Merge pull request ComplianceAsCode#27 from SUSE/SLES-12-010231

Add rules for SLES-12-010231 STIG
guangyee · Dec 11, 2020 · 17e111a · 17e111a
2 parents 558d1e3 + 38b01d4
commit 17e111a
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 0 deletions.
diff --git a/...stem/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/sle12.yml b/...stem/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/sle12.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+- name: Find files in /etc/pam.d/ with password auth
+  find:
+    paths: /etc/pam.d
+    contains: ".*pam_unix\\.so.*nullok.*"
+    recurse: yes
+  register: find_pam_conf_files_result
+
+- name: Prevent Log In to Accounts with Empty Password
+  replace:
+    dest: "{{ item.path }}"
+    regexp: nullok
+  with_items: "{{ find_pam_conf_files_result.files }}"
diff --git a/...system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml b/...system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
@@ -9,7 +9,11 @@
     <ind:object object_ref="object_no_empty_passwords" />
   </ind:textfilecontent54_test>
   <ind:textfilecontent54_object id="object_no_empty_passwords" version="1">
+{{% if product == "sle12" %}}
+    <ind:filepath operation="pattern match">^/etc/pam.d/.*$</ind:filepath>
+{{% else %}}
     <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
+{{% endif %}}
     <ind:pattern operation="pattern match">^[^#]*\bnullok\b.*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>

diff --git a/.../guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/.../guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel7: CCE-27286-4
     cce@rhel8: CCE-80841-0
     cce@rhcos4: CCE-82553-9
+    cce@sle12: CCE-83039-8
 
 references:
     stigid@ol7: OL07-00-010290
@@ -33,6 +34,7 @@ references:
     pcidss: Req-8.2.3
     srg: SRG-OS-000480-GPOS-00227
     stigid@rhel7: RHEL-07-010290
+    stigid@sle12: SLES-12-010231
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 5.2'
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
     cobit5: APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10

diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
@@ -30,6 +30,7 @@ selections:
     - auditd_data_retention_space_left
     - auditd_data_retention_action_mail_acct
     - set_password_hashing_algorithm_logindefs
+    - no_empty_passwords
     - account_disable_post_pw_expiration
     - accounts_maximum_age_login_defs
     - accounts_minimum_age_login_defs