Merge pull request #7484 from ggbecker/update-rhel7-stig-profile

Enable more RHEL7 STIG rules

linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/package_screen_installed/rule.yml

@@ -39,7 +39,6 @@ references:
     ospp: FMT_MOF_EXT.1
     srg: SRG-OS-000029-GPOS-00010
     stigid@ol7: OL07-00-010090
-    stigid@rhel7: RHEL-07-010090
     vmmsrg: SRG-OS-000030-VMM-000110
 
 ocil_clause: 'the package is not installed'

linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol7,sle12,sle15,fedora,rhel8
+prodtype: ol7,sle12,sle15,fedora,rhel7,rhel8
 
 title: 'Only Authorized Local User Accounts Exist on Operating System'
 
@@ -26,6 +26,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel7: CCE-88380-1
     cce@rhel8: CCE-85987-6
     cce@sle12: CCE-83195-8
     cce@sle15: CCE-85561-9
@@ -34,6 +35,7 @@ references:
     disa: CCI-000366
     nist@sle12: CM-6(b),CM-6.1(iv)
     srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel7: RHEL-07-020270
     stigid@rhel8: RHEL-08-020320
     stigid@sle12: SLES-12-010630
     stigid@sle15: SLES-15-020090

linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var

@@ -22,6 +22,7 @@ operator: pattern match
 interactive: true
 
 options:
+    rhel7: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
     rhel8: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
     ol7forsap: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
     saponol7 : "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$"

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_name_format/rule.yml

@@ -26,6 +26,7 @@ references:
     ospp: FAU_GEN.1
     srg: SRG-OS-000039-GPOS-00017,SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
     stigid@ol7: OL07-00-030211
+    stigid@rhel7: RHEL-07-030211
     stigid@rhel8: RHEL-08-030062
 
 ocil_clause: name_format isn't set to hostname

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml

@@ -15,12 +15,14 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel7: CCE-88073-2
     cce@rhel8: CCE-85889-4
 
 references:
     disa: CCI-001851
     nist: AU-4(1)
     srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
+    stigid@rhel7: RHEL-07-030210
     stigid@rhel8: RHEL-08-030700
 
 ocil_clause: 'auditd overflow action is not setup correctly'

linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhel8,sle12,sle15
+prodtype: rhel7,rhel8,sle12,sle15
 
 title: 'The operating system must require Re-Authentication when using the sudo command.
  Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout'
@@ -25,6 +25,7 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel7: CCE-85963-7
     cce@rhel8: CCE-87838-9
     cce@sle12: CCE-83231-1
     cce@sle15: CCE-85764-9
@@ -33,6 +34,7 @@ references:
     disa: CCI-002038
     nist: IA-11
     srg: SRG-OS-000373-GPOS-00156
+    stigid@rhel7: RHEL-07-010343
     stigid@rhel8: RHEL-08-010384
     stigid@sle12: SLES-12-010113
     stigid@sle15: SLES-15-020102

products/rhel7/profiles/stig.profile

@@ -55,6 +55,7 @@ selections:
     - var_password_pam_retry=3
     - var_accounts_max_concurrent_login_sessions=10
     - var_accounts_tmout=15_min
+    - var_accounts_authorized_local_users_regex=rhel7
     - var_time_service_set_maxpoll=system_default
     - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
     - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
@@ -107,6 +108,7 @@ selections:
     - sudo_remove_nopasswd
     - sudo_restrict_privilege_elevation_to_authorized
     - sudo_remove_no_authenticate
+    - sudo_require_reauthentication
     - sudoers_validate_passwd
     - accounts_logon_fail_delay
     - gnome_gdm_disable_automatic_login
@@ -321,3 +323,6 @@ selections:
     - sysctl_net_ipv4_conf_default_rp_filter
     - package_mcafeetp_installed
     - agent_mfetpd_running
+    - accounts_authorized_local_users
+    - auditd_overflow_action
+    - auditd_name_format

shared/references/cce-redhat-avail.txt

@@ -84,7 +84,6 @@ CCE-85959-5
 CCE-85960-3
 CCE-85961-1
 CCE-85962-9
-CCE-85963-7
 CCE-85965-2
 CCE-85966-0
 CCE-85967-8
@@ -2135,7 +2134,6 @@ CCE-88069-0
 CCE-88070-8
 CCE-88071-6
 CCE-88072-4
-CCE-88073-2
 CCE-88074-0
 CCE-88075-7
 CCE-88076-5
@@ -2435,7 +2433,6 @@ CCE-88376-9
 CCE-88377-7
 CCE-88378-5
 CCE-88379-3
-CCE-88380-1
 CCE-88381-9
 CCE-88382-7
 CCE-88383-5