diff --git a/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml index 1a6a3591ed79..304e3a10d905 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml @@ -13,8 +13,8 @@ rationale: |- public web server and private servers the intent of data and resource segregation can be compromised. - In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG that - isolates inbound traffic from external network to the internal network, + In addition to the requirements of applicable DMZ segmentation policies that + isolate inbound traffic from the external network to the internal network, resources such as printers, files, and folders/directories will not be shared between public web servers and assets located within the internal network. diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml index bc2cf5ccdc83..3d661dde7d35 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml @@ -8,33 +8,6 @@ description: |- default text with a message compliant with the local site policy or a legal disclaimer. - The DoD required text is either: -

- You are accessing a U.S. Government (USG) Information System (IS) that - is provided for USG-authorized use only. By using this IS (which includes - any device attached to this IS), you consent to the following conditions: -
-The USG routinely intercepts and monitors communications on this IS - for purposes including, but not limited to, penetration testing, COMSEC - monitoring, network operations and defense, personnel misconduct (PM), law - enforcement (LE), and counterintelligence (CI) investigations. -
-At any time, the USG may inspect and seize data stored on this IS. -
-Communications using, or data stored on, this IS are not private, - are subject to routine monitoring, interception, and search, and may be - disclosed or used for any USG-authorized purpose. -
-This IS includes security measures (e.g., authentication and access - controls) to protect USG interests -- not for your personal benefit or - privacy. -
-Notwithstanding the above, using this IS does not constitute consent - to PM, LE or CI investigative searching or monitoring of the content of - privileged communications, or work product, related to personal - representation or services by attorneys, psychotherapists, or clergy, and - their assistants. Such communications and work product are private and - confidential. See User Agreement for details.
-

- OR: -

- I've read & consent to terms in IS user agreem't. - rationale: |- Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml index 32df952364e3..92326b1028f8 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml @@ -8,33 +8,6 @@ description: |- default text with a message compliant with the local site policy or a legal disclaimer. - The DoD required text is either: -

- You are accessing a U.S. Government (USG) Information System (IS) that - is provided for USG-authorized use only. By using this IS (which includes - any device attached to this IS), you consent to the following conditions: -
-The USG routinely intercepts and monitors communications on this IS - for purposes including, but not limited to, penetration testing, COMSEC - monitoring, network operations and defense, personnel misconduct (PM), law - enforcement (LE), and counterintelligence (CI) investigations. -
-At any time, the USG may inspect and seize data stored on this IS. -
-Communications using, or data stored on, this IS are not private, - are subject to routine monitoring, interception, and search, and may be - disclosed or used for any USG-authorized purpose. -
-This IS includes security measures (e.g., authentication and access - controls) to protect USG interests -- not for your personal benefit or - privacy. -
-Notwithstanding the above, using this IS does not constitute consent - to PM, LE or CI investigative searching or monitoring of the content of - privileged communications, or work product, related to personal - representation or services by attorneys, psychotherapists, or clergy, and - their assistants. Such communications and work product are private and - confidential. See User Agreement for details.
-

- OR: -

- I've read & consent to terms in IS user agreem't. - rationale: |- Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml index 35fe221fcf9f..d42f620157fa 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml @@ -4,10 +4,10 @@ documentation_complete: true title: 'Enable the SSH login confirmation banner' description: |- - This rule verifies that that the SSH login confirmation banner is set + This rule verifies that that the SSH login confirmation banner is set correctly. - The DoD required text is: + The required text is:

if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]; then
while true; do
@@ -45,7 +45,7 @@ rationale: |- access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - + severity: medium ocil_clause: 'it does not display the required banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml index 9cce04ec9ae5..35e3d0b04ef1 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml @@ -8,33 +8,6 @@ description: |- Replace the default text with a message compliant with the local site policy or a legal disclaimer. - The DoD required text is either: -

- You are accessing a U.S. Government (USG) Information System (IS) that - is provided for USG-authorized use only. By using this IS (which includes - any device attached to this IS), you consent to the following conditions: -
-The USG routinely intercepts and monitors communications on this IS - for purposes including, but not limited to, penetration testing, COMSEC - monitoring, network operations and defense, personnel misconduct (PM), law - enforcement (LE), and counterintelligence (CI) investigations. -
-At any time, the USG may inspect and seize data stored on this IS. -
-Communications using, or data stored on, this IS are not private, - are subject to routine monitoring, interception, and search, and may be - disclosed or used for any USG-authorized purpose. -
-This IS includes security measures (e.g., authentication and access - controls) to protect USG interests -- not for your personal benefit or - privacy. -
-Notwithstanding the above, using this IS does not constitute consent - to PM, LE or CI investigative searching or monitoring of the content of - privileged communications, or work product, related to personal - representation or services by attorneys, psychotherapists, or clergy, and - their assistants. Such communications and work product are private and - confidential. See User Agreement for details.
-

- OR: -

- I've read & consent to terms in IS user agreem't. - rationale: |- Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification diff --git a/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml index 849d62a869ed..b08dcdac4b40 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml @@ -1,7 +1,7 @@ documentation_complete: true -title: 'Configure GnuTLS library to use DoD-approved TLS Encryption' +title: 'Configure GnuTLS library to use Approved TLS Encryption' description: |- Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -33,17 +33,17 @@ references: ocil_clause: 'cryptographic policy for gnutls is not configured or is configured incorrectly' ocil: |- - To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run: + To verify if GnuTLS uses the defined approved TLS Crypto Policy, run:
$ sudo grep
     '+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'
     /etc/crypto-policies/back-ends/gnutls.config
and verify that a match exists. fixtext: |- - Configure the {{{ full_name }}} GnuTLS library to use only DoD-approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config": + Configure the {{{ full_name }}} GnuTLS library to use only approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config": +VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0 A reboot is required for the changes to take effect. srg_requirement: - {{{ full_name }}} must implement DoD-approved TLS encryption in the GnuTLS package. + {{{ full_name }}} must implement approved TLS encryption in the GnuTLS package. diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml index 38d109e4f6d3..481041d37628 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml @@ -23,8 +23,8 @@ rationale: |- a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have - to verify the software again. NOTE: For U.S. Military systems, this - requirement does not mandate DoD certificates for this purpose; however, + to verify the software again. NOTE: For regulated systems, this requirement + does not mandate organization-specific certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority.
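
Review bot: In banner_etc_issue_net/rule.yml (hunk @@ -8,33 +8,6 @@), removing the banner text leaves the description with no statement of what text the check expects. It now ends at "a message compliant with the local site policy or a legal disclaimer", while the rationale that follows still speaks of a "standardized and approved use notification". Add one sentence to the description that points to wherever the expected banner text is configured, so a reader can tell what content will pass the rule. The identical removals in banner_etc_motd/rule.yml and gui_login_banner/banner_etc_gdm_banner/rule.yml need the same sentence.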
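
Review bot: In banner_etc_profiled_ssh_confirm/rule.yml (hunk @@ -4,10 +4,10 @@), the re-added first description line still reads "This rule verifies that that the SSH login confirmation banner is set". The removed and added versions of that line appear to differ only in whitespace, so drop the duplicated "that" while the line is being touched. The new lead-in "The required text is:" introduces a shell snippet rather than banner text, so "The required script is:" would describe what follows more accurately.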
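
Review bot: In configure_gnutls_tls_crypto_policy/rule.yml (hunk @@ -1,7 +1,7 @@), the new title 'Configure GnuTLS library to use Approved TLS Encryption' keeps a capitalized "Approved" but no longer says approved by whom, so the title stops telling the reader what is enforced. The string this rule checks for disables SSL 3.0, TLS 1.0, TLS 1.1, DTLS 0.9 and DTLS 1.0, so a title that names that outcome (legacy SSL/TLS/DTLS versions disabled) would carry more information than an unqualified "Approved".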
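
Review bot: In configure_gnutls_tls_crypto_policy/rule.yml (hunk @@ -33,17 +33,17 @@), "the defined approved TLS Crypto Policy" in the ocil text stacks two adjectives left over from the old wording; "the expected TLS crypto policy" reads cleaner and matches the grep that follows. Also confirm whether srg_requirement is meant to quote its source requirement: if it is, rewording it to "must implement approved TLS encryption" makes it diverge from that source, and the field should either stay verbatim or be removed rather than paraphrased.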
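
Review bot: In ensure_gpgcheck_repo_metadata/rule.yml (hunk @@ -23,8 +23,8 @@), the rewritten NOTE changes meaning rather than just wording: "regulated systems" and "organization-specific certificates" are not defined anywhere in the rationale, whereas the removed text named a specific class of systems and a specific certificate issuer. Either drop the "For regulated systems" qualifier and state the point directly ("this requirement does not mandate certificates from a particular issuer; however, the certificate used to verify the software must be from an approved Certificate Authority"), or remove the NOTE sentence and keep only the approved-CA requirement.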