From 60e5be2001a6e2d31d58fab3190cf31246453fdf Mon Sep 17 00:00:00 2001 From: guangyee Date: Wed, 9 Dec 2020 01:19:54 +0100 Subject: [PATCH 1/6] Add rules for SLES-12-010650 STIG --- .../root_logins/accounts_no_uid_except_zero/bash/shared.sh | 2 +- .../root_logins/accounts_no_uid_except_zero/rule.yml | 2 ++ sle12/profiles/stig.profile | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/shared.sh index f1820214c760..02277be1cb4c 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/shared.sh @@ -1,2 +1,2 @@ -# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv,multi_platform_sle awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --max-lines=1 passwd -l diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml index 7ed6a8dfbccc..7fd291caea0d 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml @@ -25,6 +25,7 @@ identifiers: cce@rhel7: CCE-82054-8 cce@rhel8: CCE-80649-7 cce@rhcos4: CCE-82699-0 + cce@sle12: CCE-83020-8 references: stigid@ol7: OL07-00-020310 
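Review bot: The context line `awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --max-lines=1 passwd -l` in accounts_no_uid_except_zero/bash/shared.sh has no guard for empty input, and adding `multi_platform_sle` to the platform header now runs it on SLE too. GNU xargs invokes the command once even when awk prints nothing, so on an already compliant system this executes a bare `passwd -l`. Depending on the passwd implementation shipped on SLE, that either errors out or acts on the invoking account, which for a remediation run would presumably be root; this is worth verifying before enabling the platform. Adding the flag avoids the call entirely: `xargs --no-run-if-empty --max-lines=1 passwd -l`. Separately, locking the password leaves the account at UID 0 and does not affect non-password logins, so a comment such as `# locks the password only; the account keeps UID 0 and must still be reviewed` would help the next reader.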
@@ -35,6 +36,7 @@ references: nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020310 + stigid@sle12: SLES-12-010650 isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 5.2' isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4 cobit5: APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10 diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile index 02461707fa1f..28e7784cbdef 100644 --- a/sle12/profiles/stig.profile +++ b/sle12/profiles/stig.profile @@ -13,3 +13,4 @@ selections: - sudo_remove_no_authenticate - sshd_disable_empty_passwords - sshd_do_not_permit_user_env + - accounts_no_uid_except_zero From edc56a7ffa44fea72bceb73450885edc0a29d661 Mon Sep 17 00:00:00 2001 From: Alexander Bergmann Date: Wed, 9 Dec 2020 10:47:11 +0000 Subject: [PATCH 2/6] SLES-12-020000: audit package must be installed --- .../guide/system/auditing/package_audit_installed/rule.yml | 5 +++++ sle12/profiles/stig.profile | 1 + 2 files changed, 6 insertions(+) diff --git a/linux_os/guide/system/auditing/package_audit_installed/rule.yml b/linux_os/guide/system/auditing/package_audit_installed/rule.yml index d1d20a0cd144..2fc431c1aec6 100644 --- a/linux_os/guide/system/auditing/package_audit_installed/rule.yml +++ b/linux_os/guide/system/auditing/package_audit_installed/rule.yml @@ -12,6 +12,7 @@ identifiers: cce@rhel7: CCE-81042-4 cce@rhel8: CCE-81043-2 cce@rhcos4: CCE-82669-3 + cce@sle12: CCE-83023-2 ocil_clause: 'the package is not installed' 
@@ -21,6 +22,10 @@ references: srg: SRG-OS-000480-GPOS-00227,SRG-OS-000122-GPOS-00063 cis@rhel8: 4.1.1.1 cis@ubuntu2004: 4.1.1.1 + stigid@sle12: SLES-12-020000 + srg@sle12: SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220 + disa@sle12: CCI-000172,CCI-001814,CCI-001875,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914 + nist@sle12: AU-7(a),AU-7(b),AU-8(b),AU-12.1(iv),AU-12(3),AU-12(c),CM-5(1) template: name: package_installed diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile index 5084aefb6af9..13ba7a49628e 100644 --- a/sle12/profiles/stig.profile +++ b/sle12/profiles/stig.profile @@ -15,3 +15,4 @@ selections: - sshd_do_not_permit_user_env - sshd_enable_x11_forwarding - gnome_gdm_disable_automatic_login + - package_audit_installed From 565afd7f0b7285a82607bd14fee676fef5e2d209 Mon Sep 17 00:00:00 2001 From: guangyee Date: Wed, 9 Dec 2020 00:06:21 +0100 Subject: [PATCH 3/6] Add rules for SLES-12-010610 and SLES-12-010611 --- .../disable_ctrlaltdel_reboot/ansible/shared.yml | 2 +- .../accounts-physical/disable_ctrlaltdel_reboot/rule.yml | 5 ++++- sle12/profiles/stig.profile | 1 + 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml index c9a66bb5d106..8ea1de865ae9 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml 
@@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol +# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = disable # complexity = low diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml index be34780bb78a..5824f7b2ca20 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Disable Ctrl-Alt-Del Reboot Activation' @@ -29,6 +29,7 @@ identifiers: cce@rhel7: CCE-27511-5 cce@rhel8: CCE-80785-9 cce@rhcos4: CCE-82493-8 + cce@sle12: CCE-83018-2 references: stigid@ol7: OL07-00-020230 @@ -39,6 +40,8 @@ references: nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000324-GPOS-00125,SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020230 + stigid@sle12: SLES-12-010610 + stigid@sle12: SLES-12-010611 isa-62443-2013: 'SR 2.1,SR 5.2' isa-62443-2009: 4.3.3.7.3 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile index 02461707fa1f..e71c7f99eae6 100644 --- a/sle12/profiles/stig.profile +++ b/sle12/profiles/stig.profile @@ -13,3 +13,4 @@ selections: - sudo_remove_no_authenticate - sshd_disable_empty_passwords - sshd_do_not_permit_user_env + - disable_ctrlaltdel_reboot From b9965fb11d1424407bc7a824cb9bda77a28fa3a8 Mon Sep 17 00:00:00 2001 
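Review bot: In the `references:` hunk of disable_ctrlaltdel_reboot/rule.yml the key `stigid@sle12` is added twice, once for SLES-12-010610 and once for SLES-12-010611. Most YAML loaders either reject duplicate keys in one mapping or silently keep only the last value, so SLES-12-010610 would likely be lost from the generated content. Other references in this file carry several values as a comma-separated list, so a single line such as `stigid@sle12: SLES-12-010610,SLES-12-010611` looks like the intended form, provided the build accepts more than one STIG ID per rule.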
From: Alexander Bergmann Date: Wed, 9 Dec 2020 22:14:59 +0000 Subject: [PATCH 4/6] SLES-12-020010: Enable auditd Service --- .../guide/system/auditing/service_auditd_enabled/rule.yml | 5 +++++ sle12/profiles/stig.profile | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml index 81d5f80daa13..0696ce915a42 100644 --- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml +++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml @@ -27,6 +27,7 @@ identifiers: cce@rhel7: CCE-27407-6 cce@rhel8: CCE-80872-5 cce@rhcos4: CCE-82463-1 + cce@sle12: CCE-83024-0 references: stigid@ol7: OL07-00-030000 @@ -47,6 +48,10 @@ references: cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9 + stigid@sle12: SLES-12-020010 + srg@sle12: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000392-GPOS-00172,SRG-OS-000480-GPOS-00227 + disa@sle12: CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000366,CCI-001464,CCI-001487,CCI-001876,CCI-002884 + nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a) ocil: '{{{ ocil_service_enabled(service="auditd") }}}' 
diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile index e68ec1fa01f4..76c0d5f2595e 100644 --- a/sle12/profiles/stig.profile +++ b/sle12/profiles/stig.profile @@ -15,4 +15,4 @@ selections: - sshd_do_not_permit_user_env - sshd_enable_x11_forwarding - gnome_gdm_disable_automatic_login - - no_user_host_based_files \ No newline at end of file + - service_auditd_enabled From deade299594e4f9d33edd853c01dbe5eed33d148 Mon Sep 17 00:00:00 2001 From: Alexander Bergmann Date: Wed, 9 Dec 2020 22:41:16 +0000 Subject: [PATCH 5/6] Add SLE for bash service enable/disable --- shared/templates/service_disabled/bash.template | 2 +- shared/templates/service_enabled/bash.template | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/templates/service_disabled/bash.template b/shared/templates/service_disabled/bash.template index 0de34240dc98..b9bf1b5bd810 100644 --- a/shared/templates/service_disabled/bash.template +++ b/shared/templates/service_disabled/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle # reboot = false # strategy = disable # complexity = low diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template index 31b0b713637d..5a6b09f98710 100644 --- a/shared/templates/service_enabled/bash.template +++ b/shared/templates/service_enabled/bash.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle # reboot = false # strategy = enable # complexity = low 
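Review bot: The last line of the sle12/profiles/stig.profile hunk in patch 4/6 replaces `- no_user_host_based_files` with `- service_auditd_enabled` instead of appending to it, which drops an existing rule from the SLE 12 STIG selections. Nothing in the commit subject suggests the removal is intended. Patch 6/6 edits the same base blob (e68ec1fa01f4) and keeps that rule, so this looks like a side effect of fixing the missing trailing newline. The hunk should keep the old entry and add the new one after it: `- no_user_host_based_files` followed by `- service_auditd_enabled`.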
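Review bot: The new platform header in shared/templates/service_disabled/bash.template lists `multi_platform_sle` twice, because the old line already had it before `multi_platform_ubuntu`. The duplicate is probably harmless to the build, but it makes the header misleading about what this patch changed. This hunk can be dropped so that only the service_enabled/bash.template change remains.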
From 13a3607825855ad15e2b9aa76d9e2f0bd263b999 Mon Sep 17 00:00:00 2001 From: Alexander Bergmann Date: Thu, 10 Dec 2020 00:07:56 +0000 Subject: [PATCH 6/6] SLES-12-020030 auditd_data_retention_space_left --- .../auditd_data_retention_space_left/ansible/shared.yml | 2 +- .../auditd_data_retention_space_left/bash/shared.sh | 2 +- .../auditd_data_retention_space_left/rule.yml | 7 ++++++- sle12/profiles/stig.profile | 3 ++- 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml index 6db7ffbd34bd..ab0bea58ee72 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh index 77e622c1ac67..9b79489ba66c 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh 
@@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol,multi_platform_sle . /usr/share/scap-security-guide/remediation_functions {{{ bash_instantiate_variables("var_auditd_space_left") }}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml index 9db279ae245d..6b9d2e5f837f 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Configure auditd space_left on Low Disk Space' @@ -22,6 +22,7 @@ severity: medium identifiers: cce@rhel7: CCE-80537-4 cce@rhcos4: CCE-82681-8 + cce@sle12: CCE-83026-5 references: stigid@ol7: OL07-00-030330 @@ -37,6 +38,10 @@ references: cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01 iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8 + stigid@sle12: SLES-12-020030 + srg@sle12: SRG-OS-000343-GPOS-00134 + disa@sle12: CCI-001855 + nist@sle12: AU-5(1) ocil_clause: 'the system is not configured a specfic size in MB to notify administrators of an issue' diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile index e68ec1fa01f4..4012cbb2869f 100644 --- a/sle12/profiles/stig.profile +++ b/sle12/profiles/stig.profile 
@@ -15,4 +15,5 @@ selections: - sshd_do_not_permit_user_env - sshd_enable_x11_forwarding - gnome_gdm_disable_automatic_login - - no_user_host_based_files \ No newline at end of file + - no_user_host_based_files + - auditd_data_retention_space_left