@@ -13,8 +13,8 @@ rationale: |-
public web server and private servers the intent of data and resource
segregation can be compromised.

In addition to the requirements of the DoD Internet-NIPRNet DMZ STIG that
isolates inbound traffic from external network to the internal network,
In addition to the requirements of applicable DMZ segmentation policies that
isolate inbound traffic from the external network to the internal network,
resources such as printers, files, and folders/directories will not be
shared between public web servers and assets located within the internal
network.
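Review bot: the rewording at the start of this hunk drops the only concrete citation in the rationale (the DoD Internet-NIPRNet DMZ STIG) and replaces it with "applicable DMZ segmentation policies", which gives a reader nothing to look up. If the STIG is still listed under the rule's references, point there ("the DMZ segmentation requirements listed in the references"); otherwise name the policy family the text is being generalized to. The subject-verb fix (isolates to isolate, since "policies" is plural) is correct.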
@@ -8,33 +8,6 @@ description: |-
default text with a message compliant with the local site policy or a legal
disclaimer.

The DoD required text is either:

If we are truly removing DoD-specific content we should remove the required text.

<br /><br />
<tt>You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
<br />-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
<br />-At any time, the USG may inspect and seize data stored on this IS.
<br />-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
<br />-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
<br />-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.</tt>
<br /><br />
OR:
<br /><br />
<tt>I've read &amp; consent to terms in IS user agreem't.</tt>

rationale: |-
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
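Review bot: removing everything between "disclaimer." and "rationale: |-" leaves this description without any statement of where the expected banner text now comes from, while the rationale that follows still speaks of a "standardized and approved use notification". Add one sentence after "legal disclaimer." naming the variable or profile setting that supplies the site-approved text the check compares against, so "approved" keeps a referent, and confirm the check and remediation content for this rule no longer embed the removed USG notice; otherwise the description and the check disagree.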
@@ -8,33 +8,6 @@ description: |-
default text with a message compliant with the local site policy or a legal
disclaimer.

The DoD required text is either:

Same as banner_etc_issue_net.

<br /><br />
<tt>You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
<br />-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
<br />-At any time, the USG may inspect and seize data stored on this IS.
<br />-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
<br />-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
<br />-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.</tt>
<br /><br />
OR:
<br /><br />
<tt>I've read &amp; consent to terms in IS user agreem't.</tt>

rationale: |-
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
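Review bot: with lines 8-33 collapsed to 6, check that exactly one blank line separates "disclaimer." from "rationale: |-" and that none is left where "The DoD required text is either:" stood; the Yaml Lint job already flags a surplus empty line in the ssh_confirm rule in this same change (57:1 [empty-lines] too many blank lines), so the banner rules deserve the same check before merge. The removal itself is the same block as in the issue_net hunk, as the comment above says.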
@@ -4,10 +4,10 @@
title: 'Enable the SSH login confirmation banner'

description: |-
This rule verifies that that the SSH login confirmation banner is set
This rule verifies that that the SSH login confirmation banner is set
correctly.

The DoD required text is:

Same as banner_etc_issue_net.

The required text is:
<br /><br />
<tt>if [ -n "$SSH_CLIENT" ] || [ -n "$SSH_TTY" ]; then<br/>
while true; do<br/>
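Review bot: the description line "This rule verifies that that the SSH login confirmation banner is set" carries a duplicated "that" in both the old and the new version; since this hunk already touches the description, drop one. Changing "The DoD required text is:" to "The required text is:" while keeping the shell snippet verbatim is right, as the confirmation script itself is not DoD-specific.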
@@ -45,7 +45,7 @@
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance.

severity: medium

ocil_clause: 'it does not display the required banner'
Expand All @@ -54,4 +54,4 @@
To check if the system motd banner is compliant,
run the following command:
<pre>$ less /etc/profile.d/ssh_confirm.sh</pre>

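Review bot: yamllint reports 57:1 [empty-lines] too many blank lines (1 > 0) for this file, which is the trailing empty line after the "</pre>" line that closes the ocil block; delete it so the lint job passes. While here, the ocil text says "To check if the system motd banner is compliant" but the command inspects /etc/profile.d/ssh_confirm.sh, which is the SSH login confirmation banner named in the title, not the motd; say "SSH login confirmation banner" so the check text matches the rule.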
Check warning on line 57 in linux_os/guide/system/accounts/accounts-banners/banner_etc_profiled_ssh_confirm/rule.yml (GitHub Actions / Yaml Lint on Changed yaml files):
57:1 [empty-lines] too many blank lines (1 > 0)
@@ -8,33 +8,6 @@ description: |-
Replace the default text with a message compliant with the local site
policy or a legal disclaimer.

The DoD required text is either:

Same as banner_etc_issue_net.

<br /><br />
<tt>You are accessing a U.S. Government (USG) Information System (IS) that
is provided for USG-authorized use only. By using this IS (which includes
any device attached to this IS), you consent to the following conditions:
<br />-The USG routinely intercepts and monitors communications on this IS
for purposes including, but not limited to, penetration testing, COMSEC
monitoring, network operations and defense, personnel misconduct (PM), law
enforcement (LE), and counterintelligence (CI) investigations.
<br />-At any time, the USG may inspect and seize data stored on this IS.
<br />-Communications using, or data stored on, this IS are not private,
are subject to routine monitoring, interception, and search, and may be
disclosed or used for any USG-authorized purpose.
<br />-This IS includes security measures (e.g., authentication and access
controls) to protect USG interests -- not for your personal benefit or
privacy.
<br />-Notwithstanding the above, using this IS does not constitute consent
to PM, LE or CI investigative searching or monitoring of the content of
privileged communications, or work product, related to personal
representation or services by attorneys, psychotherapists, or clergy, and
their assistants. Such communications and work product are private and
confidential. See User Agreement for details.</tt>
<br /><br />
OR:
<br /><br />
<tt>I've read &amp; consent to terms in IS user agreem't.</tt>

rationale: |-
Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
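Review bot: this is the third banner rule in the change whose description loses the identical USG notice block and keeps the identical "Replace the default text with a message compliant with the local site policy or a legal disclaimer" wording. These rule.yml files already use Jinja macros ({{{ full_name }}} appears in the GnuTLS rule in this same change), so consider moving the shared banner description into one macro; the next policy-wording change would then edit a single place instead of every banner rule.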
@@ -1,7 +1,7 @@
documentation_complete: true


title: 'Configure GnuTLS library to use DoD-approved TLS Encryption'
title: 'Configure GnuTLS library to use Approved TLS Encryption'

description: |-
Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
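Review bot: "Approved TLS Encryption" in Title Case reads as a proper name once "DoD-" is removed, and no longer says approved by whom. Either lower-case it with a qualifier ("organization-approved") or name what the rule actually enforces; the priority string in the fixtext of this file only removes legacy protocol versions, so a title such as "Configure GnuTLS library to disable legacy TLS and DTLS versions" would describe the rule more accurately.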
@@ -33,17 +33,17 @@ references:
ocil_clause: 'cryptographic policy for gnutls is not configured or is configured incorrectly'

ocil: |-
To verify if GnuTLS uses defined DoD-approved TLS Crypto Policy, run:
To verify if GnuTLS uses the defined approved TLS Crypto Policy, run:
<pre>$ sudo grep
'+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0'
/etc/crypto-policies/back-ends/gnutls.config</pre> and verify that a match exists.

fixtext: |-
Configure the {{{ full_name }}} GnuTLS library to use only DoD-approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config":
Configure the {{{ full_name }}} GnuTLS library to use only approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config":

+VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0

A reboot is required for the changes to take effect.

srg_requirement:
{{{ full_name }}} must implement DoD-approved TLS encryption in the GnuTLS package.
{{{ full_name }}} must implement approved TLS encryption in the GnuTLS package.
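Review bot: the ocil grep matches the priority string byte-for-byte, so the fixtext must keep the line in exactly that token order; a functionally equivalent line with the tokens reordered would fail the check, and the fixtext should say the line must be added verbatim. Separately, +VERS-ALL:-VERS-DTLS0.9:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0:-VERS-DTLS1.0 enables every protocol version and then subtracts SSL 3.0, TLS 1.0/1.1 and DTLS 0.9/1.0; it says nothing about ciphers or key sizes, so "use only approved encryption" in the fixtext and "approved TLS encryption" in srg_requirement overstate it. Suggest "disable the legacy TLS and DTLS protocol versions listed" in both places.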
@@ -23,8 +23,8 @@ rationale: |-
a vendor. This ensures the software has not been tampered with and that it
has been provided by a trusted vendor. Self-signed certificates are
disallowed by this requirement. The operating system should not have
to verify the software again. NOTE: For U.S. Military systems, this
requirement does not mandate DoD certificates for this purpose; however,
to verify the software again. NOTE: For regulated systems, this requirement
does not mandate organization-specific certificates for this purpose; however,
the certificate used to verify the software must be from an approved
Certificate Authority.

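Review bot: the replacement "For regulated systems" keeps a scope qualifier that the generalized note no longer needs; read literally, it leaves non-regulated systems outside the sentence that says the verifying certificate must come from an approved Certificate Authority. Drop the qualifier ("NOTE: This requirement does not mandate organization-specific certificates for this purpose; however, ...") and say approved by whom ("a Certificate Authority approved by the organization"), since "approved Certificate Authority" on its own has no referent once the DoD wording is gone.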