Skip to content

Commit

Permalink
Merge pull request #6831 from brett060102/fix_SLES-15-010220
Browse files Browse the repository at this point in the history 
SLES-15-010220 updates for firewalld
  • Loading branch information
@ggbecker
ggbecker committed Apr 20, 2021
2 parents 03934dd + 598f79b commit 67e2109
Show file tree
Hide file tree
Showing 8 changed files with 14 additions and 21 deletions.
4 changes: 4 additions & 0 deletions ...ystem/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,15 @@ identifiers:
cce@rhel7: CCE-82999-4
cce@rhel8: CCE-82998-6
cce@rhcos4: CCE-82521-6
cce@sle15: CCE-85698-9

references:
nist: CM-6(a)
nist@sle15: CM-7,CM-7.1(iii),CM-7(b),AC-17(1)
srg: SRG-OS-000480-GPOS-00227,SRG-OS-000298-GPOS-00116
srg@sle15: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000480-GPOS-00232
cis@rhel8: 3.4.1.1
stigid@sle15: SLES-15-010220

ocil_clause: 'the package is not installed'

Expand Down
8 changes: 4 additions & 4 deletions .../system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,10 +37,10 @@ references:
cis-csc: 11,3,9
cis@sle15: 3.5.1.4
stigid@rhel8: RHEL-08-040100
stigid@sle15: SLES-15-010370
srg@sle15: SRG-OS-000298-GPOS-00116
nist@sle15: AC-17(9)
disa@sle15: CCI-002322
stigid@sle15: SLES-15-010220
srg@sle15: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000480-GPOS-00232
nist@sle15: CM-7,CM-7.1(iii),CM-7(b),AC-17(1)
disa@sle15: CCI-000382

ocil: |-
{{{ ocil_service_enabled(service="firewalld") }}}
Expand Down
4 changes: 1 addition & 3 deletions linux_os/guide/system/network/network-susefirewall2/package_SuSEfirewall2_installed/rule.yml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: sle12,sle15
prodtype: sle12

title: 'Install SuSEfirewall2 Package'

Expand All @@ -13,14 +13,12 @@ severity: medium

identifiers:
cce@sle12: CCE-83157-8
cce@sle15: CCE-85661-7

references:
disa@sle12: CCI-000382,CCI-002080,CCI-002314
nist@sle12: CM-7,CA-3(5),AC-17(1)
srg@sle12: SRG-OS-000420-GPOS-00186,SRG-OS-000096-GPOS-00050
stigid@sle12: SLES-12-030030
stigid@sle15: SLES-15-010220

ocil_clause: 'the package is not installed'

Expand Down
4 changes: 1 addition & 3 deletions linux_os/guide/system/network/network-susefirewall2/service_SuSEfirewall2_enabled/rule.yml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: sle12,sle15
prodtype: sle12

title: 'Enable the SuSEfirewall 2'

Expand All @@ -24,14 +24,12 @@ severity: medium

identifiers:
cce@sle12: CCE-83164-4
cce@sle15: CCE-85662-5

references:
disa@sle12: CCI-000382
nist@sle12: CM-7,CA-3(5),AC-17(1)
srg@sle12: SRG-OS-000420-GPOS-00186,SRG-OS-000096-GPOS-00050
stigid@sle12: SLES-12-030030
stigid@sle15: SLES-15-010220

ocil: |-
{{{ ocil_service_enabled(service="SuSEfirewall2") }}}
Expand Down
4 changes: 1 addition & 3 deletions .../guide/system/network/network-susefirewall2/susefirewall2_only_required_services/rule.yml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: sle12,sle15
prodtype: sle12

title: 'Only Allow Authorized Network Services in SuSEfirewall2'

Expand Down Expand Up @@ -42,13 +42,11 @@ severity: medium

identifiers:
cce@sle12: CCE-83165-1
cce@sle15: CCE-85660-9

references:
disa@sle12: CCI-000382
nist@sle12: CM-7,CA-3(5),AC-17(1)
stigid@sle12: SLES-12-030030
stigid@sle15: SLES-15-010220
srg@sle12: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232

ocil_clause: 'unauthorized network services can be accessed from the network'
Expand Down
4 changes: 1 addition & 3 deletions linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
documentation_complete: true

prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019

title: 'Disable DCCP Support'

Expand All @@ -19,12 +19,10 @@ severity: medium
identifiers:
cce@rhel7: CCE-82024-1
cce@rhel8: CCE-80833-7
cce@sle15: CCE-83276-6

references:
stigid@ol7: OL07-00-020101
stigid@rhel7: RHEL-07-020101
stigid@sle15: SLES-15-010220
cis@rhel7: 3.5.1
cis@rhel8: 3.3.1
cjis: 5.10.1
Expand Down
2 changes: 1 addition & 1 deletion sle15/profiles/cis.profile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -365,7 +365,7 @@ selections:

## 3.4 Uncommon Network Protocols
### 3.4.1 Ensure DCCP is disabled (Not Scored)
- kernel_module_dccp_disabled
##- kernel_module_dccp_disabled

### 3.4.2 Ensure SCTP is disabled (Not Scored)
- kernel_module_sctp_disabled
Expand Down
5 changes: 1 addition & 4 deletions sle15/profiles/stig.profile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -178,7 +178,6 @@ selections:
- gui_login_dod_acknowledgement
- installed_OS_is_vendor_supported
- install_smartcard_packages
- kernel_module_dccp_disabled
- kernel_module_usb-storage_disabled
- mount_option_home_nosuid
- mount_option_noexec_remote_filesystems
Expand All @@ -193,8 +192,8 @@ selections:
- package_aide_installed
- package_audit-audispd-plugins_installed
- package_audit_installed
- package_SuSEfirewall2_installed
- package_telnet-server_removed
- package_firewalld_installed
- package_vsftpd_removed
- pam_disable_automatic_configuration
- partition_for_home
Expand All @@ -210,7 +209,6 @@ selections:
- service_firewalld_enabled
- service_kdump_disabled
- service_sshd_enabled
- service_SuSEfirewall2_enabled
- set_password_hashing_algorithm_logindefs
- set_password_hashing_algorithm_systemauth
- set_password_hashing_min_rounds_logindefs
Expand Down Expand Up @@ -239,7 +237,6 @@ selections:
- sudo_remove_nopasswd
- sudo_restrict_privilege_elevation_to_authorized
- sudo_require_authentication
- susefirewall2_only_required_services
- sysctl_kernel_kptr_restrict
- sysctl_kernel_randomize_va_space
- sysctl_net_ipv4_conf_all_accept_redirects
Expand Down

0 comments on commit 67e2109

Please sign in to comment.