Merge pull request #5 from Eric-Domeier/fix/rules

Fix/rules

Author: Eric-Domeier

controls/stig_al2023.yml

@@ -209,6 +209,14 @@ controls:
       - sudo_remove_nopasswd
     status: automated
 
+  - id: AZLX-23-002610
+    levels:
+      - medium
+    title: Amazon Linux 2023 must implement nonexecutable data to protect its memory from unauthorized code execution.
+    rules:
+      - bios_enable_execution_restrictions
+    status: automated
+
   - id: AZLX-23-001025
     levels:
       - medium
@@ -528,20 +536,23 @@ controls:
       package.
     rules: []
     status: pending
+
   - id: AZLX-23-001265
     levels:
       - medium
     title: Amazon Linux 2023 must implement DOD-approved TLS encryption in the
       OpenSSL package.
     rules: []
     status: pending
+
   - id: AZLX-23-001270
     levels:
       - medium
     title: Amazon Linux 2023 must implement a FIPS 140-2/140-3 compliant
       systemwide cryptographic policy.
     rules: []
     status: pending
+
   - id: AZLX-23-001275
     levels:
       - medium
@@ -552,6 +563,7 @@ controls:
       - harden_sshd_ciphers_opensshserver_conf_crypto_policy
       - sshd_approved_ciphers=stig_rhel9
     status: automated
+
   - id: AZLX-23-001280
     levels:
       - high
@@ -569,6 +581,7 @@ controls:
     title: Amazon Linux 2023 crypto policy must not be overridden.
     rules: []
     status: pending
+
   - id: AZLX-23-001290
     levels:
       - medium
@@ -613,8 +626,10 @@ controls:
     title: Amazon Linux 2023, for PKI-based authentication, must validate
       certificates by constructing a certification path (which includes status
       information) to an accepted trust anchor.
-    rules: []
+    rules: 
+      - sssd_has_trust_anchor
     status: pending
+
   - id: AZLX-23-001315
     levels:
       - medium
@@ -748,8 +763,10 @@ controls:
       - medium
     title: Amazon Linux 2023 must be configured to off-load audit records onto a
       different system from the system being audited via syslog.
-    rules: []
-    status: pending
+    rules: 
+      - rsyslog_remote_loghost
+    status: automated
+
   - id: AZLX-23-002065
     levels:
       - medium
@@ -804,7 +821,8 @@ controls:
     title: Amazon Linux 2023 must generate audit records for all account
       creations, modifications, disabling, and termination events that affect
       /etc/sudoers.d/ directory.
-    rules: []
+    rules: 
+      - audit_rules_sudoers_d
     status: pending
   - id: AZLX-23-002095
     levels:
@@ -1017,8 +1035,10 @@ controls:
     title: Amazon Linux 2023 must generate audit records for all account
       creations, modifications, disabling, and termination events that affect
       /etc/passwd.
-    rules: []
+    rules: 
+      - audit_rules_usergroup_modification_shadow
     status: pending
+
   - id: AZLX-23-002210
     levels:
       - medium
@@ -1034,8 +1054,10 @@ controls:
     title: Amazon Linux 2023 must alert the information system security officer
       (ISSO) and system administrator (SA), at a minimum, in the event of an audit
       processing failure.
-    rules: []
+    rules: 
+      - auditd_data_retention_action_mail_acct
     status: pending
+
   - id: AZLX-23-002220
     levels:
       - medium
@@ -1051,23 +1073,29 @@ controls:
       - medium
     title: Amazon Linux 2023 audit logs must be group-owned by root or by a
       restricted logging group to prevent unauthorized read access.
-    rules: []
+    rules: 
+      - file_group_ownership_var_log_audit
     status: pending
+
   - id: AZLX-23-002230
     levels:
       - medium
     title:
       Amazon Linux 2023 audit log directory must be owned by root to prevent
       unauthorized read access.
-    rules: []
+    rules:
+      - file_ownership_var_log_audit_stig
     status: pending
+
   - id: AZLX-23-002235
     levels:
       - medium
     title: Amazon Linux 2023 audit logs file must have mode "0600" or less
       permissive to prevent unauthorized access to the audit log.
-    rules: []
+    rules: 
+      - file_permissions_var_log_audit
     status: pending
+
   - id: AZLX-23-002240
     levels:
       - medium
@@ -1656,6 +1684,7 @@ controls:
       for the appropriate DOD network.
     rules: []
     status: pending
+
   - id: AZLX-23-002565
     levels:
       - medium
@@ -1740,13 +1769,7 @@ controls:
       configured on impacted network interfaces.
     rules: []
     status: pending
-  - id: AZLX-23-002610
-    levels:
-      - medium
-    title: Amazon Linux 2023 must implement nonexecutable data to protect its
-      memory from unauthorized code execution.
-    rules: []
-    status: pending
+
   - id: AZLX-23-002615
     levels:
       - low

linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml

@@ -4,6 +4,7 @@
           The operating system installed on the system is a certified operating system that meets FIPS 140-2 requirements.
       ", rule_title=rule_title) }}}
     <criteria comment="Installed operating system is a certified operating system" operator="OR">
+      <extend_definition comment="Installed OS is Al2023" definition_ref="installed_OS_is_al2023" />
       <extend_definition comment="Installed OS is RHEL8" definition_ref="installed_OS_is_rhel8" />
       <!--extend_definition comment="Installed OS is RHEL9" definition_ref="installed_OS_is_rhel9" /-->
       <extend_definition comment="Installed OS is RHCOS4" definition_ref="installed_OS_is_rhcos4" />

linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml

@@ -5,6 +5,7 @@
       ", rule_title=rule_title) }}}
     <criteria comment="Installed operating system is supported by a vendor" operator="OR">
       <extend_definition comment="Installed OS is ALMALINUX9" definition_ref="installed_OS_is_almalinux9" />
+      <extend_definition comment="Installed OS is AL2023" definition_ref="installed_OS_is_al2023" />
       <extend_definition comment="Installed OS is RHEL8" definition_ref="installed_OS_is_rhel8" />
       <extend_definition comment="Installed OS is RHEL9" definition_ref="installed_OS_is_rhel9" />
       <extend_definition comment="Installed OS is RHEL10" definition_ref="installed_OS_is_rhel10" />

products/al2023/CMakeLists.txt

@@ -9,11 +9,11 @@ ssg_build_product(${PRODUCT})
 
 ssg_build_html_cce_table(${PRODUCT})
 
-ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "anssi;cis;cui;nist;pcidss")
+ssg_build_html_ref_tables("${PRODUCT}" "table-${PRODUCT}-{ref_id}refs" "cis;nist")
 
 ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-stig" "${PRODUCT}" "stig" "nist")
 
 ssg_build_html_srgmap_tables(${PRODUCT})
 
 ssg_build_html_stig_tables(${PRODUCT})
-ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")
+ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")

products/al2023/profiles/standard.profile

@@ -48,3 +48,7 @@ selections:
     - audit_rules_sysadmin_actions
     - audit_rules_kernel_module_loading
     - audit_rules_immutable_login_uids
+    - mount_option_boot_efi_nosuid
+    - grub2_audit_backlog_limit_argument
+    - grub2_audit_argument
+    - file_permissions_var_log_audit

products/al2023/profiles/stig.profile

@@ -1,4 +1,4 @@
-{{%- if product in ["almalinux9", "debian12", "debian13", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
+{{%- if product in ["almalinux9", "al2023", "debian12", "debian13", "fedora", "ol7", "ol8", "ol9", "ol10", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "slmicro6", "ubuntu2204", "ubuntu2404"] %}}
   {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}}
 {{%- endif %}}
 <def-group>