Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,8 @@ rationale: |-
public web server and private servers the intent of data and resource
segregation can be compromised.
In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG that
isolates inbound traffic from external network to the internal network,
In addition to the requirements of applicable DMZ segmentation policies that
isolate inbound traffic from the external network to the internal network,
resources such as printers, files, and folders/directories will not be
shared between public web servers and assets located within the internal
network.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,33 +8,6 @@ description: |-
default text with a message compliant with the local site policy or a legal
disclaimer.

The DoD required text is either:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we truly removing DOD specific content we should remove the required text.,

<br /><br />
<tt>You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
<br />-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
<br />-At any time, the USG may inspect and seize data stored on this IS.
<br />-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
<br />-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
<br />-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.</tt>
<br /><br />
OR:
<br /><br />
<tt>I've read &amp; consent to terms in IS user agreem't.</tt>

rationale: |-
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -8,33 +8,6 @@ description: |-
default text with a message compliant with the local site policy or a legal
disclaimer.
The DoD required text is either:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as banner_etc_issue_net.

<br /><br />
<tt>You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
<br />-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
<br />-At any time, the USG may inspect and seize data stored on this IS.
<br />-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
<br />-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
<br />-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.</tt>
<br /><br />
OR:
<br /><br />
<tt>I've read &amp; consent to terms in IS user agreem't.</tt>
rationale: |-
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,48 +4,19 @@
title: 'Enable the SSH login confirmation banner'

description: |-
This rule verifies that that the SSH login confirmation banner is set
This rule verifies that the SSH login confirmation banner is set
correctly.

The DoD required text is:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as banner_etc_issue_net.

<br /><br />
<tt>if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]; then<br/>
while true; do<br/>
read -p "<br/>
You are accessing a U.S. Government (USG) Information System (IS) that is provided for
USG-authorized use only.<br/>
By using this IS (which includes any device attached to this IS), you consent to the
following conditions:<br/>
-The USG routinely intercepts and monitors communications on this IS for purposes
including, but not limited to, penetration testing, COMSEC monitoring, network
operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.<br/>
-At any time, the USG may inspect and seize data stored on this IS.<br/>
-Communications using, or data stored on, this IS are not private, are subject to routine
monitoring, interception, and search, and may be disclosed or used for any USG-
authorized purpose.<br/>
-This IS includes security measures (e.g., authentication and access controls) to protect
USG interests--not for your personal benefit or privacy.<br/>
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI
investigative searching or monitoring of the content of privileged communications, or
work product, related to personal representation or services by attorneys,
psychotherapists, or clergy, and their assistants. Such communications and work product
are private and confidential. See User Agreement for details.<br/>
Do you agree? [y/N] " yn<br/>
case $yn in
[Yy]* ) break ;;<br/>
[Nn]* ) exit 1 ;;<br/>
esac<br/>
done<br/>
fi<br/>
</tt>
The confirmation text is configurable through the var_ssh_confirm_text
variable, which supports the DoD-required consent text or a generic
alternative.

rationale: |-
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.

severity: medium

ocil_clause: 'it does not display the required banner'
Expand All @@ -54,4 +25,4 @@
To check if the system motd banner is compliant,
run the following command:
<pre>$ less /etc/profile.d/ssh_confirm.sh</pre>

Check warning on line 28 in linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml

View workflow job for this annotation

GitHub Actions / Yaml Lint on Changed yaml files

28:1 [empty-lines] too many blank lines (1 > 0)
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
#!/bin/bash
# platform = multi_platform_all
# variables = var_ssh_confirm_text=generic_default
{{% set var_ssh_confirm_text='#!/bin/bash
if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]; then
while true; do
read -p "
This system is accessible only to authorized users.
By accessing this system, you agree to comply with your organization\'s acceptable use policy and applicable security requirements.
Unauthorized access, use, or modification of this system is prohibited and may be subject to disciplinary action or legal penalties.
All activity on this system may be monitored, recorded, and audited in accordance with your organization\'s policies.
Do you agree? [y/N] " yn
case $yn in
[Yy]* ) break ;;
[Nn]* ) exit 1 ;;
esac
done
fi
' %}}
echo '{{{ var_ssh_confirm_text }}}' | fold -sw 80 >/etc/profile.d/ssh_confirm.sh
Original file line number Diff line number Diff line change
Expand Up @@ -8,33 +8,6 @@ description: |-
Replace the default text with a message compliant with the local site
policy or a legal disclaimer.

The DoD required text is either:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as banner_etc_issue_net.

<br /><br />
<tt>You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
<br />-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
<br />-At any time, the USG may inspect and seize data stored on this IS.
<br />-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
<br />-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
<br />-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.</tt>
<br /><br />
OR:
<br /><br />
<tt>I've read &amp; consent to terms in IS user agreem't.</tt>

rationale: |-
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,4 +16,5 @@ interactive: false
options:
# How to generate banner, check https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html#generating-login-banner-regular-expressions
dod_default: ^\#!\/bin\/bash(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)if[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_CLIENT"[\s\n]+\][\s\n]+\|\|[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_TTY"[\s\n]+\];[\s\n]+then(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+while[\s\n]+true;[\s\n]+do(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+read[\s\n]+\-p[\s\n]+"[\s\n]+(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Do[\s\n]+you[\s\n]+agree\?[\s\n]+\[y\/N\][\s\n]+"[\s\n]+yn(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+case[\s\n]+\$yn[\s\n]+in(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Yy\]\*[\s\n]+\)[\s\n]+break[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Nn\]\*[\s\n]+\)[\s\n]+exit[\s\n]+1[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+esac(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+done(?:[\n]+|(?:\\n)+)fi(?:[\n]+|(?:\\n)+)$
generic_default: ^\#!\/bin\/bash(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)if[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_CLIENT"[\s\n]+\][\s\n]+\|\|[\s\n]+\[[\s\n]+\-n[\s\n]+"\$SSH_TTY"[\s\n]+\];[\s\n]+then(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+while[\s\n]+true;[\s\n]+do(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+read[\s\n]+\-p[\s\n]+"[\s\n]+(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)This[\s\n]+system[\s\n]+is[\s\n]+accessible[\s\n]+only[\s\n]+to[\s\n]+authorized[\s\n]+users\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)By[\s\n]+accessing[\s\n]+this[\s\n]+system,[\s\n]+you[\s\n]+agree[\s\n]+to[\s\n]+comply[\s\n]+with[\s\n]+your[\s\n]+organization's[\s\n]+acceptable[\s\n]+use[\s\n]+policy[\s\n]+and[\s\n]+applicable[\s\n]+security[\s\n]+requirements\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Unauthorized[\s\n]+access,[\s\n]+use,[\s\n]+or[\s\n]+modification[\s\n]+of[\s\n]+this[\s\n]+system[\s\n]+is[\s\n]+prohibited[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+subject[\s\n]+to[\s\n]+disciplinary[\s\n]+action[\s\n]+or[\s\n]+legal[\s\n]+penalties\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)All[\s\n]+activity[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+may[\s\n]+be[\s\n]+monitored,[\s\n]+recorded,[\s\n]+and[\s\n]+audited[\s\n]+in[\s\n]+accordance[\s\n]+with[\s\n]+your[\s\n]+organization's[\s\n]+policies\.(?:[\n]+|(?:\\n)+)(?:[\n]+|(?:\\n)+)Do[\s\n]+you[\s\n]+agree\?[\s\n]+\[y\/N\][\s\n]+"[\s\n]+yn(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+case[\s\n]+\$yn[\s\n]+in(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Yy\]\*[\s\n]+\)[\s\n]+break[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+\[Nn\]\*[\s\n]+\)[\s\n]+exit[\s\n]+1[\s\n]+;;(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+[\s\n]+esac(?:[\n]+|(?:\\n)+)[\s\n]+[\s\n]+[\s\n]+[\s\n]+done(?:[\n]+|(?:\\n)+)fi$

Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
documentation_complete: true


title: 'Configure GnuTLS library to use DoD-approved TLS Encryption'
title: 'Configure GnuTLS library to use Approved TLS Encryption'

description: |-
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Expand Down Expand Up @@ -33,17 +33,17 @@ references:
ocil_clause: 'cryptographic policy for gnutls is not configured or is configured incorrectly'

ocil: |-
To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run:
To verify if GnuTLS uses the defined approved TLS Crypto Policy, run:
<pre>$ sudo grep
'+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'
/etc/crypto-policies/back-ends/gnutls.config</pre> and verify that a match exists.
fixtext: |-
Configure the {{{ full_name }}} GnuTLS library to use only DoD-approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config":
Configure the {{{ full_name }}} GnuTLS library to use only approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config":
+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0
A reboot is required for the changes to take effect.
srg_requirement:
{{{ full_name }}} must implement DoD-approved TLS encryption in the GnuTLS package.
{{{ full_name }}} must implement approved TLS encryption in the GnuTLS package.
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,8 @@ rationale: |-
a vendor. This ensures the software has not been tampered with and that it
has been provided by a trusted vendor. Self-signed certificates are
disallowed by this requirement. The operating system should not have
to verify the software again. NOTE: For U.S. Military systems, this
requirement does not mandate DoD certificates for this purpose; however,
to verify the software again. NOTE: For regulated systems, this requirement
does not mandate organization-specific certificates for this purpose; however,
the certificate used to verify the software must be from an approved
Certificate Authority.
Expand Down
Loading