: - Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. + Note: This requirement assumes the use of the {{{ full_name }}} default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. $ gsettings get org.gnome.desktop.screensaver lock-enabled diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/policy/stig/shared.yml index 9c4364cd20b..24381f3ca98 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/policy/stig/shared.yml 
@@ -11,7 +11,7 @@ vuldiscussion: |- checktext: |- Verify {{{ full_name }}} prevents a user from overriding settings for graphical user interfaces. - Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. + Note: This requirement assumes the use of the {{{ full_name }}} default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/policy/stig/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/policy/stig/shared.yml index 4e4fb97d0b9..c9e850f26d8 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/policy/stig/shared.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/policy/stig/shared.yml @@ -11,7 +11,7 @@ vuldiscussion: |- checktext: |- Verify {{{ full_name }}} prevents a user from overriding settings for graphical user interfaces. - Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. + Note: This requirement assumes the use of the {{{ full_name }}} default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: 
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/policy/stig/shared.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/policy/stig/shared.yml
index 421b35901e8..0b2e14f65f5 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/policy/stig/shared.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/policy/stig/shared.yml
@@ -4,14 +4,14 @@ srg_requirement: |-
 vuldiscussion: |-
 An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
+ {{% if "Red Hat" in full_name %}}
 Red Hat offers the Extended Update Support (EUS) ad-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.
+ {{% endif %}}
 checktext: |-
 Verify that the version or {{{ full_name }}} is vendor supported with the following command:
- $ cat /etc/redhat-release
-
- Red Hat Enterprise Linux release 9.0 (Plow)
+ $ grep PRETTY_NAME /etc/os-release
 If the installed version of {{{ full_name }}} is not supported, this is a finding.
diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/policy/stig/shared.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/policy/stig/shared.yml
index 64ec73fbb67..0e78bb5e9d8 100644
--- a/linux_os/guide/system/software/updating/security_patches_up_to_date/policy/stig/shared.yml
+++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/policy/stig/shared.yml
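Review bot: The new check `$ grep PRETTY_NAME /etc/os-release` drops the example release string and gives the assessor no stated way to decide whether the printed release is still vendor supported, so the closing "If the installed version ... is not supported, this is a finding." has nothing to compare against; add a sentence after the command such as `Compare the release shown against the vendor's published support lifecycle for {{{ full_name }}}.` The added `{{% if "Red Hat" in full_name %}}` guard keys on the display name, whereas the patches file in this same commit keys Oracle on `product`; settling on one convention (`product` ids, as the fapolicyd hunk does) keeps the shared STIG templates from breaking if `full_name` is ever reworded. While touching this block, the unchanged lines read `ad-on` for `add-on` and `version or` for `version of`.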
@@ -1,3 +1,10 @@
+{{% if "Red Hat" in full_name %}}
+{{% set vendor = "Red Hat" %}}
+{{% set url = "https://access.redhat.com/errata-search/" %}}
+{{% elif "ol" in product %}}
+{{% set vendor = "Oracle" %}}
+{{% set url = "https://linux.oracle.com/errata/" %}}
+{{% endif %}}
 srg_requirement: |-
 {{{ full_name }}} vendor packaged system security patches and updates must be installed and up to date.
@@ -11,7 +18,11 @@ vuldiscussion: |-
 checktext: |-
 Verify {{{ full_name }}} security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy.
- Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.
+ {{% if "Red Hat" in full_name or "ol" in product %}}
+ Obtain the list of available package security updates from {{{ vendor }}}. The URL for updates
+ is {{{ url }}}. It is important to note that updates provided by {{{ vendor }}} may not be
+ present on the system if the underlying packages are not installed.
+ {{% endif %}}
 Check that the available package security updates have been installed on the system with the following command:
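Review bot: `vendor` and `url` exist only on the branches of the new top-level `if`/`elif`, and the checktext hunk has to re-state the same condition (`{{% if "Red Hat" in full_name or "ol" in product %}}`) to avoid rendering undefined variables, so the two conditions can silently drift apart; guard the checktext on the variables themselves, `{{% if vendor is defined %}}`, or give the top-level block an `{{% else %}}` branch with a fallback. `"ol" in product` is an unbounded substring test at file scope here, unlike the fapolicyd hunk where it sits under a `product in ["ol8", "rhel8"]` guard, so any product id that merely contains `ol` would be labelled Oracle; `product.startswith("ol")` or an explicit list of the OL product ids states the intent. The block also keys Red Hat on `full_name` but Oracle on `product`; using one key for both would be simpler to maintain.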