got rid of extra default field and fixed end section

Signed-off-by: Emily Rodriguez <[email protected]>
mitre · Dec 6, 2022 · 53cda84 · 53cda84
1 parent 77ae270
commit 53cda84
Show file tree

Hide file tree

Showing 167 changed files with 2,412 additions and 2,486 deletions.
diff --git a/controls/SV-238196.rb b/controls/SV-238196.rb
@@ -1,4 +1,4 @@
-control 'SV-238196' do
+control "SV-238196" do
   title "The Ubuntu operating system must provision temporary user accounts with an expiration time
 of 72 hours or less. "
   desc "If temporary user accounts remain active when no longer needed or for an excessive period,
@@ -15,8 +15,8 @@
 
 To address
 access requirements, many operating systems may be integrated with enterprise-level
-authentication/access mechanisms that meet or exceed access control policy requirements. "
-  desc 'check', "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or
+authentication/access mechanisms that meet or exceed access control policy requirements."
+  desc "check", "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or
 less.
 
 For every existing temporary account, run the following command to obtain its
@@ -32,24 +32,24 @@
 accounts has an expiration date set within 72 hours of account creation.
 
 If any temporary
-account does not expire within 72 hours of that account's creation, this is a finding. "
-  desc 'fix', "If a temporary account must be created, configure the system to terminate the account after a
+account does not expire within 72 hours of that account's creation, this is a finding."
+  desc "fix", "If a temporary account must be created, configure the system to terminate the account after a
 72-hour time period with the following command to set an expiration date on it.
 
 Substitute
 \"system_account_name\" with the account to be created.
 
 $ sudo chage -E $(date -d \"+3 days\"
-+%F) system_account_name "
++%F) system_account_name"
   impact 0.5
-  tag severity: 'medium '
-  tag gtitle: 'SRG-OS-000002-GPOS-00002 '
-  tag gid: 'V-238196 '
-  tag rid: 'SV-238196r653763_rule '
-  tag stig_id: 'UBTU-20-010000 '
-  tag fix_id: 'F-41365r653762_fix '
-  tag cci: ['CCI-000016']
-  tag nist: ['AC-2 (2)']
+  tag severity: "medium "
+  tag gtitle: "SRG-OS-000002-GPOS-00002 "
+  tag gid: "V-238196 "
+  tag rid: "SV-238196r653763_rule "
+  tag stig_id: "UBTU-20-010000 "
+  tag fix_id: "F-41365r653762_fix "
+  tag cci: ["CCI-000016"]
+  tag nist: ["AC-2 (2)"]
 
   temporary_accounts = input('temporary_accounts')
 

diff --git a/controls/SV-238197.rb b/controls/SV-238197.rb
@@ -1,4 +1,4 @@
-control 'SV-238197' do
+control "SV-238197" do
   title "The Ubuntu operating system must enable the graphical user logon banner to display the
 Standard Mandatory DoD Notice and Consent Banner before granting local access to the system
 via a graphical user logon. "
@@ -48,8 +48,8 @@
 characters that can be displayed in the banner:
 
 \"I've read & consent to terms in IS user
-agreem't.\" "
-  desc 'check', "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD
+agreem't.\""
+  desc "check", "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD
 Notice and Consent Banner before granting access to the operating system via a graphical user
 logon.
 
@@ -65,8 +65,8 @@
 banner-message-enable=true
 
 If the line is
-commented out or set to \"false\", this is a finding. "
-  desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
+commented out or set to \"false\", this is a finding."
+  desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
 
 Look for the
 \"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and
@@ -84,16 +84,16 @@
 
 $ sudo dconf
 update
-$ sudo systemctl restart gdm3 "
+$ sudo systemctl restart gdm3"
   impact 0.5
-  tag severity: 'medium '
-  tag gtitle: 'SRG-OS-000023-GPOS-00006 '
-  tag gid: 'V-238197 '
-  tag rid: 'SV-238197r653766_rule '
-  tag stig_id: 'UBTU-20-010002 '
-  tag fix_id: 'F-41366r653765_fix '
-  tag cci: ['CCI-000048']
-  tag nist: ['AC-8 a']
+  tag severity: "medium "
+  tag gtitle: "SRG-OS-000023-GPOS-00006 "
+  tag gid: "V-238197 "
+  tag rid: "SV-238197r653766_rule "
+  tag stig_id: "UBTU-20-010002 "
+  tag fix_id: "F-41366r653765_fix "
+  tag cci: ["CCI-000048"]
+  tag nist: ["AC-8 a"]
 
   xorg_status = command('which Xorg').exit_status
   if xorg_status == 0

diff --git a/controls/SV-238198.rb b/controls/SV-238198.rb
@@ -1,4 +1,4 @@
-control 'SV-238198' do
+control "SV-238198" do
   title "The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent
 Banner before granting local access to the system via a graphical user logon. "
   desc "Display of a standardized and approved use notification before granting access to the Ubuntu
@@ -47,8 +47,8 @@
 characters that can be displayed in the banner:
 
 \"I've read & consent to terms in IS user
-agreem't.\" "
-  desc 'check', "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent
+agreem't.\""
+  desc "check", "Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent
 Banner before granting access to the operating system via a graphical user logon.
 
 Note: If
@@ -80,8 +80,8 @@
 
 If the
 banner-message-text is missing, commented out, or does not match the Standard Mandatory DoD
-Notice and Consent Banner exactly, this is a finding. "
-  desc 'fix', "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
+Notice and Consent Banner exactly, this is a finding."
+  desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
 
 Set the \"banner-message-text\" line
 to contain the appropriate banner message text as shown below:
@@ -108,16 +108,15 @@
 
 $ sudo dconf update
 $ sudo
-systemctl restart gdm3 "
-  impact 0.5
-  tag severity: 'medium '
-  tag gtitle: 'SRG-OS-000023-GPOS-00006 '
-  tag gid: 'V-238198 '
-  tag rid: 'SV-238198r653769_rule '
-  tag stig_id: 'UBTU-20-010003 '
-  tag fix_id: 'F-41367r653768_fix '
-  tag cci: ['CCI-000048']
-  tag nist: ['AC-8 a']
+systemctl restart gdm3"
+  tag severity: "medium "
+  tag gtitle: "SRG-OS-000023-GPOS-00006 "
+  tag gid: "V-238198 "
+  tag rid: "SV-238198r653769_rule "
+  tag stig_id: "UBTU-20-010003 "
+  tag fix_id: "F-41367r653768_fix "
+  tag cci: ["CCI-000048"]
+  tag nist: ["AC-8 a"]
 
   banner_text = input('banner_text')
   clean_banner = banner_text.gsub(/[\r\n\s]/, '')

diff --git a/controls/SV-238199.rb b/controls/SV-238199.rb
@@ -1,4 +1,4 @@
-control 'SV-238199' do
+control "SV-238199" do
   title "The Ubuntu operating system must retain a user's session lock until that user reestablishes
 access using established identification and authentication procedures. "
   desc "A session lock is a temporary action taken when a user stops work and moves away from the
@@ -11,10 +11,8 @@
 Regardless of where the session lock is determined and
 implemented, once invoked, a session lock of the Ubuntu operating system must remain in place
 until the user reauthenticates. No other activity aside from reauthentication must unlock
-the system.
-
- "
-  desc 'check', "Verify the Ubuntu operation system has a graphical user interface session lock enabled.
+the system."
+  desc "check", "Verify the Ubuntu operation system has a graphical user interface session lock enabled.
 
 
 Note: If the Ubuntu operating system does not have a graphical user interface installed,
@@ -29,8 +27,8 @@
  true
 
 If \"lock-enabled\" is
-not set to \"true\", this is a finding. "
-  desc 'fix', "Configure the Ubuntu operating system to allow a user to lock the current graphical user
+not set to \"true\", this is a finding."
+  desc "fix", "Configure the Ubuntu operating system to allow a user to lock the current graphical user
 interface session.
 
 Note: If the Ubuntu operating system does not have a graphical user
@@ -40,17 +38,17 @@
 to allow graphical user interface session locks with the following command:
 
 $ sudo
-gsettings set org.gnome.desktop.screensaver lock-enabled true "
+gsettings set org.gnome.desktop.screensaver lock-enabled true"
   impact 0.5
-  tag severity: 'medium '
-  tag gtitle: 'SRG-OS-000028-GPOS-00009 '
-  tag satisfies: %w(SRG-OS-000028-GPOS-00009 SRG-OS-000029-GPOS-00010)
-  tag gid: 'V-238199 '
-  tag rid: 'SV-238199r653772_rule '
-  tag stig_id: 'UBTU-20-010004 '
-  tag fix_id: 'F-41368r653771_fix '
-  tag cci: %w(CCI-000056 CCI-000057)
-  tag nist: ['AC-11 b', 'AC-11 a']
+  tag severity: "medium "
+  tag gtitle: "SRG-OS-000028-GPOS-00009 "
+  tag satisfies: ["SRG-OS-000028-GPOS-00009", "SRG-OS-000029-GPOS-00010"]
+  tag gid: "V-238199 "
+  tag rid: "SV-238199r653772_rule "
+  tag stig_id: "UBTU-20-010004 "
+  tag fix_id: "F-41368r653771_fix "
+  tag cci: ["CCI-000056", "CCI-000057"]
+  tag nist: ["AC-11 b", "AC-11 a"]
 
   xorg_status = command('which Xorg').exit_status
   if xorg_status == 0

diff --git a/controls/SV-238200.rb b/controls/SV-238200.rb
@@ -1,4 +1,4 @@
-control 'SV-238200' do
+control "SV-238200" do
   title "The Ubuntu operating system must allow users to directly initiate a session lock for all
 connection types. "
   desc "A session lock is a temporary action taken when a user stops work and moves away from the
@@ -9,29 +9,27 @@
 session activity can be determined. Rather than be forced to wait for a period of time to expire
 before the user session can be locked, the Ubuntu operating systems need to provide users with
 the ability to manually invoke a session lock so users may secure their session if they need to
-temporarily vacate the immediate physical vicinity.
-
- "
-  desc 'check', "Verify the Ubuntu operating system has the \"vlock\" package installed by running the
+temporarily vacate the immediate physical vicinity."
+  desc "check", "Verify the Ubuntu operating system has the \"vlock\" package installed by running the
 following command:
 
 $ dpkg -l | grep vlock
 
-If \"vlock\" is not installed, this is a finding. "
-  desc 'fix', "Install the \"vlock\" package (if it is not already installed) by running the following
+If \"vlock\" is not installed, this is a finding."
+  desc "fix", "Install the \"vlock\" package (if it is not already installed) by running the following
 command:
 
-$ sudo apt-get install vlock "
+$ sudo apt-get install vlock"
   impact 0.5
-  tag severity: 'medium '
-  tag gtitle: 'SRG-OS-000030-GPOS-00011 '
-  tag satisfies: %w(SRG-OS-000030-GPOS-00011 SRG-OS-000031-GPOS-00012)
-  tag gid: 'V-238200 '
-  tag rid: 'SV-238200r653775_rule '
-  tag stig_id: 'UBTU-20-010005 '
-  tag fix_id: 'F-41369r653774_fix '
-  tag cci: %w(CCI-000058 CCI-000060)
-  tag nist: ['AC-11 a', 'AC-11 (1)']
+  tag severity: "medium "
+  tag gtitle: "SRG-OS-000030-GPOS-00011 "
+  tag satisfies: ["SRG-OS-000030-GPOS-00011", "SRG-OS-000031-GPOS-00012"]
+  tag gid: "V-238200 "
+  tag rid: "SV-238200r653775_rule "
+  tag stig_id: "UBTU-20-010005 "
+  tag fix_id: "F-41369r653774_fix "
+  tag cci: ["CCI-000058", "CCI-000060"]
+  tag nist: ["AC-11 a", "AC-11 (1)"]
 
   describe package('vlock') do
     it { should be_installed }

diff --git a/controls/SV-238201.rb b/controls/SV-238201.rb
@@ -1,34 +1,34 @@
-control 'SV-238201' do
+control "SV-238201" do
   title "The Ubuntu operating system must map the authenticated identity to the user or group account
 for PKI-based authentication. "
   desc "Without mapping the certificate used to authenticate to the user account, the ability to
 determine the identity of the individual user or group will not be available for forensic
-analysis. "
-  desc 'check', "Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:
+analysis."
+  desc "check", "Verify that \"use_mappers\" is set to \"pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" file:
 
 
 $ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf
 use_mappers = pwent
 
 If
-\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding. "
-  desc 'fix', "Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a
+\"use_mappers\" is not found or the list does not contain \"pwent\" this is a finding."
+  desc "fix", "Set \"use_mappers=pwent\" in \"/etc/pam_pkcs11/pam_pkcs11.conf\" or, if there is already a
 comma-separated list of mappers, add it to the list, separated by comma, and before the null
 mapper.
 
 If the system is missing an \"/etc/pam_pkcs11/\" directory and an
 \"/etc/pam_pkcs11/pam_pkcs11.conf\", find an example to copy into place and modify
 accordingly at
-\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\". "
+\"/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz\"."
   impact 0.7
-  tag severity: 'high '
-  tag gtitle: 'SRG-OS-000068-GPOS-00036 '
-  tag gid: 'V-238201 '
-  tag rid: 'SV-238201r832933_rule '
-  tag stig_id: 'UBTU-20-010006 '
-  tag fix_id: 'F-41370r653777_fix '
-  tag cci: ['CCI-000187']
-  tag nist: ['IA-5 (2) (a) (2)']
+  tag severity: "high "
+  tag gtitle: "SRG-OS-000068-GPOS-00036 "
+  tag gid: "V-238201 "
+  tag rid: "SV-238201r832933_rule "
+  tag stig_id: "UBTU-20-010006 "
+  tag fix_id: "F-41370r653777_fix "
+  tag cci: ["CCI-000187"]
+  tag nist: ["IA-5 (2) (a) (2)"]
 
   config_file = '/etc/pam_pkcs11/pam_pkcs11.conf'
   config_file_exists = file(config_file).exist?

diff --git a/controls/SV-238202.rb b/controls/SV-238202.rb
@@ -1,11 +1,11 @@
-control 'SV-238202' do
+control "SV-238202" do
   title "The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime.
 Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction. "
   desc "Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat
 the password reuse or history enforcement requirement. If users are allowed to immediately
 and continually change their password, then the password could be repeatedly changed in a
-short period of time to defeat the organization's policy regarding password reuse. "
-  desc 'check', "Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for
+short period of time to defeat the organization's policy regarding password reuse."
+  desc "check", "Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for
 new user accounts by running the following command:
 
 $ grep -i ^pass_min_days
@@ -14,22 +14,22 @@
 PASS_MIN_DAYS    1
 
 If the \"PASS_MIN_DAYS\" parameter value is less than
-\"1\" or is commented out, this is a finding. "
-  desc 'fix', "Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.
+\"1\" or is commented out, this is a finding."
+  desc "fix", "Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime.
 
 
 Add or modify the following line in the \"/etc/login.defs\" file:
 
-PASS_MIN_DAYS    1 "
+PASS_MIN_DAYS    1"
   impact 0.3
-  tag severity: 'low '
-  tag gtitle: 'SRG-OS-000075-GPOS-00043 '
-  tag gid: 'V-238202 '
-  tag rid: 'SV-238202r653781_rule '
-  tag stig_id: 'UBTU-20-010007 '
-  tag fix_id: 'F-41371r653780_fix '
-  tag cci: ['CCI-000198']
-  tag nist: ['IA-5 (1) (d)']
+  tag severity: "low "
+  tag gtitle: "SRG-OS-000075-GPOS-00043 "
+  tag gid: "V-238202 "
+  tag rid: "SV-238202r653781_rule "
+  tag stig_id: "UBTU-20-010007 "
+  tag fix_id: "F-41371r653780_fix "
+  tag cci: ["CCI-000198"]
+  tag nist: ["IA-5 (1) (d)"]
 
   describe login_defs do
     its('PASS_MIN_DAYS') { should >= '1' }