Update Ubuntu 24.04 STIG profile from V1R1 to V1R5 #14854
Conversation
Closes ComplianceAsCode#14714 controls/stig_ubuntu2404.yml already matched nearly all of V1R5's content despite still being labeled V1R1 -- diffed every requirement against DISA's V1R5 XCCDF (via cyber.trackr.live) to find the real remaining gap: - Bump version metadata to V1R5 in the control file and stig.profile - Rename UBTU-24-90890 to UBTU-24-909890 (DISA renumbered it; same rule, same title, aide_check_audit_tools) - Remove UBTU-24-300024 (last successful logon display) -- DISA dropped this requirement in a later revision; display_login_attempts itself is untouched since other profiles still use it - Bump UBTU-24-700400 (vendor-supported release) from medium to high severity, matching DISA's current rating - Fix two title typos DISA corrected: "preform" -> "perform" (plus "if installed" qualifier) on UBTU-24-100110, and "group-owned" -> "group owned" on UBTU-24-901250 Verified zero remaining discrepancies (ID/severity/title) between this file and DISA's V1R5 across all 194 controls.
|
Hi @rrskris. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
mpurg
left a comment
There was a problem hiding this comment.
Looks good, thanks for the contribution!
|
/ok-to-test |
|
@rrskris: The following tests failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Closes #14714
controls/stig_ubuntu2404.ymlalready matched nearly all of V1R5's content despite still being labeled V1R1 -- diffed every requirement against DISA's V1R5 XCCDF (via cyber.trackr.live) to find the real remaining gap:aide_check_audit_tools)display_login_attemptsitself is untouched since other profiles still use itVerified zero remaining discrepancies (ID/severity/title) between this file and DISA's V1R5 across all 194 controls.
Description:
Updates the Canonical Ubuntu 24.04 LTS STIG profile (
controls/stig_ubuntu2404.ymlandproducts/ubuntu2404/profiles/stig.profile) from the stale V1R1 label to V1R5, and fixes the handful of real content drifts found along the way (one renumbered control, one dropped control, one severity bump, two title typos).Rationale:
DISA has released V1R2-V1R5 of this STIG since ComplianceAsCode last touched the version label, and issue #14714 reported the mismatch. Most of the content had already been kept in sync incrementally without the version string being bumped, so the actual diff needed is small and precisely scoped -- verified control-by-control against DISA's published V1R5 data rather than assumed.
Review Hints:
Diff is confined to the two files above. The control-count and per-control (id/severity/title) parity against DISA's V1R5 XCCDF was verified programmatically before opening this PR.