Add new rules to sle12/profiles/stig.profile
This adds all rules in last PR sle12 stig.profile Create sle15/profiles/stig.profile Setting up infrastructure for sle-15 development Fix banner oval check: Appropriately encode GDM banner (#255) The OVAL check doesn't allow the banner text to be in single quotes, so use the appropriate macro to format it correctly.
1 parent
d730185
commit e52edae
Showing
5 changed files
with
5,186 additions
and
12 deletions.
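--- a/shared/bash_remediation_functions/ensure_pam_module_options.sh
+++ b/shared/bash_remediation_functions/ensure_pam_module_options.sh
@@ -0,0 +1,56 @@
+function ensure_pam_module_options {
+if [ $# -lt 7 ] || [ $# -gt 8 ] ; then
+echo "$0 requires seven or eight arguments" >&2
+exit 1
+fi
+local _pamFile="$1" _type="$2" _control="$3" _module="$4" _option="$5" _valueRegex="$6" _defaultValue="$7"
+local _remove_argument=""
+if [ $# -eq 8 ] ; then
+_remove_argument="$8"
+# convert it to lowercase
+_remove_argument=${_remove_argument,,}
+fi
+
+# make sure that we have a line like this in ${_pamFile} (additional options are left as-is):
+# ${_type} ${_control} ${_module} ${_option}=${_valueRegex}
+
+if ! [ -e "$_pamFile" ] ; then
+echo "$_pamFile doesn't exist" >&2
+exit 1
+fi
+
+# if remove argument only
+if [ "${_remove_argument}" = "yes" -o "${_remove_argument}" = "true" ] ; then
+sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+\\S+\\s+${_module}(\\s.+)?)\\s${_option}(=\\S+)?/\\1/" "${_pamFile}"
+exit 0
+fi
+
+# non-empty values need to be preceded by an equals sign
+[ -n "${_valueRegex}" ] && _valueRegex="=${_valueRegex}"
+# add an equals sign to non-empty values
+[ -n "${_defaultValue}" ] && _defaultValue="=${_defaultValue}"
+
+# fix 'type' if it's wrong
+if grep -q -P "^\\s*(?"'!'"${_type}\\s)[[:alnum:]]+\\s+[[:alnum:]]+\\s+${_module}" < "${_pamFile}" ; then
+sed --follow-symlinks -i -E -e "s/^(\\s*)[[:alnum:]]+(\\s+[[:alnum:]]+\\s+${_module})/\\1${_type}\\2/" "${_pamFile}"
+fi
+
+# fix 'control' if it's wrong
+if grep -q -P "^\\s*${_type}\\s+(?"'!'"${_control})[[:alnum:]]+\\s+${_module}" < "${_pamFile}" ; then
+sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+)[[:alnum:]]+(\\s+${_module})/\\1${_control}\\2/" "${_pamFile}"
+fi
+
+# fix the value for 'option' if one exists but does not match '_valueRegex'
+if grep -q -P "^\\s*${_type}\\s+${_control}\\s+${_module}(\\s.+)?\\s+${_option}(?"'!'"${_valueRegex}(\\s|\$))" < "${_pamFile}" ; then
+sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+${_control}\\s+${_module}(\\s.+)?\\s)${_option}=[^[:space:]]+/\\1${_option}${_defaultValue}/" "${_pamFile}"
+
+# add 'option=default' if option is not set
+elif grep -q -E "^\\s*${_type}\\s+${_control}\\s+${_module}" < "${_pamFile}" &&
+grep -E "^\\s*${_type}\\s+${_control}\\s+${_module}" < "${_pamFile}" | grep -q -E -v "\\s${_option}(=|\\s|\$)" ; then
+
+sed --follow-symlinks -i -E -e "s/^(\\s*${_type}\\s+${_control}\\s+${_module}[^\\n]*)/\\1 ${_option}${_defaultValue}/" "${_pamFile}"
+# add a new entry if none exists
+elif ! grep -q -P "^\\s*${_type}\\s+${_control}\\s+${_module}(\\s.+)?\\s+${_option}${_valueRegex}(\\s|\$)" < "${_pamFile}" ; then
+echo "${_type} ${_control} ${_module} ${_option}${_defaultValue}" >> "${_pamFile}"
+fi
+}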
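Review bot: The two sed calls that write `\\1${_option}${_defaultValue}` (the value-fix branch and the add-option branch) interpolate the caller's default value into the replacement side of `s/…/…/` unescaped, so a value containing `/`, `&` or `\` (a PAM option such as a directory path would, as a constructed example, carry `/`) either breaks the expression or is rewritten wrongly; the same applies to `${_type}`/`${_control}` in the two "fix" substitutions above, though those are expected to be alphanumerics. Keep a sed-only escaped copy next to the existing `=` prefixing, e.g. `local _sedDefault=${_defaultValue//\\/\\\\}`, `_sedDefault=${_sedDefault//&/\\&}`, `_sedDefault=${_sedDefault//\//\\/}`, use `${_sedDefault}` in both replacements and leave the final `echo` on the raw value, or switch those expressions to a delimiter a PAM value cannot contain. The usage message on the second line prints `$0`, which is the invoking script's name rather than the function; `${FUNCNAME[0]}` names the function. The remove-only check uses the deprecated `[ … -o … ]` form; `[[ "${_remove_argument}" == yes || "${_remove_argument}" == true ]]` is unambiguous. If this helper is ever sourced rather than inlined into a remediation script, the `exit` calls in the argument, file-existence and remove-only paths terminate the caller's shell, so `return` would be safer there, although exiting may be intentional for the inlined use.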
5,028 changes: 5,028 additions & 0 deletions
5,028
shared/references/disa-stig-sle15-v1r1-xccdf-manual.xml
@@ -0,0 +1,18 @@ | ||
documentation_complete: true | ||
|
||
metadata: | ||
version: V1R1 | ||
SMEs: | ||
- abergmann | ||
|
||
reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux | ||
|
||
title: 'DISA STIG for SUSE Linux Enterprise 15' | ||
|
||
description: |- | ||
This profile contains configuration checks that align to the | ||
DISA STIG for SUSE Linux Enterprise 15 V1R1. | ||
|
||
selections: | ||
- installed_OS_is_vendor_supported | ||
|