
Add more SLE-15 stigs and CCE IDs to existing rules #6778

Merged

Conversation

brett060102
Contributor

  • Change is to add SLE-15 stigs to existing rule.
  • No new rules are added
  • SLES-12-03040 should have been attached to sysctl_net_ipv6_conf_default_accept_redirects
  • Added SLE-15 stigs
    - SLES-15-040440 'Disable SSH Access via Empty Passwords'
    - SLES-15-040290 'Disable X11 Forwarding'
    - SLES-15-040440 'Do Not Allow SSH Environment Options'
    - SLES-15-010050 'Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement'
    - SLES-15-020250 'Limit Password Reuse'
    - SLES-15-020160 'Set Password Strength Minimum Different Characters'
    - SLES-15-020140 'Set Password Strength Minimum Lowercase Characters'
    - SLES-15-020130 'Set Password Strength Minimum Uppercase Characters'
    - SLES-15-040062 'Disable Ctrl-Alt-Del Burst Action'
    - SLES-15-020200 'Set Password Minimum Age'
    - SLES-15-020100 'Verify Only Root Has UID 0'
    - SLES-15-020091 'Ensure that System Accounts Do Not Run a Shell Upon Login'
    - SLES-15-040100 'All Interactive User Home Directories Must Be Group-Owned By The Primary User'
    - SLES-15-030250 'Record Events that Modify the System's Discretionary Access Controls - chown'
    - SLES-15-030300 'Record Events that Modify the System's Discretionary Access Controls - fchmod'
    - SLES-12-030310 'Record Events that Modify the System's Discretionary Access Controls - fchmodat'
    - SLES-15-030260 'Record Events that Modify the System's Discretionary Access Controls - fchown'
    - SLES-15-030280 'Record Events that Modify the System's Discretionary Access Controls - fchownat'
    - SLES-15-030210 'Record Events that Modify the System's Discretionary Access Controls - fremovexattr'
    - SLES-15-030230 'Record Events that Modify the System's Discretionary Access Controls - fsetxattr'
    - SLES-15-030270 'Record Events that Modify the System's Discretionary Access Controls - lchown'
    - SLES-15-030200 'Record Events that Modify the System's Discretionary Access Controls - lremovexattr'
    - SLES-15-030240 'Record Events that Modify the System's Discretionary Access Controls - lsetxattr'
    - SLES-15-030190 'Record Events that Modify the System's Discretionary Access Controls - removexattr'
    - SLES-15-030220 'Record Events that Modify the System's Discretionary Access Controls - setxattr'
    - SLES-15-030160 'Record Unsuccessful Access Attempts to Files - creat'
    - SLES-15-030320 'Record Unsuccessful Access Attempts to Files - ftruncate'
    - SLES-15-030150 'Record Unsuccessful Access Attempts to Files - open'
    - SLES-15-030180 'Record Unsuccessful Access Attempts to Files - open_by_handle_at'
    - SLES-15-030170 'Record Unsuccessful Access Attempts to Files - openat'
    - SLES-15-030710 'Record Unsuccessful Delete Attempts to Files - rename'
    - SLES-15-030720 'Record Unsuccessful Delete Attempts to Files - renameat'
    - SLES-15-030740 'Record Unsuccessful Delete Attempts to Files - unlink'
    - SLES-15-030750 'Record Unsuccessful Delete Attempts to Files - unlinkat'
    - SLES-15-030350 'Ensure auditd Collects Information on the Use of Privileged Commands - mount'
    - SLES-15-030330 'Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit'
    - SLES-15-030500 'Ensure auditd Collects Information on the Use of Privileged Commands - usermod'
    - SLES-15-030820 'Remove Default Configuration to Disable Syscall Auditing'
    - SLES-15-030140 'Ensure auditd Collects System Administrator Actions'
    - SLES-15-030660 'Configure a Sufficiently Large Partition for Audit Logs'
    - SLES-15-030790 'Configure audispd's Plugin network_failure_action On Network Failure'
    - SLES-15-040341 'Disable Accepting ICMP Redirects for All IPv6 Interfaces'
    - SLES-15-040350 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces'
    - SLES-15-040380 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces'
    - SLES-15-010351 'Verify that Shared Library Files Have Restrictive Permissions'
    - SLES-15-010570 'Configure Periodic Execution of AIDE'

Description:

  • Add more SLE-15 STIGS to existing rules
  • SLES-12-03040 should have been attached to sysctl_net_ipv6_conf_default_accept_redirects not sysctl_net_ipv6_conf_default_accept_source_route

Rationale:

  • SUSE SLES 15 support

@openshift-ci-robot
Collaborator

Hi @brett060102. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the needs-ok-to-test Used by openshift-ci bot. label Mar 30, 2021
@openscap-ci
Collaborator

openscap-ci commented Mar 30, 2021

Changes identified:
Rules:
 no_shelllogin_for_systemaccounts
Profiles:
 stig on sle12
 stig on sle15

Show details

Rule no_shelllogin_for_systemaccounts:
 Text changed in OVAL check.
Profile stig on sle12:
 Rule service_sshd_enabled, sysctl_net_ipv6_conf_default_accept_redirects added to stig profile.
 Rule sysctl_net_ipv6_conf_default_accept_source_route removed from stig profile.
Profile stig on sle15:
 Rule audit_rules_unsuccessful_file_modification_open, sshd_disable_x11_forwarding, audit_rules_privileged_commands_mount, aide_periodic_cron_checking, sysctl_net_ipv6_conf_default_accept_redirects, audit_rules_enable_syscall_auditing, audit_rules_unsuccessful_file_modification_unlinkat, auditd_audispd_network_failure_action, file_permissions_library_dirs, audit_rules_dac_modification_removexattr, audit_rules_dac_modification_fchmodat, audit_rules_dac_modification_lremovexattr, audit_rules_dac_modification_fchmod, audit_rules_dac_modification_fchownat, audit_rules_unsuccessful_file_modification_rename, sshd_do_not_permit_user_env, audit_rules_dac_modification_lchown, accounts_no_uid_except_zero, audit_rules_unsuccessful_file_modification_renameat, sysctl_net_ipv4_ip_forward, audit_rules_dac_modification_lsetxattr, cracklib_accounts_password_pam_ucredit, audit_rules_dac_modification_fchown, no_shelllogin_for_systemaccounts, sysctl_net_ipv6_conf_all_accept_redirects, audit_rules_unsuccessful_file_modification_creat, cracklib_accounts_password_pam_lcredit, audit_rules_unsuccessful_file_modification_openat, audit_rules_dac_modification_fremovexattr, audit_rules_dac_modification_fsetxattr, audit_rules_dac_modification_chown, gui_login_dod_acknowledgement, disable_ctrlaltdel_burstaction, audit_rules_unsuccessful_file_modification_open_by_handle_at, accounts_password_pam_unix_remember, cracklib_accounts_password_pam_difok, auditd_audispd_configure_sufficiently_large_partition, audit_rules_privileged_commands_sudoedit, sshd_disable_empty_passwords, audit_rules_unsuccessful_file_modification_ftruncate, file_groupownership_home_directories, audit_rules_unsuccessful_file_modification_unlink, audit_rules_sysadmin_actions, audit_rules_dac_modification_setxattr added to stig profile.
 Variable var_accounts_minimum_age_login_defs=7 added to stig profile.

Recommended tests to execute:
 build_product sle15
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-sle15-ds.xml stig
 build_product rhel8
 tests/test_suite.py rule --libvirt qemu:///system test-suite-vm --remediate-using bash --datastream build/ssg-rhel8-ds.xml no_shelllogin_for_systemaccounts
 build_product sle12
 tests/test_suite.py profile --libvirt qemu:///system test-suite-vm --datastream build/ssg-sle12-ds.xml stig

Member

@ggbecker ggbecker left a comment


Tests have revealed duplicated CCEs in:

cce CCE-85678-1 is included in files: 
 - linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
 - linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml

cce CCE-85691-4 is included in files: 
 - linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
 - linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml

@ggbecker ggbecker self-assigned this Mar 31, 2021
@ggbecker ggbecker added this to the 0.1.56 milestone Mar 31, 2021
@@ -34,12 +35,14 @@ references:
disa: CCI-000366,CCI-000766
hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
nist: AC-17(a),CM-7(a),CM-7(b),CM-6(a)
nist@sle15: CM-6 b,CM-6.1 (iv)
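Review bot: the `nist@sle15: CM-6 b,CM-6.1 (iv)` line in this hunk carries spaces inside the reference identifiers, while the `nist:` line directly above uses the compact `CM-7(a)` form; since the build splits reference values on commas only, those spaces are carried through unchanged into the generated content. Either normalise the new entries to the spaceless form used elsewhere in the file, or document in the PR that spaced NIST references are intentional and accepted by the build.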
Member

We might have to check if spaces in the references section can be a problem. I've seen that a lot of them proposed in this PR contain spaces.

Contributor Author

@ggbecker I can update to replace with (a),(b) etc, but that would be slightly different from what is in our STIG. I did not see an issue when I built this. I know we can't have a space following the comma. I am not sure about before the comma since I have not tried that case. I am OK with removing the spaces. I do see one other nist record with spaces:
jre/guide/java/java_jre_disable_untrusted_sources_locked/rule.yml: nist: SC-18 (3)
The only other occurrences I see are in sle12 or sle15 records. Again, happy to remove, so please advise.

Member

It seems that the build system is able to work with spaces. It splits using comma as the separator (https://github.com/ComplianceAsCode/content/blob/master/ssg/build_yaml.py#L1261).

So, I don't have any strong opinions against it. It's just for the sake of consistency, and I do understand that in the original NIST references the spaces are present. To be honest, I don't know if there was a reason to strip these whitespaces, it goes beyond my time in this project.

Contributor Author

@ggbecker The spaces should be gone now.

@brett060102
Contributor Author

Will address the cce issue. Are there directions on running that test locally? I would really like to avoid that in the future.

@ggbecker
Member

Will address the cce issue. Are there directions on running that test locally? I would really like to avoid that in the future.

From build directory you can run:

ctest -R unique-cces --verbose

or tests labeled as quick that includes the unique-cces test:

ctest -L quick

More details on: https://complianceascode.readthedocs.io/en/latest/manual/developer/02_building_complianceascode.html?highlight=ctest#testing
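The two checks discussed in this thread, the `unique-cces` test that flagged CCE-85678-1 and CCE-85691-4 as shared between two rule files and the comma-only splitting of reference values that lets spaces such as `CM-6 b` survive, can be reproduced offline with a small script. The following is an added example and not ComplianceAsCode's own code: it parses constructed `rule.yml` fragments with a minimal line-based reader rather than the project's YAML loader, the file paths are shortened stand-ins, the `CCE-00000-0` identifier and the `IA-5`/`AU-12` reference values are placeholders, and whitespace stripping is the assumed normalisation for a spaced reference.

```python
"""Offline checks for duplicated CCE identifiers and whitespace inside reference lists.

Added example, not ComplianceAsCode's own code. Mimics two checks from the PR thread:
the build-time 'unique-cces' test (each CCE may appear in exactly one rule.yml) and
the comma-only splitting of reference strings that the build performs.
"""
import re
from collections import defaultdict

# Constructed rule.yml fragments. The two duplicated CCEs are the ones named in the
# review comment; CCE-00000-0 and the IA-5/AU-12 references are placeholders.
SAMPLE_RULES = {
    "accounts-pam/accounts_password_pam_unix_remember/rule.yml": """\
title: 'Limit Password Reuse'
identifiers:
    cce@sle15: CCE-85678-1
references:
    nist: IA-5(f),IA-5(1)(e)
    nist@sle15: IA-5 (1) (e)
    stigid@sle15: SLES-15-020250
""",
    "password_expiration/accounts_minimum_age_login_defs/rule.yml": """\
title: 'Set Password Minimum Age'
identifiers:
    cce@sle15: CCE-85678-1
references:
    nist: IA-5(f),IA-5(1)(d)
    stigid@sle15: SLES-15-020200
""",
    "audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml": """\
title: 'Record Events that Modify the System's DAC - fchown'
identifiers:
    cce@sle15: CCE-85691-4
references:
    nist@sle15: AU-3,AU-12 c
    stigid@sle15: SLES-15-030260
""",
    "audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml": """\
title: 'Record Events that Modify the System's DAC - lchown'
identifiers:
    cce@sle15: CCE-85691-4
references:
    stigid@sle15: SLES-15-030270
""",
    "sshd_disable_empty_passwords/rule.yml": """\
title: 'Disable SSH Access via Empty Passwords'
identifiers:
    cce@sle15: CCE-00000-0
references:
    nist: AC-17(a),CM-7(a),CM-7(b),CM-6(a)
    nist@sle15: CM-6 b,CM-6.1 (iv)
    stigid@sle15: SLES-15-040440
""",
}

TOP_KEY = re.compile(r"^([A-Za-z_]+):\s*(.*)$")          # unindented section key
CHILD_KEY = re.compile(r"^\s+([A-Za-z0-9_@.-]+):\s*(.*?)\s*$")  # indented "key: value"
CCE_RE = re.compile(r"^CCE-\d{5}-\d$")


def parse_rule(text):
    """Return {'identifiers': {...}, 'references': {...}} from a rule.yml fragment.

    Only the two flat sections we care about are collected; everything else is skipped.
    """
    sections = {"identifiers": {}, "references": {}}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        top = TOP_KEY.match(line)
        if top:
            current = top.group(1) if top.group(1) in sections else None
            continue
        child = CHILD_KEY.match(line)
        if current and child:
            sections[current][child.group(1)] = child.group(2)
    return sections


def find_duplicate_cces(rules):
    """Map every CCE found in more than one rule file to the sorted list of those files."""
    seen = defaultdict(set)
    for path, text in rules.items():
        for key, value in parse_rule(text)["identifiers"].items():
            if key.startswith("cce") and CCE_RE.match(value):
                seen[value].add(path)
    return {cce: sorted(paths) for cce, paths in seen.items() if len(paths) > 1}


def split_references(raw):
    """Split a reference value on commas only; spaces inside an entry are preserved."""
    return [item for item in raw.split(",") if item != ""]


def references_with_spaces(rules):
    """List (path, key, entry) for every reference entry that contains whitespace."""
    hits = []
    for path, text in rules.items():
        for key, raw in parse_rule(text)["references"].items():
            for entry in split_references(raw):
                if re.search(r"\s", entry):
                    hits.append((path, key, entry))
    return hits


def normalize_reference(entry):
    """Assumed normalisation: drop all whitespace, e.g. 'CM-6.1 (iv)' -> 'CM-6.1(iv)'."""
    return re.sub(r"\s+", "", entry)


if __name__ == "__main__":
    for cce, paths in sorted(find_duplicate_cces(SAMPLE_RULES).items()):
        print(f"cce {cce} is included in files:")
        for path in paths:
            print(f" - {path}")
    for path, key, entry in references_with_spaces(SAMPLE_RULES):
        print(f"{path}: {key}: {entry!r} -> {normalize_reference(entry)!r}")
```

Run against a real checkout, the same two functions would be pointed at every `rule.yml` under `linux_os/guide` instead of `SAMPLE_RULES`; the duplicate report deliberately mirrors the wording of the `unique-cces` failure quoted above so the two can be compared directly.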

@brett060102
Contributor Author

@ggbecker Is this one OK now?

Member

@ggbecker ggbecker left a comment

@brett060102 Yes, it's ok now. Thanks.

@ggbecker
Member

ggbecker commented Apr 6, 2021

/ok-to-test

@openshift-ci-robot openshift-ci-robot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Apr 6, 2021
@ggbecker
Member

ggbecker commented Apr 6, 2021

Changes here are mostly to SLE content, the chance of the changes breaking something in OCP is low, and we can tackle any problem later if there is any.

@ggbecker ggbecker merged commit 61ec9ac into ComplianceAsCode:master Apr 6, 2021
@brett060102 brett060102 deleted the SUSE_stigs_d584bee248b212 branch June 28, 2023 20:54