Merge pull request #11820 from mpurg/ubuntu_2204_stig_initial

Initial implementation of STIG V1R1 profile for Ubuntu 22.04 LTS

linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/rule.yml

@@ -14,3 +14,4 @@ severity: unknown
 
 references:
     stigid@ubuntu2004: UBTU-20-010438
+    stigid@ubuntu2204: UBTU-22-214010

linux_os/guide/services/base/service_kdump_disabled/rule.yml

@@ -44,6 +44,7 @@ references:
     stigid@sle12: SLES-12-010840
     stigid@sle15: SLES-15-040190
     stigid@ubuntu2004: UBTU-20-010413
+    stigid@ubuntu2204: UBTU-22-213015
 
 ocil_clause: |-
     {{{ ocil_clause_service_disabled(service="kdump") }}}

linux_os/guide/services/deprecated/package_telnetd_removed/rule.yml

@@ -25,6 +25,7 @@ references:
     nist: CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4
     stigid@ubuntu2004: UBTU-20-010405
+    stigid@ubuntu2204: UBTU-22-215035
 
 template:
     name: package_removed

linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml

@@ -98,6 +98,7 @@ references:
     stigid@sle12: SLES-12-030300
     stigid@sle15: SLES-15-010400
     stigid@ubuntu2004: UBTU-20-010435
+    stigid@ubuntu2204: UBTU-22-252010
 
 ocil_clause: '"maxpoll" has not been set to the value of "{{{ xccdf_value("var_time_service_set_maxpoll") }}}", is commented out, or is missing'
 

linux_os/guide/services/ntp/chronyd_sync_clock/rule.yml

@@ -20,6 +20,7 @@ references:
     disa: CCI-002046
     srg: SRG-OS-000356-GPOS-00144
     stigid@ubuntu2004: UBTU-20-010436
+    stigid@ubuntu2204: UBTU-22-252015
 
 ocil_clause: ''
 

linux_os/guide/services/ntp/package_chrony_installed/rule.yml

@@ -34,6 +34,7 @@ references:
     pcidss: Req-10.4
     srg: SRG-OS-000355-GPOS-00143
     stigid@ubuntu2004: UBTU-20-010435
+    stigid@ubuntu2204: UBTU-22-215015
 
 ocil_clause: 'the package is not installed'
 

linux_os/guide/services/obsolete/r_services/package_rsh-server_removed/rule.yml

@@ -39,6 +39,7 @@ references:
     stigid@rhel7: RHEL-07-020000
     stigid@rhel8: RHEL-08-040010
     stigid@ubuntu2004: UBTU-20-010406
+    stigid@ubuntu2204: UBTU-22-215030
 
 {{{ complete_ocil_entry_package(package="rsh-server") }}}
 

linux_os/guide/services/ssh/package_openssh-server_installed/rule.yml

@@ -33,6 +33,7 @@ references:
     stigid@rhel7: RHEL-07-040300
     stigid@rhel8: RHEL-08-040159
     stigid@ubuntu2004: UBTU-20-010042
+    stigid@ubuntu2204: UBTU-22-255010
 
 ocil_clause: 'the package is not installed'
 

linux_os/guide/services/ssh/service_sshd_enabled/rule.yml

@@ -44,6 +44,7 @@ references:
     stigid@sle12: SLES-12-030100
     stigid@sle15: SLES-15-010530
     stigid@ubuntu2004: UBTU-20-010042
+    stigid@ubuntu2204: UBTU-22-255015
 
 ocil: |-
     {{{ ocil_service_enabled(service="sshd") }}}

linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml

@@ -56,6 +56,7 @@ references:
     stigid@sle12: SLES-12-030150
     stigid@sle15: SLES-15-040440
     stigid@ubuntu2004: UBTU-20-010047
+    stigid@ubuntu2204: UBTU-22-255025
 
 {{{ complete_ocil_entry_sshd_option(default="yes", option="PermitEmptyPasswords", value="no") }}}
 

linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml

@@ -46,6 +46,7 @@ references:
     stigid@rhel8: RHEL-08-040340
     stigid@sle15: SLES-15-040290
     stigid@ubuntu2004: UBTU-20-010048
+    stigid@ubuntu2204: UBTU-22-255040
 
 {{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}}
 

linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml

@@ -51,6 +51,7 @@ references:
     stigid@sle12: SLES-12-030151
     stigid@sle15: SLES-15-040440
     stigid@ubuntu2004: UBTU-20-010047
+    stigid@ubuntu2204: UBTU-22-255025
 
 {{{ complete_ocil_entry_sshd_option(default="yes", option="PermitUserEnvironment", value="no") }}}
 

linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml

@@ -35,6 +35,7 @@ references:
     disa: CCI-000877
     srg: SRG-OS-000125-GPOS-00065
     stigid@ubuntu2004: UBTU-20-010035
+    stigid@ubuntu2204: UBTU-22-255065
 
 {{{ complete_ocil_entry_sshd_option(default="no", option="UsePAM", value="yes") }}}
 

linux_os/guide/services/ssh/ssh_server/sshd_enable_pubkey_auth/rule.yml

@@ -30,6 +30,7 @@ references:
     disa: CCI-000765,CCI-000766,CCI-000767,CCI-000768
     srg: SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055
     stigid@ubuntu2004: UBTU-20-010033
+    stigid@ubuntu2204: UBTU-22-612020
 
 {{{ complete_ocil_entry_sshd_option(default="no", option="PubkeyAuthentication", value="yes") }}}
 

linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner_net/rule.yml

@@ -43,6 +43,7 @@ references:
     ospp: FTA_TAB.1
     srg: SRG-OS-000023-GPOS-00006,SRG-OS-000228-GPOS-00088
     stigid@ubuntu2004: UBTU-20-010038
+    stigid@ubuntu2204: UBTU-22-255020
 
 {{{ complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue.net") }}}
 

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

@@ -62,6 +62,7 @@ references:
     stigid@sle12: SLES-12-030190
     stigid@sle15: SLES-15-010280
     stigid@ubuntu2004: UBTU-20-010037
+    stigid@ubuntu2204: UBTU-22-255035
 
 requires:
   {{% if product in ['ubuntu2004', 'ubuntu2204'] %}}

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml

@@ -54,6 +54,7 @@ references:
     stigid@sle12: SLES-12-030191
     stigid@sle15: SLES-15-010320
     stigid@ubuntu2004: UBTU-20-010036
+    stigid@ubuntu2204: UBTU-22-255030
 
 requires:
     - sshd_set_idle_timeout

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml

@@ -35,6 +35,7 @@ references:
     stigid@rhel7: RHEL-07-040110
     stigid@sle15: SLES-15-010160
     stigid@ubuntu2004: UBTU-20-010044
+    stigid@ubuntu2204: UBTU-22-255050
 
 ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
 

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml

@@ -52,6 +52,7 @@ references:
     stigid@sle12: SLES-12-030270
     stigid@sle15: SLES-15-040450
     stigid@ubuntu2004: UBTU-20-010045
+    stigid@ubuntu2204: UBTU-22-255060
 
 ocil_clause: 'KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order'
 

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml

@@ -28,6 +28,7 @@ references:
     stigid@rhel7: RHEL-07-040400
     stigid@sle15: SLES-15-010270
     stigid@ubuntu2004: UBTU-20-010043
+    stigid@ubuntu2204: UBTU-22-255055
 
 ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
 

linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml

@@ -41,6 +41,7 @@ references:
     stigid@rhel8: RHEL-08-040341
     stigid@sle12: SLES-12-030261
     stigid@ubuntu2004: UBTU-20-010049
+    stigid@ubuntu2204: UBTU-22-255045
 
 ocil_clause: "the display proxy is listening on wildcard address"
 

linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml

@@ -50,6 +50,7 @@ references:
     stigid@sle12: SLES-12-010680
     stigid@sle15: SLES-15-010500
     stigid@ubuntu2004: UBTU-20-010441
+    stigid@ubuntu2204: UBTU-22-631015
 
 ocil_clause: 'it does not exist or is not configured properly'
 

linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml

@@ -62,6 +62,7 @@ references:
     disa: CCI-000048,CCI-001384,CCI-001385,CCI-001386,CCI-001387,CCI-001388
     srg: SRG-OS-000023-GPOS-00006,SRG-OS-000228-GPOS-00088
     stigid@ubuntu2004: UBTU-20-010038
+    stigid@ubuntu2204: UBTU-22-255020
 
 ocil_clause: 'it does not display the required banner'
 

linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml

@@ -59,6 +59,7 @@ references:
     stigid@sle12: SLES-12-010040
     stigid@sle15: SLES-15-010080
     stigid@ubuntu2004: UBTU-20-010002
+    stigid@ubuntu2204: UBTU-22-271010
 
 ocil_clause: 'it is not'
 

linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml

@@ -63,6 +63,7 @@ references:
     stigid@sle12: SLES-12-010050
     stigid@sle15: SLES-15-010090
     stigid@ubuntu2004: UBTU-20-010003
+    stigid@ubuntu2204: UBTU-22-271015
 
 ocil_clause: 'it does not'
 

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml

@@ -58,6 +58,7 @@ references:
     stigid@sle12: SLES-12-010390
     stigid@sle15: SLES-15-020080
     stigid@ubuntu2004: UBTU-20-010453
+    stigid@ubuntu2204: UBTU-22-412015
 
 platform: package[pam]
 

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml

@@ -43,6 +43,7 @@ references:
     srg: SRG-OS-000077-GPOS-00045
     stigid@sle15: SLES-15-020250
     stigid@ubuntu2004: UBTU-20-010070
+    stigid@ubuntu2204: UBTU-22-611050
 
 ocil_clause: 'the value of remember is not equal to or greater than the expected value'
 

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml

@@ -27,6 +27,7 @@ references:
     stigid@sle12: SLES-12-010370
     stigid@sle15: SLES-15-040010
     stigid@ubuntu2004: UBTU-20-010075
+    stigid@ubuntu2204: UBTU-22-412010
 
 ocil_clause: 'the value of delay is not set properly or the line is commented or missing'
 

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_audit/rule.yml

@@ -21,6 +21,7 @@ references:
     stigid@ol8: OL08-00-020020,OL08-00-020021
     stigid@rhel8: RHEL-08-020021
     stigid@ubuntu2004: UBTU-20-010072
+    stigid@ubuntu2204: UBTU-22-411045
 
 {{% if product == "rhel8" %}}
 platform: os_linux[rhel]>=8.2

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml

@@ -59,6 +59,7 @@ references:
     stigid@rhel7: RHEL-07-010320
     stigid@rhel8: RHEL-08-020011
     stigid@ubuntu2004: UBTU-20-010072
+    stigid@ubuntu2204: UBTU-22-411045
 
 platform: package[pam]
 

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml

@@ -54,6 +54,7 @@ references:
     stigid@rhel7: RHEL-07-010320
     stigid@rhel8: RHEL-08-020012,RHEL-08-020013
     stigid@ubuntu2004: UBTU-20-010072
+    stigid@ubuntu2204: UBTU-22-411045
 
 platform: package[pam]
 

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/rule.yml

@@ -31,6 +31,7 @@ references:
     stigid@ol8: OL08-00-020018,OL08-00-020019
     stigid@rhel8: RHEL-08-020018,RHEL-08-020019
     stigid@ubuntu2004: UBTU-20-010072
+    stigid@ubuntu2204: UBTU-22-411045
 
 ocil_clause: 'the system shows messages when three unsuccessful logon attempts occur'
 

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml

@@ -61,6 +61,7 @@ references:
     stigid@rhel7: RHEL-07-010320
     stigid@rhel8: RHEL-08-020014,RHEL-08-020015
     stigid@ubuntu2004: UBTU-20-010072
+    stigid@ubuntu2204: UBTU-22-411045
 
 platform: package[pam]
 

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/rule.yml

@@ -50,6 +50,7 @@ references:
     stigid@sle12: SLES-12-010130
     stigid@sle15: SLES-15-020010
     stigid@ubuntu2004: UBTU-20-010072
+    stigid@ubuntu2204: UBTU-22-411045
 
 ocil_clause: 'the account option is missing or commented out'
 

linux_os/guide/system/accounts/accounts-pam/package_pam_pwquality_installed/rule.yml

@@ -29,6 +29,7 @@ references:
     disa: CCI-000366
     srg: SRG-OS-000480-GPOS-00225
     stigid@ubuntu2004: UBTU-20-010057
+    stigid@ubuntu2204: UBTU-22-215010
 
 ocil_clause: 'the package is not installed'
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dcredit/rule.yml

@@ -51,6 +51,7 @@ references:
     stigid@rhel7: RHEL-07-010140
     stigid@rhel8: RHEL-08-020130
     stigid@ubuntu2004: UBTU-20-010052
+    stigid@ubuntu2204: UBTU-22-611020
 
 ocil_clause: 'the value of "dcredit" is a positive number or is commented out'
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_dictcheck/rule.yml

@@ -32,6 +32,7 @@ references:
     stigid@ol8: OL08-00-020300
     stigid@rhel8: RHEL-08-020300
     stigid@ubuntu2004: UBTU-20-010056
+    stigid@ubuntu2204: UBTU-22-611030
 
 ocil_clause: '"dictcheck" does not have a value other than "0", or is commented out'
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml

@@ -49,6 +49,7 @@ references:
     stigid@rhel7: RHEL-07-010160
     stigid@rhel8: RHEL-08-020170
     stigid@ubuntu2004: UBTU-20-010053
+    stigid@ubuntu2204: UBTU-22-611040
 
 ocil_clause: 'the value of "difok" is set to less than "{{{ xccdf_value("var_password_pam_difok") }}}", or is commented out'
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_enforcing/rule.yml

@@ -31,6 +31,7 @@ references:
     disa: CCI-000366
     srg: SRG-OS-000480-GPOS-00225
     stigid@ubuntu2004: UBTU-20-010057
+    stigid@ubuntu2204: UBTU-22-611045
 
 ocil_clause: 'enforcing is not uncommented or configured correctly'
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_lcredit/rule.yml

@@ -51,6 +51,7 @@ references:
     stigid@rhel7: RHEL-07-010130
     stigid@rhel8: RHEL-08-020120
     stigid@ubuntu2004: UBTU-20-010051
+    stigid@ubuntu2204: UBTU-22-611015
 
 ocil_clause: 'the value of "lcredit" is a positive number or is commented out'
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml

@@ -51,6 +51,7 @@ references:
     stigid@rhel7: RHEL-07-010280
     stigid@rhel8: RHEL-08-020230
     stigid@ubuntu2004: UBTU-20-010054
+    stigid@ubuntu2204: UBTU-22-611035
 
 ocil_clause: 'the command does not return a "minlen" value of "{{{ xccdf_value("var_password_pam_minlen") }}}" or greater, does not return a line, or the line is commented out'
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml

@@ -52,6 +52,7 @@ references:
     stigid@rhel7: RHEL-07-010150
     stigid@rhel8: RHEL-08-020280
     stigid@ubuntu2004: UBTU-20-010055
+    stigid@ubuntu2204: UBTU-22-611025
 
 ocil_clause: 'value of "ocredit" is a positive number or is commented out'
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml

@@ -51,6 +51,7 @@ references:
     stigid@rhel7: RHEL-07-010119
     stigid@rhel8: RHEL-08-020104
     stigid@ubuntu2004: UBTU-20-010057
+    stigid@ubuntu2204: UBTU-22-611045
 
 ocil_clause: 'the value of "retry" is set to "0" or greater than "{{{ xccdf_value("var_password_pam_retry") }}}", or is missing'
 

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ucredit/rule.yml

@@ -48,6 +48,7 @@ references:
     stigid@rhel7: RHEL-07-010120
     stigid@rhel8: RHEL-08-020110
     stigid@ubuntu2004: UBTU-20-010050
+    stigid@ubuntu2204: UBTU-22-611010
 
 ocil_clause: 'the value of "ucredit" is a positive number or is commented out'
 

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml

@@ -48,6 +48,7 @@ references:
     stigid@sle12: SLES-12-010210
     stigid@sle15: SLES-15-010260
     stigid@ubuntu2004: UBTU-20-010404
+    stigid@ubuntu2204: UBTU-22-611070
 
 ocil_clause: 'ENCRYPT_METHOD is not set to {{{ xccdf_value("var_password_hashing_algorithm") }}}'
 

linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml

@@ -74,6 +74,7 @@ references:
     stigid@rhel8: RHEL-08-040172
     stigid@sle15: SLES-15-040062
     stigid@ubuntu2004: UBTU-20-010460
+    stigid@ubuntu2204: UBTU-22-211015
 
 ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.'
 

linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml

@@ -80,6 +80,7 @@ references:
     stigid@sle12: SLES-12-010610
     stigid@sle15: SLES-15-040060
     stigid@ubuntu2004: UBTU-20-010460
+    stigid@ubuntu2204: UBTU-22-211015
 
 ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed'
 

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml

@@ -40,6 +40,7 @@ references:
     stigid@sle12: SLES-12-010070
     stigid@sle15: SLES-15-010110
     stigid@ubuntu2004: UBTU-20-010005
+    stigid@ubuntu2204: UBTU-22-412025
 
 ocil_clause: 'the package is not installed'
 

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml

@@ -57,6 +57,7 @@ references:
     stigid@sle12: SLES-12-030500
     stigid@sle15: SLES-15-010460
     stigid@ubuntu2004: UBTU-20-010063
+    stigid@ubuntu2204: UBTU-22-612010
 
 ocil_clause: 'smartcard software is not installed'
 

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/package_opensc_installed/rule.yml

@@ -37,6 +37,7 @@ references:
     stigid@ol8: OL08-00-010410
     stigid@rhel8: RHEL-08-010410
     stigid@ubuntu2004: UBTU-20-010064
+    stigid@ubuntu2204: UBTU-22-612015
 
 ocil_clause: 'the package is not installed'