Merge branch 'development' into SLES-12-010030

guangyee · Dec 10, 2020 · 179b5e7 · 179b5e7
2 parents 46f6e01 + c4d8374
commit 179b5e7
Show file tree

Hide file tree

Showing 12 changed files with 35 additions and 9 deletions.
diff --git a/...x_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml b/...x_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_sle
 # reboot = false
 # strategy = disable
 # complexity = low

diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
 
 title: 'Disable Ctrl-Alt-Del Reboot Activation'
 
@@ -29,6 +29,7 @@ identifiers:
     cce@rhel7: CCE-27511-5
     cce@rhel8: CCE-80785-9
     cce@rhcos4: CCE-82493-8
+    cce@sle12: CCE-83018-2
 
 references:
     stigid@ol7: OL07-00-020230
@@ -39,6 +40,8 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000324-GPOS-00125,SRG-OS-000480-GPOS-00227
     stigid@rhel7: RHEL-07-020230
+    stigid@sle12: SLES-12-010610
+    stigid@sle12: SLES-12-010611
     isa-62443-2013: 'SR 2.1,SR 5.2'
     isa-62443-2009: 4.3.3.7.3
     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02

diff --git a/...tem/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/shared.sh b/...tem/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/shared.sh
@@ -1,2 +1,2 @@
-# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --max-lines=1 passwd -l
diff --git a/...de/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/...de/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel7: CCE-82054-8
     cce@rhel8: CCE-80649-7
     cce@rhcos4: CCE-82699-0
+    cce@sle12: CCE-83020-8
 
 references:
     stigid@ol7: OL07-00-020310
@@ -35,6 +36,7 @@ references:
     nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
     stigid@rhel7: RHEL-07-020310
+    stigid@sle12: SLES-12-010650
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 5.2'
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
     cobit5: APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10

diff --git a/...iting/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml b/...iting/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/.../auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/.../auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol,multi_platform_sle
 . /usr/share/scap-security-guide/remediation_functions
 {{{ bash_instantiate_variables("var_auditd_space_left") }}}
 

diff --git a/...system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/...system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
 
 title: 'Configure auditd space_left on Low Disk Space'
 
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80537-4
     cce@rhcos4: CCE-82681-8
+    cce@sle12: CCE-83026-5
 
 references:
     stigid@ol7: OL07-00-030330
@@ -37,6 +38,10 @@ references:
     cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
     iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
+    stigid@sle12: SLES-12-020030
+    srg@sle12: SRG-OS-000343-GPOS-00134
+    disa@sle12: CCI-001855
+    nist@sle12: AU-5(1)
 
 ocil_clause: 'the system is not configured a specfic size in MB to notify administrators of an issue'
 

diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml
@@ -12,6 +12,7 @@ identifiers:
     cce@rhel7: CCE-81042-4
     cce@rhel8: CCE-81043-2
     cce@rhcos4: CCE-82669-3
+    cce@sle12: CCE-83023-2
 
 ocil_clause: 'the package is not installed'
 
@@ -21,6 +22,10 @@ references:
     srg: SRG-OS-000480-GPOS-00227,SRG-OS-000122-GPOS-00063
     cis@rhel8: 4.1.1.1
     cis@ubuntu2004: 4.1.1.1
+    stigid@sle12: SLES-12-020000
+    srg@sle12: SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220
+    disa@sle12: CCI-000172,CCI-001814,CCI-001875,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914
+    nist@sle12: AU-7(a),AU-7(b),AU-8(b),AU-12.1(iv),AU-12(3),AU-12(c),CM-5(1)
 
 template:
     name: package_installed

diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
@@ -27,6 +27,7 @@ identifiers:
     cce@rhel7: CCE-27407-6
     cce@rhel8: CCE-80872-5
     cce@rhcos4: CCE-82463-1
+    cce@sle12: CCE-83024-0
 
 references:
     stigid@ol7: OL07-00-030000
@@ -47,6 +48,10 @@ references:
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
+    stigid@sle12: SLES-12-020010
+    srg@sle12: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000392-GPOS-00172,SRG-OS-000480-GPOS-00227
+    disa@sle12: CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000366,CCI-001464,CCI-001487,CCI-001876,CCI-002884
+    nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a)
 
 ocil: '{{{ ocil_service_enabled(service="auditd") }}}'
 

diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle
 # reboot = false
 # strategy = disable
 # complexity = low

diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
 # reboot = false
 # strategy = enable
 # complexity = low

diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
@@ -13,8 +13,14 @@ selections:
     - sudo_remove_no_authenticate
     - sshd_disable_empty_passwords
     - sshd_do_not_permit_user_env
+    - disable_ctrlaltdel_reboot
     - sshd_enable_x11_forwarding
     - gnome_gdm_disable_automatic_login
     - no_user_host_based_files
     - banner_etc_motd
-
+    - accounts_no_uid_except_zero
+    - no_user_host_based_files
+    - no_user_host_based_files
+    - package_audit_installed
+    - service_auditd_enabled
+    - auditd_data_retention_space_left