OL7 DISA STIG v2r1 update

linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhel7,rhel8,sle12,sle15,rhv4
+prodtype: fedora,ol7,ol8,rhel7,rhel8,sle12,sle15,rhv4
 
 title: 'Disable X Windows Startup By Setting Default Target'
 

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml

@@ -33,7 +33,7 @@ references:
     cis: 5.3.2
     cjis: 5.5.3
     cui: 3.1.8
-    disa: CCI-000044,CCI-002238
+    disa: CCI-000044,CCI-002236,CCI-002237,CCI-002238
     nist: CM-6(a),AC-7(a)
     nist-csf: PR.AC-7
     ospp: FIA_AFL.1

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml

@@ -40,7 +40,7 @@ identifiers:
 
 references:
     stigid@ol7: OL07-00-010320
-    disa: CCI-000044,CCI-002238
+    disa: CCI-000044,CCI-002236,CCI-002237,CCI-002238
     nist: CM-6(a),AC-7(a)
     nist-csf: PR.AC-7
     ospp: FIA_AFL.1

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml

@@ -36,7 +36,7 @@ references:
     cis: 5.3.2
     cjis: 5.5.3
     cui: 3.1.8
-    disa: CCI-000044,CCI-002238
+    disa: CCI-000044,CCI-002236,CCI-002237,CCI-002238
     nist: CM-6(a),AC-7(b)
     nist-csf: PR.AC-7
     ospp: FIA_AFL.1

linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/rule.yml

@@ -26,6 +26,7 @@ identifiers:
 
 references:
     stigid@rhel7: RHEL-07-010481
+    stigid@ol7: OL07-00-010481
     cis@rhel7: 1.4.3
     cis@rhel8: 1.5.3
     cui: 3.1.1,3.4.5

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml

@@ -30,7 +30,7 @@ references:
     stigid@ol7: OL07-00-041001
     disa: CCI-000765,CCI-001948,CCI-001953,CCI-001954
     nist: CM-6(a)
-    srg: SRG-OS-000105-GPOS-00052,SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162
+    srg: SRG-OS-000105-GPOS-00052,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000377-GPOS-00162
     stigid@rhel7: RHEL-07-041001
 
 ocil_clause: 'smartcard software is not installed'

linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml

@@ -36,12 +36,13 @@ identifiers:
     cce@rhcos4: CCE-82595-0
 
 references:
-    disa: CCI-000172,CCI-002884
+    disa: CCI-000135,CCI-000172,CCI-002884
     nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
     ospp: FAU_GEN.1.1.c
     vmmsrg: SRG-OS-000471-VMM-001910
     srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172
     stigid@rhel7: RHEL-07-030740
+    stigid@ol7: OL07-00-030740
 
 ocil_clause: 'it is not the case'
 

linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml

@@ -42,6 +42,7 @@ references:
     ospp: FIA_UAU.1
     srg: SRG-OS-000080-GPOS-00048
     stigid@rhel7: RHEL-07-010480
+    stigid@ol7: OL07-00-010480
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7'
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
     cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10

linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml

@@ -47,7 +47,7 @@ identifiers:
 
 references:
     cis@rhel8: 1.5.2
-    stigid@ol7: OL07-00-010480
+    stigid@ol7: OL07-00-010482
     cui: 3.4.5
     disa: CCI-000213
     hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
@@ -71,7 +71,7 @@ ocil: |-
     command:
     {{% if product == "sle12" %}}
     <pre>sudo grep "boot" /boot/grub2/grub.cfg</pre>
-    {{% else %}} 
+    {{% else %}}
     <pre>sudo grep "superusers" /etc/grub2.cfg</pre>
     {{% endif %}}
     The output should show the following:

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_admin_username/rule.yml

@@ -49,6 +49,7 @@ references:
     ospp: FIA_UAU.1
     srg: SRG-OS-000080-GPOS-00048
     stigid@rhel7: RHEL-07-010490
+    stigid@ol7: OL07-00-010490
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7'
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
     cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.03,DSS06.06

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml

@@ -50,7 +50,7 @@ identifiers:
     cce@sle12: CCE-83045-5
 
 references:
-    stigid@ol7: OL07-00-010490
+    stigid@ol7: OL07-00-010491
     cis: 1.4.2
     cui: 3.4.5
     disa: CCI-000213

linux_os/guide/system/bootloader-grub2/uefi/uefi_no_removeable_media/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel7,rhel8
+prodtype: ol7,ol8,rhel7,rhel8
 
 title: 'UEFI Boot Loader Is Not Installed On Removeable Media'
 
@@ -21,9 +21,10 @@ identifiers:
     cce@rhel7: CCE-80518-4
 
 references:
-    disa: CCI-001814
+    disa: CCI-001813,CCI-001814
     srg: SRG-OS-000364-GPOS-00151
     stigid@rhel7: RHEL-07-021700
+    stigid@ol7: OL07-00-021700
 
 ocil_clause: 'it is not'
 

linux_os/guide/system/selinux/selinux_policytype/rule.yml

@@ -33,10 +33,11 @@ identifiers:
     cce@rhcos4: CCE-82532-3
 
 references:
+    stigid@ol7: OL07-00-020220
     anssi: BP28(R66)
     cis@rhel8: 1.7.1.3
     cui: 3.1.2,3.7.2
-    disa: CCI-002696
+    disa: CCI-002165,CCI-002696
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
     nist: AC-3,AC-3(3)(a),AU-9,SC-7(21)
     nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4

linux_os/guide/system/selinux/selinux_user_login_roles/rule.yml

@@ -37,7 +37,7 @@ identifiers:
 
 references:
     stigid@ol7: OL07-00-020020
-    disa: CCI-002235
+    disa: CCI-002165,CCI-002235
     srg: SRG-OS-000324-GPOS-00125
     stigid@rhel7: RHEL-07-020020
 

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8
 
 title: 'Disable GNOME3 Automounting'
 

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8
 
 title: 'Disable GNOME3 Automount Opening'
 

linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8
 
 title: 'Disable GNOME3 Automount running'
 

linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhel7,rhel8
+prodtype: fedora,ol7,ol8,rhel7,rhel8
 
 title: 'Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3'
 
@@ -32,6 +32,7 @@ identifiers:
     cce@rhel7: CCE-80124-1
 
 references:
+    stigid@ol7: OL07-00-020231
     cui: 3.1.2
     disa: CCI-000366
     nist: CM-6(a),AC-6(1),CM-7(b)

linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhcos4,rhel7,rhel8,rhv4,sle12,sle15
+prodtype: fedora,ol7,ol8,rhcos4,rhel7,rhel8,rhv4,sle12,sle15
 
 title: 'Install the Host Intrusion Prevention System (HIPS) Module'
 
@@ -21,18 +21,19 @@ identifiers:
     cce@sle12: CCE-83071-1
 
 references:
-    disa: CCI-000366,CCI-001263
+    disa: CCI-000366,CCI-001233,CCI-001263
     nist: CM-6(a)
     nist-csf: DE.AE-1,DE.AE-2,DE.AE-3,DE.AE-4,DE.CM-1,DE.CM-5,DE.CM-6,DE.CM-7,DE.DP-2,DE.DP-3,DE.DP-4,DE.DP-5,ID.RA-1,PR.AC-5,PR.DS-5,PR.IP-8,PR.PT-4,RS.AN-1,RS.CO-3
     pcidss: Req-11.4
-    srg: SRG-OS-000480-GPOS-00227,SRG-OS-000196
+    srg: SRG-OS-000191-GPOS-00080,SRG-OS-000196,SRG-OS-000480-GPOS-00227
     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.4,SR 2.8,SR 2.9,SR 3.1,SR 3.3,SR 3.5,SR 3.8,SR 3.9,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
     isa-62443-2009: 4.2.3,4.2.3.12,4.2.3.7,4.2.3.9,4.3.3.4,4.3.4.5.2,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.3.4.5.9,4.4.3.2,4.4.3.3,4.4.3.4
     cobit5: APO01.06,APO07.06,APO08.04,APO10.05,APO11.06,APO12.01,APO12.02,APO12.03,APO12.04,APO12.06,APO13.01,APO13.02,BAI08.02,BAI08.04,DSS01.03,DSS01.05,DSS02.04,DSS02.05,DSS02.07,DSS03.01,DSS03.04,DSS03.05,DSS04.05,DSS05.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.01,DSS06.02,MEA03.03,MEA03.04
     iso27001-2013: 'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.3,A.12.5.1,A.12.6.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.7,A.14.2.8,A.15.2.1,A.16.1.1,A.16.1.2,A.16.1.3,A.16.1.4,A.16.1.5,A.16.1.6,A.16.1.7,A.18.1.4,A.18.2.2,A.18.2.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,Clause 16.1.2,Clause 7.4'
     cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
     stigid@rhel7: RHEL-07-020019
-    stigid@sle12: SLES-12-010599 
+    stigid@sle12: SLES-12-010599
+    stigid@ol7: OL07-00-020019
 
 ocil_clause: 'the HBSS HIPS module is not installed'
 
@@ -60,4 +61,3 @@ template:
         ansible: "off"
         bash: "off"
         puppet: "off"
-

linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml

@@ -41,7 +41,7 @@ references:
     nist: CM-6(d),CM-6(c),SI-7,SI-7(1),SI-7(6),AU-9(3)
     nist-csf: PR.AC-4,PR.DS-5,PR.IP-1,PR.PT-1
     pcidss: Req-11.5
-    srg: SRG-OS-000257-GPOS-00098,SRG-OS-000278-GPOS-00108
+    srg: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000278-GPOS-00108
     isa-62443-2013: 'SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 5.2,SR 7.6'
     isa-62443-2009: 4.3.3.3.9,4.3.3.5.8,4.3.3.7.3,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
     cobit5: APO01.06,APO11.04,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.04,DSS05.07,DSS06.02,MEA02.01

linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml

@@ -23,6 +23,7 @@ identifiers:
     cce@sle12: CCE-83013-3
 
 references:
+    stigid@ol7: OL07-00-010350
     anssi: BP28(R5),BP28(R59)
     disa: CCI-002038
     nist: IA-11,CM-6(a)

ol7/profiles/stig.profile

@@ -4,7 +4,7 @@ title: 'DISA STIG for Oracle Linux 7'
 
 description: |-
     This profile contains configuration checks that align to the
-    DISA STIG for Oracle Linux V1R1.
+    DISA STIG for Oracle Linux V2R1.
 
 selections:
     - login_banner_text=dod_banners
@@ -55,7 +55,6 @@ selections:
     - dconf_gnome_screensaver_lock_locked
     - dconf_gnome_enable_smartcard_auth
     - dconf_gnome_screensaver_idle_delay
-    - package_screen_installed
     - dconf_gnome_screensaver_idle_activation_enabled
     - dconf_gnome_screensaver_idle_activation_locked
     - dconf_gnome_screensaver_lock_delay
@@ -115,7 +114,6 @@ selections:
     - accounts_no_uid_except_zero
     - no_files_unowned_by_user
     - file_permissions_ungroupowned
-    - accounts_user_interactive_home_directory_defined
     - accounts_have_homedir_login_defs
     - accounts_user_interactive_home_directory_exists
     - file_permissions_home_directories
@@ -288,3 +286,18 @@ selections:
     - audit_rules_usergroup_modification_opasswd
     - sysctl_net_ipv4_conf_all_accept_redirects
     - wireless_disable_interfaces
+    - sudo_remove_no_authenticate
+    - selinux_policytype
+    - dconf_gnome_disable_ctrlaltdel_reboot
+    - dconf_gnome_disable_automount_open
+    - dconf_gnome_disable_automount
+    - dconf_gnome_disable_autorun
+    - audit_rules_privileged_commands_mount
+    - dir_perms_world_writable_system_owned_group
+    - package_MFEhiplsm_installed
+    - sssd_ldap_configure_tls_reqcert
+    - uefi_no_removeable_media
+    - xwindows_runlevel_target
+    - require_emergency_target_auth
+    - grub2_admin_username
+    - grub2_uefi_admin_username