Merge pull request #12193 from rumch-se/slmicro5_audit_rules_usergrou…

…p_modification_passwd Add SSH related STIG rule to slmicro5 platform
ComplianceAsCode · Jul 24, 2024 · 597d9ab · 597d9ab
2 parents 6344f25 + 41b28b2
commit 597d9ab
Show file tree

Hide file tree

Showing 13 changed files with 43 additions and 32 deletions.
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
@@ -28,8 +28,9 @@ controls:
   - medium
   title: SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner
     before granting any local or remote connection to the system.
-  rules: []
-  status: pending
+  rules:
+  - sshd_enable_warning_banner
+  status: automated
 - id: SLEM-05-211025
   levels:
   - high
@@ -458,8 +459,10 @@ controls:
   levels:
   - high
   title: SLEM 5 must not allow unattended or automatic logon via SSH.
-  rules: []
-  status: pending
+  rules:
+  - sshd_disable_empty_passwords
+  - sshd_do_not_permit_user_env
+  status: automated
 - id: SLEM-05-255030
   levels:
   - medium
@@ -479,8 +482,9 @@ controls:
   - medium
   title: SLEM 5 SSH daemon must disable forwarded remote X connections for interactive
     users, unless to fulfill documented and validated mission requirements.
-  rules: []
-  status: pending
+  rules:
+  - sshd_disable_x11_forwarding
+  status: automated
 - id: SLEM-05-255045
   levels:
   - high
@@ -507,35 +511,40 @@ controls:
   - medium
   title: SLEM 5 must deny direct logons to the root account using remote access via
     SSH.
-  rules: []
-  status: pending
+  rules:
+  - sshd_disable_root_login
+  status: automated
 - id: SLEM-05-255065
   levels:
   - medium
   title: SLEM 5 must log SSH connection attempts and failures to the server.
-  rules: []
-  status: pending
+  rules:
+  - sshd_set_loglevel_verbose
+  status: automated
 - id: SLEM-05-255070
   levels:
   - medium
   title: SLEM 5 must display the date and time of the last successful account logon
     upon an SSH logon.
-  rules: []
-  status: pending
+  rules:
+  - sshd_print_last_log
+  status: automated
 - id: SLEM-05-255075
   levels:
   - medium
   title: SLEM 5 SSH daemon must be configured to not allow authentication using known
     hosts authentication.
-  rules: []
-  status: pending
+  rules:
+  - sshd_disable_user_known_hosts
+  status: automated
 - id: SLEM-05-255080
   levels:
   - medium
   title: SLEM 5 SSH daemon must perform strict mode checking of home directory configuration
     files.
-  rules: []
-  status: pending
+  rules:
+  - sshd_enable_strictmodes
+  status: automated
 - id: SLEM-05-255085
   levels:
   - medium
@@ -825,8 +834,9 @@ controls:
   levels:
   - high
   title: SLEM 5 must not be configured to allow blank or null passwords.
-  rules: []
-  status: pending
+  rules:
+  - sshd_disable_empty_passwords
+  status: automated
 - id: SLEM-05-611060
   levels:
   - high
@@ -1253,8 +1263,9 @@ controls:
   - medium
   title: SLEM 5 must generate audit records for all account creations, modifications,
     disabling, and termination events that affect /etc/passwd.
-  rules: []
-  status: pending
+  rules:
+  - audit_rules_usergroup_modification_passwd
+  status: automated
 - id: SLEM-05-654145
   levels:
   - medium

diff --git a/.../guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/.../guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -33,6 +33,7 @@ identifiers:
     cce@rhel10: CCE-88286-0
     cce@sle12: CCE-83120-6
     cce@sle15: CCE-85577-5
+    cce@slmicro5: CCE-93656-7
 
 references:
     cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml
@@ -28,6 +28,7 @@ identifiers:
     cce@rhel10: CCE-86753-1
     cce@sle12: CCE-83014-1
     cce@sle15: CCE-85667-4
+    cce@slmicro5: CCE-93650-0
 
 references:
     cis-csc: 11,12,13,14,15,16,18,3,5,9

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
@@ -25,6 +25,7 @@ identifiers:
     cce@rhel10: CCE-89730-6
     cce@sle12: CCE-83035-6
     cce@sle15: CCE-85557-7
+    cce@slmicro5: CCE-93644-3
 
 references:
     cis-csc: 1,11,12,13,14,15,16,18,3,5

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-87313-3
     cce@sle12: CCE-83056-2
     cce@sle15: CCE-85642-7
+    cce@slmicro5: CCE-93646-8
 
 references:
     cis-csc: 11,3,9

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
@@ -30,6 +30,7 @@ identifiers:
     cce@rhel10: CCE-89476-6
     cce@sle12: CCE-91675-9
     cce@sle15: CCE-85707-8
+    cce@slmicro5: CCE-93648-4
 
 references:
     cis@sle12: 5.2.6

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-87395-0
     cce@sle12: CCE-83015-8
     cce@sle15: CCE-85666-6
+    cce@slmicro5: CCE-93649-2
 
 references:
     cis-csc: 11,3,9

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
@@ -26,6 +26,7 @@ identifiers:
     cce@rhel10: CCE-88037-7
     cce@sle12: CCE-83060-4
     cce@sle15: CCE-85645-0
+    cce@slmicro5: CCE-93647-6
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-86539-4
     cce@sle12: CCE-83066-1
     cce@sle15: CCE-83263-4
+    cce@slmicro5: CCE-93642-7
 
 references:
     cis-csc: 1,12,15,16

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-88362-9
     cce@sle12: CCE-83083-6
     cce@sle15: CCE-85563-5
+    cce@slmicro5: CCE-93645-0
 
 references:
     cis-csc: 1,12,15,16

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -26,6 +26,7 @@ identifiers:
     cce@rhel10: CCE-86241-7
     cce@sle12: CCE-83077-8
     cce@sle15: CCE-83270-9
+    cce@slmicro5: CCE-93643-5
 
 references:
     cis@sle12: 5.2.5

diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
@@ -39,21 +39,11 @@ CCE-93638-5
 CCE-93639-3
 CCE-93640-1
 CCE-93641-9
-CCE-93642-7
-CCE-93643-5
-CCE-93644-3
-CCE-93645-0
-CCE-93646-8
-CCE-93647-6
-CCE-93648-4
-CCE-93649-2
-CCE-93650-0
 CCE-93651-8
 CCE-93652-6
 CCE-93653-4
 CCE-93654-2
 CCE-93655-9
-CCE-93656-7
 CCE-93657-5
 CCE-93658-3
 CCE-93659-1
@@ -497,4 +487,4 @@ CCE-94096-5
 CCE-94097-3
 CCE-94098-1
 CCE-94099-9
-CCE-94100-5
+CCE-94100-5
diff --git a/shared/templates/audit_rules_usergroup_modification/ansible.template b/shared/templates/audit_rules_usergroup_modification/ansible.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # reboot = true
 # strategy = restrict
 # complexity = low