Add rules for SLES-12-010430 STIG

guangyee · Dec 14, 2020 · 113a02a · 113a02a
1 parent e1103c4
commit 113a02a
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 2 deletions.
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
 
 title: 'Set Boot Loader Password in grub2'
 
@@ -10,9 +10,23 @@ description: |-
     <br /><br />
     Since plaintext passwords are a security risk, generate a hash for the password
     by running the following command:
+    {{% if product == "sle12" %}}
+    <pre>$ grub2-mkpasswd-pbkdf2</pre>
+    {{% else %}}
     <pre>$ grub2-setpassword</pre>
+    {{% endif %}}
     When prompted, enter the password that was selected.
     <br /><br />
+    {{% if product == "sle12" %}}
+    Using the hash from the output, modify the <tt>/etc/grub.d/40_custom</tt>
+    file with the following content:
+    <pre>set superusers="boot"
+    password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString
+    </pre>
+    NOTE: the bootloader superuser account and password MUST differ from the
+    root account and password.
+    {{% endif %}}
+    <br /><br />
     Once the superuser password has been added,
     update the
     <tt>grub.cfg</tt> file by running:
@@ -29,6 +43,7 @@ severity: high
 identifiers:
     cce@rhel7: CCE-27309-4
     cce@rhel8: CCE-80828-7
+    cce@sle12: CCE-83044-8
 
 references:
     cis@rhel8: 1.5.2
@@ -41,6 +56,7 @@ references:
     ospp: FIA_UAU.1
     srg: SRG-OS-000080-GPOS-00048
     stigid@rhel7: RHEL-07-010482
+    stigid@sle12: SLES-12-010430
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7'
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
     cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10
@@ -53,17 +69,28 @@ ocil_clause: 'it does not'
 ocil: |-
     To verify the boot loader superuser password has been set, run the following
     command:
+    {{% if product == "sle12" %}}
+    <pre>sudo grep "boot" /boot/grub2/grub.cfg</pre>
+    {{% else %}} 
     <pre>sudo grep "superusers" /etc/grub2.cfg</pre>
+    {{% endif %}}
     The output should show the following:
     <pre>password_pbkdf2 <b>superusers-account</b> <b>${GRUB2_PASSWORD}</b></pre>
     To verify the boot loader superuser account password has been set,
     and the password encrypted, run the following command:
+    {{% if product == "sle12" %}}
+    <pre>sudo cat /etc/grub.d/40_custom</pre>
+    The output should be similar to:
+    <pre>set superusers="boot"
+    password_pbkdf2 boot grub.pbkdf2.sha512.10000.5DE5DF6E01A52E17A8C2FEDF585A3916B345F654C9D19C9ECD0BC958DF8C8A5E1AB15862D9C0B6DCE1F3209D8E8B46101DB3AE7146BB9D7D6C1D379E1854AF9E.CD75F981FE5223C583FB7887544C3A4C96431B5C089801D26855B93A1CB0BC0A508D189F1799A1CC40036B069C36EAD51DAE6A2EE6C0732353B2B5B4F5C49088</pre>
+    {{% else %}}
     <pre>sudo cat /boot/grub2/user.cfg</pre>
     The output should be similar to:
     <pre>GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
     2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
     916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
     0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828</pre>
+    {{% endif %}}
 
 warnings:
     - general: |-

diff --git a/shared/checks/oval/installed_env_has_grub2_package.xml b/shared/checks/oval/installed_env_has_grub2_package.xml
@@ -31,7 +31,7 @@
     <linux:object object_ref="obj_env_has_grub2_installed" />
   </linux:rpminfo_test>
   <linux:rpminfo_object id="obj_env_has_grub2_installed" version="1">
-    <linux:name>grub2-common</linux:name>
+    <linux:name>{{% if product == "sle12" %}}grub2{{% else %}}grub2-common{{% endif %}}</linux:name>
   </linux:rpminfo_object>
 {{% elif pkg_system == "dpkg" %}}
   <linux:dpkginfo_test check="all" check_existence="all_exist"

diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
@@ -40,3 +40,4 @@ selections:
     - account_temp_expire_date
     - accounts_umask_etc_login_defs
     - accounts_have_homedir_login_defs
+    - grub2_password