RHEL 10 STIG Update

.github/workflows/srg-mapping-table.yaml

@@ -45,19 +45,19 @@ jobs:
         env:
           PYTHONPATH: ${{ github.workspace }}
       - name: Generate XLSX for RHEL9
-        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v2r7.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel9.xlsx
+        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v3r1.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel9.xlsx
         env:
           PYTHONPATH: ${{ github.workspace }}
       - name: Generate HTML for RHEL9
-        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v2r7.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel9.html
+        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v3r1.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel9.html
         env:
           PYTHONPATH: ${{ github.workspace }}
       - name: Generate XLSX for RHEL10
-        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v2r7.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel10.xlsx
+        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v3r1.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel10.xlsx
         env:
           PYTHONPATH: ${{ github.workspace }}
       - name: Generate HTML for RHEL10
-        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v2r7.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel10.html
+        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v3r1.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel10.html
         env:
           PYTHONPATH: ${{ github.workspace }}
       - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4

cmake/SSGCommon.cmake

@@ -1095,7 +1095,7 @@ macro(ssg_build_html_srgmap_tables PRODUCT)
         OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html"
         OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html"
         COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables"
-        COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_srg_table.py" --build-dir "${CMAKE_BINARY_DIR}" "${PRODUCT}" "${SSG_SHARED_REFS}/disa-os-srg-v2r7.xml" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html"
+        COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_srg_table.py" --build-dir "${CMAKE_BINARY_DIR}" "${PRODUCT}" "${SSG_SHARED_REFS}/disa-os-srg-v3r1.xml" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html"
         DEPENDS ${PRODUCT}-compile-all "${CMAKE_CURRENT_BINARY_DIR}/ssg_build_compile_all-${PRODUCT}"
         COMMENT "[${PRODUCT}-tables] generating HTML SRG map tables"
     )

controls/srg_gpos.yml

@@ -1,7 +1,7 @@
 policy: Security Requirements Guide - General Purpose Operating System
 title: Security Requirements Guide - General Purpose Operating System
 id: srg_gpos
-version: 'v2r7'
+version: 'v3r1'
 source: https://public.cyber.mil/stigs/downloads/
 controls_dir: srg_gpos
 levels:

controls/srg_gpos/SRG-OS-000024-GPOS-00007.yml

@@ -1,13 +1,10 @@
 controls:
     -   id: SRG-OS-000024-GPOS-00007
+        title: '{{{ full_name }}} must display the Standard Mandatory DoD Notice and Consent
+            Banner until users acknowledge the usage conditions and take explicit actions
+            to log on for further access.'
         levels:
             - medium
-
-        title: |-
-          {{{ full_name }}} must display the Standard Mandatory DoD Notice and Consent Banner until
-          users acknowledge the usage conditions and take explicit actions to log on for
-          further access.
-
         status: does not meet
         rationale: |-
             The banner must be acknowledged by the user prior to allowing the user access to the operating system.

controls/srg_gpos/SRG-OS-000069-GPOS-00037.yml

@@ -1,9 +1,9 @@
 controls:
     -   id: SRG-OS-000069-GPOS-00037
+        title: '{{{ full_name }}} must enforce password complexity by requiring that at
+    least one uppercase character be used.'
         levels:
             - medium
-        title: {{{ full_name }}} must enforce password complexity by requiring that at
-            least one upper-case character be used.
         rules:
             - var_password_pam_retry=3
             - accounts_password_pam_enforce_root

controls/srg_gpos/SRG-OS-000070-GPOS-00038.yml

@@ -1,9 +1,9 @@
 controls:
     -   id: SRG-OS-000070-GPOS-00038
+        title: '{{{ full_name }}} must enforce password complexity by requiring that at
+    least one lowercase character be used.'
         levels:
             - medium
-        title: {{{ full_name }}} must enforce password complexity by requiring that at
-            least one lower-case character be used.
         rules:
             - accounts_password_pam_enforce_root
             - var_password_pam_lcredit=1

controls/srg_gpos/SRG-OS-000072-GPOS-00040.yml

@@ -1,9 +1,9 @@
 controls:
     -   id: SRG-OS-000072-GPOS-00040
+        title: '{{{ full_name }}} must require the change of at least 50 percent of the
+    total number of characters when passwords are changed.'
         levels:
             - medium
-        title: {{{ full_name }}} must require the change of at least 50% of the total
-            number of characters when passwords are changed.
         rules:
             - accounts_password_pam_difok
             - var_password_pam_difok=8

controls/srg_gpos/SRG-OS-000075-GPOS-00043.yml

@@ -1,8 +1,8 @@
 controls:
     -   id: SRG-OS-000075-GPOS-00043
+        title: {{{ full_name }}} must enforce 24 hours/1 day as the minimum password lifetime.
         levels:
             - medium
-        title: {{{ full_name }}} must enforce 24 hours/1 day as the minimum password lifetime.
         rules:
             - var_accounts_minimum_age_login_defs=1
             - accounts_minimum_age_login_defs

controls/srg_gpos/SRG-OS-000076-GPOS-00044.yml

@@ -1,8 +1,8 @@
 controls:
     -   id: SRG-OS-000076-GPOS-00044
+        title: Operating systems must enforce a 60-day maximum password lifetime restriction.
         levels:
             - medium
-        title: {{{ full_name }}} must enforce a 60-day maximum password lifetime restriction.
         rules:
             - var_accounts_maximum_age_login_defs=60
             - accounts_maximum_age_login_defs

controls/srg_gpos/SRG-OS-000108-GPOS-00055.yml

@@ -1,9 +1,9 @@
 controls:
     -   id: SRG-OS-000108-GPOS-00055
+        title: '{{{ full_name }}} must use multifactor authentication for local access to
+        nonprivileged accounts.'
         levels:
             - medium
-        title: {{{ full_name }}} must use multifactor authentication for local access
-            to non-privileged accounts.
         rules:
             - sshd_enable_pubkey_auth
             - configure_opensc_card_drivers

controls/srg_gpos/SRG-OS-000113-GPOS-00058.yml

@@ -2,9 +2,8 @@ controls:
     -   id: SRG-OS-000113-GPOS-00058
         levels:
             - medium
-        title: {{{ full_name }}} must implement replay-resistant authentication mechanisms for
-         network access to non-privileged accounts.
-
+        title: '{{{ full_name }}} must implement replay-resistant authentication mechanisms
+        for network access to nonprivileged accounts.'
         status: inherently met
         check: |-
             {{{ full_name }}} supports this requirement and cannot be configured to be out of compliance.

controls/srg_gpos/SRG-OS-000123-GPOS-00064.yml

@@ -1,9 +1,9 @@
 controls:
     -   id: SRG-OS-000123-GPOS-00064
+        title: The information system must automatically remove or disable emergency accounts
+            after the crisis is resolved or 72 hours.
         levels:
             - medium
-        title: {{{ full_name }}} must automatically remove or disable emergency accounts
-            after the crisis is resolved or 72 hours.
         rules:
             - account_temp_expire_date
         status: automated

controls/srg_gpos/SRG-OS-000138-GPOS-00069.yml

@@ -1,9 +1,9 @@
 controls:
     -   id: SRG-OS-000138-GPOS-00069
+        title: Operating systems must prevent unauthorized and unintended information transfer
+            via shared system resources.
         levels:
             - medium
-        title: {{{ full_name }}} must prevent unauthorized and unintended information transfer
-            via shared system resources.
         rules:
             - dir_perms_world_writable_sticky_bits
             - dir_perms_world_writable_root_owned

controls/srg_gpos/SRG-OS-000228-GPOS-00088.yml

@@ -1,10 +1,11 @@
 controls:
     -   id: SRG-OS-000228-GPOS-00088
-        levels:
-            - medium
-        title: Any publicly accessible connection to {{{ full_name }}} must display
+        title: Any publically accessible connection to the operating system must display
             the Standard Mandatory DoD Notice and Consent Banner before granting access to
             the system.
+
+        levels:
+            - medium
         rules:
             - sshd_enable_warning_banner
             - banner_etc_issue

controls/srg_gpos/SRG-OS-000269-GPOS-00103.yml

@@ -1,10 +1,10 @@
 controls:
     -   id: SRG-OS-000269-GPOS-00103
-        levels:
-            - medium
-        title: In the event of a system failure, {{{ full_name }}} must preserve any
+        title: In the event of a system failure, the operating system must preserve any
             information necessary to determine cause of failure and any information necessary
             to return to operations with least disruption to mission processes.
+        levels:
+            - medium
         status: automated
         rules:
             - service_systemd-journald_enabled

controls/srg_gpos/SRG-OS-000276-GPOS-00106.yml

@@ -1,14 +1,16 @@
 controls:
     -   id: SRG-OS-000276-GPOS-00106
+        title: '{{{ full_name }}} must notify system administrators and ISSOs when accounts are disabled.'
         levels:
             - medium
-        title: {{{ full_name }}} must notify system administrators and ISSOs when accounts are disabled.
-        rules:
-            - audit_rules_usergroup_modification_passwd
-        status: does not meet
         mitigation: |-
             Mitigate with third-party software.
 
             Although the listed mitigation is supporting the security function, it is not sufficient to reduce the residual risk of this requirement.
-        status_justification:
-            Notification when accounts are created/modified/deleted must be provided by a third-party application that will communicate that an audit record of these actions has been created.
+        rules:
+            - audit_rules_usergroup_modification_passwd
+        status: does not meet
+        status_justification: |-
+            Notification when accounts are created/modified/deleted must
+            be provided by a third-party application that will communicate that an audit record
+            of these actions has been created.

controls/srg_gpos/SRG-OS-000304-GPOS-00121.yml

@@ -1,9 +1,9 @@
 controls:
     -   id: SRG-OS-000304-GPOS-00121
+        title: '{{{ full_name }}} must notify system administrators (SAs) and information
+        system security officers (ISSOs) of account enabling actions.'
         levels:
             - medium
-        title: {{{ full_name }}} must notify system administrators and ISSOs of account
-            enabling actions.
         rules:
             - audit_rules_sudoers
             - audit_rules_sudoers_d

controls/srg_gpos/SRG-OS-000324-GPOS-00125.yml

@@ -1,12 +1,10 @@
 controls:
     -   id: SRG-OS-000324-GPOS-00125
+        title: '{{{ full_name }}} must prevent nonprivileged users from executing privileged
+        functions to include disabling, circumventing, or altering implemented security
+        safeguards/countermeasures.'
         levels:
             - high
-        title: |-
-            {{{ full_name }}} must prevent nonprivileged users from executing privileged functions
-            to include disabling, circumventing, or altering implemented security
-            safeguards/countermeasures.
-
         rules:
             - disable_ctrlaltdel_burstaction
             - disable_ctrlaltdel_reboot

controls/srg_gpos/SRG-OS-000341-GPOS-00132.yml

@@ -1,12 +1,10 @@
 controls:
     -   id: SRG-OS-000341-GPOS-00132
+        title: '{{{ full_name }}} must allocate audit record storage capacity to store at
+    least one week''s worth of audit records, when audit records are not immediately
+    sent to a central audit record storage facility.'
         levels:
             - low
-        title: |-
-            {{{ full_name }}} must allocate audit record storage capacity to store at least
-            one week's worth of audit records, when audit records are not immediately sent to a
-            central audit record storage facility.
-
         rules:
             - grub2_audit_backlog_limit_argument
             - partition_for_var_log_audit

controls/srg_gpos/SRG-OS-000355-GPOS-00143.yml

@@ -1,12 +1,13 @@
 controls:
     -   id: SRG-OS-000355-GPOS-00143
+        title: '{{{ full_name }}} must, for networked systems, compare internal information
+    system clocks at least every 24 hours with a server which is synchronized to one
+    of the redundant United States Naval Observatory (USNO) time servers, or a time
+    server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the
+    Global Positioning System (GPS).'
+
         levels:
             - medium
-        title: {{{ full_name }}} must, for networked systems, compare internal information
-            system clocks at least every 24 hours with a server which is synchronized to one
-            of the redundant United States Naval Observatory (USNO) time servers, or a time
-            server designated for the appropriate DoD network (NIPRNet/SIPRNet), 
-            and/or the Global Positioning System (GPS).
         rules:
             - chronyd_or_ntpd_set_maxpoll
             - chronyd_server_directive