V1r2 (#37)
* 257777

Signed-off-by: wdower <will@dower.dev>

* adding 257779, adding inspec.yml from rhel8 to get started

Signed-off-by: wdower <will@dower.dev>

* adding in RHEL8 content to those RHEL9 controls where it applies (delta not run yet)

Signed-off-by: wdower <will@dower.dev>

* running delta to update RHEL8 controls with RHEL9 metadata

Signed-off-by: wdower <will@dower.dev>

* fixing the hardened controls

Signed-off-by: wdower <will@dower.dev>

* linting

Signed-off-by: wdower <will@dower.dev>

* adding local config files to gitignore

Signed-off-by: wdower <will@dower.dev>

* adding -y to disa kitchenfile

Signed-off-by: wdower <will@dower.dev>

* adding local cinc-auditor install for convenience in testing

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* SV-257783

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* filling in tests up through 257789

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* adding status tracker

Signed-off-by: wdower <will@dower.dev>

* gitignore update

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* up through 257850

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* up through 257896

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* typo -- descibe --> describe

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* refactoring the mode checks to all use one big hash input for ease of use (can add keys to the hash for other file mode checks later)

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* crontab ownership checks

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* up through 25977 -- fixed up the kernel ipv4 and ipv6 controls to ONLY have the 'is_router' caveat if that caveat is explicitly described in the check text

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* up through 257991

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* up through 258032

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* up through 258094

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* lint

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* pinning parser version until next release

Signed-off-by: Aaron Lippold <lippold@gmail.com>

* up through 258236

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* up through 258242

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* missed one of the audit ones

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* fixing typo in inspec.yml, adding escape clause to 257777 to catch releases with no defined support window

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* removing branch triggers for pipeline since it keeps leading to duplicate runs -- the full pipeline should only be running for an actual PR

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* typo in 257853

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* fixing 258173

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* removing bogus check from 258239

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* only running the value test in 257789 if the value is known to not be nil

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* only testing value in 258068 if it exists. also, linting

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* reorganizing DISA role

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* adding correct Heimdall upload key name

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* tweaking threshold to match expected hardening level, turning off controls in the disa ansible that were forcing reboot

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* v1r2

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* cleanup -- re-added push pipeline triggers, removed 'WIP' from README, bumped upload-artifact version, removed unneeded pipeline step

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* removing errant references to rhel8

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* fixing grubby controls to use the right check command

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* updating 257800

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* fixing wrong input in 257803 and rhel8 version check in 257782

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* removing unneeded input from inspec.yml and fixing wrong control code in 257937

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* fixing filenames with commit hashes in the actions workflows to avoid name conflicts

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* making all controls that handle kernel settings consistent in approach, adding some caveat inputs for network settings that need to be enabled

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* removing outdated version checks from rhel8

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* Update controls/SV-257843.rb

Co-authored-by: Amndeep Singh Mann <me@asm.works>

* linting 257843

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* more cleanup

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* Update inspec.yml

Co-authored-by: Amndeep Singh Mann <me@asm.works>

* more cleanup

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* typo'd vars in 257869

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* removing short sha from the filename everywhere except the push to Heimdall for an easier time hooking it up with kitchen

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* typo'd '}' in disa workflow

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* adding caveat to catch case where NetworkManager not installed for 257949

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* fixing service param checks in 257818

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* fixing missing var in 257869

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

* fixing ubi9 pipeline to use the actual ubi9 threshold files

Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>

---------

Signed-off-by: wdower <will@dower.dev>
Signed-off-by: wdower <57142072+wdower@users.noreply.github.com>
Signed-off-by: Aaron Lippold <lippold@gmail.com>
Co-authored-by: Aaron Lippold <lippold@gmail.com>
Co-authored-by: Amndeep Singh Mann <me@asm.works>
3 people committed May 21, 2024
1 parent 00c4253 commit b3e65d8
Showing 487 changed files with 31,988 additions and 9,014 deletions.
10 changes: 3 additions & 7 deletions .github/workflows/lint-profile.yml
@@ -1,10 +1,10 @@
name: Lint & Check the Profile

on:
push:
branches-ignore:
- none
pull_request:
push:
branches:
- main

jobs:
validate:
@@ -36,10 +36,6 @@ jobs:
- name: Confirm git commit SHA output
run: echo ${{ env.COMMIT_SHORT_SHA }}

- name: Get commit message
id: commit
run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})"

- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
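Review bot: the removed step is the only one in the file with `id: commit`, and it is the source of `steps.commit.outputs.message`. This hunk does not show whether any later step in lint-profile.yml still gates on that output; if one does, its `if:` condition will keep evaluating (a reference to a missing step's output yields null, not an error) and the `only-validate-profile` switch silently stops working. Please grep this file for `steps.commit` and either drop those conditions or keep a commit-message step that writes `message=...` to `$GITHUB_OUTPUT` instead of the deprecated `::set-output`.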
22 changes: 9 additions & 13 deletions .github/workflows/verify-container.yml
@@ -1,10 +1,10 @@
name: UBI9 Testing Matrix

on:
push:
branches-ignore:
- none
pull_request:
push:
branches:
- main

jobs:
validate:
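Review bot: with `push` now limited to `main`, most runs of this workflow will be `pull_request` runs, and a PR opened from a fork runs with a read-only `GITHUB_TOKEN` and no repository secrets. The Heimdall upload step later in this file reads `secrets.SAF_HEIMDALL_UPLOAD_KEY`, so on fork PRs that step will post with an empty key and, because it is `continue-on-error: true`, fail quietly. That is the right trade-off (do not switch to `pull_request_target` to get secrets back, since that would run the PR's kitchen suites with write credentials); just document that Heimdall uploads only happen for pushes to `main` and same-repository PRs.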
@@ -50,10 +50,6 @@ jobs:
- name: Confirm git commit SHA output
run: echo ${{ env.COMMIT_SHORT_SHA }}

- name: Get commit message
id: commit
run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})"

- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
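Review bot: removing the `Get commit message` step (id `commit`) leaves dangling references in this same workflow: the summary, artifact, Heimdall upload, display and threshold steps below still carry `if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}`. An expression that references an undefined step's output evaluates to null rather than failing, so `contains(null, ...)` is false and every one of those steps now runs unconditionally; the `only-validate-profile` escape hatch is dead. Either drop those `if:` conditions too, or keep the step written without the deprecated `::set-output`, e.g. `echo "message=$(git log --format=%B -n 1 ${{ github.sha }})" >> "$GITHUB_OUTPUT"` (a multi-line commit body needs the heredoc form of `$GITHUB_OUTPUT`).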
@@ -76,7 +72,7 @@ jobs:
continue-on-error: true
run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-${{ env.PLATFORM }}

- name: Create our ${{ matrix.suite }} results summary
- name: Save our ${{ matrix.suite }} results summary
continue-on-error: true
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/saf_action@v1.5.2
@@ -85,16 +81,16 @@ jobs:

- name: Save Test Result JSON
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
name: ${{ env.PLATFORM }}_${{ matrix.suite }}.json
path: spec/results/

- name: Upload ${{ matrix.suite }} to Heimdall
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
continue-on-error: true
run: |
curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.PLATFORM }}_${{ matrix.suite }}-${{ env.COMMIT_SHORT_SHA }}.json" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
- name: Display our ${{ matrix.suite }} results summary
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
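Review bot: two points on the artifact and upload changes. `actions/upload-artifact@v4` requires artifact names to be unique within a run (v3 merged same-named uploads); `${{ env.PLATFORM }}_${{ matrix.suite }}.json` is unique per matrix entry here, but the `.json` suffix is misleading because `path: spec/results/` uploads the whole directory, so a name like `${{ env.PLATFORM }}_${{ matrix.suite }}-results` reads better. In the `curl` line the secret is renamed to `SAF_HEIMDALL_UPLOAD_KEY`; since the call uses `-s` and the step is `continue-on-error: true`, a missing secret or a rejected key produces no visible error at all. Add `-S` (show errors even with `-s`) and, on curl 7.76 or newer, `--fail-with-body`, so the HTTP status and response body land in the job log while the job still proceeds.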
@@ -109,8 +105,8 @@ jobs:
cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json | python markdown-summary.py > spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md
cat spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-markdown-summary.md >> $GITHUB_STEP_SUMMARY
- name: Ensure the scan meets our ${{ matrix.suite }} results threshold ${{ env.PLATFORM }}_${{ matrix.suite }}.threshold.yml
- name: Ensure the scan meets our ${{ matrix.suite }} results threshold
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/saf_action@v1.5.2
with:
command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ${{ env.PLATFORM }}_${{ matrix.suite }}.threshold.yml"
command_string: "validate threshold -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F ubi9_${{ matrix.suite }}.threshold.yml"
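Review bot: the threshold file is now hard-coded to `ubi9_${{ matrix.suite }}.threshold.yml` while the results file it validates is still named from `${{ env.PLATFORM }}`. That matches the commit message (the ubi9 pipeline should use the ubi9 thresholds), but the step name no longer shows which file was applied, so a mismatch between `PLATFORM` and the threshold set would be hard to spot in the log. Either set `PLATFORM` to `ubi9` where it is defined and keep the variable here, or add a one-line comment explaining why the prefix differs.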
19 changes: 8 additions & 11 deletions .github/workflows/verify-disa-hardened-ec2.yml
@@ -1,10 +1,10 @@
name: DISA Hardened EC2 Testing Matrix

on:
push:
branches-ignore:
- none
pull_request:
push:
branches:
- main

jobs:
validate:
@@ -50,10 +50,6 @@ jobs:
- name: Confirm git commit SHA output
run: echo ${{ env.COMMIT_SHORT_SHA }}

- name: Get commit message
id: commit
run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})"

- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
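Review bot: the `commit` step is removed here, but `steps.commit.outputs.message` is still referenced by the `if:` conditions of the summary, artifact, Heimdall and display steps further down this file. A reference to a missing step's output evaluates to null rather than erroring, so those conditions now always hold and the `only-validate-profile` switch no longer does anything. Remove the conditions or restore the step using `$GITHUB_OUTPUT` in place of `::set-output`.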
@@ -76,24 +72,25 @@ jobs:
continue-on-error: true
run: bundle exec kitchen test --destroy=always ${{ matrix.suite }}-${{ env.PLATFORM }}

- name: Create our ${{ matrix.suite }} results summary
- name: Save our ${{ matrix.suite }} results summary
continue-on-error: true
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: mitre/saf_action@v1.5.2
with:
command_string: "view summary -j -i spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -o spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}-data.json"

- name: Save Test Result JSON
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
name: ${{ env.PLATFORM }}_${{ matrix.suite }}.json
path: spec/results/

- name: Upload ${{ matrix.suite }} to Heimdall
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
continue-on-error: true
run: |
curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }},'Supplemental Automation Content v1r12'" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.PLATFORM }}_${{ matrix.suite }}-${{ env.COMMIT_SHORT_SHA }}.json" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
- name: Display our ${{ matrix.suite }} results summary
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
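Review bot: the new `curl` line drops `'Supplemental Automation Content v1r12'` from `evaluationTags`. If the tag was only wrong because of the version string, its replacement for this release is missing; if the removal is intentional, the commit message should say so, since Heimdall consumers may filter on it. The filename and secret changes mirror the other workflows; as there, add `-S --fail-with-body` to the `curl` call so a missing or rejected `SAF_HEIMDALL_UPLOAD_KEY` shows up in the log despite `continue-on-error: true`.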
16 changes: 6 additions & 10 deletions .github/workflows/verify-ec2.yml
@@ -1,10 +1,10 @@
name: EC2 Testing Matrix

on:
push:
branches-ignore:
- none
pull_request:
push:
branches:
- main

jobs:
validate:
@@ -50,10 +50,6 @@ jobs:
- name: Confirm git commit SHA output
run: echo ${{ env.COMMIT_SHORT_SHA }}

- name: Get commit message
id: commit
run: echo "::set-output name=message::$(git log --format=%B -n 1 ${{ github.sha }})"

- name: Setup Ruby
uses: ruby/setup-ruby@v1
with:
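Review bot: as in the other workflow files, the `commit` step goes away here while the artifact, Heimdall and display steps below still use `steps.commit.outputs.message` in their `if:` conditions; those now always evaluate true. Drop the conditions or keep a `$GITHUB_OUTPUT`-based replacement for the step.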
@@ -85,16 +81,16 @@ jobs:

- name: Save Test Result JSON
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: ${{ github.workflow }}-${{ env.COMMIT_SHORT_SHA }}-results
name: ${{ env.PLATFORM }}_${{ matrix.suite }}.json
path: spec/results/

- name: Upload ${{ matrix.suite }} to Heimdall
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
continue-on-error: true
run: |
curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.PLATFORM }}_${{ matrix.suite }}-${{ env.COMMIT_SHORT_SHA }}.json" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations"
- name: Display our ${{ matrix.suite }} results summary
if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }}
5 changes: 5 additions & 0 deletions .gitignore
@@ -66,5 +66,10 @@ build-iPhoneSimulator/

# VS CODE / VSCODIUM
.vscode

# delta files
delta.json
report.md
*xccdf.xml
check-results.txt
kitchen.local.ec2.yml
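Review bot: ignoring `kitchen.local.ec2.yml` is the right call, since a local kitchen override usually carries AMI ids, key-pair names and sometimes credentials that should not be committed; it is worth running `git ls-files kitchen.local.ec2.yml` once, because a file that is already tracked is not affected by a new ignore rule. The `*xccdf.xml` and `report.md` patterns are broad and would also hide an XCCDF benchmark or a report someone intends to commit; anchoring them to the repository root (`/report.md`, `/*xccdf.xml`) limits the rule to the delta workflow's scratch output.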
1 change: 1 addition & 0 deletions Gemfile
@@ -14,6 +14,7 @@ gem 'kitchen-ec2'
gem 'kitchen-inspec'
gem 'kitchen-sync'
gem 'kitchen-vagrant'
gem 'parser', '3.3.0.5'
gem 'pry-byebug'
gem 'rake'
gem 'rubocop'
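Review bot: `gem 'parser', '3.3.0.5'` is an exact pin on a transitive dependency (rubocop pulls in `parser`), with nothing in the Gemfile saying why. The commit message calls it a stopgap until the next release, so put that reason in a comment directly above the line and open a tracking issue to lift it; an exact pin that outlives its reason blocks future security fixes to `parser`.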
16 changes: 9 additions & 7 deletions README.md
@@ -1,9 +1,9 @@
# (WIP) RedHat Enterprise Linux 9.x Security Technical Implementation Guide InSpec Profile
# RedHat Enterprise Linux 9.x Security Technical Implementation Guide InSpec Profile

The Redhat Enterprise Linux 9.X Security Technical Implementation Guide (RHEL8.x STIG) InSpec Profile can help programs automate their compliance checks of RedHat Enterprise Linux 7.x System to Department of Defense (DoD) requirements.
The Redhat Enterprise Linux 9.X Security Technical Implementation Guide (RHEL9.x STIG) InSpec Profile can help programs automate their compliance checks of RedHat Enterprise Linux 9.x System to Department of Defense (DoD) requirements.

- Profile Version: `0.0.1` (WIP)
- RedHat Enterprise Linux 9 Security Technical Implementation Guide v1r1
- Profile Version: `1.2.0`
- RedHat Enterprise Linux 9 Security Technical Implementation Guide v1r2

This profile was developed to reduce the time it takes to perform a security checks based upon the STIG Guidance from the Defense Information Systems Agency (DISA) in partnership between the DISA Services Directorate (SD) and the DISA Risk Management Executive (RME) office.
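Review bot: the corrected sentence still has a few wording issues: `Redhat` in the sentence versus `RedHat` in the heading (the vendor spells it `Red Hat`), `9.X` versus `9.x` in the same line, and `checks of RedHat Enterprise Linux 9.x System` should be `systems`. The context line `to perform a security checks based upon the STIG Guidance` should read `to perform security checks based upon the STIG guidance`.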

@@ -38,12 +38,14 @@ The RHEL9.x STIG profile checks were developed to provide technical implementati

### Source Guidance

- RedHat Enterprise Linux 9 Security Technical Implementation Guide v1r1
- RedHat Enterprise Linux 9 Security Technical Implementation Guide v1r2

### Current Profile Statistics

The profile will be tested on every commit and every release against both `vanilla` and `hardened` ubi and ec2 images using a CI/CD pipeline. The `vanilla` images are unmodified base images sourced from Red Hat itself. The `hardened` images have had their settings configured for security according to STIG guidance. Testing both vanilla and hardened configurations of both containerized and virtual machine implementations of RHEL9 is necessary to ensure the profile works in multiple environments.

Further pipelines may be employed to test different hardening content sources (e.g., Ansible code sourced directly from DISA or Red Hat).

# Getting Started and Intended Usage

1. It is intended and recommended that InSpec and the profile be run from a **"runner"** host, either from source or a local archieve - [Running the Profile](#running-the-profile) - (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) against the target [ remotely over **ssh**].
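Review bot: `local archieve` in the trailing context line should be `local archive`, and `against the target [ remotely over **ssh**]` has a stray space and brackets; `against the target remotely over **ssh**` reads cleanly.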
@@ -56,9 +58,9 @@ The profile will be tested on every commit and every release against both `vanil

## Intended Usage - `main` vs `releases`

1. The latest `released` version of the profile is intended for use in A&A testing, formal results to AO's and IAM's etc. Please use the `released` versions of the profile in these types of workflows.
1. The latest `released` version of the profile is intended for use in A&A testing, as well as providing formal results to Authorizing Officials and IAMs. Please use the `released` versions of the profile in these types of workflows.

2. The `main` branch is a development branch that will become the next release of the profile. The `main` branch is intended for use in _developement and testing_ merge requests for the next release of the profile, and _is not intended_ be used for formal and ongoing testing on systems.
2. The `main` branch is a development branch that will become the next release of the profile. The `main` branch is intended for use in _developing and testing_ merge requests for the next release of the profile, and _is not intended_ be used for formal and ongoing testing on systems.

## Environment Aware Testing
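Review bot: item 2 still reads `_is not intended_ be used`; it needs `to` (`is not intended to be used`). Also `merge requests` is GitLab terminology; this repository takes GitHub pull requests.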

35 changes: 32 additions & 3 deletions controls/SV-257777.rb
@@ -13,14 +13,43 @@
desc 'fix', 'Upgrade to a supported version of RHEL 9.'
impact 0.7
ref 'DPMS Target Red Hat Enterprise Linux 9'
tag check_id: 'C-61518r925316_chk'
tag severity: 'high'
tag gtitle: 'SRG-OS-000480-GPOS-00227'
tag gid: 'V-257777'
tag rid: 'SV-257777r925318_rule'
tag stig_id: 'RHEL-09-211010'
tag gtitle: 'SRG-OS-000480-GPOS-00227'
tag fix_id: 'F-61442r925317_fix'
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host'
tag 'container'

release = os.release

# Note that versions 9.0 and 9.2 of RHEL9 are within the EUS window at
# time of writing.

# 9.1 is not a EUS-supported release and is no longer officially supported
# by Red Hat. The date given for the expiration for 9.1 is based on the
# RHEL9 Planning Guide diagram found on Red Hat's Life Cycle page:
# https://access.redhat.com/support/policy/updates/errata/#Life_Cycle_Dates

EOMS_DATE = {
/^9\.0/ => '31 May 2024',
/^9\.1/ => 'April 1, 2023',
/^9\.2/ => 'May 31, 2025',
/^9\.4/ => 'May 31, 2026'
}.find { |k, _v| k.match(release) }&.last

describe "The release \"#{release}\"" do
if EOMS_DATE.nil?
it 'is a supported release' do
expect(EOMS_DATE).not_to be_nil, "Release '#{release}' has no specified support window"
end
else
it 'is still within the support window' do
expect(Date.today).to be <= Date.parse(EOMS_DATE)
end
end
end
end
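Review bot: the date table has gaps and will go stale on its own. It lists 9.0, 9.1, 9.2 and 9.4 but not 9.3, so a 9.3 host (or any future minor release) fails with `has no specified support window` rather than with a lifecycle judgement, and every later minor release needs a code change here; moving the table to a profile input with these values as the default would let operators update dates without a new profile release. Smaller points: the dates use two formats (`'31 May 2024'` versus `'May 31, 2025'`), which `Date.parse` accepts but which is worth normalising; `EOMS_DATE` is a Ruby constant assigned inside the control block, which is unusual and can raise `already initialized constant` warnings if the control is loaded more than once, so a local `eoms_date` is the idiomatic choice; and confirm `Date` is loaded, or add `require 'date'` at the top so the control is self-contained. The explanatory comment about 9.1 and the EUS window is useful and should stay with whatever replaces the literal table.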
31 changes: 28 additions & 3 deletions controls/SV-257778.rb
@@ -24,14 +24,39 @@
$ sudo dnf update'
impact 0.5
ref 'DPMS Target Red Hat Enterprise Linux 9'
tag check_id: 'C-61519r925319_chk'
tag severity: 'medium'
tag gtitle: 'SRG-OS-000480-GPOS-00227'
tag gid: 'V-257778'
tag rid: 'SV-257778r925321_rule'
tag stig_id: 'RHEL-09-211015'
tag gtitle: 'SRG-OS-000480-GPOS-00227'
tag fix_id: 'F-61443r925320_fix'
tag 'documentable'
tag cci: ['CCI-000366']
tag nist: ['CM-6 b']
tag 'host'
tag 'container'

only_if("This control takes a long time to execute so it has been disabled through 'slow_controls'") {
!input('disable_slow_controls')
}

if input('disconnected_system')
describe 'The system is set to a `disconnected` state and you must validate the state of the system packages manually' do
skip 'The system is set to a `disconnected` state and you must validate the state of the system packages manually'
end
else
updates = linux_update.updates
package_names = updates.map { |h| h['name'] }

describe.one do
describe 'List of out-of-date packages' do
subject { package_names }
it { should be_empty }
end
updates.each do |update|
describe package(update['name']) do
its('version') { should eq update['version'] }
end
end
end
end
end
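Review bot: `describe.one` does not express the intent here. `describe.one` passes when any one of its nested `describe` blocks passes, so with several pending updates the control passes as soon as a single `package(update['name']).version` happens to equal the update's version (packages with several installed versions, kernels in particular, can do this), even though the other packages are out of date. If the goal is "pass when nothing is pending, otherwise report every stale package", drop `describe.one` and keep the plain `describe` blocks, or emit the per-package blocks only when `package_names` is non-empty. Also the `only_if` message mentions `'slow_controls'` while the input checked is `disable_slow_controls`; make the message name the actual input so operators know which one to set.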
35 changes: 27 additions & 8 deletions controls/SV-257779.rb
@@ -2,9 +2,7 @@
title 'RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.'
desc 'Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
'
System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.'
desc 'check', 'Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon.
Check that a banner is displayed at the command line login screen with the following command:
@@ -47,15 +45,36 @@
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."'
impact 0.5
ref 'DPMS Target Red Hat Enterprise Linux 9'
tag check_id: 'C-61520r925322_chk'
tag severity: 'medium'
tag gtitle: 'SRG-OS-000023-GPOS-00006'
tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']
tag gid: 'V-257779'
tag rid: 'SV-257779r925324_rule'
tag stig_id: 'RHEL-09-211020'
tag gtitle: 'SRG-OS-000023-GPOS-00006'
tag fix_id: 'F-61444r925323_fix'
tag satisfies: ['SRG-OS-000023-GPOS-00006', 'SRG-OS-000228-GPOS-00088']
tag 'documentable'
tag cci: ['CCI-000048', 'CCI-001384', 'CCI-001385', 'CCI-001386', 'CCI-001387', 'CCI-001388']
tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 3']
tag nist: ['AC-8 a', 'AC-8 c 1', 'AC-8 c 2', 'AC-8 c 3']
tag 'host'

only_if('Control not applicable within a container', impact: 0.0) {
!virtualization.system.eql?('docker')
}

banner_file = file('/etc/issue')

describe banner_file do
it { should exist }
end

if banner_file.exist?

banner = banner_file.content.gsub(/[\r\n\s]/, '')
expected_banner = input('banner_message_text_cli').gsub(/[\r\n\s]/, '')

describe 'The CLI Login Banner ' do
it 'is set to the standard banner and has the correct text' do
expect(banner).to eq(expected_banner), 'Banner does not match expected text'
end
end
end
end
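Review bot: the container guard only tests `virtualization.system.eql?('docker')`, and the `tag 'container'` line is gone, so a RHEL 9 image running under a different runtime (podman is the usual one on RHEL) is evaluated as a host and fails on a missing `/etc/issue`. Check what `virtualization.system` returns on the UBI9 matrix before relying on a single string compare, or compare against every container value the resource can report. Two smaller points: in `gsub(/[\r\n\s]/, '')`, `\s` already covers `\r` and `\n`, so `/\s/` is enough; and the failure message `Banner does not match expected text` gives no hint of what was found, so including the first differing characters of `banner` and `expected_banner` would make triage on a hardened host much faster. The `nist` tag de-duplication (`'AC-8 c 2'` appeared three times) is correct.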

0 comments on commit b3e65d8