Adjust variables in product OL9

dconf_gdm_dir in product.yml
var_accounts_tmout in stig_ol9.yml
var_sudo_timestamp_timeout in stig_ol9.yml
section stig_ol9 in stig.profile

Signed-off-by: Armando Acosta <[email protected]>

controls/stig_ol9.yml

@@ -1823,14 +1823,6 @@ controls:
             - sshd_enable_pam
         status: automated
 
-    -   id: 255055
-        levels:
-            - medium
-        title: OL 9 SSH daemon must be configured to use system-wide crypto policies.
-        rules:
-            - configure_ssh_crypto_policy
-        status: automated
-
     -   id: 255060
         levels:
             - medium
@@ -1839,18 +1831,20 @@ controls:
             of SSH client connections.
         rules:
             - harden_sshd_ciphers_openssh_conf_crypto_policy
-            - sshd_approved_ciphers=stig_extended
+            - sshd_approved_ciphers=stig_ol9
         status: automated
 
-    -   id: 255065
-        levels:
-            - medium
-        title:
-            OL 9 must implement DOD-approved encryption ciphers to protect the confidentiality
-            of SSH server connections.
-        rules:
-            - harden_sshd_ciphers_opensshserver_conf_crypto_policy
-        status: automated
+#    -   id: 255065 #This rule is commented because there is a difference
+# in the OVAL file in the Ciphers variable that searches for the rule against what is in OL9.
+#        levels:
+#            - medium
+#        title:
+#            OL 9 must implement DOD-approved encryption ciphers to protect the confidentiality
+#            of SSH server connections.
+#        rules:
+#            - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+#            - sshd_approved_ciphers=stig_ol9
+#        status: automated
 
     -   id: 255070
         levels:
@@ -2566,6 +2560,7 @@ controls:
             15 minutes of inactivity.
         rules:
             - accounts_tmout
+            - var_accounts_tmout=15_min
         status: automated
 
     -   id: 412040
@@ -2711,6 +2706,7 @@ controls:
         title: OL 9 must require reauthentication when using the "sudo" command.
         rules:
             - sudo_require_reauthentication
+            - var_sudo_timestamp_timeout=always_prompt
         status: automated
 
     -   id: 432020

linux_os/guide/services/ssh/sshd_approved_ciphers.var

@@ -21,3 +21,4 @@ options:
     cis_sle15: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
     cis_ubuntu: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
     stig_ubuntu2204: aes256-ctr,[email protected],aes192-ctr,aes128-ctr,[email protected]
+    stig_ol9: [email protected],aes256-ctr,[email protected],aes128-ctr

linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var

@@ -24,6 +24,7 @@ interactive: true
 options:
     ol7: "^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$"
     ol8: "^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$"
+    ol9: "^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|fapolicyd|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-oom|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$"
     ol7forsap: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
     rhel7: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
     rhel8: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"

products/ol9/product.yml

@@ -17,6 +17,8 @@ pkg_manager: "yum"
 
 init_system: "systemd"
 
+dconf_gdm_dir: "local.d"
+
 faillock_path: "/var/log/faillock"
 
 pkg_release: "629e59ec"

products/ol9/profiles/stig.profile

@@ -8,16 +8,9 @@ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-s
 title: 'DRAFT - DISA STIG for Oracle Linux 9'
 
 description: |-
-    This is a draft profile based on its OL8 version for experimental purposes.
-    It is not based on the DISA STIG for OL9, because this one was not available at time of
-    the release.
+    This profile contains configuration checks that align to the
+    [DRAFT] DISA STIG for Oracle Linux 9.
+
 
 selections:
-  - srg_gpos:all
-  - var_accounts_authorized_local_users_regex=ol8
-  # Following rules once had a prodtype incompatible with the ol9 product
-  - '!package_subscription-manager_installed'
-  - '!file_owner_cron_deny'
-  - '!package_s-nail_installed'
-  - '!networkmanager_dns_mode'
-  - '!file_groupowner_cron_deny'
+  - stig_ol9:all

products/ol9/profiles/stig_gui.profile

@@ -8,9 +8,8 @@ reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-s
 title: 'DRAFT - DISA STIG with GUI for Oracle Linux 9'
 
 description: |-
-    This is a draft profile based on its OL8 version for experimental purposes.
-    It is not based on the DISA STIG for OL9, because this one was not available at time of
-    the release.
+    This profile contains configuration checks that align to the
+    [DRAFT] DISA STIG for Oracle Linux 9.
 
     Warning: The installation and use of a Graphical User Interface (GUI)
     increases your attack vector and decreases your overall security posture. If
@@ -22,15 +21,9 @@ extends: stig
 
 selections:
     # Unselect rules that remove packages required by "server with GUI" installation
-    # OL08-00-040320
+    # 215070
     - '!xwindows_remove_packages'
-
-    # SRG-OS-000480-GPOS-00227
-    - '!package_xorg-x11-server-common_removed'
-
-    # SRG-OS-000095-GPOS-00049
+    # 215025
     - '!package_nfs-utils_removed'
-
-    # Unselect to allow the system to start in graphical.target mode
-    # OL08-00-040321
+    # 211030
     - '!xwindows_runlevel_target'