Merge pull request #12943 from Mab879/update_srg_gpos_v3r2

Update SRG GPOS to V3R2
ComplianceAsCode · Feb 3, 2025 · afb0cbf · afb0cbf
2 parents f9d7eea + 8ea4692
commit afb0cbf
Show file tree

Hide file tree

Showing 12 changed files with 38 additions and 54 deletions.
diff --git a/.github/workflows/srg-mapping-table.yaml b/.github/workflows/srg-mapping-table.yaml
@@ -45,19 +45,19 @@ jobs:
         env:
           PYTHONPATH: ${{ github.workspace }}
       - name: Generate XLSX for RHEL9
-        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v3r1.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel9.xlsx
+        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v3r2.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel9.xlsx
         env:
           PYTHONPATH: ${{ github.workspace }}
       - name: Generate HTML for RHEL9
-        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v3r1.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel9.html
+        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel9 -m shared/references/disa-os-srg-v3r2.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel9.html
         env:
           PYTHONPATH: ${{ github.workspace }}
       - name: Generate XLSX for RHEL10
-        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v3r1.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel10.xlsx
+        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v3r2.xml --out-format xlsx --output $PAGES_DIR/srg-mapping-rhel10.xlsx
         env:
           PYTHONPATH: ${{ github.workspace }}
       - name: Generate HTML for RHEL10
-        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v3r1.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel10.html
+        run: python3 utils/create_srg_export.py -c controls/srg_gpos.yml -p rhel10 -m shared/references/disa-os-srg-v3r2.xml --out-format html --output $PAGES_DIR/srg-mapping-rhel10.html
         env:
           PYTHONPATH: ${{ github.workspace }}
       - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4

diff --git a/cmake/SSGCommon.cmake b/cmake/SSGCommon.cmake
@@ -1098,7 +1098,7 @@ macro(ssg_build_html_srgmap_tables PRODUCT)
         OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html"
         OUTPUT "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html"
         COMMAND "${CMAKE_COMMAND}" -E make_directory "${CMAKE_BINARY_DIR}/tables"
-        COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_srg_table.py" --build-dir "${CMAKE_BINARY_DIR}" "${PRODUCT}" "${SSG_SHARED_REFS}/disa-os-srg-v3r1.xml" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html"
+        COMMAND env "PYTHONPATH=$ENV{PYTHONPATH}" "${PYTHON_EXECUTABLE}" "${CMAKE_SOURCE_DIR}/utils/gen_srg_table.py" --build-dir "${CMAKE_BINARY_DIR}" "${PRODUCT}" "${SSG_SHARED_REFS}/disa-os-srg-v3r2.xml" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap.html" "${CMAKE_BINARY_DIR}/tables/table-${PRODUCT}-srgmap-flat.html"
         DEPENDS ${PRODUCT}-compile-all "${CMAKE_CURRENT_BINARY_DIR}/ssg_build_compile_all-${PRODUCT}"
         COMMENT "[${PRODUCT}-tables] generating HTML SRG map tables"
     )

diff --git a/controls/srg_gpos/SRG-OS-000047-GPOS-00023.yml b/controls/srg_gpos/SRG-OS-000047-GPOS-00023.yml
diff --git a/controls/srg_gpos/SRG-OS-000076-GPOS-00044.yml b/controls/srg_gpos/SRG-OS-000076-GPOS-00044.yml
@@ -1,6 +1,6 @@
 controls:
     -   id: SRG-OS-000076-GPOS-00044
-        title: Operating systems must enforce a 60-day maximum password lifetime restriction.
+        title: {{{ full_name }}} must enforce a 60-day maximum password lifetime restriction.
         levels:
             - medium
         rules:

diff --git a/controls/srg_gpos/SRG-OS-000355-GPOS-00143.yml b/controls/srg_gpos/SRG-OS-000355-GPOS-00143.yml
@@ -1,10 +1,7 @@
 controls:
     -   id: SRG-OS-000355-GPOS-00143
         title: '{{{ full_name }}} must, for networked systems, compare internal information
-    system clocks at least every 24 hours with a server which is synchronized to one
-    of the redundant United States Naval Observatory (USNO) time servers, or a time
-    server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the
-    Global Positioning System (GPS).'
+                system clocks at least every 24 hours with an authoritative time source.'
 
         levels:
             - medium

diff --git a/controls/srg_gpos/SRG-OS-000373-GPOS-00157.yml b/controls/srg_gpos/SRG-OS-000373-GPOS-00157.yml
@@ -0,0 +1,6 @@
+controls:
+    -   id: SRG-OS-000373-GPOS-00157
+        levels:
+            - medium
+        title: '{{{ full_name }}} must require users to reauthenticate when changing roles.'
+        status: pending
diff --git a/controls/srg_gpos/SRG-OS-000373-GPOS-00158.yml b/controls/srg_gpos/SRG-OS-000373-GPOS-00158.yml
@@ -0,0 +1,7 @@
+controls:
+    -   id: SRG-OS-000373-GPOS-00158
+        levels:
+            - medium
+        title: "{{{ full_name }}} must require users to reauthenticate when
+                    changing authenticators."
+        status: pending
diff --git a/controls/srg_gpos/SRG-OS-000805-GPOS-00260.yml b/controls/srg_gpos/SRG-OS-000805-GPOS-00260.yml
diff --git a/docs/manual/developer/03_creating_content.md b/docs/manual/developer/03_creating_content.md
@@ -1258,7 +1258,7 @@ In order for export for DISA the IDs of your control must be SRG ID form the Gen
 
 If you have an existing product that you want to base your new STIG you can create the skeleton with the following command:
 
-    $ ./utils/build_stig_control.py --split -p rhel9 -m shared/references/disa-os-srg-v3r1.xml -o controls/srg_gpos.yml
+    $ ./utils/build_stig_control.py --split -p rhel9 -m shared/references/disa-os-srg-v3r2.xml -o controls/srg_gpos.yml
 
 The manual (`-m`) should be an SRG XML from DISA.
 

diff --git a/shared/references/disa-os-srg-v3r1.xml → shared/references/disa-os-srg-v3r2.xml b/shared/references/disa-os-srg-v3r1.xml → shared/references/disa-os-srg-v3r2.xml
diff --git a/shared/transforms/shared_xccdf2table-profileccirefs.xslt b/shared/transforms/shared_xccdf2table-profileccirefs.xslt
@@ -4,7 +4,7 @@
 <!-- this style sheet expects parameter $profile, which is the id of the Profile to be shown -->
 
 <xsl:variable name="cci_list" select="document('../references/disa-cci-list.xml')/cci:cci_list" />
-<xsl:variable name="os_srg" select="document('../references/disa-os-srg-v3r1.xml')/xccdf-1.1:Benchmark" />
+<xsl:variable name="os_srg" select="document('../references/disa-os-srg-v3r2.xml')/xccdf-1.1:Benchmark" />
 
 <xsl:param name="profile" select="''"/>
 <xsl:param name="testinfo" select="''" />

diff --git a/utils/create_srg_export.py b/utils/create_srg_export.py
@@ -34,7 +34,7 @@
 BUILD_CONFIG = os.path.join(SSG_ROOT, "build", "build_config.yml")
 OUTPUT = os.path.join(SSG_ROOT, 'build',
                       f'{datetime.datetime.now().strftime("%s")}_stig_export.csv')
-SRG_PATH = os.path.join(SSG_ROOT, 'shared', 'references', 'disa-os-srg-v3r1.xml')
+SRG_PATH = os.path.join(SSG_ROOT, 'shared', 'references', 'disa-os-srg-v3r2.xml')
 NS = {'scap': ssg.constants.datastream_namespace,
       'xccdf-1.2': ssg.constants.XCCDF12_NS,
       'xccdf-1.1': ssg.constants.XCCDF11_NS}