Merge pull request #12265 from svet-se/slmicro5-stig-add-sysctl-based…

…-rules-support Slmicro5 add sysctl based rules support for STIG profile
ComplianceAsCode · Aug 9, 2024 · 05e8617 · 05e8617
2 parents 12411ea + f9a6838
commit 05e8617
Show file tree

Hide file tree

Showing 23 changed files with 76 additions and 57 deletions.
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
@@ -64,8 +64,9 @@ controls:
       levels:
           - medium
       title: SLEM 5 must restrict access to the kernel message buffer.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_kernel_dmesg_restrict
+      status: automated
 
     - id: SLEM-05-213015
       levels:
@@ -80,17 +81,19 @@ controls:
       title:
           Address space layout randomization (ASLR) must be implemented by SLEM 5 to
           protect memory from unauthorized code execution.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_kernel_randomize_va_space
+      status: automated
 
     - id: SLEM-05-213025
       levels:
           - medium
       title:
           SLEM 5 must implement kptr-restrict to prevent the leaking of internal kernel
           addresses.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_kernel_kptr_restrict
+      status: automated
 
     - id: SLEM-05-214010
       levels:
@@ -421,123 +424,137 @@ controls:
       title:
           SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed
           packets.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv4_conf_all_accept_source_route
+      status: automated
 
     - id: SLEM-05-253015
       levels:
           - medium
       title:
           SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed
           packets by default.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv4_conf_default_accept_source_route
+      status: automated
 
     - id: SLEM-05-253020
       levels:
           - medium
       title:
           SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message
           Protocol (ICMP) redirect messages from being accepted.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv4_conf_all_accept_redirects
+      status: automated
 
     - id: SLEM-05-253025
       levels:
           - medium
       title:
           SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4)
           Internet Control Message Protocol (ICMP) redirect messages by default.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv4_conf_default_accept_redirects
+      status: automated
 
     - id: SLEM-05-253030
       levels:
           - medium
       title:
           SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control
           Message Protocol (ICMP) redirects.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv4_conf_all_send_redirects
+      status: automated
 
     - id: SLEM-05-253035
       levels:
           - medium
       title:
           SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4)
           Internet Control Message Protocol (ICMP) redirect messages by default.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv4_conf_default_send_redirects
+      status: automated
 
     - id: SLEM-05-253040
       levels:
           - medium
       title:
           SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding
           unless the system is a router.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv4_ip_forward
+      status: automated
 
     - id: SLEM-05-253045
       levels:
           - medium
       title: SLEM 5 must be configured to use TCP syncookies.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv4_tcp_syncookies
+      status: automated
 
     - id: SLEM-05-254010
       levels:
           - medium
       title:
           SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed
           packets.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv6_conf_all_accept_source_route
+      status: automated
 
     - id: SLEM-05-254015
       levels:
           - medium
       title:
           SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed
           packets by default.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv6_conf_default_accept_source_route
+      status: automated
 
     - id: SLEM-05-254020
       levels:
           - medium
       title:
           SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message
           Protocol (ICMP) redirect messages from being accepted.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv6_conf_all_accept_redirects
+      status: automated
 
     - id: SLEM-05-254025
       levels:
           - medium
       title:
           SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6)
           Internet Control Message Protocol (ICMP) redirect messages by default.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv6_conf_default_accept_redirects
+      status: automated
 
     - id: SLEM-05-254030
       levels:
           - medium
       title:
           SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding
           unless the system is a router.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv6_conf_all_forwarding
+      status: automated
 
     - id: SLEM-05-254035
       levels:
           - medium
       title:
           SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding
           by default unless the system is a router.
-      rules: []
-      status: pending
+      rules:
+          - sysctl_net_ipv6_conf_default_forwarding
+      status: automated
 
     - id: SLEM-05-255010
       levels:

diff --git a/.../network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/.../network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel10: CCE-90083-7
     cce@sle12: CCE-83246-9
     cce@sle15: CCE-85708-6
+    cce@slmicro5: CCE-93635-1
 
 references:
     cis-csc: 11,14,3,9

diff --git a/...twork/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/...twork/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-90450-8
     cce@sle12: CCE-83078-6
     cce@sle15: CCE-85649-2
+    cce@slmicro5: CCE-93630-2
 
 references:
     cis-csc: 1,12,13,14,15,16,18,4,6,8,9

diff --git a/...system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/...system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
@@ -18,6 +18,7 @@ identifiers:
     cce@rhel10: CCE-86882-8
     cce@sle12: CCE-83247-7
     cce@sle15: CCE-85713-6
+    cce@slmicro5: CCE-93640-1
 
 references:
     cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9

diff --git a/...work/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/...work/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -16,6 +16,7 @@ identifiers:
     cce@rhel10: CCE-89486-5
     cce@sle12: CCE-83223-8
     cce@sle15: CCE-85722-7
+    cce@slmicro5: CCE-93636-9
 
 references:
     cis-csc: 11,14,3,9
@@ -33,6 +34,7 @@ references:
     nist-csf: PR.IP-1,PR.PT-3
     nist@sle12: CM-6(b),CM-6.1(iv)
     nist@sle15: CM-6(b),CM-6.1(iv)
+    nist@slmicro5: CM-6(b),CM-6.1(iv)
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol8: OL08-00-040210
     stigid@rhel8: RHEL-08-040210

diff --git a/...k/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/...k/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-89135-8
     cce@sle12: CCE-83227-9
     cce@sle15: CCE-85653-4
+    cce@slmicro5: CCE-93632-8
 
 references:
     cis-csc: 1,12,13,14,15,16,18,4,6,8,9

diff --git a/...em/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml b/...em/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
@@ -15,6 +15,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83248-5
     cce@sle15: CCE-85725-0
+    cce@slmicro5: CCE-93641-9
 
 references:
     disa: CCI-000366

diff --git a/...nel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/...nel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-90409-4
     cce@sle12: CCE-83090-1
     cce@sle15: CCE-85651-8
+    cce@slmicro5: CCE-93633-6
 
 references:
     cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9

diff --git a/.../network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/.../network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-90165-2
     cce@sle12: CCE-83064-6
     cce@sle15: CCE-85648-4
+    cce@slmicro5: CCE-93629-4
 
 references:
     cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9

diff --git a/...network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/...network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel10: CCE-86820-8
     cce@sle12: CCE-83081-0
     cce@sle15: CCE-85652-6
+    cce@slmicro5: CCE-93634-4
 
 references:
     cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9

diff --git a/...work_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/...work_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-88071-6
     cce@sle12: CCE-83079-4
     cce@sle15: CCE-85650-0
+    cce@slmicro5: CCE-93631-0
 
 references:
     cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9

diff --git a/...network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/...network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel10: CCE-88084-9
     cce@sle12: CCE-83179-2
     cce@sle15: CCE-83283-2
+    cce@slmicro5: CCE-93626-0
 
 references:
     cis-csc: 1,12,13,14,15,16,18,2,4,6,7,8,9

diff --git a/...k/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/...k/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-88360-3
     cce@sle12: CCE-83089-3
     cce@sle15: CCE-85655-9
+    cce@slmicro5: CCE-93638-5
 
 references:
     cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9

diff --git a/...twork-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/...twork-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-89177-0
     cce@sle12: CCE-83086-9
     cce@sle15: CCE-85654-2
+    cce@slmicro5: CCE-93637-7
 
 references:
     cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9

diff --git a/...system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/...system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -19,6 +19,7 @@ identifiers:
     cce@rhel10: CCE-87377-8
     cce@sle12: CCE-83088-5
     cce@sle15: CCE-85709-4
+    cce@slmicro5: CCE-93639-3
 
 references:
     cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
@@ -36,6 +37,7 @@ references:
     nist: CM-7(a),CM-7(b),SC-5,CM-6(a),SC-7(a)
     nist-csf: DE.CM-1,PR.DS-4,PR.IP-1,PR.PT-3,PR.PT-4
     nist@sle15: CM-6(b),CM-6.1(iv)
+    nist@slmicro5: CM-6(b),CM-6.1(iv)
     pcidss: Req-1.3.1,Req-1.3.2
     srg: SRG-OS-000480-GPOS-00227
     stigid@ol7: OL07-00-040740

diff --git a/.../permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/.../permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-88686-1
     cce@sle12: CCE-83125-5
     cce@sle15: CCE-83299-8
+    cce@slmicro5: CCE-93627-8
 
 references:
     disa: CCI-002824,CCI-000366

diff --git a/...issions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/...issions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
@@ -21,6 +21,7 @@ identifiers:
     cce@rhel10: CCE-87876-9
     cce@sle12: CCE-83146-1
     cce@sle15: CCE-83300-4
+    cce@slmicro5: CCE-93628-6
 
 references:
     cis@sle12: 1.6.3

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -18,6 +18,7 @@ identifiers:
     cce@rhel10: CCE-89000-4
     cce@sle12: CCE-91565-2
     cce@sle15: CCE-91448-1
+    cce@slmicro5: CCE-93625-2
 
 references:
     cui: 3.1.5

diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
@@ -1,20 +1,3 @@
-CCE-93625-2
-CCE-93626-0
-CCE-93627-8
-CCE-93628-6
-CCE-93629-4
-CCE-93630-2
-CCE-93631-0
-CCE-93632-8
-CCE-93633-6
-CCE-93634-4
-CCE-93635-1
-CCE-93636-9
-CCE-93637-7
-CCE-93638-5
-CCE-93639-3
-CCE-93640-1
-CCE-93641-9
 CCE-93651-8
 CCE-93652-6
 CCE-93653-4

diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
@@ -5,7 +5,7 @@
 # disruption = medium
 
 - name: List /etc/sysctl.d/*.conf files
-{{% if product in ["sle12","sle15"] %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] %}}
   find:
     paths:
       - "/run/sysctl.d/"
@@ -19,7 +19,7 @@
       - "/run/sysctl.d/"
       - "/usr/local/lib/sysctl.d/"
 {{% endif %}}
-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
       - "/usr/lib/sysctl.d/"
 {{% endif %}}
     contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'