mitre
diff --git a/‎controls/SV-238196.rb‎
Lines changed: 31 additions & 15 deletions b/‎controls/SV-238196.rb‎
Lines changed: 31 additions & 15 deletions
diff --git a/‎controls/SV-238197.rb‎
Lines changed: 63 additions & 15 deletions b/‎controls/SV-238197.rb‎
Lines changed: 63 additions & 15 deletions
diff --git a/‎controls/SV-238198.rb‎
Lines changed: 63 additions & 16 deletions b/‎controls/SV-238198.rb‎
Lines changed: 63 additions & 16 deletions
diff --git a/‎controls/SV-238199.rb‎
Lines changed: 27 additions & 17 deletions b/‎controls/SV-238199.rb‎
Lines changed: 27 additions & 17 deletions
@@ -1,4 +1,4 @@
-control 'SV-238196' do
+control "SV-238196" do
   title "The Ubuntu operating system must provision temporary user accounts with an expiration time
 of 72 hours or less. "
   desc "If temporary user accounts remain active when no longer needed or for an excessive period,
@@ -15,8 +15,23 @@
 
 To address
 access requirements, many operating systems may be integrated with enterprise-level
-authentication/access mechanisms that meet or exceed access control policy requirements. "
-  desc 'check', "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or
+authentication/access mechanisms that meet or exceed access control policy requirements."
+  desc "default", "If temporary user accounts remain active when no longer needed or for an excessive period,
+these accounts may be used to gain unauthorized access. To mitigate this risk, automated
+termination of all temporary accounts must be set upon account creation.
+
+Temporary
+accounts are established as part of normal account activation procedures when there is a need
+for short-term accounts without the demand for immediacy in account activation.
+
+If
+temporary accounts are used, the operating system must be configured to automatically
+terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+To address
+access requirements, many operating systems may be integrated with enterprise-level
+authentication/access mechanisms that meet or exceed access control policy requirements."
+  desc "check", "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or
 less.
 
 For every existing temporary account, run the following command to obtain its
@@ -32,24 +47,24 @@
 accounts has an expiration date set within 72 hours of account creation.
 
 If any temporary
-account does not expire within 72 hours of that account's creation, this is a finding. "
-  desc 'fix', "If a temporary account must be created, configure the system to terminate the account after a
+account does not expire within 72 hours of that account's creation, this is a finding."
+  desc "fix", "If a temporary account must be created, configure the system to terminate the account after a
 72-hour time period with the following command to set an expiration date on it.
 
 Substitute
 \"system_account_name\" with the account to be created.
 
 $ sudo chage -E $(date -d \"+3 days\"
-+%F) system_account_name "
++%F) system_account_name"
   impact 0.5
-  tag severity: 'medium '
-  tag gtitle: 'SRG-OS-000002-GPOS-00002 '
-  tag gid: 'V-238196 '
-  tag rid: 'SV-238196r653763_rule '
-  tag stig_id: 'UBTU-20-010000 '
-  tag fix_id: 'F-41365r653762_fix '
-  tag cci: ['CCI-000016']
-  tag nist: ['AC-2 (2)']
+  tag severity: "medium "
+  tag gtitle: "SRG-OS-000002-GPOS-00002 "
+  tag gid: "V-238196 "
+  tag rid: "SV-238196r653763_rule "
+  tag stig_id: "UBTU-20-010000 "
+  tag fix_id: "F-41365r653762_fix "
+  tag cci: ["CCI-000016"]
+  tag nist: ["AC-2 (2)"]
 
   temporary_accounts = input('temporary_accounts')
 
@@ -65,4 +80,5 @@
       end
     end
   end
-end
+
+end
@@ -1,4 +1,4 @@
-control 'SV-238197' do
+control "SV-238197" do
   title "The Ubuntu operating system must enable the graphical user logon banner to display the
 Standard Mandatory DoD Notice and Consent Banner before granting local access to the system
 via a graphical user logon. "
@@ -48,8 +48,55 @@
 characters that can be displayed in the banner:
 
 \"I've read & consent to terms in IS user
-agreem't.\" "
-  desc 'check', "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD
+agreem't.\""
+  desc "default", "Display of a standardized and approved use notification before granting access to the Ubuntu
+operating system ensures privacy and security notification verbiage used is consistent
+with applicable federal laws, Executive Orders, directives, policies, regulations,
+standards, and guidance.
+
+System use notifications are required only for access via logon
+interfaces with human users and are not required when such human interfaces do not exist.
+
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following
+verbiage for operating systems that can accommodate banners of 1300 characters:
+
+\"You are
+accessing a U.S. Government (USG) Information System (IS) that is provided for
+USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS),
+you consent to the following conditions:
+
+-The USG routinely intercepts and monitors
+communications on this IS for purposes including, but not limited to, penetration testing,
+COMSEC monitoring, network operations and defense, personnel misconduct (PM), law
+enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may
+inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS
+are not private, are subject to routine monitoring, interception, and search, and may be
+disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures
+(e.g., authentication and access controls) to protect USG interests--not for your personal
+benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent
+to PM, LE or CI investigative searching or monitoring of the content of privileged
+communications, or work product, related to personal representation or services by
+attorneys, psychotherapists, or clergy, and their assistants. Such communications and
+work product are private and confidential. See User Agreement for details.\"
+
+Use the
+following verbiage for operating systems that have severe limitations on the number of
+characters that can be displayed in the banner:
+
+\"I've read & consent to terms in IS user
+agreem't.\""
+  desc "check", "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD
 Notice and Consent Banner before granting access to the operating system via a graphical user
 logon.
 
@@ -65,8 +112,8 @@
 banner-message-enable=true
 
 If the line is
-commented out or set to \"false\", this is a finding. "
-  desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
+commented out or set to \"false\", this is a finding."
+  desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
 
 Look for the
 \"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and
@@ -84,16 +131,16 @@
 
 $ sudo dconf
 update
-$ sudo systemctl restart gdm3 "
+$ sudo systemctl restart gdm3"
   impact 0.5
-  tag severity: 'medium '
-  tag gtitle: 'SRG-OS-000023-GPOS-00006 '
-  tag gid: 'V-238197 '
-  tag rid: 'SV-238197r653766_rule '
-  tag stig_id: 'UBTU-20-010002 '
-  tag fix_id: 'F-41366r653765_fix '
-  tag cci: ['CCI-000048']
-  tag nist: ['AC-8 a']
+  tag severity: "medium "
+  tag gtitle: "SRG-OS-000023-GPOS-00006 "
+  tag gid: "V-238197 "
+  tag rid: "SV-238197r653766_rule "
+  tag stig_id: "UBTU-20-010002 "
+  tag fix_id: "F-41366r653765_fix "
+  tag cci: ["CCI-000048"]
+  tag nist: ["AC-8 a"]
 
   xorg_status = command('which Xorg').exit_status
   if xorg_status == 0
@@ -106,4 +153,5 @@
       skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s)
     end
   end
-end
+
+end
@@ -1,4 +1,4 @@
-control 'SV-238198' do
+control "SV-238198" do
   title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent
 Banner before granting local access to the system via a graphical user logon. "
   desc "Display of a standardized and approved use notification before granting access to the Ubuntu
@@ -47,8 +47,55 @@
 characters that can be displayed in the banner:
 
 \"I've read & consent to terms in IS user
-agreem't.\" "
-  desc 'check', "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent
+agreem't.\""
+  desc "default", "Display of a standardized and approved use notification before granting access to the Ubuntu
+operating system ensures privacy and security notification verbiage used is consistent
+with applicable federal laws, Executive Orders, directives, policies, regulations,
+standards, and guidance.
+
+System use notifications are required only for access via logon
+interfaces with human users and are not required when such human interfaces do not exist.
+
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following
+verbiage for operating systems that can accommodate banners of 1300 characters:
+
+\"You are
+accessing a U.S. Government (USG) Information System (IS) that is provided for
+USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS),
+you consent to the following conditions:
+
+-The USG routinely intercepts and monitors
+communications on this IS for purposes including, but not limited to, penetration testing,
+COMSEC monitoring, network operations and defense, personnel misconduct (PM), law
+enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may
+inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS
+are not private, are subject to routine monitoring, interception, and search, and may be
+disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures
+(e.g., authentication and access controls) to protect USG interests--not for your personal
+benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent
+to PM, LE or CI investigative searching or monitoring of the content of privileged
+communications, or work product, related to personal representation or services by
+attorneys, psychotherapists, or clergy, and their assistants. Such communications and
+work product are private and confidential. See User Agreement for details.\"
+
+Use the
+following verbiage for operating systems that have severe limitations on the number of
+characters that can be displayed in the banner:
+
+\"I've read & consent to terms in IS user
+agreem't.\""
+  desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent
 Banner before granting access to the operating system via a graphical user logon.
 
 Note: If
@@ -80,8 +127,8 @@
 
 If the
 banner-message-text is missing, commented out, or does not match the Standard Mandatory DoD
-Notice and Consent Banner exactly, this is a finding. "
-  desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
+Notice and Consent Banner exactly, this is a finding."
+  desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
 
 Set the \"banner-message-text\" line
 to contain the appropriate banner message text as shown below:
@@ -108,16 +155,15 @@
 
 $ sudo dconf update
 $ sudo
-systemctl restart gdm3 "
-  impact 0.5
-  tag severity: 'medium '
-  tag gtitle: 'SRG-OS-000023-GPOS-00006 '
-  tag gid: 'V-238198 '
-  tag rid: 'SV-238198r653769_rule '
-  tag stig_id: 'UBTU-20-010003 '
-  tag fix_id: 'F-41367r653768_fix '
-  tag cci: ['CCI-000048']
-  tag nist: ['AC-8 a']
+systemctl restart gdm3"
+  tag severity: "medium "
+  tag gtitle: "SRG-OS-000023-GPOS-00006 "
+  tag gid: "V-238198 "
+  tag rid: "SV-238198r653769_rule "
+  tag stig_id: "UBTU-20-010003 "
+  tag fix_id: "F-41367r653768_fix "
+  tag cci: ["CCI-000048"]
+  tag nist: ["AC-8 a"]
 
   banner_text = input('banner_text')
   clean_banner = banner_text.gsub(/[\r\n\s]/, '')
@@ -134,4 +180,5 @@
       skip 'Package gdm3 not installed, this control Not Applicable'
     end
   end
-end
+
+end
@@ -1,4 +1,4 @@
-control 'SV-238199' do
+control "SV-238199" do
   title "The Ubuntu operating system must retain a user's session lock until that user reestablishes
 access using established identification and authentication procedures. "
   desc "A session lock is a temporary action taken when a user stops work and moves away from the
@@ -11,10 +11,19 @@
 Regardless of where the session lock is determined and
 implemented, once invoked, a session lock of the Ubuntu operating system must remain in place
 until the user reauthenticates. No other activity aside from reauthentication must unlock
-the system.
+the system."
+  desc "default", "A session lock is a temporary action taken when a user stops work and moves away from the
+immediate physical vicinity of the information system but does not want to log out because of
+the temporary nature of the absence.
 
- "
-  desc 'check', "Verify the Ubuntu operation system has a graphical user interface session lock enabled.
+The session lock is implemented at the point where
+session activity can be determined.
+
+Regardless of where the session lock is determined and
+implemented, once invoked, a session lock of the Ubuntu operating system must remain in place
+until the user reauthenticates. No other activity aside from reauthentication must unlock
+the system."
+  desc "check", "Verify the Ubuntu operation system has a graphical user interface session lock enabled.
 
 
 Note: If the Ubuntu operating system does not have a graphical user interface installed,
@@ -29,8 +38,8 @@
  true
 
 If \"lock-enabled\" is
-not set to \"true\", this is a finding. "
-  desc 'fix', "Configure the Ubuntu operating system to allow a user to lock the current graphical user
+not set to \"true\", this is a finding."
+  desc "fix", "Configure the Ubuntu operating system to allow a user to lock the current graphical user
 interface session.
 
 Note: If the Ubuntu operating system does not have a graphical user
@@ -40,17 +49,17 @@
 to allow graphical user interface session locks with the following command:
 
 $ sudo
-gsettings set org.gnome.desktop.screensaver lock-enabled true "
+gsettings set org.gnome.desktop.screensaver lock-enabled true"
   impact 0.5
-  tag severity: 'medium '
-  tag gtitle: 'SRG-OS-000028-GPOS-00009 '
-  tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)
-  tag gid: 'V-238199 '
-  tag rid: 'SV-238199r653772_rule '
-  tag stig_id: 'UBTU-20-010004 '
-  tag fix_id: 'F-41368r653771_fix '
-  tag cci: %w(CCI-000056 CCI-000057)
-  tag nist: ['AC-11 b', 'AC-11 a']
+  tag severity: "medium "
+  tag gtitle: "SRG-OS-000028-GPOS-00009 "
+  tag satisfies: ["SRG-OS-000028-GPOS-00009", "SRG-OS-000029-GPOS-00010"]
+  tag gid: "V-238199 "
+  tag rid: "SV-238199r653772_rule "
+  tag stig_id: "UBTU-20-010004 "
+  tag fix_id: "F-41368r653771_fix "
+  tag cci: ["CCI-000056", "CCI-000057"]
+  tag nist: ["AC-11 b", "AC-11 a"]
 
   xorg_status = command('which Xorg').exit_status
   if xorg_status == 0
@@ -62,4 +71,5 @@
       skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s)
     end
   end
-end
+
+end