Merge pull request #11479 from Mab879/update_rhel9_v1r2

Update RHEL 9 STIG to V1R2

controls/stig_rhel9.yml

@@ -2,7 +2,7 @@ policy: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
 title: 'Red Hat Enterprise Linux 9 Security Technical Implementation Guide'
 id: stig_rhel9
 source: https://public.cyber.mil/stigs/downloads/
-version: V1R1
+version: V1R2
 levels:
     -   id: high
     -   id: medium
@@ -1927,6 +1927,7 @@ controls:
             SSH traffic terminate after becoming unresponsive.
         rules:
             - sshd_set_keepalive
+            - var_sshd_set_keepalive=1
         status: automated
 
     -   id: RHEL-09-255100

linux_os/guide/services/rng/service_rngd_enabled/rule.yml

@@ -49,6 +49,16 @@ warnings:
       Consequently, the rngd service can't be started in FIPS mode.
 {{% endif %}}
 
+{{% if product == "rhel9" %}}
+platform: not runtime_kernel_fips_enabled
+warnings:
+  - general: |-
+      For RHEL 9 running with kernel FIPS mode enabled this rule is not applicable.
+      The in-kernel deterministic random bit generator (DRBG) is used in FIPS mode instead.
+      Consequently, the rngd service can't be started in FIPS mode.
+{{% endif %}}
+
+
 
 template:
     name: service_enabled

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/ansible/shared.yml

@@ -8,14 +8,14 @@
   ansible.builtin.find:
     paths: '/etc'
     patterns: 'bashrc'
-    contains: '.*case "$name" in sshd|login\) exec tmux ;; esac.*'
+    contains: '.*case "$name" in sshd|login\) tmux ;; esac.*'
   register: tmux_in_bashrc
 
 - name: "{{{ rule_title }}}: Determine If the Tmux Launch Script Is Present in /etc/profile.d/*.sh"
   ansible.builtin.find:
     paths: '/etc/profile.d'
     patterns: '*.sh'
-    contains: .*case "$name" in sshd|login\) exec tmux ;; esac.*
+    contains: .*case "$name" in sshd|login\) tmux ;; esac.*
   register: tmux_in_profile_d
 
 - name: "{{{ rule_title }}}: Insert the Correct Script into /etc/profile.d/tmux.sh"
@@ -25,7 +25,7 @@
       if [ "$PS1" ]; then
         parent=$(ps -o ppid= -p $$)
         name=$(ps -o comm= -p $parent)
-        case "$name" in sshd|login) exec tmux ;; esac
+        case "$name" in sshd|login) tmux ;; esac
       fi
     create: true
   when:

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/bash/shared.sh

@@ -4,12 +4,12 @@
 # complexity = low
 # disruption = low
 
-if ! grep -x '  case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
+if ! grep -x '  case "$name" in sshd|login) tmux ;; esac' /etc/bashrc; then
     cat >> /etc/profile.d/tmux.sh <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
+  case "$name" in sshd|login) tmux ;; esac
 fi
 EOF
     chmod 0644 /etc/profile.d/tmux.sh

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml

@@ -1,7 +1,7 @@
 <def-group>
   <definition class="compliance" id="configure_bashrc_exec_tmux" version="1">
     {{{ oval_metadata("Check if tmux is configured to exec at the end of bashrc.") }}}
-    <criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
+    <criteria comment="Check tmux configured at the end of bashrc" operator="AND">
       <criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
         test_ref="test_configure_bashrc_exec_tmux" />
     </criteria>
@@ -14,7 +14,7 @@
   <ind:textfilecontent54_object id="obj_configure_bashrc_exec_tmux" version="1">
     <ind:behaviors singleline="true" multiline="false" />
     <ind:filepath operation="pattern match">^/etc/bashrc$|^/etc/profile\.d/.*$</ind:filepath>
-    <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
+    <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) tmux ;; esac\nfi</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 </def-group>

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/rule.yml

@@ -40,7 +40,7 @@ ocil: |-
 
     <pre>$ sudo grep tmux /etc/bashrc /etc/profile.d/*
 
-    /etc/profile.d/tmux.sh:  case "$name" in (sshd|login) exec tmux ;; esac</pre>
+    /etc/profile.d/tmux.sh:  case "$name" in (sshd|login) tmux ;; esac</pre>
 
     Review the tmux script by using the following example:
 
@@ -49,7 +49,7 @@ ocil: |-
     if [ "$PS1" ]; then
     parent=$(ps -o ppid= -p $$)
     name=$(ps -o comm= -p $parent)
-    case "$name" in (sshd|login) exec tmux ;; esac
+    case "$name" in (sshd|login) tmux ;; esac
     fi</pre>
 
     If the shell file is not configured as the example above, is commented out, or is missing, this is a finding.
@@ -64,7 +64,7 @@ fixtext: |-
     if [ "$PS1" ]; then
         parent=$(ps -o ppid= -p $$)
         name=$(ps -o comm= -p $parent)
-        case "$name" in sshd|login) exec tmux ;; esac
+        case "$name" in sshd|login) tmux ;; esac
     fi
 
     Then, ensure a correct mode of /etc/profile.d/tmux.sh using this command:

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value.pass.sh

@@ -5,7 +5,7 @@ cat >> /etc/bashrc <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
+  case "$name" in sshd|login) tmux ;; esac
 fi
 EOF
 

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/correct_value_d_directory.pass.sh

@@ -6,7 +6,7 @@ cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
+  case "$name" in sshd|login) tmux ;; esac
 fi
 EOF
 

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/tests/duplicate_value_multiple_files.pass.sh

@@ -5,15 +5,15 @@ cat >> /etc/profile.d/00-complianceascode.conf <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
+  case "$name" in sshd|login) tmux ;; esac
 fi
 EOF
 
 cat >> /etc/bashrc <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
+  case "$name" in sshd|login) tmux ;; esac
 fi
 EOF
 

linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/policy/stig/shared.yml

@@ -20,5 +20,5 @@ checktext: |-
 fixtext: |-
     Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" system call by adding or updating the following rules in "/etc/audit/audit.rules" and adding the following rules to "/etc/audit/rules.d/perm_mod.rules" or updating the existing rules in files in the "/etc/audit/rules.d/" directory:
 
-    -a always,exit -F arch=b32 -S umount -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S umount -F auid>={{{ uid_min }}} -F auid!=unset -k perm_mod
+    -a always,exit -F arch=b32 -S umount -F auid>={{{ uid_min }}} -F auid!=unset -k privileged-umount
     The audit daemon must be restarted for the changes to take effect.

products/rhel9/profiles/stig.profile

@@ -1,7 +1,7 @@
 documentation_complete: true
 
 metadata:
-    version: V1R1
+    version: V1R2
     SMEs:
         - mab879
         - ggbecker
@@ -12,7 +12,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 9'
 
 description: |-
     This profile contains configuration checks that align to the
-    DISA STIG for Red Hat Enterprise Linux 9 V1R1.
+    DISA STIG for Red Hat Enterprise Linux 9 V1R2.
 
     In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this
     configuration baseline as applicable to the operating system tier of

products/rhel9/profiles/stig_gui.profile

@@ -1,7 +1,7 @@
 documentation_complete: true
 
 metadata:
-    version: V1R1
+    version: V1R2
     SMEs:
         - mab879
         - ggbecker
@@ -12,7 +12,7 @@ title: 'DISA STIG with GUI for Red Hat Enterprise Linux 9'
 
 description: |-
     This profile contains configuration checks that align to the
-    DISA STIG for Red Hat Enterprise Linux 9 V1R1.
+    DISA STIG for Red Hat Enterprise Linux 9 V1R2.
 
 
     In addition to being applicable to Red Hat Enterprise Linux 9, DISA recognizes this

shared/macros/01-general.jinja

@@ -1115,7 +1115,6 @@ p+i+n+u+g+s+b+acl+xattrs+sha512
     /usr/sbin/autrace {{{ aide_string() }}}
     {{% if 'rhel' not in product and 'ol' not in product %}}/usr/sbin/audispd {{{ aide_string() }}}{{% endif %}}
     {{% if 'ol' in product %}}/usr/sbin/rsyslogd {{{ aide_string() }}}{{% endif %}}
-    {{% if product == 'rhel9' %}}/usr/sbin/autrace {{{ aide_string() }}}{{% endif %}}
     /usr/sbin/augenrules {{{ aide_string() }}}
 {{% endmacro %}}