Merge pull request #14382 from vojtapolasek/rhel9_stig_update_02_26

Update RHEL 9 STIG content to align with DISA STIG v2r7

Author: Mab879

linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/ansible/shared.yml

@@ -6,7 +6,7 @@
 
 {{{ ansible_instantiate_variables("var_logind_session_timeout") }}}
 
-{{% if product in ["sle15", "sle16"] %}}
+{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
 # create drop-in in the /etc/systemd/logind.conf.d/ directory
 {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
 {{% else %}}

linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/bash/shared.sh

@@ -2,7 +2,7 @@
 
 {{{ bash_instantiate_variables("var_logind_session_timeout") }}}
 
-{{% if product in ["sle15", "sle16"] %}}
+{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
 # create drop-in in the /etc/systemd/logind.conf.d/ directory
 {{% set logind_conf_file = "/etc/systemd/logind.conf.d/oscap-idle-sessions.conf" %}}
 {{% else %}}

linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/oval/shared.xml

@@ -1,12 +1,12 @@
-{{% if product in ["sle15", "sle16"] %}}
+{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
 {{% set logind_conf_file = "/etc/systemd/logind.conf.d/" %}}
 {{% else %}}
 {{% set logind_conf_file = "/etc/systemd/logind.conf" %}}
 {{% endif %}}
 
 <def-group>
   <definition class="compliance" id="logind_session_timeout" version="1">
-    {{% if product in ["sle15", "sle16"] %}}
+    {{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
     {{{ oval_metadata("Ensure 'StopIdleSessionSec' is configured with desired value in section 'Login' in {{{ logind_conf_file }}}", rule_title=rule_title) }}}
     <criteria comment="logind is configured correctly and configuration file exists" operator="AND">
       <criterion comment="Check the StopIdleSessionSec in {{{ logind_conf_file }}}" test_ref="test_logind_session_timeout_drop_in"/>

linux_os/guide/system/accounts/accounts-physical/logind_session_timeout/tests/common.sh

@@ -3,7 +3,7 @@
 # this file prepares unified test environment used by other scenarios
 # These should be tuned per product to match defaults
 
-{{% if product in ["sle15", "sle16"] %}}
+{{% if product in ["rhel9", "rhel10", "sle15", "sle16"] %}}
 LOGIND_CONF_FILE="/etc/systemd/logind.conf.d/oscap-idle-sessions.conf"
 mkdir -p /etc/systemd/logind.conf.d/
 {{% else %}}

linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/ansible/shared.yml

@@ -11,6 +11,7 @@
       dest: /etc/systemd/system/emergency.service.d/10-oscap.conf
       block: |
         [Service]
+        ExecStart=
         ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
 {{% else %}}
 - name: Require emergency mode password

linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/bash/shared.sh

@@ -16,6 +16,7 @@ sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default
 {{% if 'sle' in product or 'rhel' in product or product == 'fedora' or product == 'slmicro5' or 'ol' in families  %}}
 mkdir -p "${service_dropin_cfg_dir}"
 echo "[Service]" >> "${service_dropin_file}"
+echo "ExecStart=" >> "${service_dropin_file}"
 echo "ExecStart=-$sulogin" >> "${service_dropin_file}"
 {{% else %}}
 if grep "^ExecStart=.*" "$service_file" ; then

linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml

@@ -28,6 +28,9 @@ references:
     stigid@ol7: OL07-00-021031
     stigid@ol8: OL08-00-010700
 
+identifiers:
+    cce@rhel9: CCE-86469-4
+
 ocil_clause: 'there is output'
 
 ocil: |-

products/rhel9/controls/stig_rhel9.yml

@@ -1303,7 +1303,7 @@ controls:
       title: All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application
           user.
       rules:
-          - dir_perms_world_writable_root_owned
+          - dir_perms_world_writable_system_owned
       status: automated
 
     - id: RHEL-09-232245
@@ -2087,9 +2087,10 @@ controls:
     - id: RHEL-09-271065
       levels:
           - medium
-      title: RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.
+      title: RHEL 9 must automatically lock graphical user sessions after 10 minutes of inactivity.
       rules:
           - dconf_gnome_screensaver_idle_delay
+          - inactivity_timeout_value=10_minutes
       status: automated
 
     - id: RHEL-09-271070
@@ -2495,7 +2496,7 @@ controls:
       title: RHEL 9 must terminate idle user sessions.
       rules:
           - logind_session_timeout
-          - var_logind_session_timeout=15_minutes
+          - var_logind_session_timeout=10_minutes
       status: automated
 
     - id: RHEL-09-431010
@@ -3484,6 +3485,16 @@ controls:
           - audit_rules_privileged_commands_crontab
       status: automated
 
+    - id: RHEL-09-654097
+      levels:
+          - medium
+      title: RHEL 9 must audit any script or executable called by cron as root or by any privileged user.
+      rules:
+          - audit_rules_etc_cron_d
+          - audit_rules_var_spool_cron
+      status: automated
+
+
     - id: RHEL-09-654100
       levels:
           - medium

shared/references/cce-redhat-avail.txt

@@ -1,6 +1,5 @@
 CCE-86466-0
 CCE-86468-6
-CCE-86469-4
 CCE-86482-7
 CCE-86483-5
 CCE-86484-3