Update RHEL 9 STIG to V2R2 #12551
Open: Mab879 wants to merge 6 commits into ComplianceAsCode:master from Mab879:rhel9_stig_v2r2 (+4,193 −4,585)
Mab879 added the New Rule, RHEL9, Update Profile and STIG labels on Oct 29, 2024
This datastream diff is auto generated by the check
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_crypto_policy
@@ -158,7 +158,7 @@
SV-258238r991554_rule
[reference]:
-SV-258241r987791_rule
+SV-258241r1017572_rule
[rationale]:
Centralized cryptographic policies simplify applying secure ciphers across an operating system and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
@@ -79,12 +79,6 @@
[reference]:
2.2
-[reference]:
-RHEL-09-255055
-
-[reference]:
-SV-257987r991554_rule
-
[rationale]:
Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
@@ -5,7 +5,6 @@
regexp: (?i)^\s*CRYPTO_POLICY.*$
tags:
- CCE-83445-7
- - DISA-STIG-RHEL-09-255055
- NIST-800-53-AC-17(2)
- NIST-800-53-AC-17(a)
- NIST-800-53-CM-6(a)
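Review bot: Removing the `DISA-STIG-RHEL-09-255055` tag here leaves that STIG ID without an Ansible tag unless the remediation for harden_sshd_ciphers_opensshserver_conf_crypto_policy gains it. The visible diff moves the RHEL-09-255055 reference to that rule but shows no matching ansible change for it. Please confirm the tag is generated there, so that tag-filtered playbook runs for RHEL-09-255055 still select a task.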
New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
@@ -46,7 +46,13 @@
SRG-OS-000250-GPOS-00093
[reference]:
+RHEL-09-255055
+
+[reference]:
RHEL-09-255065
+
+[reference]:
+SV-257987r1014852_rule
[reference]:
SV-257989r991554_rule
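Review bot: This rule now answers for two STIG IDs, RHEL-09-255055 and RHEL-09-255065, and configure_ssh_crypto_policy no longer reports against RHEL-09-255055. Please confirm that this rule's check covers everything the V2R2 check text for RHEL-09-255055 asks for, otherwise a scan can pass that ID on the cipher list alone. Also note that SV-257987 is added at r1014852 while SV-257989 stays at r991554; worth verifying the latter is unchanged in V2R2.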
New content has different text for rule 'xccdf_org.ssgproject.content_rule_encrypt_partitions'.
--- xccdf_org.ssgproject.content_rule_encrypt_partitions
+++ xccdf_org.ssgproject.content_rule_encrypt_partitions
@@ -233,7 +233,7 @@
RHEL-09-231190
[reference]:
-SV-257879r958872_rule
+SV-257879r1014836_rule
[rationale]:
The risk of a system's physical compromise, particularly mobile systems such as
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown
@@ -165,7 +165,7 @@
RHEL-09-271100
[reference]:
-SV-258029r991589_rule
+SV-258029r1014857_rule
[reference]:
SV-258030r991589_rule
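Review bot: Only one of the two SV references on this rule is bumped: SV-258029 moves to r1014857 while SV-258030 stays at r991589. Please check SV-258030 against the V2R2 manual benchmark to confirm its revision did not change, so the rule does not end up citing one current and one stale revision. The dconf_gnome_banner_enabled hunk shows the same shape with SV-258013r958390.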
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal
@@ -37,10 +37,10 @@
RHEL-09-271050
[reference]:
-SV-258019r997071_rule
+SV-258019r1015086_rule
[reference]:
-SV-258020r997072_rule
+SV-258020r1015087_rule
[rationale]:
Locking the screen automatically when removing the smartcard can
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -142,10 +142,10 @@
RHEL-09-271060
[reference]:
-SV-258021r997073_rule
+SV-258021r1015088_rule
[reference]:
-SV-258022r997074_rule
+SV-258022r1015089_rule
[rationale]:
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate'.
--- xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
+++ xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
@@ -147,7 +147,7 @@
RHEL-09-432025
[reference]:
-SV-258086r997081_rule
+SV-258086r1015095_rule
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd'.
--- xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
+++ xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
@@ -148,7 +148,7 @@
RHEL-09-611085
[reference]:
-SV-258106r997092_rule
+SV-258106r1015106_rule
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.
--- xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
+++ xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
@@ -46,7 +46,7 @@
RHEL-09-432015
[reference]:
-SV-258084r997080_rule
+SV-258084r1015094_rule
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_subscription-manager_installed'.
--- xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
+++ xccdf_org.ssgproject.content_rule_package_subscription-manager_installed
@@ -47,7 +47,7 @@
RHEL-09-215010
[reference]:
-SV-257825r997056_rule
+SV-257825r1015079_rule
[rationale]:
Red Hat Subscription Manager is a local service which tracks installed products
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
@@ -188,7 +188,7 @@
RHEL-09-214015
[reference]:
-SV-257820r997053_rule
+SV-257820r1015076_rule
[rationale]:
Changes to any software components can have significant effects on the
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages
@@ -113,7 +113,7 @@
RHEL-09-214020
[reference]:
-SV-257821r997054_rule
+SV-257821r1015077_rule
[rationale]:
Changes to any software components can have significant effects to the overall security
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled'.
--- xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
+++ xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled
@@ -182,7 +182,7 @@
RHEL-09-214025
[reference]:
-SV-257822r997055_rule
+SV-257822r1015078_rule
[rationale]:
Verifying the authenticity of the software prior to installation validates
New content has different text for rule 'xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed'.
--- xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
+++ xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed
@@ -201,7 +201,7 @@
RHEL-09-214010
[reference]:
-SV-257819r997052_rule
+SV-257819r1015075_rule
[rationale]:
Changes to software components can have significant effects on the overall
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
@@ -158,7 +158,7 @@
RHEL-09-271015
[reference]:
-SV-258012r958390_rule
+SV-258012r1014855_rule
[reference]:
SV-258013r958390_rule
New content has different text for rule 'xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo'.
--- xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo
+++ xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo
@@ -27,7 +27,7 @@
RHEL-09-611145
[reference]:
-SV-258118r997103_rule
+SV-258118r1015117_rule
[rationale]:
Without re-authentication, users may access resources or perform tasks for which they do not
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth'.
--- xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth
+++ xccdf_org.ssgproject.content_rule_account_password_pam_faillock_password_auth
@@ -21,7 +21,7 @@
RHEL-09-611035
[reference]:
-SV-258096r958388_rule
+SV-258096r1014883_rule
[rationale]:
If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth'.
--- xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth
+++ xccdf_org.ssgproject.content_rule_account_password_pam_faillock_system_auth
@@ -21,7 +21,7 @@
RHEL-09-611030
[reference]:
-SV-258095r958388_rule
+SV-258095r1014881_rule
[rationale]:
If the pam_faillock.so module is not loaded the system will not correctly lockout accounts to prevent
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit
@@ -232,7 +232,7 @@
RHEL-09-611070
[reference]:
-SV-258103r997089_rule
+SV-258103r1015103_rule
[rationale]:
Use of a complex password helps to increase the time and resources required
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_difok'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_difok
@@ -183,7 +183,7 @@
RHEL-09-611115
[reference]:
-SV-258112r997097_rule
+SV-258112r1015111_rule
[rationale]:
Use of a complex password helps to increase the time and resources
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
@@ -51,7 +51,7 @@
RHEL-09-611060
[reference]:
-SV-258101r997087_rule
+SV-258101r1015101_rule
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit
@@ -232,7 +232,7 @@
RHEL-09-611065
[reference]:
-SV-258102r997088_rule
+SV-258102r1015102_rule
[rationale]:
Use of a complex password helps to increase the time and resources required
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat
@@ -178,7 +178,7 @@
RHEL-09-611120
[reference]:
-SV-258113r997098_rule
+SV-258113r1015112_rule
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat
@@ -175,7 +175,7 @@
RHEL-09-611125
[reference]:
-SV-258114r997099_rule
+SV-258114r1015113_rule
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
@@ -237,7 +237,7 @@
RHEL-09-611130
[reference]:
-SV-258115r997100_rule
+SV-258115r1015114_rule
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
@@ -243,7 +243,7 @@
RHEL-09-611090
[reference]:
-SV-258107r997093_rule
+SV-258107r1015107_rule
[rationale]:
The shorter the password, the lower the number of possible combinations
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
@@ -225,7 +225,7 @@
RHEL-09-611100
[reference]:
-SV-258109r997095_rule
+SV-258109r1015109_rule
[rationale]:
Use of a complex password helps to increase the time and resources required
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth
@@ -24,7 +24,7 @@
RHEL-09-611040
[reference]:
-SV-258097r997084_rule
+SV-258097r1015098_rule
[rationale]:
Enabling PAM password complexity permits to enforce strong passwords and consequently
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth
@@ -18,7 +18,7 @@
RHEL-09-611045
[reference]:
-SV-258098r991589_rule
+SV-258098r1014887_rule
[rationale]:
Enabling PAM password complexity permits to enforce strong passwords and consequently
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_retry'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_retry
@@ -238,7 +238,7 @@
RHEL-09-611010
[reference]:
-SV-258091r997083_rule
+SV-258091r1015097_rule
[rationale]:
Setting the password retry prompts that are permitted on a per-session basis to a low value
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit
@@ -229,7 +229,7 @@
RHEL-09-611110
[reference]:
-SV-258111r997096_rule
+SV-258111r1015110_rule
[rationale]:
Use of a complex password helps to increase the time and resources required to compromise the password.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf
@@ -198,7 +198,7 @@
RHEL-09-611135
[reference]:
-SV-258116r997101_rule
+SV-258116r1015115_rule
[rationale]:
Passwords need to be protected at all times, and encryption is the standard method for
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
@@ -200,7 +200,7 @@
RHEL-09-611140
[reference]:
-SV-258117r997102_rule
+SV-258117r1015116_rule
[rationale]:
Passwords need to be protected at all times, and encryption is the standard method for
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
@@ -218,7 +218,7 @@
RHEL-09-671025
[reference]:
-SV-258233r997115_rule
+SV-258233r1015136_rule
[rationale]:
Passwords need to be protected at all times, and encryption is the standard method for
New content has different text for rule 'xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs'.
--- xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
+++ xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs
@@ -26,9 +26,6 @@
[reference]:
RHEL-09-611150
-[reference]:
-SV-258119r997104_rule
-
[rationale]:
Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
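Review bot: The SV-258119 reference is removed but the RHEL-09-611150 reference above it is kept, so the rule still claims a STIG ID with no matching SV entry. If the requirement was dropped in V2R2, the RHEL-09-611150 reference should go as well; if it still exists, the SV reference should be present at its new revision, as in the sibling set_password_hashing_algorithm_logindefs hunk. The accounts_password_minlen_login_defs (RHEL-09-611095) and configure_firewalld_ports (RHEL-09-251025) hunks have the same mismatch.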
New content has different text for rule 'xccdf_org.ssgproject.content_rule_logind_session_timeout'.
--- xccdf_org.ssgproject.content_rule_logind_session_timeout
+++ xccdf_org.ssgproject.content_rule_logind_session_timeout
@@ -308,7 +308,7 @@
RHEL-09-412080
[reference]:
-SV-258077r970703_rule
+SV-258077r1014874_rule
[rationale]:
Terminating an idle session within a short time period reduces the window of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_tmux_installed'.
--- xccdf_org.ssgproject.content_rule_package_tmux_installed
+++ xccdf_org.ssgproject.content_rule_package_tmux_installed
@@ -135,9 +135,6 @@
[reference]:
RHEL-09-412010
-[reference]:
-SV-258063r997079_rule
-
[rationale]:
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
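Review bot: This and the five tmux hunks that follow all drop their SV reference while keeping the RHEL-09-4120xx ID, which suggests the whole tmux session-lock family left the V2R2 mapping. If so, please state that in the PR description and remove the leftover RHEL-09-412010 through RHEL-09-412030 references, so reports built from this datastream do not attribute tmux findings to STIG IDs that are no longer checked.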
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_tmux'.
--- xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
+++ xccdf_org.ssgproject.content_rule_configure_bashrc_tmux
@@ -29,9 +29,6 @@
[reference]:
RHEL-09-412015
-[reference]:
-SV-258064r958404_rule
-
[rationale]:
Unlike bash itself, the tmux terminal multiplexer
provides a mechanism to lock sessions after period of inactivity.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time'.
--- xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time
+++ xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time
@@ -32,9 +32,6 @@
[reference]:
RHEL-09-412025
-[reference]:
-SV-258066r958402_rule
-
[rationale]:
Locking the session after a period of inactivity limits the
potential exposure if the session is left unattended.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_command'.
--- xccdf_org.ssgproject.content_rule_configure_tmux_lock_command
+++ xccdf_org.ssgproject.content_rule_configure_tmux_lock_command
@@ -41,9 +41,6 @@
[reference]:
RHEL-09-412020
-[reference]:
-SV-258065r958400_rule
-
[rationale]:
The tmux package allows for a session lock to be implemented and configured.
However, the session lock is implemented by an external command. The tmux
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding'.
--- xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding
+++ xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding
@@ -22,9 +22,6 @@
[reference]:
RHEL-09-412020
-[reference]:
-SV-258065r958400_rule
-
[rationale]:
The tmux package allows for a session lock to be implemented and configured.
However, the session lock is implemented by an external command. The tmux
New content has different text for rule 'xccdf_org.ssgproject.content_rule_no_tmux_in_shells'.
--- xccdf_org.ssgproject.content_rule_no_tmux_in_shells
+++ xccdf_org.ssgproject.content_rule_no_tmux_in_shells
@@ -37,9 +37,6 @@
[reference]:
RHEL-09-412030
-[reference]:
-SV-258067r958726_rule
-
[rationale]:
Not listing tmux among permitted shells
prevents malicious program running as user
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_opensc_installed'.
--- xccdf_org.ssgproject.content_rule_package_opensc_installed
+++ xccdf_org.ssgproject.content_rule_package_opensc_installed
@@ -35,7 +35,7 @@
RHEL-09-611185
[reference]:
-SV-258126r997110_rule
+SV-258126r1015124_rule
[rationale]:
Using an authentication device, such as a CAC or token that is separate from
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed'.
--- xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed
+++ xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed
@@ -29,7 +29,7 @@
RHEL-09-611175
[reference]:
-SV-258124r997108_rule
+SV-258124r1015122_rule
[rationale]:
The pcsc-lite package must be installed if it is to be available for
New content has different text for rule 'xccdf_org.ssgproject.content_rule_install_smartcard_packages'.
--- xccdf_org.ssgproject.content_rule_install_smartcard_packages
+++ xccdf_org.ssgproject.content_rule_install_smartcard_packages
@@ -44,7 +44,7 @@
RHEL-09-215075
[reference]:
-SV-257838r997057_rule
+SV-257838r1015080_rule
[rationale]:
Using an authentication device, such as a CAC or token that is separate from
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_pcscd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_pcscd_enabled
+++ xccdf_org.ssgproject.content_rule_service_pcscd_enabled
@@ -52,7 +52,7 @@
RHEL-09-611180
[reference]:
-SV-258125r997109_rule
+SV-258125r1015123_rule
[rationale]:
Using an authentication device, such as a CAC or token that is separate from
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers'.
--- xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers
+++ xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers
@@ -237,7 +237,7 @@
RHEL-09-611160
[reference]:
-SV-258121r997105_rule
+SV-258121r1015119_rule
[rationale]:
Smart card login provides two-factor authentication stronger than
New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration'.
--- xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
+++ xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration
@@ -284,7 +284,7 @@
RHEL-09-411050
[reference]:
-SV-258049r997078_rule
+SV-258049r1015092_rule
[rationale]:
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
@@ -205,7 +205,7 @@
RHEL-09-411010
[reference]:
-SV-258041r997076_rule
+SV-258041r1015090_rule
[rationale]:
Any password, no matter how complex, can eventually be cracked. Therefore, passwords
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs
@@ -196,7 +196,7 @@
RHEL-09-611075
[reference]:
-SV-258104r997090_rule
+SV-258104r1015104_rule
[rationale]:
Enforcing a minimum password lifetime helps to prevent repeated password
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs'.
--- xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
@@ -231,9 +231,6 @@
[reference]:
RHEL-09-611095
-[reference]:
-SV-258108r997094_rule
-
[rationale]:
Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing'.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
@@ -39,7 +39,7 @@
RHEL-09-411015
[reference]:
-SV-258042r997077_rule
+SV-258042r1015091_rule
[rationale]:
Any password, no matter how complex, can eventually be cracked. Therefore,
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing'.
--- xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
+++ xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
@@ -32,7 +32,7 @@
RHEL-09-611080
[reference]:
-SV-258105r997091_rule
+SV-258105r1015105_rule
[rationale]:
Enforcing a minimum password lifetime helps to prevent repeated password
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512'.
--- xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512
+++ xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512
@@ -43,7 +43,7 @@
RHEL-09-671015
[reference]:
-SV-258231r997114_rule
+SV-258231r1015135_rule
[rationale]:
Passwords need to be protected at all times, and encryption is the standard method for
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_password_auth
@@ -36,7 +36,7 @@
RHEL-09-611050
[reference]:
-SV-258099r997085_rule
+SV-258099r1015099_rule
[rationale]:
Using a higher number of rounds makes password cracking attacks more difficult.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth'.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_rounds_system_auth
@@ -34,7 +34,7 @@
RHEL-09-611055
[reference]:
-SV-258100r997086_rule
+SV-258100r1015100_rule
[rationale]:
Using a higher number of rounds makes password cracking attacks more difficult.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords'.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords
@@ -337,7 +337,7 @@
RHEL-09-611025
[reference]:
-SV-258094r991589_rule
+SV-258094r1014878_rule
[rationale]:
If an account has an empty password, anyone could log in and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su'.
--- xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
+++ xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
@@ -35,7 +35,7 @@
RHEL-09-432035
[reference]:
-SV-258088r997082_rule
+SV-258088r1015096_rule
[rationale]:
The su program allows to run commands with a substitute user and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout'.
--- xccdf_org.ssgproject.content_rule_accounts_tmout
+++ xccdf_org.ssgproject.content_rule_accounts_tmout
@@ -171,7 +171,7 @@
RHEL-09-412035
[reference]:
-SV-258068r970703_rule
+SV-258068r1014872_rule
[rationale]:
Terminating an idle session within a short time period reduces
New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_admin_username'.
--- xccdf_org.ssgproject.content_rule_grub2_admin_username
+++ xccdf_org.ssgproject.content_rule_grub2_admin_username
@@ -317,7 +317,7 @@
RHEL-09-212020
[reference]:
-SV-257789r958472_rule
+SV-257789r1014822_rule
[rationale]:
Having a non-default grub superuser username makes password-guessing attacks less effective.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_rsyslog_nolisten'.
--- xccdf_org.ssgproject.content_rule_rsyslog_nolisten
+++ xccdf_org.ssgproject.content_rule_rsyslog_nolisten
@@ -344,7 +344,7 @@
RHEL-09-652025
[reference]:
-SV-258143r991589_rule
+SV-258143r1014907_rule
[rationale]:
Any process which receives messages from the network incurs some risk of receiving malicious
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_firewalld_ports'.
--- xccdf_org.ssgproject.content_rule_configure_firewalld_ports
+++ xccdf_org.ssgproject.content_rule_configure_firewalld_ports
@@ -311,9 +311,6 @@
[reference]:
RHEL-09-251025
-[reference]:
-SV-257938r958480_rule
-
[rationale]:
In order to prevent unauthorized connection of devices, unauthorized transfer of information,
or unauthorized tunneling (i.e., embedding of data types within data types), organizations must
New content has different text for rule 'xccdf_org.ssgproject.content_rule_networkmanager_dns_mode'.
--- xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
+++ xccdf_org.ssgproject.content_rule_networkmanager_dns_mode
@@ -18,7 +18,7 @@
RHEL-09-252040
[reference]:
-SV-257949r991589_rule
+SV-257949r1014841_rule
[rationale]:
To ensure that DNS resolver settings are respected, a DNS mode in NetworkManager must be configured.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_autofs_disabled'.
--- xccdf_org.ssgproject.content_rule_service_autofs_disabled
+++ xccdf_org.ssgproject.content_rule_service_autofs_disabled
@@ -254,7 +254,7 @@
RHEL-09-231040
[reference]:
-SV-257849r958498_rule
+SV-257849r1014829_rule
[rationale]:
Disabling the automounter permits the administrator to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nodev'.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nodev
@@ -76,7 +76,7 @@
RHEL-09-231095
[reference]:
-SV-257860r958804_rule
+SV-257860r1014832_rule
[rationale]:
The only legitimate location for device files is the /dev directory
New content has different text for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid'.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid
@@ -83,7 +83,7 @@
RHEL-09-231100
[reference]:
-SV-257861r958804_rule
+SV-257861r1014834_rule
[rationale]:
The presence of SUID and SGID executables should be tightly controlled. Users
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled'.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled
@@ -25,7 +25,7 @@
RHEL-09-213020
[reference]:
-SV-257799r997051_rule
+SV-257799r1015074_rule
[rationale]:
Disabling kexec_load allows greater control of the kernel memory.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces'.
--- xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
+++ xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces
@@ -37,7 +37,7 @@
RHEL-09-213105
[reference]:
-SV-257816r991589_rule
+SV-257816r1014825_rule
[rationale]:
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled'.
--- xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled
+++ xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled
@@ -452,7 +452,7 @@
RHEL-09-232260
[reference]:
-SV-257932r991589_rule
+SV-257932r1014838_rule
[rationale]:
If a device file carries the SELinux type device_t or
New content has different text for rule 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay'.
--- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
+++ xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
@@ -17,7 +17,7 @@
RHEL-09-252050
[reference]:
-SV-257951r991589_rule
+SV-257951r1014843_rule
[rationale]:
If unrestricted mail relaying is permitted, unauthorized senders could use this
Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay'
--- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
+++ xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
@@ -1 +1 @@
-
+oval:ssg-package_postfix:def:1
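Review bot: Please confirm the new platform constraint is intended: the `+oval:ssg-package_postfix:def:1` line makes postfix_prevent_unrestricted_relay applicable only where the postfix package is installed, which changes scan results on hosts without it, unlike the reference-only bumps in the neighbouring hunks. A sentence in the PR description calling this out would help anyone comparing results across benchmark releases.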
New content has different text for rule 'xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems'.
--- xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems
+++ xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems
@@ -165,9 +165,6 @@
[reference]:
RHEL-09-231060
-[reference]:
-SV-257853r991589_rule
-
[rationale]:
When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle
requests from the remote user. The userid and groupid could mistakenly or maliciously be set
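Review bot: The `SV-257853r991589_rule` reference is removed with no newer revision in its place, while `RHEL-09-231060` directly above it is kept, so mount_option_krb_sec_remote_filesystems ends up with a STIG ID but no SV reference. If V2R2 dropped this item, the remaining RHEL-09-231060 reference looks stale and should be reviewed; if the item is still in the benchmark, the updated SV revision is missing here.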
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_chrony_installed'.
--- xccdf_org.ssgproject.content_rule_package_chrony_installed
+++ xccdf_org.ssgproject.content_rule_package_chrony_installed
@@ -47,7 +47,7 @@
RHEL-09-252010
[reference]:
-SV-257943r997065_rule
+SV-257943r1015081_rule
[rationale]:
Time synchronization is important to support time sensitive security mechanisms like
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_chronyd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_chronyd_enabled
+++ xccdf_org.ssgproject.content_rule_service_chronyd_enabled
@@ -29,7 +29,7 @@
RHEL-09-252015
[reference]:
-SV-257944r997066_rule
+SV-257944r1015082_rule
[rationale]:
If chrony is in use on the system proper configuration is vital to ensuring time
New content has different text for rule 'xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server'.
--- xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server
+++ xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server
@@ -59,7 +59,7 @@
RHEL-09-252020
[reference]:
-SV-257945r997067_rule
+SV-257945r1015083_rule
[rationale]:
If chrony is in use on the system proper configuration is vital to ensuring time
New content has different text for rule 'xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll'.
--- xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
+++ xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll
@@ -131,7 +131,7 @@
RHEL-09-252020
[reference]:
-SV-257945r997067_rule
+SV-257945r1015083_rule
[rationale]:
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_chronyd_server_directive'.
--- xccdf_org.ssgproject.content_rule_chronyd_server_directive
+++ xccdf_org.ssgproject.content_rule_chronyd_server_directive
@@ -30,7 +30,7 @@
RHEL-09-252020
[reference]:
-SV-257945r997067_rule
+SV-257945r1015083_rule
[rationale]:
Depending on the infrastructure being used the pool directive may not be supported.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode'.
--- xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
+++ xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode
@@ -378,9 +378,6 @@
[reference]:
RHEL-09-252055
-[reference]:
-SV-257952r991589_rule
-
[rationale]:
Using the -s option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally-specified directory
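Review bot: tftpd_uses_secure_mode loses `SV-257952r991589_rule` outright but still carries `RHEL-09-252055`. Can you confirm whether RHEL-09-252055 still exists in V2R2? If it was withdrawn, the leftover STIG ID reference will keep advertising a mapping that the benchmark no longer has.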
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -400,7 +400,7 @@
RHEL-09-255040
[reference]:
-SV-257984r958486_rule
+SV-257984r1014848_rule
[rationale]:
Configuring this setting for the SSH daemon provides additional assurance
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -442,7 +442,7 @@
RHEL-09-255045
[reference]:
-SV-257985r997069_rule
+SV-257985r1015085_rule
[rationale]:
Even though the communications channel may be encrypted, an additional layer of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -37,7 +37,7 @@
RHEL-09-255035
[reference]:
-SV-257983r997068_rule
+SV-257983r1015084_rule
[rationale]:
Without the use of multifactor authentication, the ease of access to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation'.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -194,9 +194,6 @@
[reference]:
RHEL-09-255170
-[reference]:
-SV-258010r991589_rule
-
[rationale]:
SSH daemon privilege separation causes the SSH process to drop root privileges
when not needed which would decrease the impact of software vulnerabilities in
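Review bot: The deletion of `SV-258010r991589_rule` leaves sshd_use_priv_separation referencing `RHEL-09-255170` without any SV entry. Either the SV reference should be replaced with its V2R2 revision, or, if the requirement was removed from the STIG, the RHEL-09-255170 reference should be dropped in the same change so the two stay consistent.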
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_certificate_verification'.
--- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
+++ xccdf_org.ssgproject.content_rule_sssd_certificate_verification
@@ -28,7 +28,7 @@
RHEL-09-611170
[reference]:
-SV-258123r997107_rule
+SV-258123r1015121_rule
[rationale]:
Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_certmap'.
--- xccdf_org.ssgproject.content_rule_sssd_enable_certmap
+++ xccdf_org.ssgproject.content_rule_sssd_enable_certmap
@@ -29,7 +29,7 @@
RHEL-09-631015
[reference]:
-SV-258132r958452_rule
+SV-258132r1014905_rule
[rationale]:
Without mapping the certificate used to authenticate to the user account, the ability to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards'.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -92,7 +92,7 @@
RHEL-09-611165
[reference]:
-SV-258122r997106_rule
+SV-258122r1015120_rule
[rationale]:
Using an authentication device, such as a CAC or token that is separate from
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor'.
--- xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor
+++ xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor
@@ -27,7 +27,7 @@
RHEL-09-631010
[reference]:
-SV-258131r997113_rule
+SV-258131r1015125_rule
[rationale]:
Without path validation, an informed trust decision by the relying party cannot be made when
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_usbguard_installed'.
--- xccdf_org.ssgproject.content_rule_package_usbguard_installed
+++ xccdf_org.ssgproject.content_rule_package_usbguard_installed
@@ -35,7 +35,7 @@
RHEL-09-291015
[reference]:
-SV-258035r997117_rule
+SV-258035r1014859_rule
[rationale]:
usbguard is a software framework that helps to protect
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_usbguard_enabled'.
--- xccdf_org.ssgproject.content_rule_service_usbguard_enabled
+++ xccdf_org.ssgproject.content_rule_service_usbguard_enabled
@@ -39,7 +39,7 @@
RHEL-09-291020
[reference]:
-SV-258036r997118_rule
+SV-258036r1014861_rule
[rationale]:
The usbguard service must be running in order to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend'.
--- xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
+++ xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
@@ -36,7 +36,7 @@
RHEL-09-291025
[reference]:
-SV-258037r958442_rule
+SV-258037r1014863_rule
[rationale]:
Using the Linux Audit logging allows for centralized trace
New content has different text for rule 'xccdf_org.ssgproject.content_rule_usbguard_generate_policy'.
--- xccdf_org.ssgproject.content_rule_usbguard_generate_policy
+++ xccdf_org.ssgproject.content_rule_usbguard_generate_policy
@@ -27,7 +27,7 @@
RHEL-09-291030
[reference]:
-SV-258038r958820_rule
+SV-258038r1017033_rule
[rationale]:
The usbguard must be configured to allow connected USB devices to work
New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_audit_installed'.
--- xccdf_org.ssgproject.content_rule_package_audit_installed
+++ xccdf_org.ssgproject.content_rule_package_audit_installed
@@ -219,7 +219,7 @@
RHEL-09-653010
[reference]:
-SV-258151r997050_rule
+SV-258151r1015126_rule
[rationale]:
The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_auditd_enabled
+++ xccdf_org.ssgproject.content_rule_service_auditd_enabled
@@ -560,7 +560,7 @@
RHEL-09-653015
[reference]:
-SV-258152r997058_rule
+SV-258152r1015127_rule
[rationale]:
Without establishing what type of events occurred, it would be difficult
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers'.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers
@@ -105,7 +105,7 @@
RHEL-09-654215
[reference]:
-SV-258217r997059_rule
+SV-258217r1015128_rule
[rationale]:
The actions taken by system administrators should be audited to keep a record
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d'.
--- xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
+++ xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d
@@ -105,7 +105,7 @@
RHEL-09-654220
[reference]:
-SV-258218r997060_rule
+SV-258218r1015129_rule
[rationale]:
The actions taken by system administrators should be audited to keep a record
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function'.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -77,7 +77,7 @@
RHEL-09-654010
[reference]:
-SV-258176r958730_rule
+SV-258176r1014909_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown
+++ xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown
@@ -153,7 +153,7 @@
RHEL-09-654265
[reference]:
-SV-258227r958424_rule
+SV-258227r1014992_rule
[rationale]:
It is critical for the appropriate personnel to be aware if a system
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
@@ -607,7 +607,7 @@
RHEL-09-654225
[reference]:
-SV-258219r997061_rule
+SV-258219r1015130_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
@@ -607,7 +607,7 @@
RHEL-09-654230
[reference]:
-SV-258220r997062_rule
+SV-258220r1015131_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
@@ -613,7 +613,7 @@
RHEL-09-654235
[reference]:
-SV-258221r997063_rule
+SV-258221r1015132_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
@@ -622,7 +622,7 @@
RHEL-09-654240
[reference]:
-SV-258222r997064_rule
+SV-258222r1015133_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
@@ -607,7 +607,7 @@
RHEL-09-654245
[reference]:
-SV-258223r997075_rule
+SV-258223r1015134_rule
[rationale]:
In addition to auditing new user and group accounts, these watches
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
@@ -454,7 +454,7 @@
RHEL-09-654015
[reference]:
-SV-258177r958412_rule
+SV-258177r1014911_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
@@ -457,7 +457,7 @@
RHEL-09-654020
[reference]:
-SV-258178r958412_rule
+SV-258178r1014913_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
@@ -454,7 +454,7 @@
RHEL-09-654015
[reference]:
-SV-258177r958412_rule
+SV-258177r1014911_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
@@ -454,7 +454,7 @@
RHEL-09-654015
[reference]:
-SV-258177r958412_rule
+SV-258177r1014911_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
@@ -460,7 +460,7 @@
RHEL-09-654020
[reference]:
-SV-258178r958412_rule
+SV-258178r1014913_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
@@ -457,7 +457,7 @@
RHEL-09-654020
[reference]:
-SV-258178r958412_rule
+SV-258178r1014913_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
@@ -485,7 +485,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
@@ -479,7 +479,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
@@ -457,7 +457,7 @@
RHEL-09-654020
[reference]:
-SV-258178r958412_rule
+SV-258178r1014913_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
@@ -491,7 +491,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
@@ -479,7 +479,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
@@ -490,7 +490,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
@@ -455,7 +455,7 @@
RHEL-09-654025
[reference]:
-SV-258179r958412_rule
+SV-258179r1014915_rule
[rationale]:
The changing of file permissions could indicate that a user is attempting to
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl
@@ -63,7 +63,7 @@
RHEL-09-654035
[reference]:
-SV-258181r958412_rule
+SV-258181r1014918_rule
[rationale]:
Without generating audit records that are specific to the security and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl
@@ -57,7 +57,7 @@
RHEL-09-654040
[reference]:
-SV-258182r958412_rule
+SV-258182r1014920_rule
[rationale]:
Without generating audit records that are specific to the security and
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
@@ -291,7 +291,7 @@
RHEL-09-654045
[reference]:
-SV-258183r958412_rule
+SV-258183r1014922_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage
@@ -306,7 +306,7 @@
RHEL-09-654050
[reference]:
-SV-258184r958412_rule
+SV-258184r1014924_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles
@@ -81,7 +81,7 @@
RHEL-09-654055
[reference]:
-SV-258185r958412_rule
+SV-258185r1014926_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool
@@ -279,7 +279,7 @@
RHEL-09-654060
[reference]:
-SV-258186r958412_rule
+SV-258186r1014928_rule
[rationale]:
Misuse of privileged functions, either intentionally or unintentionally by
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
@@ -449,7 +449,7 @@
RHEL-09-654065
[reference]:
-SV-258187r958412_rule
+SV-258187r1014930_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
@@ -449,7 +449,7 @@
RHEL-09-654065
[reference]:
-SV-258187r958412_rule
+SV-258187r1014930_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir
@@ -446,7 +446,7 @@
RHEL-09-654065
[reference]:
-SV-258187r958412_rule
+SV-258187r1014930_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink
@@ -449,7 +449,7 @@
RHEL-09-654065
[reference]:
-SV-258187r958412_rule
+SV-258187r1014930_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
+++ xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
@@ -449,7 +449,7 @@
RHEL-09-654065
[reference]:
-SV-258187r958412_rule
+SV-258187r1014930_rule
[rationale]:
Auditing file deletions will create an audit trail for files that are removed
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
@@ -433,7 +433,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
@@ -436,7 +436,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
@@ -436,7 +436,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at
@@ -424,7 +424,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
@@ -436,7 +436,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate'.
--- xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
+++ xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
@@ -436,7 +436,7 @@
RHEL-09-654070
[reference]:
-SV-258188r958412_rule
+SV-258188r1014932_rule
[rationale]:
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete'.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
@@ -416,7 +416,7 @@
RHEL-09-654075
[reference]:
-SV-258189r958412_rule
+SV-258189r1014934_rule
[rationale]:
The removal of kernel modules can be used to alter the behavior of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit'.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit
@@ -416,7 +416,7 @@
RHEL-09-654080
[reference]:
-SV-258190r958412_rule
+SV-258190r1014936_rule
[rationale]:
The addition/removal of kernel modules can be used to alter the behavior of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init'.
--- xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
+++ xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
@@ -416,7 +416,7 @@
RHEL-09-654080
[reference]:
-SV-258190r958412_rule
+SV-258190r1014936_rule
[rationale]:
The addition of kernel modules can be used to alter the behavior of
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
@@ -404,7 +404,7 @@
RHEL-09-654250
[reference]:
-SV-258224r958846_rule
+SV-258224r1014988_rule
[rationale]:
Manual editing of these files may indicate nefarious activity, such
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
@@ -431,7 +431,7 @@
RHEL-09-654255
[reference]:
-SV-258225r958412_rule
+SV-258225r1014990_rule
[rationale]:
Manual editing of these files may indicate nefarious activity, such
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_privileged_commands_init'.
--- xccdf_org.ssgproject.content_rule_audit_privileged_commands_init
+++ xccdf_org.ssgproject.content_rule_audit_privileged_commands_init
@@ -27,7 +27,7 @@
RHEL-09-654185
[reference]:
-SV-258211r991586_rule
+SV-258211r1014976_rule
[rationale]:
Misuse of the init command may cause availability issues for the system.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff'.
--- xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff
+++ xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff
@@ -27,7 +27,7 @@
RHEL-09-654190
[reference]:
-SV-258212r991586_rule
+SV-258212r1014978_rule
[rationale]:
Misuse of the poweroff command may cause availability issues for the system.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot'.
--- xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot
+++ xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot
@@ -27,7 +27,7 @@
RHEL-09-654195
[reference]:
-SV-258213r991586_rule
+SV-258213r1014980_rule
[rationale]:
Misuse of the reboot command may cause availability issues for the system.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown'.
--- xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown
+++ xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown
@@ -27,7 +27,7 @@
RHEL-09-654200
[reference]:
-SV-258214r991586_rule
+SV-258214r1017037_rule
[rationale]:
Misuse of the shutdown command may cause availability issues for the system.
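Review bot: The new suffix on the reference line, SV-258214r1017037_rule, is out of sequence with the sibling privileged-command rules in this same diff, which all moved from r991586 into one adjacent range (init r1014976, poweroff r1014978, reboot r1014980). That may simply reflect a later edit to this item, but please verify the value for RHEL-09-654200 against the V2R2 XCCDF to rule out a copy error.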
New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
@@ -303,7 +303,7 @@
RHEL-09-6
... The diff is trimmed here ... |