
CIS Profiles for SLE12 #7434

Merged
merged 10 commits into from
Sep 10, 2021

Conversation

truzzon
Contributor

@truzzon truzzon commented Aug 20, 2021

Description:

  • Initial CIS Profiles for SLE12. Based on Benchmark Version 3.0.0 (released 2021-04-27)
  • Minor updates to SLE15 chapter references, if I found them during work.

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Aug 20, 2021
@openshift-ci

openshift-ci bot commented Aug 20, 2021

Hi @truzzon. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Member

@Mab879 Mab879 left a comment


Thank you for this contribution. I left a few notes on this PR, mostly around prodtype ordering. Also please make sure that you have CCEs on the rules as well.

@Mab879
Member

Mab879 commented Aug 20, 2021

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Aug 20, 2021
@Mab879 Mab879 added SLES SUSE Linux Enterprise Server product related. New Profile Issues or pull requests related to new Profiles. labels Aug 20, 2021
@truzzon
Contributor Author

truzzon commented Aug 21, 2021

Hello @Mab879, thanks for your feedback. I'll fix what I can in the next days.

About the CCE references for SLE: there are none in the NIST resources.
@brett060102 and @guangyee, since your profiles say SUSE, can you provide a CCE resource where I can look up the missing references, if publicly available? I also have an SCC account, if required.

@truzzon
Contributor Author

truzzon commented Aug 31, 2021

Hello @Mab879,

I have contacted @teacup-on-rockingchair via e-mail and asked him if he could help me out with the CCEs, since he is the only one in the recent commit history who added CCEs for SLE.
He responded that he can't disclose the source. I'm currently waiting for any information he can provide, or maybe a PR that adds the CCEs to my changes.

In case the references are incomplete or nothing can be provided, is it still possible to merge the PR? After all, the build is working. And on my past PR, CCEs were not required at all for SLE.

@openshift-ci openshift-ci bot added the needs-rebase Used by openshift-ci bot. label Sep 5, 2021
@Mab879
Member

Mab879 commented Sep 7, 2021

@truzzon Thanks for the update. Please rebase this PR and I will take a look again and get it merged.

@Mab879 Mab879 self-assigned this Sep 7, 2021
@openshift-ci openshift-ci bot removed the needs-rebase Used by openshift-ci bot. label Sep 8, 2021
@Mab879 Mab879 added Highlight This PR/Issue should make it to the featured changelog. New Profile Issues or pull requests related to new Profiles. and removed New Profile Issues or pull requests related to new Profiles. labels Sep 9, 2021
Member

@Mab879 Mab879 left a comment


Please run ./utils/fix_rules.py sort_prodtypes to fix the prodtype ordering issues.
See https://complianceascode.readthedocs.io/en/latest/manual/developer/05_tools_and_utilities.html for more information on running the utilities.
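The two review asks above (prodtype fields in sorted order, and a CCE identifier on every rule the new profile selects) can be checked mechanically before a reviewer has to. The script below is an added example written for this page, not the project's own utils/fix_rules.py or utils/rule_dir_json.py. It assumes plain alphabetical order for prodtype, the flat prodtype/identifiers layout shown in its constructed sample rule bodies (real rule.yml files carry more keys and jinja macros, which this minimal parser does not handle), and uses placeholder CCE numbers rather than real assignments:

```python
"""Lint rule metadata for a product: sorted prodtype and a per-product CCE.

Added example; not ComplianceAsCode's utils/fix_rules.py or utils/rule_dir_json.py.
Sample rule bodies and CCE numbers below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# CCE identifiers have the shape CCE-NNNNN-N (five digits plus a check digit).
CCE_RE = re.compile(r"^CCE-\d{5}-\d$")


@dataclass
class RuleMeta:
    name: str
    prodtype: list                       # products in the order the file lists them
    cces: dict = field(default_factory=dict)  # product -> CCE identifier


def parse_rule(name, text):
    """Extract prodtype and identifiers.cce@<product> from a flat rule.yml body.

    Handles only the layout used in SAMPLE_RULES: a top-level 'prodtype:' line and
    an 'identifiers:' block whose indented entries look like 'cce@sle12: CCE-...'.
    """
    prodtype, cces, in_identifiers = [], {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":                      # a top-level key
            in_identifiers = line.startswith("identifiers:")
            if line.startswith("prodtype:"):
                value = line.split(":", 1)[1]
                prodtype = [p.strip() for p in value.split(",") if p.strip()]
            continue
        if in_identifiers:                            # indented entry under identifiers
            key, _, value = line.strip().partition(":")
            if key.startswith("cce@"):
                cces[key[len("cce@"):]] = value.strip()
    return RuleMeta(name, prodtype, cces)


def lint_rule(rule, product):
    """Return the findings a reviewer would raise for one rule and one product."""
    findings = []
    # Assumption: the expected prodtype order is plain alphabetical.
    if rule.prodtype != sorted(rule.prodtype):
        findings.append("prodtype not sorted: %s (expected %s)"
                        % (",".join(rule.prodtype), ",".join(sorted(rule.prodtype))))
    if product not in rule.prodtype:
        findings.append("product %s missing from prodtype" % product)
    cce = rule.cces.get(product)
    if cce is None:
        findings.append("no cce@%s identifier" % product)
    elif not CCE_RE.match(cce):
        findings.append("malformed cce@%s identifier: %s" % (product, cce))
    return findings


def lint_profile(rules, selections, product):
    """Lint every rule a profile selects; returns {rule_name: [findings]}.

    A selection naming a rule that does not exist is reported as well, since it
    would otherwise surface only when the content build runs.
    """
    report = {}
    for name in selections:
        if name not in rules:
            report[name] = ["selected by profile but no such rule"]
            continue
        findings = lint_rule(rules[name], product)
        if findings:
            report[name] = findings
    return report


# Constructed sample rule bodies with placeholder CCE numbers (not real content).
SAMPLE_RULES = {
    "accounts_tmout": """
prodtype: fedora,rhel7,rhel8,sle12,sle15
identifiers:
    cce@rhel7: CCE-11111-1
    cce@sle12: CCE-22222-2
""",
    "no_empty_passwords": """
prodtype: sle15,sle12,rhel8
identifiers:
    cce@rhel8: CCE-33333-3
""",
    "audit_rules_privileged_commands_kmod": """
prodtype: rhel8,sle12,sle15
identifiers:
    cce@sle12: CCE-4444-44
""",
}

# Hypothetical profile selection list; the last entry deliberately names no rule.
SAMPLE_SELECTIONS = ["accounts_tmout", "no_empty_passwords",
                     "audit_rules_privileged_commands_kmod", "rule_that_does_not_exist"]


def run(raw_rules=SAMPLE_RULES, selections=SAMPLE_SELECTIONS, product="sle12"):
    rules = {n: parse_rule(n, body) for n, body in raw_rules.items()}
    return lint_profile(rules, selections, product)


if __name__ == "__main__":
    for rule_name, rule_findings in sorted(run().items()):
        for finding in rule_findings:
            print("%s: %s" % (rule_name, finding))
```

Run it against the sample data and it flags exactly the three kinds of problem the review raised: an unsorted prodtype, a rule with no cce@sle12 at all, and a CCE that does not match the identifier format, while the fully annotated accounts_tmout rule produces no output.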

@truzzon
Contributor Author

truzzon commented Sep 10, 2021

Hello @Mab879,

I fixed your findings manually. The scripts did not work for me yet:

(content_3.9.6) nico@tower-nico: content [cis_sle12_v300]$ ./utils/rule_dir_json.py 
Product sle12 has multiple remediations of the same type in rule no_empty_passwords: shared.sh,shared.yml,sle12.yml,sle15.yml
Product sle15 has multiple remediations of the same type in rule no_empty_passwords: shared.sh,shared.yml,sle12.yml,sle15.yml
Product sle12 has multiple remediations of the same type in rule accounts_tmout: shared.sh,sle12.sh,sle12.yml,sle15.yml
Product sle15 has multiple remediations of the same type in rule accounts_tmout: shared.sh,sle12.sh,sle12.yml,sle15.yml
Product sle12 has multiple remediations of the same type in rule audit_rules_privileged_commands_kmod: sle12.yml,sle15.yml
Product sle15 has multiple remediations of the same type in rule audit_rules_privileged_commands_kmod: sle12.yml,sle15.yml
Traceback (most recent call last):
  File "/home/nico/git/content/./utils/rule_dir_json.py", line 232, in <module>
    main()
  File "/home/nico/git/content/./utils/rule_dir_json.py", line 192, in main
    rule_obj['ovals'], oval_products = handle_ovals(given_products, product_yamls, rule_obj)
  File "/home/nico/git/content/./utils/rule_dir_json.py", line 120, in handle_ovals
    platforms = ssg.oval.applicable_platforms(oval_path)
  File "/home/nico/git/content/ssg/oval.py", line 123, in applicable_platforms
    body = process_file_with_macros(oval_file, subst_dict)
  File "/home/nico/git/content/ssg/jinja.py", line 184, in process_file_with_macros
    return process_file(filepath, substitutions_dict)
  File "/home/nico/git/content/ssg/jinja.py", line 136, in process_file
    return template.render(substitutions_dict)
  File "/home/nico/.pyenv/versions/3.9.6/envs/content_3.9.6/lib/python3.9/site-packages/jinja2/environment.py", line 1304, in render
    self.environment.handle_exception()
  File "/home/nico/.pyenv/versions/3.9.6/envs/content_3.9.6/lib/python3.9/site-packages/jinja2/environment.py", line 925, in handle_exception
    raise rewrite_traceback_stack(source=source)
  File "/home/nico/git/content/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/oval/shared.xml", line 11, in top-level template code
    {{% if 'rhel' not in product %}}
jinja2.exceptions.UndefinedError: 'product' is undefined

The prerequisites fail. What do I do in these cases?
For every project I am working on I use a separate pyenv environment.

@Mab879
Member

Mab879 commented Sep 10, 2021

/test e2e-aws-rhcos4-moderate

@Mab879
Member

Mab879 commented Sep 10, 2021

@truzzon I have fixed a couple more as well.

What OS are you using for this? I can't reproduce on Fedora 34 with Python 3.9.6.

@truzzon
Contributor Author

truzzon commented Sep 10, 2021

I am working on Mint 20.2.

I'll keep that tool in mind when I start to work on sle15 again. I haven't had the time to debug it today.

@Mab879 Mab879 merged commit 45848e1 into ComplianceAsCode:master Sep 10, 2021
@Mab879
Member

Mab879 commented Sep 10, 2021

Thank you @truzzon!

@truzzon truzzon deleted the cis_sle12_v300 branch September 10, 2021 19:15
@Mab879 Mab879 added this to the 0.1.58 milestone Sep 10, 2021
@yuumasato yuumasato added New Profile Issues or pull requests related to new Profiles. and removed New Profile Issues or pull requests related to new Profiles. labels Sep 23, 2021