[FOR TESTING PURPOSES] try delta on formatted profile #4

Open
wants to merge 3 commits into
base: upuntu-updates-delta-format
47 changes: 32 additions & 15 deletions controls/SV-238196.rb
@@ -1,4 +1,4 @@
control 'SV-238196' do
control "SV-238196" do
title "The Ubuntu operating system must provision temporary user accounts with an expiration time
of 72 hours or less. "
desc "If temporary user accounts remain active when no longer needed or for an excessive period,
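Review bot: the single-to-double quote swap on `control "SV-238196" do` is the only change in this hunk, and it inverts the convention the rest of the profile uses (`input('temporary_accounts')` and `command('which Xorg')` further down stay single-quoted), so RuboCop's default Style/StringLiterals will flag every converted line; either keep single quotes where no interpolation or escapes are needed, or commit a `.rubocop.yml` with `EnforcedStyle: double_quotes` so the profile lints clean after the reformat. While this control is being touched, the title string still ends in `72 hours or less. ` with a trailing space inside the quotes, which the desc strings later in the file have trimmed; trim it here as well.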
@@ -15,8 +15,23 @@

To address
access requirements, many operating systems may be integrated with enterprise-level
authentication/access mechanisms that meet or exceed access control policy requirements. "
desc 'check', "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or
authentication/access mechanisms that meet or exceed access control policy requirements."
desc "default", "If temporary user accounts remain active when no longer needed or for an excessive period,
these accounts may be used to gain unauthorized access. To mitigate this risk, automated
termination of all temporary accounts must be set upon account creation.

Temporary
accounts are established as part of normal account activation procedures when there is a need
for short-term accounts without the demand for immediacy in account activation.

If
temporary accounts are used, the operating system must be configured to automatically
terminate these types of accounts after a DoD-defined time period of 72 hours.

To address
access requirements, many operating systems may be integrated with enterprise-level
authentication/access mechanisms that meet or exceed access control policy requirements."
desc "check", "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or
less.

For every existing temporary account, run the following command to obtain its
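Review bot: the new `desc "default", "..."` block is a verbatim copy of the positional `desc "..."` that is still present immediately above it. In InSpec a bare `desc 'text'` already sets the default description (the `default` key of the control's descriptions), so this hunk adds fifteen duplicated lines to the control and leaves two copies of the same text to drift apart; keep one form, preferably by deleting the new block, since nothing consumes a second copy. The only substantive change that should remain is the trailing-space trim at `policy requirements."`, which is fine.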
@@ -32,24 +47,25 @@
accounts has an expiration date set within 72 hours of account creation.

If any temporary
account does not expire within 72 hours of that account's creation, this is a finding. "
desc 'fix', "If a temporary account must be created, configure the system to terminate the account after a
account does not expire within 72 hours of that account's creation, this is a finding."
desc "fix", "If a temporary account must be created, configure the system to terminate the account after a
72-hour time period with the following command to set an expiration date on it.

Substitute
\"system_account_name\" with the account to be created.

$ sudo chage -E $(date -d \"+3 days\"
+%F) system_account_name "
+%F) system_account_name"
impact 0.5
tag severity: 'medium '
tag gtitle: 'SRG-OS-000002-GPOS-00002 '
tag gid: 'V-238196 '
tag rid: 'SV-238196r653763_rule '
tag stig_id: 'UBTU-20-010000 '
tag fix_id: 'F-41365r653762_fix '
tag cci: ['CCI-000016']
tag nist: ['AC-2 (2)']
ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
tag severity: "medium "
tag gtitle: "SRG-OS-000002-GPOS-00002 "
tag gid: "V-238196 "
tag rid: "SV-238196r653763_rule "
tag stig_id: "UBTU-20-010000 "
tag fix_id: "F-41365r653762_fix "
tag cci: ["CCI-000016"]
tag nist: ["AC-2 (2)"]

temporary_accounts = input('temporary_accounts')

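Review bot: `ref 'DPMS Target Canonical Ubuntu 20.04 LTS'` is deleted with no replacement, and the same line disappears from SV-238197, SV-238198 and SV-238199 below; if the formatter dropped it by accident it needs restoring, and if it is intentional the PR should say why the STIG reference is going. Separately, the quote conversion carries the trailing spaces inside every tag value forward unchanged (`"medium "`, `"V-238196 "`, `"SV-238196r653763_rule "`, `"UBTU-20-010000 "`), so anything that exact-matches `gid`, `rid` or `stig_id` against the STIG identifiers will still miss; since the reformat rewrites these lines anyway, strip the whitespace in the same commit, e.g. `tag gid: "V-238196"`. The fix text's `chage -E $(date -d \"+3 days\" +%F)` is unchanged STIG verbiage and its `\"` escapes survive the double-quoted string correctly.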
@@ -65,4 +81,5 @@
end
end
end
end

end
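Review bot: the only change here is an empty line inserted before the control's closing `end`; RuboCop's Layout/EmptyLinesAroundBlockBody flags a blank line before the `end` of a `do ... end` block, so this works against the rest of the reformat. The same stray blank is added to the other three controls in this PR; drop it everywhere.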
79 changes: 64 additions & 15 deletions controls/SV-238197.rb
@@ -1,4 +1,4 @@
control 'SV-238197' do
control "SV-238197" do
title "The Ubuntu operating system must enable the graphical user logon banner to display the
Standard Mandatory DoD Notice and Consent Banner before granting local access to the system
via a graphical user logon. "
@@ -48,8 +48,55 @@
characters that can be displayed in the banner:

\"I've read & consent to terms in IS user
agreem't.\" "
desc 'check', "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD
agreem't.\""
desc "default", "Display of a standardized and approved use notification before granting access to the Ubuntu
operating system ensures privacy and security notification verbiage used is consistent
with applicable federal laws, Executive Orders, directives, policies, regulations,
standards, and guidance.

System use notifications are required only for access via logon
interfaces with human users and are not required when such human interfaces do not exist.


The banner must be formatted in accordance with applicable DoD policy. Use the following
verbiage for operating systems that can accommodate banners of 1300 characters:

\"You are
accessing a U.S. Government (USG) Information System (IS) that is provided for
USG-authorized use only.

By using this IS (which includes any device attached to this IS),
you consent to the following conditions:

-The USG routinely intercepts and monitors
communications on this IS for purposes including, but not limited to, penetration testing,
COMSEC monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may
inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS
are not private, are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.

-This IS includes security measures
(e.g., authentication and access controls) to protect USG interests--not for your personal
benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services by
attorneys, psychotherapists, or clergy, and their assistants. Such communications and
work product are private and confidential. See User Agreement for details.\"

Use the
following verbiage for operating systems that have severe limitations on the number of
characters that can be displayed in the banner:

\"I've read & consent to terms in IS user
agreem't.\""
desc "check", "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD
Notice and Consent Banner before granting access to the operating system via a graphical user
logon.

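Review bot: same duplication as in SV-238196, but here the copied text is the full 1300-character DoD banner, so the control now carries the banner twice (the positional `desc` above and `desc "default"` here), and SV-238198 below does the same; that accounts for most of the 64 added lines in each of these two files. The banner content itself is unchanged STIG verbiage, and the only change that should survive is the trailing-space trim after `agreem't.\"`.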
@@ -65,8 +112,8 @@
banner-message-enable=true

If the line is
commented out or set to \"false\", this is a finding. "
desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
commented out or set to \"false\", this is a finding."
desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.

Look for the
\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and
@@ -84,16 +131,17 @@

$ sudo dconf
update
$ sudo systemctl restart gdm3 "
$ sudo systemctl restart gdm3"
impact 0.5
tag severity: 'medium '
tag gtitle: 'SRG-OS-000023-GPOS-00006 '
tag gid: 'V-238197 '
tag rid: 'SV-238197r653766_rule '
tag stig_id: 'UBTU-20-010002 '
tag fix_id: 'F-41366r653765_fix '
tag cci: ['CCI-000048']
tag nist: ['AC-8 a']
ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
tag severity: "medium "
tag gtitle: "SRG-OS-000023-GPOS-00006 "
tag gid: "V-238197 "
tag rid: "SV-238197r653766_rule "
tag stig_id: "UBTU-20-010002 "
tag fix_id: "F-41366r653765_fix "
tag cci: ["CCI-000048"]
tag nist: ["AC-8 a"]

xorg_status = command('which Xorg').exit_status
if xorg_status == 0
@@ -106,4 +154,5 @@
skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s)
end
end
end

end
79 changes: 64 additions & 15 deletions controls/SV-238198.rb
@@ -1,4 +1,4 @@
control 'SV-238198' do
control "SV-238198" do
title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent
Banner before granting local access to the system via a graphical user logon. "
desc "Display of a standardized and approved use notification before granting access to the Ubuntu
@@ -47,8 +47,55 @@
characters that can be displayed in the banner:

\"I've read & consent to terms in IS user
agreem't.\" "
desc 'check', "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent
agreem't.\""
desc "default", "Display of a standardized and approved use notification before granting access to the Ubuntu
operating system ensures privacy and security notification verbiage used is consistent
with applicable federal laws, Executive Orders, directives, policies, regulations,
standards, and guidance.

System use notifications are required only for access via logon
interfaces with human users and are not required when such human interfaces do not exist.


The banner must be formatted in accordance with applicable DoD policy. Use the following
verbiage for operating systems that can accommodate banners of 1300 characters:

\"You are
accessing a U.S. Government (USG) Information System (IS) that is provided for
USG-authorized use only.

By using this IS (which includes any device attached to this IS),
you consent to the following conditions:

-The USG routinely intercepts and monitors
communications on this IS for purposes including, but not limited to, penetration testing,
COMSEC monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may
inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS
are not private, are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.

-This IS includes security measures
(e.g., authentication and access controls) to protect USG interests--not for your personal
benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services by
attorneys, psychotherapists, or clergy, and their assistants. Such communications and
work product are private and confidential. See User Agreement for details.\"

Use the
following verbiage for operating systems that have severe limitations on the number of
characters that can be displayed in the banner:

\"I've read & consent to terms in IS user
agreem't.\""
desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent
Banner before granting access to the operating system via a graphical user logon.

Note: If
@@ -80,8 +127,8 @@

If the
banner-message-text is missing, commented out, or does not match the Standard Mandatory DoD
Notice and Consent Banner exactly, this is a finding. "
desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
Notice and Consent Banner exactly, this is a finding."
desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.

Set the \"banner-message-text\" line
to contain the appropriate banner message text as shown below:
@@ -108,16 +155,17 @@

$ sudo dconf update
$ sudo
systemctl restart gdm3 "
systemctl restart gdm3"
impact 0.5
tag severity: 'medium '
tag gtitle: 'SRG-OS-000023-GPOS-00006 '
tag gid: 'V-238198 '
tag rid: 'SV-238198r653769_rule '
tag stig_id: 'UBTU-20-010003 '
tag fix_id: 'F-41367r653768_fix '
tag cci: ['CCI-000048']
tag nist: ['AC-8 a']
ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
tag severity: "medium "
tag gtitle: "SRG-OS-000023-GPOS-00006 "
tag gid: "V-238198 "
tag rid: "SV-238198r653769_rule "
tag stig_id: "UBTU-20-010003 "
tag fix_id: "F-41367r653768_fix "
tag cci: ["CCI-000048"]
tag nist: ["AC-8 a"]

banner_text = input('banner_text')
clean_banner = banner_text.gsub(/[\r\n\s]/, '')
@@ -134,4 +182,5 @@
skip 'Package gdm3 not installed, this control Not Applicable'
end
end
end

end
45 changes: 28 additions & 17 deletions controls/SV-238199.rb
@@ -1,4 +1,4 @@
control 'SV-238199' do
control "SV-238199" do
title "The Ubuntu operating system must retain a user's session lock until that user reestablishes
access using established identification and authentication procedures. "
desc "A session lock is a temporary action taken when a user stops work and moves away from the
@@ -11,10 +11,19 @@
Regardless of where the session lock is determined and
implemented, once invoked, a session lock of the Ubuntu operating system must remain in place
until the user reauthenticates. No other activity aside from reauthentication must unlock
the system.
the system."
desc "default", "A session lock is a temporary action taken when a user stops work and moves away from the
immediate physical vicinity of the information system but does not want to log out because of
the temporary nature of the absence.

"
desc 'check', "Verify the Ubuntu operation system has a graphical user interface session lock enabled.
The session lock is implemented at the point where
session activity can be determined.

Regardless of where the session lock is determined and
implemented, once invoked, a session lock of the Ubuntu operating system must remain in place
until the user reauthenticates. No other activity aside from reauthentication must unlock
the system."
desc "check", "Verify the Ubuntu operation system has a graphical user interface session lock enabled.


Note: If the Ubuntu operating system does not have a graphical user interface installed,
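Review bot: the reflow in this hunk is a genuine fix: the old description ended with a blank line and a bare `"` on its own line, so the string carried two embedded trailing newlines, and the new `the system."` closes it cleanly. But the rewritten `desc "check", "Verify the Ubuntu operation system has a graphical user interface session lock enabled.` still says `operation system` where the rest of the profile says `operating system`; the typo predates this PR (the removed line has it too), so decide whether this profile mirrors the source text verbatim or is allowed to correct it, and apply that decision consistently. The `desc "default"` block added below it is again a redundant copy of the positional `desc` above.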
@@ -29,8 +38,8 @@
true

If \"lock-enabled\" is
not set to \"true\", this is a finding. "
desc 'fix', "Configure the Ubuntu operating system to allow a user to lock the current graphical user
not set to \"true\", this is a finding."
desc "fix", "Configure the Ubuntu operating system to allow a user to lock the current graphical user
interface session.

Note: If the Ubuntu operating system does not have a graphical user
@@ -40,17 +49,18 @@
to allow graphical user interface session locks with the following command:

$ sudo
gsettings set org.gnome.desktop.screensaver lock-enabled true "
gsettings set org.gnome.desktop.screensaver lock-enabled true"
impact 0.5
tag severity: 'medium '
tag gtitle: 'SRG-OS-000028-GPOS-00009 '
tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)
tag gid: 'V-238199 '
tag rid: 'SV-238199r653772_rule '
tag stig_id: 'UBTU-20-010004 '
tag fix_id: 'F-41368r653771_fix '
tag cci: %w(CCI-000056 CCI-000057)
tag nist: ['AC-11 b', 'AC-11 a']
ref 'DPMS Target Canonical Ubuntu 20.04 LTS'
tag severity: "medium "
tag gtitle: "SRG-OS-000028-GPOS-00009 "
tag satisfies: ["SRG-OS-000028-GPOS-00009", "SRG-OS-000029-GPOS-00010"]
tag gid: "V-238199 "
tag rid: "SV-238199r653772_rule "
tag stig_id: "UBTU-20-010004 "
tag fix_id: "F-41368r653771_fix "
tag cci: ["CCI-000056", "CCI-000057"]
tag nist: ["AC-11 b", "AC-11 a"]

xorg_status = command('which Xorg').exit_status
if xorg_status == 0
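Review bot: `tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)` and `tag cci: %w(CCI-000056 CCI-000057)` are expanded into bracketed string arrays; RuboCop's Style/WordArray, enabled by default, prefers `%w[...]` for arrays of two or more bare words, so if the goal is a lint-clean profile this is a step backwards and should be reverted to the `%w` form (with brackets rather than parentheses if Style/PercentLiteralDelimiters is also enforced). The trailing spaces inside the identifier tags and the dropped `ref 'DPMS Target Canonical Ubuntu 20.04 LTS'` line have the same problems noted on SV-238196.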
@@ -62,4 +72,5 @@
skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s)
end
end
end

end