Add new rules to sle12/profiles/stig.profile

[brett060102]

This adds all rules in last PR sle12 stig.profile

Fix banner oval check:
Appropriately encode GDM banner
The OVAL check doesn't allow the banner text to be in single quote
so use the approprate macro to format it correctly.

Add missing bash remediation.

Description:

• add sl12 rules to stig.profile, fix a found bug

Rationale:

• Add newly supported sle12 rules to stig.profile

• Add shared/bash_remediation_functions/ensure_pam_module_options.sh which was dropped from earlier changes.

• banner oval check: Appropriately encode GDM banner. The OVAL check doesn't allow the banner text to be in single quote so use the appropriate macro to format it correctly.

[openscap-ci]

Changes identified:
Rules:
 banner_etc_gdm_banner
Profiles:
 stig on sle12

Show details

Rule banner_etc_gdm_banner:
 Ansible remediation changed.
Profile stig on sle12:
 Key deleted from profile.
 Rule smartcard_configure_ca, audit_rules_login_events_faillog, cracklib_accounts_password_pam_minlen, sssd_offline_cred_expiration, audit_rules_privileged_commands_chfn, audit_rules_privileged_commands_usermod, dconf_db_up_to_date, sssd_memcache_timeout, audit_rules_dac_modification_umount2, audit_rules_execution_setfacl, cracklib_accounts_password_pam_ocredit, cracklib_accounts_password_pam_ucredit, audit_rules_execution_chmod, clean_components_post_updating, dconf_gnome_login_banner_text, aide_check_audit_tools, smartcard_configure_cert_checking, accounts_passwords_pam_tally2, account_unique_id, audit_rules_execution_chacl, cracklib_accounts_password_pam_difok, gui_login_dod_acknowledgement, rsyslog_remote_loghost, sshd_use_approved_ciphers, audit_rules_dac_modification_umount, banner_etc_gdm_banner, accounts_password_all_shadowed_sha512, audit_rules_execution_chcon, account_emergency_admin, cracklib_accounts_password_pam_retry, install_smartcard_packages, audit_rules_privileged_commands_ssh_agent, enable_dconf_user_profile, audit_rules_suid_privilege_function, accounts_password_pam_pwhistory_remember, smartcard_pam_enabled, sysctl_net_ipv4_tcp_syncookies, set_password_hashing_min_rounds_logindefs, set_password_hashing_algorithm_systemauth, audit_rules_media_export, installed_OS_is_FIPS_certified, audit_rules_privileged_commands_passmass, cracklib_accounts_password_pam_lcredit, file_etc_security_opasswd, dconf_gnome_banner_enabled, accounts_passwords_pam_faildelay_delay, audit_rules_privileged_commands_kmod, accounts_tmout, cracklib_accounts_password_pam_dcredit, dir_perms_world_writable_system_owned_group, vlock_installed, policy_temp_passwords_immediate_change, service_autofs_disabled, audit_rules_execution_rm added to stig profile.
 Variable var_sssd_memcache_timeout=1_day added to stig profile.

Recommended tests to execute:
 build_product sle12
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using ansible --datastream build/ssg-sle12-ds.xml banner_etc_gdm_banner
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-sle12-ds.xml stig

[openshift-ci-robot]

Hi @brett060102. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ggbecker]

@brett060102 I think now is a good time to update the stig_overlay.xml. Check the reference: https://complianceascode.readthedocs.io/en/latest/manual/developer/04_updating_reference_and_overlay.html?highlight=create-stig-overlay#stig-overlay-content

[brett060102]

@ggbecker thank you @abergmann do you want to take this one or shall I?