
Commit 65402ce

committed
v2r4 delta
1 parent f87ab5a commit 65402ce

173 files changed

Lines changed: 4241 additions & 4644 deletions


controls/SV-238196.rb

Lines changed: 17 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
control 'SV-238196' do
2-
title "The Ubuntu operating system must provision temporary user accounts with an expiration time
3-
of 72 hours or less. "
4-
desc "If temporary user accounts remain active when no longer needed or for an excessive period,
2+
title 'The Ubuntu operating system must provision temporary user accounts with an expiration time
3+
of 72 hours or less.'
4+
desc 'If temporary user accounts remain active when no longer needed or for an excessive period,
55
these accounts may be used to gain unauthorized access. To mitigate this risk, automated
66
termination of all temporary accounts must be set upon account creation.
77
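Review bot: the title literal at +2/+3 still wraps mid-sentence ("...with an expiration time" / "of 72 hours or less."), so the new single-quoted string carries an embedded newline and the continuation line's indentation into the control title. Join it onto one line, as this same commit does for the SV-238198 title, so the rendered title reads as a single sentence. The switch from double to single quotes is otherwise safe here: none of the visible text contains an apostrophe or an interpolation.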
@@ -15,7 +15,7 @@
1515
1616
To address
1717
access requirements, many operating systems may be integrated with enterprise-level
18-
authentication/access mechanisms that meet or exceed access control policy requirements. "
18+
authentication/access mechanisms that meet or exceed access control policy requirements.'
1919
desc 'check', "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or
2020
less.
2121
@@ -32,25 +32,26 @@
3232
accounts has an expiration date set within 72 hours of account creation.
3333
3434
If any temporary
35-
account does not expire within 72 hours of that account's creation, this is a finding. "
36-
desc 'fix', "If a temporary account must be created, configure the system to terminate the account after a
35+
account does not expire within 72 hours of that account's creation, this is a finding."
36+
desc 'fix', 'If a temporary account must be created, configure the system to terminate the account after a
3737
72-hour time period with the following command to set an expiration date on it.
3838
3939
Substitute
40-
\"system_account_name\" with the account to be created.
40+
"system_account_name" with the account to be created.
4141
42-
$ sudo chage -E $(date -d \"+3 days\"
43-
+%F) system_account_name "
42+
$ sudo chage -E $(date -d "+3 days"
43+
+%F) system_account_name'
4444
impact 0.5
45-
tag severity: 'medium '
46-
tag gtitle: 'SRG-OS-000002-GPOS-00002 '
47-
tag gid: 'V-238196 '
48-
tag rid: 'SV-238196r653763_rule '
49-
tag stig_id: 'UBTU-20-010000 '
50-
tag fix_id: 'F-41365r653762_fix '
45+
tag severity: 'medium'
46+
tag gtitle: 'SRG-OS-000002-GPOS-00002'
47+
tag gid: 'V-238196'
48+
tag rid: 'SV-238196r958364_rule'
49+
tag stig_id: 'UBTU-20-010000'
50+
tag fix_id: 'F-41365r653762_fix'
5151
tag cci: ['CCI-000016']
5252
tag nist: ['AC-2 (2)']
53-
tag 'host', 'container'
53+
tag 'host'
54+
tag 'container'
5455

5556
if input('temporary_accounts').empty?
5657
describe 'Temporary accounts' do
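Review bot: rid moves from SV-238196r653763_rule to SV-238196r958364_rule while fix_id stays at F-41365r653762_fix, even though the fix text itself is being edited in this hunk; confirm against the V2R4 XCCDF that the fix revision really is unchanged. Stripping the trailing spaces from the tag values ('medium ', 'V-238196 ', 'UBTU-20-010000 ') is a genuine correction, since any exact comparison of those tags against the bare STIG identifiers would have missed them. Splitting `tag 'host', 'container'` into two `tag` calls is behaviour-neutral; both forms register both tags.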

controls/SV-238197.rb

Lines changed: 21 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
control 'SV-238197' do
2-
title "The Ubuntu operating system must enable the graphical user logon banner to display the
2+
title 'The Ubuntu operating system must enable the graphical user logon banner to display the
33
Standard Mandatory DoD Notice and Consent Banner before granting local access to the system
4-
via a graphical user logon. "
5-
desc "Display of a standardized and approved use notification before granting access to the Ubuntu
4+
via a graphical user logon.'
5+
desc %q(Display of a standardized and approved use notification before granting access to the Ubuntu
66
operating system ensures privacy and security notification verbiage used is consistent
77
with applicable federal laws, Executive Orders, directives, policies, regulations,
88
standards, and guidance.
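Review bot: the `desc %q(` opened at +5 does not close until the `agreem't.)` line roughly fifty lines later, and the banner text between them contains parentheses ("(USG)", "(IS)"); Ruby's %q(...) only tolerates balanced nesting, so the end of this literal now depends on every future banner edit keeping its parentheses paired. A heredoc (`<<~DESC` ... `DESC`) or a delimiter that cannot occur in the text would make the boundary unambiguous. %q is the right choice for the content, though: the text contains "I've", which rules out a plain single-quoted string. The title at +2 keeps its mid-sentence line break inside the literal, as with the SV-238196 title in this commit.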
@@ -14,7 +14,7 @@
1414
The banner must be formatted in accordance with applicable DoD policy. Use the following
1515
verbiage for operating systems that can accommodate banners of 1300 characters:
1616
17-
\"You are
17+
"You are
1818
accessing a U.S. Government (USG) Information System (IS) that is provided for
1919
USG-authorized use only.
2020
@@ -41,15 +41,15 @@
4141
to PM, LE or CI investigative searching or monitoring of the content of privileged
4242
communications, or work product, related to personal representation or services by
4343
attorneys, psychotherapists, or clergy, and their assistants. Such communications and
44-
work product are private and confidential. See User Agreement for details.\"
44+
work product are private and confidential. See User Agreement for details."
4545
4646
Use the
4747
following verbiage for operating systems that have severe limitations on the number of
4848
characters that can be displayed in the banner:
4949
50-
\"I've read & consent to terms in IS user
51-
agreem't.\" "
52-
desc 'check', "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD
50+
"I've read & consent to terms in IS user
51+
agreem't.")
52+
desc 'check', 'Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD
5353
Notice and Consent Banner before granting access to the operating system via a graphical user
5454
logon.
5555
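Review bot: the check description at +52 switches from a double-quoted to a single-quoted literal; that is only safe if nothing between this line and the closing quote at +68 contains an apostrophe, and lines 56-64 of that string are not shown in this diff. Run `ruby -c controls/SV-238197.rb` (or `inspec check` on the profile) before merging to confirm the file still parses, since a stray "'" there would not be caught by review of this hunk alone.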
@@ -65,12 +65,12 @@
6565
banner-message-enable=true
6666
6767
If the line is
68-
commented out or set to \"false\", this is a finding. "
69-
desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
68+
commented out or set to "false", this is a finding.'
69+
desc 'fix', 'Edit the "/etc/gdm3/greeter.dconf-defaults" file.
7070
7171
Look for the
72-
\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and
73-
uncomment it (remove the leading \"#\" characters):
72+
"banner-message-enable" parameter under the "[org/gnome/login-screen]" section and
73+
uncomment it (remove the leading "#" characters):
7474
7575
Note: The lines are all near the bottom of
7676
the file but not adjacent to each other.
@@ -84,17 +84,18 @@
8484
8585
$ sudo dconf
8686
update
87-
$ sudo systemctl restart gdm3 "
87+
$ sudo systemctl restart gdm3'
8888
impact 0.5
89-
tag severity: 'medium '
90-
tag gtitle: 'SRG-OS-000023-GPOS-00006 '
91-
tag gid: 'V-238197 '
92-
tag rid: 'SV-238197r653766_rule '
93-
tag stig_id: 'UBTU-20-010002 '
94-
tag fix_id: 'F-41366r653765_fix '
89+
tag severity: 'medium'
90+
tag gtitle: 'SRG-OS-000023-GPOS-00006'
91+
tag gid: 'V-238197'
92+
tag rid: 'SV-238197r958390_rule'
93+
tag stig_id: 'UBTU-20-010002'
94+
tag fix_id: 'F-41366r653765_fix'
9595
tag cci: ['CCI-000048']
9696
tag nist: ['AC-8 a']
97-
tag 'host', 'container'
97+
tag 'host'
98+
tag 'container'
9899

99100
xorg_status = command('which Xorg').exit_status
100101
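Review bot: fix_id stays at F-41366r653765_fix while rid jumps from SV-238197r653766_rule to SV-238197r958390_rule; please verify against the V2R4 release that only the rule revision changed. Separately, the control now carries both `tag 'host'` and `tag 'container'` for a GDM greeter setting, and the next line gates the logic on `command('which Xorg').exit_status`; tagging it for containers only makes sense if that Xorg probe makes the control report Not Applicable there, so either document that or drop the 'container' tag.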

controls/SV-238198.rb

Lines changed: 53 additions & 99 deletions
Original file line numberDiff line numberDiff line change
@@ -1,103 +1,56 @@
11
control 'SV-238198' do
2-
title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent
3-
Banner before granting local access to the system via a graphical user logon. "
4-
desc "Display of a standardized and approved use notification before granting access to the Ubuntu
5-
operating system ensures privacy and security notification verbiage used is consistent
6-
with applicable federal laws, Executive Orders, directives, policies, regulations,
7-
standards, and guidance.
8-
9-
System use notifications are required only for access via logon
10-
interfaces with human users and are not required when such human interfaces do not exist.
11-
12-
13-
The banner must be formatted in accordance with applicable DoD policy. Use the following
14-
verbiage for operating systems that can accommodate banners of 1300 characters:
15-
16-
\"You are
17-
accessing a U.S. Government (USG) Information System (IS) that is provided for
18-
USG-authorized use only.
19-
20-
By using this IS (which includes any device attached to this IS),
21-
you consent to the following conditions:
22-
23-
-The USG routinely intercepts and monitors
24-
communications on this IS for purposes including, but not limited to, penetration testing,
25-
COMSEC monitoring, network operations and defense, personnel misconduct (PM), law
26-
enforcement (LE), and counterintelligence (CI) investigations.
27-
28-
-At any time, the USG may
29-
inspect and seize data stored on this IS.
30-
31-
-Communications using, or data stored on, this IS
32-
are not private, are subject to routine monitoring, interception, and search, and may be
33-
disclosed or used for any USG-authorized purpose.
34-
35-
-This IS includes security measures
36-
(e.g., authentication and access controls) to protect USG interests--not for your personal
37-
benefit or privacy.
38-
39-
-Notwithstanding the above, using this IS does not constitute consent
40-
to PM, LE or CI investigative searching or monitoring of the content of privileged
41-
communications, or work product, related to personal representation or services by
42-
attorneys, psychotherapists, or clergy, and their assistants. Such communications and
43-
work product are private and confidential. See User Agreement for details.\"
44-
45-
Use the
46-
following verbiage for operating systems that have severe limitations on the number of
47-
characters that can be displayed in the banner:
48-
49-
\"I've read & consent to terms in IS user
50-
agreem't.\" "
51-
desc 'check', "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent
52-
Banner before granting access to the operating system via a graphical user logon.
53-
54-
Note: If
55-
the system does not have a graphical user interface installed, this requirement is Not
56-
Applicable.
57-
58-
Verify the operating system displays the exact approved Standard Mandatory
59-
DoD Notice and Consent Banner text with the command:
60-
61-
$ grep ^banner-message-text
62-
/etc/gdm3/greeter.dconf-defaults
63-
64-
banner-message-text=\"You are accessing a U.S.
65-
Government \\(USG\\) Information System \\(IS\\) that is provided for USG-authorized use
66-
only.\\s+By using this IS \\(which includes any device attached to this IS\\), you consent to the
67-
following conditions:\\s+-The USG routinely intercepts and monitors communications on
68-
this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring,
69-
network operations and defense, personnel misconduct \\(PM\\), law enforcement \\(LE\\), and
70-
counterintelligence \\(CI\\) investigations.\\s+-At any time, the USG may inspect and seize
71-
data stored on this IS.\\s+-Communications using, or data stored on, this IS are not private,
72-
are subject to routine monitoring, interception, and search, and may be disclosed or used for
73-
any USG-authorized purpose.\\s+-This IS includes security measures \\(e.g.,
74-
authentication and access controls\\) to protect USG interests--not for your personal
75-
benefit or privacy.\\s+-Notwithstanding the above, using this IS does not constitute
76-
consent to PM, LE or CI investigative searching or monitoring of the content of privileged
77-
communications, or work product, related to personal representation or services by
78-
attorneys, psychotherapists, or clergy, and their assistants. Such communications and
79-
work product are private and confidential. See User Agreement for details.\"
80-
81-
If the
82-
banner-message-text is missing, commented out, or does not match the Standard Mandatory DoD
83-
Notice and Consent Banner exactly, this is a finding. "
84-
desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
85-
86-
Set the \"banner-message-text\" line
2+
title 'The Ubuntu operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting local access to the system via a graphical user logon.'
3+
desc %q(Display of a standardized and approved use notification before granting access to the Ubuntu operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
4+
5+
System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
6+
7+
The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
8+
9+
"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
10+
11+
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
12+
13+
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
14+
15+
-At any time, the USG may inspect and seize data stored on this IS.
16+
17+
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
18+
19+
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
20+
21+
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
22+
23+
Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner:
24+
25+
"I've read & consent to terms in IS user agreem't.")
26+
desc 'check', "Verify the Ubuntu operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
27+
28+
Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable.
29+
30+
Verify the operating system displays the exact approved Standard Mandatory DOD Notice and Consent Banner text with the command:
31+
32+
$ grep ^banner-message-text /etc/gdm3/greeter.dconf-defaults
33+
34+
banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
35+
36+
If the banner-message-text is missing, commented out, or does not match the Standard Mandatory DOD Notice and Consent Banner exactly, this is a finding."
37+
desc 'fix', %q(Edit the "/etc/gdm3/greeter.dconf-defaults" file.
38+
39+
Set the "banner-message-text" line
8740
to contain the appropriate banner message text as shown below:
8841
8942
banner-message-text='You
9043
are accessing a U.S. Government (USG) Information System (IS) that is provided for
91-
USG-authorized use only.\\n\\nBy using this IS (which includes any device attached to this
92-
IS), you consent to the following conditions:\\n\\n-The USG routinely intercepts and
44+
USG-authorized use only.\n\nBy using this IS (which includes any device attached to this
45+
IS), you consent to the following conditions:\n\n-The USG routinely intercepts and
9346
monitors communications on this IS for purposes including, but not limited to, penetration
9447
testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),
95-
law enforcement (LE), and counterintelligence (CI) investigations.\\n\\n-At any time, the
96-
USG may inspect and seize data stored on this IS.\\n\\n-Communications using, or data stored
48+
law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the
49+
USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored
9750
on, this IS are not private, are subject to routine monitoring, interception, and search, and
98-
may be disclosed or used for any USG-authorized purpose.\\n\\n-This IS includes security
51+
may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security
9952
measures (e.g., authentication and access controls) to protect USG interests--not for your
100-
personal benefit or privacy.\\n\\n-Notwithstanding the above, using this IS does not
53+
personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not
10154
constitute consent to PM, LE or CI investigative searching or monitoring of the content of
10255
privileged communications, or work product, related to personal representation or
10356
services by attorneys, psychotherapists, or clergy, and their assistants. Such
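Review bot: the expected output at +34 now matches what the greeter file actually contains (a single-quoted string with literal `\n\n` separators, the same form the fix at +42 onward writes), replacing the old regex-flavoured `\\(USG\\)` / `\\s+` form that could never match a verbatim grep of the file; good correction. Two things to watch: the check literal stays double-quoted, so `\\n` there renders as `\n`, while the fix literal became %q(...) at +37 and writes `\n` directly; both render identically, but mixing the two escaping conventions inside one control invites a mismatch on the next edit. And the %q( ... ) fix literal relies on balanced parentheses in the banner text ("(USG)", "(e.g., authentication and access controls)") to find its closing `)`; a heredoc would be more robust.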
@@ -108,17 +61,18 @@
10861
10962
$ sudo dconf update
11063
$ sudo
111-
systemctl restart gdm3 "
64+
systemctl restart gdm3)
11265
impact 0.5
113-
tag severity: 'medium '
114-
tag gtitle: 'SRG-OS-000023-GPOS-00006 '
115-
tag gid: 'V-238198 '
116-
tag rid: 'SV-238198r653769_rule '
117-
tag stig_id: 'UBTU-20-010003 '
118-
tag fix_id: 'F-41367r653768_fix '
66+
tag severity: 'medium'
67+
tag gtitle: 'SRG-OS-000023-GPOS-00006'
68+
tag gid: 'V-238198'
69+
tag rid: 'SV-238198r958390_rule'
70+
tag stig_id: 'UBTU-20-010003'
71+
tag fix_id: 'F-41367r653768_fix'
11972
tag cci: ['CCI-000048']
12073
tag nist: ['AC-8 a']
121-
tag 'host', 'container'
74+
tag 'host'
75+
tag 'container'
12276

12377
expected_banner_text = input('banner_text')
12478
clean_banner = expected_banner_text.gsub(/[\r\n\s]/, '')
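Review bot: the closing `)` of the %q fix literal lands at +64 directly after `systemctl restart gdm3`, so the fix text no longer ends with the trailing space the old `"` version carried; fine. rid moves to SV-238198r958390_rule, the same revision number the commit gives SV-238197, while fix_id stays at F-41367r653768_fix; confirm against the V2R4 XCCDF. Note also that the unchanged comparison setup right below (`clean_banner = expected_banner_text.gsub(/[\r\n\s]/, '')`) strips every whitespace character from the expected banner, so the comparison is whitespace-insensitive and will not flag a banner whose `\n\n` paragraph separators were dropped; pre-existing, but worth knowing now that this commit rewrites the expected text the check documents.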
