Merge branch 'development' into SLES-12-020050

linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml

@@ -22,7 +22,7 @@ severity: high
 
 identifiers:
     cce@rhel7: CCE-80513-5
-
+    cce@sle12: CCE-83022-4
 references:
     stigid@ol7: OL07-00-040550
     disa: CCI-000366

linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = false
 # strategy = unknown
 # complexity = low

linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
 
 title: 'Modify the System Message of the Day Banner'
 
@@ -51,10 +51,14 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-83394-7
     cce@rhel8: CCE-83496-0
+    cce@sle12: CCE-83025-7
 
 references:
     cis@rhel8: 1.8.1.1
-
+    stigid@sle12: SLES-12-010030
+    srg@sle12: SRG-OS-000023-GPOS-00006
+    disa@sle12: CCI-000048
+    nist@sle12: AC-8(a),AC-8.1(ii)
 
 ocil_clause: 'it does not display the required banner'
 

linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_sle
 # reboot = false
 # strategy = disable
 # complexity = low

linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
 
 title: 'Disable Ctrl-Alt-Del Reboot Activation'
 
@@ -29,6 +29,7 @@ identifiers:
     cce@rhel7: CCE-27511-5
     cce@rhel8: CCE-80785-9
     cce@rhcos4: CCE-82493-8
+    cce@sle12: CCE-83018-2
 
 references:
     stigid@ol7: OL07-00-020230
@@ -39,6 +40,8 @@ references:
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000324-GPOS-00125,SRG-OS-000480-GPOS-00227
     stigid@rhel7: RHEL-07-020230
+    stigid@sle12: SLES-12-010610
+    stigid@sle12: SLES-12-010611
     isa-62443-2013: 'SR 2.1,SR 5.2'
     isa-62443-2009: 4.3.3.7.3
     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02

linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/shared.sh

@@ -1,2 +1,2 @@
-# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --max-lines=1 passwd -l

linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml

@@ -25,6 +25,7 @@ identifiers:
     cce@rhel7: CCE-82054-8
     cce@rhel8: CCE-80649-7
     cce@rhcos4: CCE-82699-0
+    cce@sle12: CCE-83020-8
 
 references:
     stigid@ol7: OL07-00-020310
@@ -35,6 +36,7 @@ references:
     nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
     stigid@rhel7: RHEL-07-020310
+    stigid@sle12: SLES-12-010650
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 5.2'
     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
     cobit5: APO01.06,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.10

linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle
 # disruption = low
 # strategy = restrict
 # complexity = low

linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml

@@ -15,6 +15,7 @@ severity: medium
 
 identifiers:
     cce@rhel7: CCE-80352-8
+    cce@sle12: CCE-83028-1
 
 references:
     stigid@ol7: OL07-00-010430
@@ -23,6 +24,7 @@ references:
     nist-csf: PR.IP-1
     srg: SRG-OS-000480-GPOS-00226
     stigid@rhel7: RHEL-07-010430
+    stigid@sle12: SLES-12-010140
     isa-62443-2013: 'SR 7.6'
     isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
     cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux,multi_platform_sle
 . /usr/share/scap-security-guide/remediation_functions
 {{{ bash_instantiate_variables("var_auditd_action_mail_acct") }}}
 

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml

@@ -19,6 +19,7 @@ identifiers:
     cce@rhel7: CCE-27394-6
     cce@rhel8: CCE-80678-6
     cce@rhcos4: CCE-82675-0
+    cce@sle12: CCE-83030-7
 
 references:
     stigid@ol7: OL07-00-030350
@@ -38,6 +39,10 @@ references:
     isa-62443-2009: 4.2.3.10,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
     cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
+    stigid@sle12: SLES-12-020040
+    srg@sle12: SRG-OS-000046-GPOS-00022
+    disa@sle12: CCI-000139
+    nist@sle12: AU-5(a),AU-5.1(ii)
 
 ocil_clause: 'auditd is not configured to send emails per identified actions'
 

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol,multi_platform_sle
 . /usr/share/scap-security-guide/remediation_functions
 {{{ bash_instantiate_variables("var_auditd_space_left") }}}
 

linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
 
 title: 'Configure auditd space_left on Low Disk Space'
 
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-80537-4
     cce@rhcos4: CCE-82681-8
+    cce@sle12: CCE-83026-5
 
 references:
     stigid@ol7: OL07-00-030330
@@ -37,6 +38,10 @@ references:
     cobit5: APO11.04,APO12.06,APO13.01,BAI03.05,BAI04.04,BAI08.02,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS05.04,DSS05.07,MEA02.01
     iso27001-2013: A.12.1.3,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.16.1.4,A.16.1.5,A.16.1.7,A.17.2.1
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8
+    stigid@sle12: SLES-12-020030
+    srg@sle12: SRG-OS-000343-GPOS-00134
+    disa@sle12: CCI-001855
+    nist@sle12: AU-5(1)
 
 ocil_clause: 'the system is not configured a specfic size in MB to notify administrators of an issue'
 

linux_os/guide/system/auditing/package_audit_installed/rule.yml

@@ -12,6 +12,7 @@ identifiers:
     cce@rhel7: CCE-81042-4
     cce@rhel8: CCE-81043-2
     cce@rhcos4: CCE-82669-3
+    cce@sle12: CCE-83023-2
 
 ocil_clause: 'the package is not installed'
 
@@ -21,6 +22,10 @@ references:
     srg: SRG-OS-000480-GPOS-00227,SRG-OS-000122-GPOS-00063
     cis@rhel8: 4.1.1.1
     cis@ubuntu2004: 4.1.1.1
+    stigid@sle12: SLES-12-020000
+    srg@sle12: SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000359-GPOS-00146,SRG-OS-000365-GPOS-00152,SRG-OS-000474-GPOS-00219,SRG-OS-000475-GPOS-00220
+    disa@sle12: CCI-000172,CCI-001814,CCI-001875,CCI-001877,CCI-001878,CCI-001879,CCI-001880,CCI-001881,CCI-001882,CCI-001889,CCI-001914
+    nist@sle12: AU-7(a),AU-7(b),AU-8(b),AU-12.1(iv),AU-12(3),AU-12(c),CM-5(1)
 
 template:
     name: package_installed

linux_os/guide/system/auditing/service_auditd_enabled/rule.yml

@@ -27,6 +27,7 @@ identifiers:
     cce@rhel7: CCE-27407-6
     cce@rhel8: CCE-80872-5
     cce@rhcos4: CCE-82463-1
+    cce@sle12: CCE-83024-0
 
 references:
     stigid@ol7: OL07-00-030000
@@ -47,6 +48,10 @@ references:
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.2.1,A.6.2.2
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
+    stigid@sle12: SLES-12-020010
+    srg@sle12: SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000392-GPOS-00172,SRG-OS-000480-GPOS-00227
+    disa@sle12: CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000135,CCI-000154,CCI-000158,CCI-000366,CCI-001464,CCI-001487,CCI-001876,CCI-002884
+    nist@sle12: AU-3,AU-3(1),AU-3(1).1(ii),AU-3.1,AU-6(4),AU-6(4).1,AU-7(1),AU-7(1).1,AU-7(a),AU-14(1),AU-14(1).1,CM-6(b),CM-6.1(iv),MA-4(1)(a)
 
 ocil: '{{{ ocil_service_enabled(service="auditd") }}}'
 

shared/checks/oval/installed_env_has_login_defs.xml

@@ -17,11 +17,15 @@
 {{% if pkg_system == "rpm" %}}
   <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
   id="test_env_has_login_defs_installed" version="1"
+  {{% if product == "sle12" %}}
+  comment="system has package shadow installed, which provides the /etc/login.defs file.">
+  {{% else %}}
   comment="system has package shadow-utils installed, which provides the /etc/login.defs file.">
+  {{% endif %}}
     <linux:object object_ref="obj_env_has_login_defs_installed" />
   </linux:rpminfo_test>
   <linux:rpminfo_object id="obj_env_has_login_defs_installed" version="1">
-    <linux:name>shadow-utils</linux:name>
+    <linux:name>{{% if product == "sle12" %}}shadow{{% else %}}shadow-utils{{% endif %}}</linux:name>
   </linux:rpminfo_object>
 {{% elif pkg_system == "dpkg" %}}
   <linux:dpkginfo_test check="all" check_existence="all_exist"

shared/templates/service_disabled/bash.template

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_sle
 # reboot = false
 # strategy = disable
 # complexity = low

shared/templates/service_enabled/bash.template

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
 # reboot = false
 # strategy = enable
 # complexity = low

sle12/product.yml

@@ -21,3 +21,6 @@ cpes:
       name: "cpe:/o:suse:linux_enterprise_desktop:12"
       title: "SUSE Linux Enterprise Desktop 12"
       check_id: installed_OS_is_sle12
+
+platform_package_overrides:
+  login_defs: "shadow"

sle12/profiles/stig.profile

@@ -7,13 +7,24 @@ description: |-
     DISA STIG for SUSE Linux Enterprise 12 V1R2.
 
 selections:
+    - var_accounts_fail_delay=4
     - installed_OS_is_vendor_supported
     - security_patches_up_to_date
     - sudo_remove_nopasswd
     - sudo_remove_no_authenticate
     - sshd_disable_empty_passwords
     - sshd_do_not_permit_user_env
+    - disable_ctrlaltdel_reboot
     - sshd_enable_x11_forwarding
     - gnome_gdm_disable_automatic_login
     - no_user_host_based_files
     - postfix_client_configure_mail_alias
+    - accounts_logon_fail_delay 
+    - no_host_based_files
+    - banner_etc_motd
+    - accounts_no_uid_except_zero
+    - no_user_host_based_files
+    - no_user_host_based_files
+    - package_audit_installed
+    - service_auditd_enabled
+    - auditd_data_retention_space_left