diff initial report

controls/SV-230221.rb

@@ -36,6 +36,7 @@
 If the release is not supported by the vendor, this is a finding.'
   desc 'fix', 'Upgrade to a supported version of RHEL 8.'
   impact 0.7
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'high'
   tag gtitle: 'SRG-OS-000480-GPOS-00227'
   tag gid: 'V-230221'

controls/SV-230222.rb

@@ -44,6 +44,7 @@
   desc 'fix', 'Install the operating system patches or updated packages
     available from Red Hat within 30 days or sooner as local policy dictates.'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000480-GPOS-00227'
   tag gid: 'V-230222'

controls/SV-230223.rb

@@ -33,6 +33,7 @@
 
 Reboot the system for the changes to take effect.'
   impact 0.7
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'high'
   tag gtitle: 'SRG-OS-000033-GPOS-00014'
   tag satisfies: ['SRG-OS-000033-GPOS-00014', 'SRG-OS-000125-GPOS-00065', 'SRG-OS-000396-GPOS-00176', 'SRG-OS-000423-GPOS-00187', 'SRG-OS-000478-GPOS-00223']

controls/SV-230224.rb

@@ -30,6 +30,7 @@
     because existing partitions will need to be resized and changed. To encrypt an
     entire partition, dedicate a partition for encryption in the partition layout.'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000185-GPOS-00079'
   tag satisfies: ['SRG-OS-000185-GPOS-00079', 'SRG-OS-000404-GPOS-00183', 'SRG-OS-000405-GPOS-00184']

controls/SV-230225.rb

@@ -1,11 +1,10 @@
 control 'SV-230225' do
-  title 'RHEL 8 must display the Standard Mandatory DoD Notice and Consent
-Banner before granting local or remote access to the system via a ssh logon.'
+  title 'RHEL 8 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a ssh logon.'
   desc %q(Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
 
 System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
 
-The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
+The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
 
 "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
 
@@ -24,20 +23,21 @@
 Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
 
 "I've read & consent to terms in IS user agreem't.")
-  desc 'check', 'Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
+  desc 'check', %q(Verify any publicly accessible connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system.
 
 Check for the location of the banner file being used with the following command:
 
-$ sudo grep -ir banner /etc/ssh/sshd_config*
+$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*banner'
 
 banner /etc/issue
 
 This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue").
 
 If the line is commented out, this is a finding.
+
 If conflicting results are returned, this is a finding.
 
-View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner:
+View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DOD Notice and Consent Banner:
 
 "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
 
@@ -51,57 +51,39 @@
 
 -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
 
-If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
+If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
 
-If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.'
-  desc 'fix', 'Configure the operating system to display the Standard Mandatory DoD Notice
-and Consent Banner before granting access to the system via the ssh.
+If the text in the file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.)
+  desc 'fix', 'Configure the operating system to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the ssh.
 
-    Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and
-configure it to point to a file that will contain the logon banner (this file
-may be named differently or be in a different location if using a version of
-SSH that is provided by a third-party vendor). An example configuration line is:
+Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:
 
-    banner /etc/issue
+banner /etc/issue
 
-    Either create the file containing the banner or replace the text in the
-file with the Standard Mandatory DoD Notice and Consent Banner. The
-DoD-required text is:
+Either create the file containing the banner or replace the text in the file with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is:
 
-    "You are accessing a U.S. Government (USG) Information System (IS) that is
-provided for USG-authorized use only. By using this IS (which includes any
-device attached to this IS), you consent to the following conditions:
+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
 
-    -The USG routinely intercepts and monitors communications on this IS for
-purposes including, but not limited to, penetration testing, COMSEC monitoring,
-network operations and defense, personnel misconduct (PM), law enforcement
-(LE), and counterintelligence (CI) investigations.
+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
 
-    -At any time, the USG may inspect and seize data stored on this IS.
+-At any time, the USG may inspect and seize data stored on this IS.
 
-    -Communications using, or data stored on, this IS are not private, are
-subject to routine monitoring, interception, and search, and may be disclosed
-or used for any USG-authorized purpose.
+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
 
-    -This IS includes security measures (e.g., authentication and access
-controls) to protect USG interests--not for your personal benefit or privacy.
+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
 
-    -Notwithstanding the above, using this IS does not constitute consent to
-PM, LE or CI investigative searching or monitoring of the content of privileged
-communications, or work product, related to personal representation or services
-by attorneys, psychotherapists, or clergy, and their assistants. Such
-communications and work product are private and confidential. See User
-Agreement for details."
+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
 
-    The SSH service must be restarted for changes to take effect.'
+The SSH service must be restarted for changes to take effect.'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000023-GPOS-00006'
   tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']
   tag gid: 'V-230225'
-  tag rid: 'SV-230225r858694_rule'
+  tag rid: 'SV-230225r951590_rule'
   tag stig_id: 'RHEL-08-010040'
-  tag fix_id: 'F-32869r567422_fix'
+  tag fix_id: 'F-32869r951589_fix'
   tag cci: ['CCI-000048']
   tag nist: ['AC-8 a']
   tag 'host'

controls/SV-230226.rb

@@ -68,6 +68,7 @@
 
     $ sudo dconf update)
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000023-GPOS-00006'
   tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']

controls/SV-230227.rb

@@ -112,6 +112,7 @@
 communications and work product are private and confidential. See User
 Agreement for details."'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000023-GPOS-00006'
   tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']

controls/SV-230228.rb

@@ -1,31 +1,19 @@
 control 'SV-230228' do
   title 'All RHEL 8 remote access methods must be monitored.'
-  desc 'Remote access services, such as those providing remote access to
-network devices and information systems, which lack automated monitoring
-capabilities, increase risk and make remote user access management difficult at
-best.
-
-    Remote access is access to DoD nonpublic information systems by an
-authorized user (or an information system) communicating through an external,
-non-organization-controlled network. Remote access methods include, for
-example, dial-up, broadband, and wireless.
-
-    Automated monitoring of remote access sessions allows organizations to
-detect cyber attacks and ensure ongoing compliance with remote access policies
-by auditing connection activities of remote access capabilities, such as Remote
-Desktop Protocol (RDP), on a variety of information system components (e.g.,
-servers, workstations, notebook computers, smartphones, and tablets).'
+  desc 'Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best.
+
+Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
+
+Automated monitoring of remote access sessions allows organizations to detect cyber attacks and ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).'
   desc 'check', %q(Verify that RHEL 8 monitors all remote access methods.
 
-    Check that remote access methods are being logged by running the following
-command:
+Check that remote access methods are being logged by running the following command:
 
-    $ sudo grep -E '(auth.*|authpriv.*|daemon.*)' /etc/rsyslog.conf
+$ sudo grep -E '(auth\.\*|authpriv\.\*|daemon\.\*)' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
 
-    auth.*;authpriv.*;daemon.* /var/log/secure
+auth.*;authpriv.*;daemon.* /var/log/secure
 
-    If "auth.*", "authpriv.*" or "daemon.*" are not configured to be
-logged, this is a finding.)
+If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.)
   desc 'fix', 'Configure RHEL 8 to monitor all remote access methods by installing rsyslog
 with the following command:
 
@@ -40,10 +28,11 @@
 
     $ sudo systemctl restart rsyslog.service'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000032-GPOS-00013'
   tag gid: 'V-230228'
-  tag rid: 'SV-230228r627750_rule'
+  tag rid: 'SV-230228r951592_rule'
   tag stig_id: 'RHEL-08-010070'
   tag fix_id: 'F-32872r567431_fix'
   tag cci: ['CCI-000067']

controls/SV-230229.rb

@@ -52,6 +52,7 @@
 
 /etc/sssd/pki/sssd_auth_ca_db.pem'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000066-GPOS-00034'
   tag satisfies: ['SRG-OS-000066-GPOS-00034', 'SRG-OS-000384-GPOS-00167']

controls/SV-230230.rb

@@ -16,6 +16,7 @@
 
     $ sudo ssh-keygen -n [passphrase]'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000067-GPOS-00035'
   tag gid: 'V-230230'

controls/SV-230231.rb

@@ -29,6 +29,7 @@ module are not verified and therefore cannot be relied upon to provide
 
     ENCRYPT_METHOD SHA512'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000073-GPOS-00041'
   tag gid: 'V-230231'

controls/SV-230232.rb

@@ -20,6 +20,7 @@
   desc 'fix', 'Lock all interactive user accounts not using SHA-512 hashing
 until the passwords can be regenerated with SHA-512.'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000073-GPOS-00041'
   tag gid: 'V-230232'

controls/SV-230233.rb

@@ -20,6 +20,7 @@
 
 SHA_CRYPT_MIN_ROUNDS 5000'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000073-GPOS-00041'
   tag gid: 'V-230233'

controls/SV-230234.rb

@@ -29,6 +29,7 @@
     Enter password:
     Confirm password:'
   impact 0.7
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'high'
   tag gtitle: 'SRG-OS-000080-GPOS-00048'
   tag gid: 'V-230234'

controls/SV-230235.rb

@@ -28,6 +28,7 @@
     Enter password:
     Confirm password:'
   impact 0.7
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'high'
   tag gtitle: 'SRG-OS-000080-GPOS-00048'
   tag gid: 'V-230235'

controls/SV-230236.rb

@@ -20,6 +20,7 @@
 
     ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000080-GPOS-00048'
   tag gid: 'V-230236'

controls/SV-230237.rb

@@ -28,6 +28,7 @@
 
 password sufficient pam_unix.so sha512'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000120-GPOS-00061'
   tag gid: 'V-230237'

controls/SV-230238.rb

@@ -36,6 +36,7 @@
 
     Remove any files with the .keytab extension from the operating system.'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000120-GPOS-00061'
   tag gid: 'V-230238'

controls/SV-230239.rb

@@ -32,6 +32,7 @@
 
     $ sudo yum remove krb5-workstation'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000120-GPOS-00061'
   tag gid: 'V-230239'

controls/SV-230240.rb

@@ -34,6 +34,7 @@
 
     A reboot is required for the changes to take effect.'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000134-GPOS-00068'
   tag gid: 'V-230240'

controls/SV-230241.rb

@@ -27,6 +27,7 @@
 
     $ sudo yum install policycoreutils'
   impact 0.3
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'low'
   tag gtitle: 'SRG-OS-000134-GPOS-00068'
   tag gid: 'V-230241'

controls/SV-230243.rb

@@ -37,6 +37,7 @@
 
     $ sudo chmod 1777 [World-Writable Directory]'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000138-GPOS-00069'
   tag gid: 'V-230243'

controls/SV-230244.rb

@@ -5,17 +5,17 @@
         Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.
 
         RHEL 8 uses /etc/ssh/sshd_config for configurations of OpenSSH. Within the sshd_config, the product of the values of "ClientAliveInterval" and "ClientAliveCountMax" is used to establish the inactivity threshold. The "ClientAliveInterval" is a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. The "ClientAliveCountMax" is the number of client alive messages that may be sent without sshd receiving any messages back from the client. If this threshold is met, sshd will disconnect the client. For more information on these settings and others, refer to the sshd_config man pages.'
-  desc 'check', 'Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive.
+  desc 'check', %q(Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive.
 
-        Check that the "ClientAliveCountMax" is set to "1" by performing the following command:
+Check that the "ClientAliveCountMax" is set to "1" by performing the following command:
 
-            $ sudo grep -ir clientalivecountmax /etc/ssh/sshd_config*
+$ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientalivecountmax'
 
-            ClientAliveCountMax 1
+ClientAliveCountMax 1
 
-        If "ClientAliveCountMax" do not exist, is not set to a value of "1" in "/etc/ssh/sshd_config", or is commented out, this is a finding.
+If "ClientAliveCountMax" do not exist, is not set to a value of "1" in "/etc/ssh/sshd_config", or is commented out, this is a finding.
 
-        If conflicting results are returned, this is a finding.'
+If conflicting results are returned, this is a finding.)
   desc 'fix', 'Note: This setting must be applied in conjunction with RHEL-08-010201 to function correctly.
 
         Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive.
@@ -28,11 +28,12 @@
 
             $ sudo systemctl restart sshd.service'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000163-GPOS-00072'
   tag satisfies: ['SRG-OS-000163-GPOS-00072', 'SRG-OS-000126-GPOS-00066', 'SRG-OS-000279-GPOS-00109']
   tag gid: 'V-230244'
-  tag rid: 'SV-230244r917867_rule'
+  tag rid: 'SV-230244r951594_rule'
   tag stig_id: 'RHEL-08-010200'
   tag fix_id: 'F-32888r917866_fix'
   tag cci: ['CCI-001133']

controls/SV-230245.rb

@@ -26,6 +26,7 @@
 
     $ sudo chmod 0640 /var/log/messages'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000206-GPOS-00084'
   tag gid: 'V-230245'

controls/SV-230246.rb

@@ -24,6 +24,7 @@
 
     $ sudo chown root /var/log/messages'
   impact 0.5
+  ref 'DPMS Target Red Hat Enterprise Linux 8'
   tag severity: 'medium'
   tag gtitle: 'SRG-OS-000206-GPOS-00084'
   tag gid: 'V-230246'