From df6dcb939721603f98a10c6c0513294c4982d8a2 Mon Sep 17 00:00:00 2001 From: Tomatotech90 Date: Tue, 30 Jun 2026 22:08:30 -0400 Subject: [PATCH 1/2] Remove DoD-specific verbiage from rule.yml files (part 2) Continues work from PR #14834. Removes DoD-specific phrasing from 15 additional files, replacing with policy-agnostic language where the underlying security requirement applies to any organization. Also fixes pre-existing trailing whitespace in var_smartcard_drivers.var and banner_etc_profiled_ssh_confirm/rule.yml found during lint verification. Updates #8709 --- .../httpd_public_resources_not_shared/rule.yml | 4 ++-- .../ssh_use_approved_macs_ordered_stig/rule.yml | 5 +++-- .../sssd_certificate_verification/policy/stig/shared.yml | 4 ++-- .../accounts-banners/banner_etc_issue_net/rule.yml | 2 +- .../accounts/accounts-banners/banner_etc_motd/rule.yml | 2 +- .../banner_etc_profiled_ssh_confirm/rule.yml | 6 +++--- .../gui_login_banner/banner_etc_gdm_banner/rule.yml | 2 +- .../accounts_password_pam_minlen/policy/stig/shared.yml | 1 - .../policy/stig/rhel10.yml | 4 ++-- .../policy/stig/shared.yml | 4 ++-- .../smart_card_login/var_smartcard_drivers.var | 3 +-- .../set_firewalld_default_zone/policy/stig/shared.yml | 2 +- .../crypto/configure_gnutls_tls_crypto_policy/rule.yml | 8 ++++---- .../policy/stig/shared.yml | 2 +- .../updating/ensure_gpgcheck_repo_metadata/rule.yml | 4 ++-- 15 files changed, 26 insertions(+), 27 deletions(-) diff --git a/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml index 1a6a3591ed79..304e3a10d905 100644 --- a/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml +++ b/linux_os/guide/services/http/securing_httpd/httpd_public_resources_not_shared/rule.yml 
@@ -13,8 +13,8 @@ rationale: |- public web server and private servers the intent of data and resource segregation can be compromised. - In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG that - isolates inbound traffic from external network to the internal network, + In addition to the requirements of applicable DMZ segmentation policies that + isolate inbound traffic from the external network to the internal network, resources such as printers, files, and folders/directories will not be shared between public web servers and assets located within the internal network. diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml index a3b143a1e57f..fafb8448892f 100644 --- a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml @@ -14,8 +14,9 @@ description: |- is commented out, or is missing, this is a finding. rationale: |- - DoD Information Systems are required to use FIPS-approved cryptographic hash - functions. The only hash algorithms meeting this requirement is SHA2. + FIPS-approved cryptographic hash functions are required for protecting the + integrity of communications. The only hash algorithms meeting this requirement + are SHA2-based algorithms. severity: medium diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/policy/stig/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/policy/stig/shared.yml index fceb27189e55..b522e612c21a 100644 --- a/linux_os/guide/services/sssd/sssd_certificate_verification/policy/stig/shared.yml +++ b/linux_os/guide/services/sssd/sssd_certificate_verification/policy/stig/shared.yml 
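Review bot: the reworded rationale in the ssh_use_approved_macs_ordered_stig hunk turns a policy statement into a technical claim. "DoD Information Systems are required to use FIPS-approved cryptographic hash functions" describes who is bound by the requirement; the replacement "FIPS-approved cryptographic hash functions are required for protecting the integrity of communications" asserts that integrity protection itself needs FIPS approval, which is not what the rule checks (any HMAC provides integrity; FIPS approval is a compliance constraint). Keep the grammar fix ("are SHA2-based algorithms") but phrase the requirement as a policy, e.g. "Systems subject to FIPS requirements must use FIPS-approved cryptographic hash functions for SSH MACs." Note also that the rule name carries the `_stig` suffix, so the rationale is expected to track the upstream STIG text; check with the maintainers before diverging from it.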
@@ -2,9 +2,9 @@ srg_requirement: |- {{{ full_name }}} must implement certificate status checking for multifactor authentication. vuldiscussion: |- - Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. + Using an authentication device, such as a hardware token or smart card that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. - Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. + Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card. {{{ full_name }}} includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml index bc2cf5ccdc83..e7e088d5163c 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml 
@@ -8,7 +8,7 @@ description: |- default text with a message compliant with the local site policy or a legal disclaimer. - The DoD required text is either: + The required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml index 32df952364e3..984a22ae6410 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml @@ -8,7 +8,7 @@ description: |- default text with a message compliant with the local site policy or a legal disclaimer. - The DoD required text is either: + The required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml index 35fe221fcf9f..d42f620157fa 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml @@ -4,10 +4,10 @@ documentation_complete: true title: 'Enable the SSH login confirmation banner' description: |- - This rule verifies that that the SSH login confirmation banner is set + This rule verifies that that the SSH login confirmation banner is set correctly. - The DoD required text is: + The required text is:

if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]; then
while true; do
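Review bot: the `+` line for the description still reads "verifies that that the SSH login confirmation banner is set"; since this line is already being rewritten (only trailing whitespace changes between the `-` and `+` versions), drop the duplicated "that" in the same hunk rather than leaving a known typo in a touched line. Separately, "The required text is:" now introduces a shell script (`if [ -n "$SSH_CLIENT" ] ...`) rather than banner text, so the lead-in no longer describes what follows; something like "The confirmation prompt is implemented by the following snippet:" would match the content, and the wording of the prompt itself should be reviewed along with the banner_etc_issue_net, banner_etc_motd and banner_etc_gdm_banner files since it carries the same U.S. Government text.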
@@ -45,7 +45,7 @@ rationale: |- access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. - + severity: medium ocil_clause: 'it does not display the required banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml index 9cce04ec9ae5..49450c01fc7f 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml @@ -8,7 +8,7 @@ description: |- Replace the default text with a message compliant with the local site policy or a legal disclaimer. - The DoD required text is either: + The required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml index b01bbb434bc1..6d7047dbd12d 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml @@ -10,7 +10,6 @@ vuldiscussion: |- The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. - The DoD minimum password requirement is 15 characters. checktext: |- Verify that {{{ full_name }}} enforces a minimum 15-character password length with the following command: diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/rhel10.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/rhel10.yml index 8d7369da0ec6..ec19a6bfc9f5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/rhel10.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/rhel10.yml 
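Review bot: the accounts_password_pam_minlen hunk deletes "The DoD minimum password requirement is 15 characters." but the surrounding vuldiscussion ("This will enable "minlen" to require a 15-character minimum.") and the checktext ("enforces a minimum 15-character password length") still assert the figure, so removing the sentence leaves 15 with no stated source. If the intent is policy-agnostic wording, replace the sentence rather than delete it, e.g. "The minimum password length required by this rule is 15 characters." This file sits under policy/stig/, so it may also be one that should keep the upstream STIG text as-is.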
@@ -3,11 +3,11 @@ srg_requirement: |- {{{ full_name }}} pam_unix.so module must be configured in the system-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. vuldiscussion: |- - Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and sensitive data may be compromised. {{{ full_name }}} systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets organizational requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. checktext: |- Verify that the pam_unix.so module is configured to use yescrypt in /etc/pam.d/system-auth with the following command: diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/shared.yml index ec6a05b02b92..0172d849b5c1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/shared.yml 
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/shared.yml @@ -2,11 +2,11 @@ srg_requirement: |- {{{ full_name }}} pam_unix.so module must be configured in the system-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. vuldiscussion: |- - Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and sensitive data may be compromised. {{{ full_name }}} systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets organizational requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. checktext: |- Verify that the pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command: diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/var_smartcard_drivers.var b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/var_smartcard_drivers.var index 8a67eb458e54..b05950bd0f0b 100644 --- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/var_smartcard_drivers.var 
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/var_smartcard_drivers.var @@ -4,7 +4,6 @@ title: 'OpenSC Smart Card Drivers' description: |- Choose the Smart Card Driver in use by your organization. -
For DoD, choose the cac driver.
If your driver is not listed and you don't want to use the default driver, use the other option and manually specify your driver. @@ -46,7 +45,7 @@ options: npa: npa oberthur: oberthur openpgp: openpgp - other: + other: PIV-II: PIV-II rutoken_ecp: rutoken_ecp rutoken: rutoken diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/policy/stig/shared.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/policy/stig/shared.yml index dbc1709596dc..e373860b2c18 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/policy/stig/shared.yml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/policy/stig/shared.yml @@ -2,7 +2,7 @@ srg_requirement: |- A {{{ full_name }}} firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. vuldiscussion: |- - Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. + Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of sensitive data. {{{ full_name }}} incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. 
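Review bot: the commit message describes the var_smartcard_drivers.var change as a trailing-whitespace fix only, but the first hunk header is `@@ -4,7 +4,6 @@` (one line removed, none added) and the second hunk moves from line 46 to 45, so a content line is deleted from the description in addition to the `- other: ` / `+ other:` whitespace fix. State the deleted line in the commit message so reviewers do not have to infer it from the line counts, and confirm that removing the driver guidance was intended, since the remaining text ("Choose the Smart Card Driver in use by your organization.") no longer tells a reader which option corresponds to the CAC.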
diff --git a/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml index 849d62a869ed..b08dcdac4b40 100644 --- a/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml +++ b/linux_os/guide/system/software/integrity/crypto/configure_gnutls_tls_crypto_policy/rule.yml @@ -1,7 +1,7 @@ documentation_complete: true -title: 'Configure GnuTLS library to use DoD-approved TLS Encryption' +title: 'Configure GnuTLS library to use Approved TLS Encryption' description: |- Crypto Policies provide a centralized control over crypto algorithms usage of many packages. @@ -33,17 +33,17 @@ references: ocil_clause: 'cryptographic policy for gnutls is not configured or is configured incorrectly' ocil: |- - To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run: + To verify if GnuTLS uses the defined approved TLS Crypto Policy, run:
$ sudo grep
     '+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'
     /etc/crypto-policies/back-ends/gnutls.config
and verify that a match exists. fixtext: |- - Configure the {{{ full_name }}} GnuTLS library to use only DoD-approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config": + Configure the {{{ full_name }}} GnuTLS library to use only approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config": +VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0 A reboot is required for the changes to take effect. srg_requirement: - {{{ full_name }}} must implement DoD-approved TLS encryption in the GnuTLS package. + {{{ full_name }}} must implement approved TLS encryption in the GnuTLS package. diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.yml index 48e4361f4cfd..3a9802ca27d3 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.yml 
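Review bot: in the configure_gnutls_tls_crypto_policy hunk the title becomes "Configure GnuTLS library to use Approved TLS Encryption" with a capitalised "Approved", while the ocil, fixtext and srg_requirement lines in the same hunk use lowercase "approved"; pick one casing. More importantly, "approved" with no approving body is now ambiguous. The fixtext pins the exact policy string `+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0`, which disables SSL 3.0, TLS 1.0/1.1 and DTLS 0.9/1.0 and leaves TLS 1.2, TLS 1.3 and DTLS 1.2 enabled, so the policy-agnostic wording can be concrete: "must implement TLS 1.2 or later in the GnuTLS package" says what the rule actually verifies.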
@@ -4,7 +4,7 @@ srg_requirement: |- vuldiscussion: |- Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + Remote access (e.g., RDP) is access to nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml index 38d109e4f6d3..481041d37628 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/rule.yml 
@@ -23,8 +23,8 @@ rationale: |- a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have - to verify the software again. NOTE: For U.S. Military systems, this - requirement does not mandate DoD certificates for this purpose; however, + to verify the software again. NOTE: For regulated systems, this requirement + does not mandate organization-specific certificates for this purpose; however, the certificate used to verify the software must be from an approved Certificate Authority. From 5f56e413f1f5661579c489e8dba28d28e346122c Mon Sep 17 00:00:00 2001 
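Review bot: "NOTE: For regulated systems, this requirement does not mandate organization-specific certificates" changes the meaning of the note. The original scoped it to a specific audience (U.S. Military systems) where a reader might otherwise expect DoD certificates to be required for repository metadata signing; "regulated systems" is undefined, and the generalised version implies that organisations would normally mandate their own certificates, which is not a general expectation. Either drop the NOTE sentence, since the following sentence ("the certificate used to verify the software must be from an approved Certificate Authority") already states the rule, or reword it as "This requirement does not mandate a particular certificate authority; however, the certificate used ... must be from an approved Certificate Authority."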
From: Tomatotech90 Date: Wed, 1 Jul 2026 18:45:45 -0400 Subject: [PATCH 2/2] Address review feedback on DoD verbiage removal (part 2) Revert 8 STIG-specific files to original DoD wording, since these mirror upstream STIG content per maintainer feedback: - ssh_use_approved_macs_ordered_stig/rule.yml - set_firewalld_default_zone/policy/stig/shared.yml - harden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.yml - set_password_hashing_algorithm_systemauth/policy/stig/shared.yml - set_password_hashing_algorithm_systemauth/policy/stig/rhel10.yml - accounts_password_pam_minlen/policy/stig/shared.yml - sssd_certificate_verification/policy/stig/shared.yml - var_smartcard_drivers.var Remove the required banner text entirely from 3 banner files, since rewording the lead-in sentence alone was not sufficient: - banner_etc_issue_net/rule.yml - banner_etc_motd/rule.yml - banner_etc_gdm_banner/rule.yml banner_etc_profiled_ssh_confirm/rule.yml is left unchanged in this commit. Its required text is embedded in a shell script's read -p prompt rather than a standalone block, and I want maintainer input before deciding whether to remove the script or just the wording. --- .../rule.yml | 5 ++-- .../policy/stig/shared.yml | 4 +-- .../banner_etc_issue_net/rule.yml | 27 ------------------- .../accounts-banners/banner_etc_motd/rule.yml | 27 ------------------- .../banner_etc_gdm_banner/rule.yml | 27 ------------------- .../policy/stig/shared.yml | 1 + .../policy/stig/rhel10.yml | 4 +-- .../policy/stig/shared.yml | 4 +-- .../var_smartcard_drivers.var | 3 ++- .../policy/stig/shared.yml | 2 +- .../policy/stig/shared.yml | 2 +- 11 files changed, 13 insertions(+), 93 deletions(-) diff --git a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml index fafb8448892f..a3b143a1e57f 100644 
--- a/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_client/ssh_use_approved_macs_ordered_stig/rule.yml @@ -14,9 +14,8 @@ description: |- is commented out, or is missing, this is a finding. rationale: |- - FIPS-approved cryptographic hash functions are required for protecting the - integrity of communications. The only hash algorithms meeting this requirement - are SHA2-based algorithms. + DoD Information Systems are required to use FIPS-approved cryptographic hash + functions. The only hash algorithms meeting this requirement is SHA2. severity: medium diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/policy/stig/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/policy/stig/shared.yml index b522e612c21a..fceb27189e55 100644 --- a/linux_os/guide/services/sssd/sssd_certificate_verification/policy/stig/shared.yml +++ b/linux_os/guide/services/sssd/sssd_certificate_verification/policy/stig/shared.yml 
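Review bot: the index line `fafb8448892f..a3b143a1e57f` is the exact reverse of PATCH 1/2's `a3b143a1e57f..fafb8448892f`, so this is a byte-for-byte restore of the file, and it reintroduces the subject-verb error "The only hash algorithms meeting this requirement is SHA2." If the maintainers' position is that the rationale must mirror the upstream STIG text verbatim, say so in the commit message; otherwise restore only the "DoD Information Systems" wording and keep "are" from the first commit. Either way, reverting a file in the second commit of the same PR produces churn in the history; consider squashing the two commits so the reverted files do not appear in the PR at all.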
@@ -2,9 +2,9 @@ srg_requirement: |- {{{ full_name }}} must implement certificate status checking for multifactor authentication. vuldiscussion: |- - Using an authentication device, such as a hardware token or smart card that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. + Using an authentication device, such as a DoD Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. - Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card. + Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DoD CAC. {{{ full_name }}} includes multiple options for configuring certificate status checking, but for this requirement focuses on the System Security Services Daemon (SSSD). By default, sssd performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml index e7e088d5163c..3d661dde7d35 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue_net/rule.yml 
@@ -8,33 +8,6 @@ description: |- default text with a message compliant with the local site policy or a legal disclaimer. - The required text is either: -

- You are accessing a U.S. Government (USG) Information System (IS) that - is provided for USG-authorized use only. By using this IS (which includes - any device attached to this IS), you consent to the following conditions: -
-The USG routinely intercepts and monitors communications on this IS - for purposes including, but not limited to, penetration testing, COMSEC - monitoring, network operations and defense, personnel misconduct (PM), law - enforcement (LE), and counterintelligence (CI) investigations. -
-At any time, the USG may inspect and seize data stored on this IS. -
-Communications using, or data stored on, this IS are not private, - are subject to routine monitoring, interception, and search, and may be - disclosed or used for any USG-authorized purpose. -
-This IS includes security measures (e.g., authentication and access - controls) to protect USG interests -- not for your personal benefit or - privacy. -
-Notwithstanding the above, using this IS does not constitute consent - to PM, LE or CI investigative searching or monitoring of the content of - privileged communications, or work product, related to personal - representation or services by attorneys, psychotherapists, or clergy, and - their assistants. Such communications and work product are private and - confidential. See User Agreement for details.
-

- OR: -

- I've read & consent to terms in IS user agreem't. - rationale: |- Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml index 984a22ae6410..92326b1028f8 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml @@ -8,33 +8,6 @@ description: |- default text with a message compliant with the local site policy or a legal disclaimer. - The required text is either: -

- You are accessing a U.S. Government (USG) Information System (IS) that - is provided for USG-authorized use only. By using this IS (which includes - any device attached to this IS), you consent to the following conditions: -
-The USG routinely intercepts and monitors communications on this IS - for purposes including, but not limited to, penetration testing, COMSEC - monitoring, network operations and defense, personnel misconduct (PM), law - enforcement (LE), and counterintelligence (CI) investigations. -
-At any time, the USG may inspect and seize data stored on this IS. -
-Communications using, or data stored on, this IS are not private, - are subject to routine monitoring, interception, and search, and may be - disclosed or used for any USG-authorized purpose. -
-This IS includes security measures (e.g., authentication and access - controls) to protect USG interests -- not for your personal benefit or - privacy. -
-Notwithstanding the above, using this IS does not constitute consent - to PM, LE or CI investigative searching or monitoring of the content of - privileged communications, or work product, related to personal - representation or services by attorneys, psychotherapists, or clergy, and - their assistants. Such communications and work product are private and - confidential. See User Agreement for details.
-

- OR: -

- I've read & consent to terms in IS user agreem't. - rationale: |- Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml index 49450c01fc7f..35e3d0b04ef1 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml @@ -8,33 +8,6 @@ description: |- Replace the default text with a message compliant with the local site policy or a legal disclaimer. - The required text is either: -

- You are accessing a U.S. Government (USG) Information System (IS) that - is provided for USG-authorized use only. By using this IS (which includes - any device attached to this IS), you consent to the following conditions: -
-The USG routinely intercepts and monitors communications on this IS - for purposes including, but not limited to, penetration testing, COMSEC - monitoring, network operations and defense, personnel misconduct (PM), law - enforcement (LE), and counterintelligence (CI) investigations. -
-At any time, the USG may inspect and seize data stored on this IS. -
-Communications using, or data stored on, this IS are not private, - are subject to routine monitoring, interception, and search, and may be - disclosed or used for any USG-authorized purpose. -
-This IS includes security measures (e.g., authentication and access - controls) to protect USG interests -- not for your personal benefit or - privacy. -
-Notwithstanding the above, using this IS does not constitute consent - to PM, LE or CI investigative searching or monitoring of the content of - privileged communications, or work product, related to personal - representation or services by attorneys, psychotherapists, or clergy, and - their assistants. Such communications and work product are private and - confidential. See User Agreement for details.
-

- OR: -

- I've read & consent to terms in IS user agreem't. - rationale: |- Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml index 6d7047dbd12d..b01bbb434bc1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/policy/stig/shared.yml @@ -10,6 +10,7 @@ vuldiscussion: |- The "minlen", sometimes noted as minimum length, acts as a "score" of complexity based on the credit components of the "pwquality" module. By setting the credit components to a negative value, not only will those components be required, they will not count towards the total "score" of "minlen". This will enable "minlen" to require a 15-character minimum. + The DoD minimum password requirement is 15 characters. checktext: |- Verify that {{{ full_name }}} enforces a minimum 15-character password length with the following command: diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/rhel10.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/rhel10.yml index ec19a6bfc9f5..8d7369da0ec6 100644 --- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/rhel10.yml 
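Review bot: this hunk (and the identical ones for banner_etc_issue_net and banner_etc_motd) removes the whole "The required text is either: ... OR: I've read & consent to terms in IS user agreem't." block, so the description's only remaining guidance is "a message compliant with the local site policy or a legal disclaimer", while the rationale context still refers to "a standardized and approved use notification". The description should tell the reader what the rule compares the banner against now that no text is shown; point to where the expected banner text is configured for the selected profile instead of leaving the reader to guess. Also confirm that the STIG profile still has access to the two DoD-specific forms (the long notice and the short "I've read & consent" form) through its policy/stig files, since this change deletes them from the shared rule without adding them anywhere else in the diff.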
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/rhel10.yml @@ -3,11 +3,11 @@ srg_requirement: |- {{{ full_name }}} pam_unix.so module must be configured in the system-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. vuldiscussion: |- - Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and sensitive data may be compromised. + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. {{{ full_name }}} systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets organizational requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. checktext: |- Verify that the pam_unix.so module is configured to use yescrypt in /etc/pam.d/system-auth with the following command: diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/shared.yml index 0172d849b5c1..ec6a05b02b92 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/policy/stig/shared.yml @@ -2,11 +2,11 @@ srg_requirement: |- {{{ full_name }}} pam_unix.so module must be configured in the system-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication. vuldiscussion: |- - Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and sensitive data may be compromised. + Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. {{{ full_name }}} systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. - FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets organizational requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. + FIPS 140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system. checktext: |- Verify that the pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command: diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/var_smartcard_drivers.var b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/var_smartcard_drivers.var index b05950bd0f0b..8a67eb458e54 100644 
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/var_smartcard_drivers.var +++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/var_smartcard_drivers.var @@ -4,6 +4,7 @@ title: 'OpenSC Smart Card Drivers' description: |- Choose the Smart Card Driver in use by your organization. +
For DoD, choose the cac driver.
If your driver is not listed and you don't want to use the default driver, use the other option and manually specify your driver. @@ -45,7 +46,7 @@ options: npa: npa oberthur: oberthur openpgp: openpgp - other: + other: PIV-II: PIV-II rutoken_ecp: rutoken_ecp rutoken: rutoken diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/policy/stig/shared.yml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/policy/stig/shared.yml index e373860b2c18..dbc1709596dc 100644 --- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/policy/stig/shared.yml +++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/policy/stig/shared.yml @@ -2,7 +2,7 @@ srg_requirement: |- A {{{ full_name }}} firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. vuldiscussion: |- - Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of sensitive data. + Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DoD data. {{{ full_name }}} incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. 
diff --git a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.yml b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.yml index 3a9802ca27d3..48e4361f4cfd 100644 --- a/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.yml +++ b/linux_os/guide/system/software/integrity/crypto/harden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.yml @@ -4,7 +4,7 @@ srg_requirement: |- vuldiscussion: |- Without cryptographic integrity protections, information can be altered by unauthorized users without detection. - Remote access (e.g., RDP) is access to nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. + Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
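Review bot: the banner_etc_profiled_ssh_confirm hunk shows only deletions (the "Notwithstanding the above ..." paragraph, the "OR:" separator and the short-form "I've read & consent to terms in IS user agreem't." line) with no `+` lines visible, yet the unchanged rationale directly below still requires "Display of a standardized and approved use notification before granting access". Please confirm that replacement banner text is defined elsewhere in the rule, otherwise the rule description no longer shows what the check expects to find.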
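Review bot: in the accounts_password_pam_minlen/policy/stig/shared.yml hunk (@@ -10,6 +10,7 @@) the added line "+ The DoD minimum password requirement is 15 characters." introduces DoD-specific wording into a vuldiscussion that already states the 15-character minimum in neutral terms, which runs against the stated goal of the series. Drop the line, or if the rationale for the number is wanted, word it as "The organizational minimum password requirement is 15 characters."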
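Review bot: the set_password_hashing_algorithm_systemauth/policy/stig/rhel10.yml hunk (@@ -3,11 +3,11 @@) is inverted: the `-` lines carry the policy-neutral text ("sensitive data may be compromised", "meets organizational requirements") and the `+` lines reintroduce "DoD data may be compromised" and "meets DoD requirements". Either the hunk was generated from the wrong base or the diff direction was flipped; the neutral wording should be on the `+` side, or the hunk dropped if the file already contains it.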
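Review bot: the set_password_hashing_algorithm_systemauth/policy/stig/shared.yml hunk (@@ -2,11 +2,11 @@) has the same inversion as rhel10.yml: "sensitive data" and "organizational requirements" are removed and "DoD data" and "DoD requirements" are added. The two files share this vuldiscussion text word for word (only the checktext differs, yescrypt versus sha512), so both must be corrected together in the same direction to keep them consistent.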
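Review bot: in the var_smartcard_drivers.var description hunk (@@ -4,6 +4,7 @@) the only addition appears to be an empty `+` line, while the DoD-specific sentence "For DoD, choose the cac driver." is left in place as unchanged context. If DoD phrasing is meant to go, reword it along the lines of "Organizations using CAC cards should choose the cac driver." rather than adding a blank line. The `other:` trailing-whitespace fix in the second hunk (@@ -45,7 +46,7 @@) is fine.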
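Review bot: the set_firewalld_default_zone/policy/stig/shared.yml hunk (@@ -2,7 +2,7 @@) is also reversed: "exfiltration of sensitive data" is removed and "exfiltration of DoD data" is added. Swap the `-` and `+` lines so the neutral wording is the result.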
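Review bot: the harden_sshd_macs_opensshserver_conf_crypto_policy/policy/stig/shared.yml hunk (@@ -4,7 +4,7 @@) adds "DoD" to "access to DoD nonpublic information systems" while the removed line already had the neutral "access to nonpublic information systems". Same fix as the other inverted hunks: the `-`/`+` sides need to be swapped. Given that five hunks in this patch move in the opposite direction from the banner and smart-card changes, it is worth regenerating the whole patch from a clean branch before merging.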