Merge pull request #11634 from Mab879/update_srg_gpos

Update SRG GPOS Control File
ComplianceAsCode · Mar 8, 2024 · 2c8422b · 2c8422b
2 parents 6644eae + 08c0c6e
commit 2c8422b
Show file tree

Hide file tree

Showing 38 changed files with 78 additions and 59 deletions.
diff --git a/controls/srg_gpos.yml b/controls/srg_gpos.yml
@@ -1,7 +1,7 @@
 policy: Security Requirements Guide - General Purpose Operating System
 title: Security Requirements Guide - General Purpose Operating System
 id: srg_gpos
-version: 'v2r3'
+version: 'v2r7'
 source: https://public.cyber.mil/stigs/downloads/
 controls_dir: srg_gpos
 levels:

diff --git a/controls/srg_gpos/SRG-OS-000024-GPOS-00007.yml b/controls/srg_gpos/SRG-OS-000024-GPOS-00007.yml
@@ -2,9 +2,12 @@ controls:
     -   id: SRG-OS-000024-GPOS-00007
         levels:
             - medium
-        title: {{{ full_name }}} must display the Standard Mandatory DoD Notice and Consent
-            Banner until users acknowledge the usage conditions and take explicit actions
-            to log on for further access via CLI and Graphical access.
+
+        title: |-
+          {{{ full_name }}} must display the Standard Mandatory DoD Notice and Consent Banner until
+          users acknowledge the usage conditions and take explicit actions to log on for
+          further access.
+
         status: does not meet
         rationale: |-
             The banner must be acknowledged by the user prior to allowing the user access to the operating system.

diff --git a/controls/srg_gpos/SRG-OS-000027-GPOS-00008.yml b/controls/srg_gpos/SRG-OS-000027-GPOS-00008.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000027-GPOS-00008
         levels:
-            - medium
+            - low
         title: {{{ full_name }}} must limit the number of concurrent sessions to ten
             for all accounts and/or account types.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000033-GPOS-00014.yml b/controls/srg_gpos/SRG-OS-000033-GPOS-00014.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000033-GPOS-00014
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must implement DoD-approved encryption to protect the
             confidentiality of remote access sessions.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000073-GPOS-00041.yml b/controls/srg_gpos/SRG-OS-000073-GPOS-00041.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000073-GPOS-00041
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must store only encrypted representations of passwords.
         rules:
             - accounts_password_pam_unix_rounds_password_auth

diff --git a/controls/srg_gpos/SRG-OS-000074-GPOS-00042.yml b/controls/srg_gpos/SRG-OS-000074-GPOS-00042.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000074-GPOS-00042
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must transmit only encrypted representations of passwords.
         rules:
             - package_vsftpd_removed

diff --git a/controls/srg_gpos/SRG-OS-000109-GPOS-00056.yml b/controls/srg_gpos/SRG-OS-000109-GPOS-00056.yml
@@ -2,7 +2,7 @@ controls:
     -   id: SRG-OS-000109-GPOS-00056
         levels:
             - medium
-        title: {{{ full_name }}}must require individuals to be authenticated with an
+        title: {{{ full_name }}} must require individuals to be authenticated with an
             individual authenticator prior to using a group authenticator.
         rules:
             - sshd_disable_root_login

diff --git a/controls/srg_gpos/SRG-OS-000113-GPOS-00058.yml b/controls/srg_gpos/SRG-OS-000113-GPOS-00058.yml
@@ -1,9 +1,10 @@
 controls:
     -   id: SRG-OS-000113-GPOS-00058
         levels:
-            - high
-        title: {{{ full_name }}} system must implement replay-resistant authentication mechanisms
-            for network access to non-privileged accounts.
+            - medium
+        title: {{{ full_name }}} must implement replay-resistant authentication mechanisms for
+         network access to non-privileged accounts.
+
         status: inherently met
         check: |-
             {{{ full_name }}} supports this requirement and cannot be configured to be out of compliance.

diff --git a/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml b/controls/srg_gpos/SRG-OS-000125-GPOS-00065.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000125-GPOS-00065
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must employ strong authenticators in the establishment
             of nonlocal maintenance and diagnostic sessions.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000191-GPOS-00080.yml b/controls/srg_gpos/SRG-OS-000191-GPOS-00080.yml
@@ -2,14 +2,15 @@ controls:
     -   id: SRG-OS-000191-GPOS-00080
         levels:
             - medium
-        title: '{{{ full_name }}} must employ automated mechanisms to determine the state
-                of system components with regard to flaw remediation using the following frequency:
-                continuously, where ESS is used; 30 days, for any additional internal network
-                scans not cover'
-        status: does not meet
+        title: |-
+            {{{ full_name }}} must employ automated mechanisms to determine the state of system
+            components with regard to flaw remediation using the following frequency:
+            continuously, 30 days, and annually, for external scans by Computer Network
+            Defense Service Provider (CNDSP).
+
         rationale: |-
             Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws.
-        
+
             To support this requirement, the operating system may have an integrated solution incorporating continuous scanning using ESS and periodic scanning using other tools, as specified in the requirement.
         status_justification:
             {{{ full_name }}} does not have configuration options to meet this requirement.
@@ -21,5 +22,6 @@ controls:
             An appropriate mitigation for the system must be implemented, but this finding cannot be considered fixed.
         mitigation:
             A third-party software will be needed to meet this requirement e.g. McAfee policy auditor.
-        
+
             Although the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.
+
diff --git a/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml b/controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml
@@ -10,3 +10,6 @@ controls:
             - banner_etc_issue
             - dconf_gnome_banner_enabled
         status: automated
+
+title: |-
+    Any publically accessible connection to the operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
diff --git a/controls/srg_gpos/SRG-OS-000250-GPOS-00093.yml b/controls/srg_gpos/SRG-OS-000250-GPOS-00093.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000250-GPOS-00093
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must implement cryptography to protect the integrity
             of remote access sessions.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000274-GPOS-00104.yml b/controls/srg_gpos/SRG-OS-000274-GPOS-00104.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000274-GPOS-00104
         levels:
-            - low
+            - medium
         title: {{{ full_name }}} must notify system administrators and ISSOs when accounts
             are created.
         status: does not meet

diff --git a/controls/srg_gpos/SRG-OS-000275-GPOS-00105.yml b/controls/srg_gpos/SRG-OS-000275-GPOS-00105.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000275-GPOS-00105
         levels:
-            - low
+            - medium
         title: {{{ full_name }}} must notify system administrators and ISSOs when accounts
             are modified.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000278-GPOS-00108.yml b/controls/srg_gpos/SRG-OS-000278-GPOS-00108.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000278-GPOS-00108
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must use cryptographic mechanisms to protect the integrity
             of audit tools.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000324-GPOS-00125.yml b/controls/srg_gpos/SRG-OS-000324-GPOS-00125.yml
@@ -1,10 +1,12 @@
 controls:
     -   id: SRG-OS-000324-GPOS-00125
         levels:
-            - medium
-        title: {{{ full_name }}} must prevent non-privileged users from executing privileged
-            functions to include disabling, circumventing, or altering implemented security
+            - high
+        title: |-
+            {{{ full_name }}} must prevent nonprivileged users from executing privileged functions
+            to include disabling, circumventing, or altering implemented security
             safeguards/countermeasures.
+
         rules:
             - disable_ctrlaltdel_burstaction
             - disable_ctrlaltdel_reboot

diff --git a/controls/srg_gpos/SRG-OS-000341-GPOS-00132.yml b/controls/srg_gpos/SRG-OS-000341-GPOS-00132.yml
@@ -1,10 +1,12 @@
 controls:
     -   id: SRG-OS-000341-GPOS-00132
         levels:
-            - medium
-        title: {{{ full_name }}} must allocate audit record storage capacity to store
-            at least one weeks worth of audit records, when audit records are not immediately
-            sent to a central audit record storage facility.
+            - low
+        title: |-
+            {{{ full_name }}} must allocate audit record storage capacity to store at least
+            one week's worth of audit records, when audit records are not immediately sent to a
+            central audit record storage facility.
+
         rules:
             - grub2_audit_backlog_limit_argument
             - partition_for_var_log_audit

diff --git a/controls/srg_gpos/SRG-OS-000342-GPOS-00133.yml b/controls/srg_gpos/SRG-OS-000342-GPOS-00133.yml
@@ -1,9 +1,9 @@
 controls:
     -   id: SRG-OS-000342-GPOS-00133
         levels:
-            - medium
-        title: {{{ full_name }}} must off-load audit records onto a different system
-            or media from the system being audited.
+            - low
+        title: {{{ full_name }}} must offload audit records onto a different system or media from
+            the system being audited.
         rules:
             - auditd_name_format
             - auditd_overflow_action

diff --git a/controls/srg_gpos/SRG-OS-000343-GPOS-00134.yml b/controls/srg_gpos/SRG-OS-000343-GPOS-00134.yml
@@ -1,9 +1,9 @@
 controls:
     -   id: SRG-OS-000343-GPOS-00134
         levels:
-            - medium
+            - low
         title: {{{ full_name }}} must immediately notify the SA and ISSO (at a minimum)
-            when allocated audit record storage volume reaches 75% of the repository maximum
+            when allocated audit record storage volume reaches 75 percent of the repository maximum
             audit record storage capacity.
         rules:
             - auditd_data_retention_action_mail_acct

diff --git a/controls/srg_gpos/SRG-OS-000348-GPOS-00136.yml b/controls/srg_gpos/SRG-OS-000348-GPOS-00136.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000348-GPOS-00136
         levels:
-            - medium
+            - low
         title: {{{ full_name }}} must provide an audit reduction capability that supports
             on-demand audit review and analysis.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000349-GPOS-00137.yml b/controls/srg_gpos/SRG-OS-000349-GPOS-00137.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000349-GPOS-00137
         levels:
-            - medium
+            - low
         title: {{{ full_name }}} must provide an audit reduction capability that supports
             after-the-fact investigations of security incidents.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000350-GPOS-00138.yml b/controls/srg_gpos/SRG-OS-000350-GPOS-00138.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000350-GPOS-00138
         levels:
-            - medium
+            - low
         title: {{{ full_name }}} must provide a report generation capability that supports
             on-demand audit review and analysis.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000351-GPOS-00139.yml b/controls/srg_gpos/SRG-OS-000351-GPOS-00139.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000351-GPOS-00139
         levels:
-            - medium
+            - low
         title: {{{ full_name }}} must provide a report generation capability that supports
             on-demand reporting requirements.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000352-GPOS-00140.yml b/controls/srg_gpos/SRG-OS-000352-GPOS-00140.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000352-GPOS-00140
         levels:
-            - medium
+            - low
         title: {{{ full_name }}} must provide a report generation capability that supports
             after-the-fact investigations of security incidents.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000359-GPOS-00146.yml b/controls/srg_gpos/SRG-OS-000359-GPOS-00146.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000359-GPOS-00146
         levels:
-            - medium
+            - low
         title: {{{ full_name }}} must record time stamps for audit records that can be
             mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml b/controls/srg_gpos/SRG-OS-000366-GPOS-00153.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000366-GPOS-00153
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must prevent the installation of patches, service packs,
             device drivers, or operating system components without verification they have
             been digitally signed using a certificate that is recognized and approved by the

diff --git a/controls/srg_gpos/SRG-OS-000393-GPOS-00173.yml b/controls/srg_gpos/SRG-OS-000393-GPOS-00173.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000393-GPOS-00173
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must implement cryptographic mechanisms to protect the
             integrity of nonlocal maintenance and diagnostic communications, when used for
             nonlocal maintenance sessions.

diff --git a/controls/srg_gpos/SRG-OS-000394-GPOS-00174.yml b/controls/srg_gpos/SRG-OS-000394-GPOS-00174.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000394-GPOS-00174
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must implement cryptographic mechanisms to protect the
             confidentiality of nonlocal maintenance and diagnostic communications, when used
             for nonlocal maintenance sessions.

diff --git a/controls/srg_gpos/SRG-OS-000395-GPOS-00175.yml b/controls/srg_gpos/SRG-OS-000395-GPOS-00175.yml
@@ -2,11 +2,9 @@ controls:
     -   id: SRG-OS-000395-GPOS-00175
         levels:
             - medium
-        title: The {{{ full_name}}} must verify remote disconnection at the termination
-            of nonlocal maintenance and diagnostic sessions, when used for nonlocal maintenance
-            sessions.
-        rationale:
-            If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session. 
+        title: {{{ full_name }}} must verify remote disconnection at the termination of
+            nonlocal maintenance and diagnostic sessions, when used for nonlocal maintenance sessions.
+            If the remote connection is not closed and verified as closed, the session may remain open and be exploited by an attacker; this is referred to as a zombie session.
             Remote connections must be disconnected and verified as disconnected when nonlocal maintenance sessions have been terminated and are no longer available for use.
         check:
           {{{ full_name }}} supports this requirement and cannot be configured to be out of compliance.
@@ -15,7 +13,7 @@ controls:
             {{{ full_name }}} inherently meets this requirement. No fix is required.
         artifact_description:
             When a process terminates, Linux kernel executes the kernel/exit.c:do_exit() function which indirectly calls fs/file.c:close_files().
-            The latter iterates over all file descriptors of the process and close them. 
+            The latter iterates over all file descriptors of the process and close them.
             Since a socket also receives a file descriptor, the kernel close those, as well.
         status_justification:
             The use of the "exit" command will end any communication session on the system.

diff --git a/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml b/controls/srg_gpos/SRG-OS-000396-GPOS-00176.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000396-GPOS-00176
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must implement NSA-approved cryptography to protect
             classified information in accordance with applicable federal laws, Executive Orders,
             directives, policies, regulations, and standards.

diff --git a/controls/srg_gpos/SRG-OS-000404-GPOS-00183.yml b/controls/srg_gpos/SRG-OS-000404-GPOS-00183.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000404-GPOS-00183
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must implement cryptographic mechanisms to prevent unauthorized
             modification of all information at rest on all operating system components.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000405-GPOS-00184.yml b/controls/srg_gpos/SRG-OS-000405-GPOS-00184.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000405-GPOS-00184
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must implement cryptographic mechanisms to prevent unauthorized
             disclosure of all information at rest on all operating system components.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000423-GPOS-00187.yml b/controls/srg_gpos/SRG-OS-000423-GPOS-00187.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000423-GPOS-00187
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must protect the confidentiality and integrity of transmitted
             information.
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000424-GPOS-00188.yml b/controls/srg_gpos/SRG-OS-000424-GPOS-00188.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000424-GPOS-00188
         levels:
-            - medium
+            - high
         title: {{{ full_name }}} must implement cryptographic mechanisms to prevent unauthorized
             disclosure of information and/or detect changes to information during transmission
             unless otherwise protected by alternative physical safeguards, such as, at a minimum,

diff --git a/controls/srg_gpos/SRG-OS-000439-GPOS-00195.yml b/controls/srg_gpos/SRG-OS-000439-GPOS-00195.yml
@@ -0,0 +1,8 @@
+controls:
+    -   id: SRG-OS-000439-GPOS-00195
+        levels:
+            - medium
+        title: The operating system must install security-relevant software updates within
+            the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and
+            STIGs).
+        status: pending
diff --git a/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml b/controls/srg_gpos/SRG-OS-000478-GPOS-00223.yml
@@ -1,7 +1,7 @@
 controls:
     -   id: SRG-OS-000478-GPOS-00223
         levels:
-            - medium
+            - high
         title: '{{{ full_name }}} must implement NIST FIPS-validated cryptography for
     the following: to provision digital signatures, to generate cryptographic hashes,
     and to protect unclassified information requiring confidentiality and cryptographic