Merge pull request #12332 from svet-se/slmicro5-stig-add-accounts-and…

…-integrity-rules-support Slmicro5 stig add accounts and integrity rules support
ComplianceAsCode · Aug 27, 2024 · 6a1c4f6 · 6a1c4f6
2 parents d507b7a + f7d6705
commit 6a1c4f6
Show file tree

Hide file tree

Showing 17 changed files with 40 additions and 39 deletions.
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
@@ -127,15 +127,17 @@ controls:
       levels:
           - medium
       title: SLEM 5 must use vlock to allow for session locking.
-      rules: []
-      status: pending
+      rules:
+          - vlock_installed
+      status: automated
 
     - id: SLEM-05-215015
       levels:
           - high
       title: SLEM 5 must not have the telnet-server package installed.
-      rules: []
-      status: pending
+      rules:
+          - package_telnet-server_removed
+      status: automated
 
     - id: SLEM-05-231010
       levels:
@@ -275,8 +277,9 @@ controls:
       levels:
           - medium
       title: SLEM 5 SSH daemon private host key files must have mode 640 or less permissive.
-      rules: []
-      status: pending
+      rules:
+          - file_permissions_sshd_private_key
+      status: automated
 
     - id: SLEM-05-232050
       levels:
@@ -430,8 +433,9 @@ controls:
       title:
           SLEM 5 must not have network interfaces in promiscuous mode unless approved
           and documented.
-      rules: []
-      status: pending
+      rules:
+          - network_sniffer_disabled
+      status: automated
 
     - id: SLEM-05-253010
       levels:
@@ -751,8 +755,9 @@ controls:
       title:
           SLEM 5 must not allow unattended or automatic logon via the graphical user
           interface (GUI).
-      rules: []
-      status: pending
+      rules:
+          - gnome_gdm_disable_unattended_automatic_login
+      status: automated
 
     - id: SLEM-05-291010
       levels:
@@ -784,8 +789,9 @@ controls:
       title:
           SLEM 5 default permissions must be defined in such a way that all authenticated
           users can only read and modify their own files.
-      rules: []
-      status: pending
+      rules:
+          - accounts_umask_etc_login_defs
+      status: automated
 
     - id: SLEM-05-411020
       levels:
@@ -1265,8 +1271,9 @@ controls:
       title:
           SLEM 5 must be configured to not overwrite Pluggable Authentication Modules
           (PAM) configuration on package changes.
-      rules: []
-      status: pending
+      rules:
+          - pam_disable_automatic_configuration
+      status: automated
 
     - id: SLEM-05-651010
       levels:
@@ -1340,8 +1347,9 @@ controls:
       levels:
           - medium
       title: SLEM 5 must have the auditing package installed.
-      rules: []
-      status: pending
+      rules:
+          - package_audit_installed
+      status: automated
 
     - id: SLEM-05-653015
       levels:

diff --git a/linux_os/guide/auditing/package_audit_installed/rule.yml b/linux_os/guide/auditing/package_audit_installed/rule.yml
@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-88240-7
     cce@sle12: CCE-83023-2
     cce@sle15: CCE-85612-0
+    cce@slmicro5: CCE-93756-5
 
 references:
     cis@sle12: 4.1.1.1

diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/ansible/shared.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/ansible/shared.yml
@@ -7,7 +7,7 @@
 {{% set find_command_base = 'find -H /etc/ssh/ -maxdepth 1 -user root -regex ".*_key$" -type f' %}}
 {{% set dedicated_ssh_groupname = groups.get("dedicated_ssh_keyowner", {}).get("name") %}}
 
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] %}}
 {{% set find_command_permissions = 'u+xs,g+xws,o+xwrt' %}}
 {{% set permissions_mode = 'u-xs,g-xws,o-xwrt' %}}
 {{% else %}}

diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/bash/shared.sh b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/bash/shared.sh
@@ -8,7 +8,7 @@ test root:{{{ groupname }}} = "$(stat -c "%U:%G" "$keyfile")"
 for keyfile in /etc/ssh/*_key; do
     test -f "$keyfile" || continue
     if {{{ keyfile_owned_by("root") }}}; then
-    {{% if product in ["sle12", "sle15"] %}}
+    {{% if product in ["sle12", "sle15", "slmicro5"] %}}
 	chmod u-xs,g-xws,o-xwrt "$keyfile"
     {{% else %}}
 	chmod u-xs,g-xwrs,o-xwrt "$keyfile"

diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/oval/shared.xml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/oval/shared.xml
@@ -59,7 +59,7 @@
       {{# intentionally not considered: <unix:uwrite datatype="boolean">true</unix:uwrite> #}}
       <unix:uexec datatype="boolean">false</unix:uexec>
 
-      {{% if product in ["sle12", "sle15"] -%}}
+      {{% if product in ["sle12", "sle15", "slmicro5"] -%}}
       {{# intentionally not considered: <unix:gread datatype="boolean">true</unix:gread> #}}
       {{%- else %}}
       <unix:gread datatype="boolean">false</unix:gread>

diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
@@ -4,7 +4,7 @@ title: 'Verify Permissions on SSH Server Private *_key Key Files'
 
 {{% set dedicated_ssh_groupname = groups.get("dedicated_ssh_keyowner", {}).get("name") %}}
 
-{{% if product in ["rhcos4", "sle12", "sle15"] %}}
+{{% if product in ["rhcos4", "sle12", "sle15", "slmicro5"] %}}
 {{# CoreOS is special - it is immutable, so it is more predictable, and it uses the dedicated group as key owner by default #}}
 {{% set perms = "-rw-r-----" %}}
 {{% set perms_num = "0640" %}}
@@ -32,6 +32,7 @@ identifiers:
     cce@rhel10: CCE-88018-7
     cce@sle12: CCE-83058-8
     cce@sle15: CCE-85644-3
+    cce@slmicro5: CCE-93751-6
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5

diff --git a/...guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml b/...guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/..._os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh b/..._os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro
 
 {{% call iterate_over_find_output("link", '/etc/pam.d/ -type l -iname "common-*"') -%}}
 target=$(readlink -f "$link")

diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml
@@ -20,6 +20,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83113-1
     cce@sle15: CCE-85641-9
+    cce@slmicro5: CCE-93750-8
 
 references:
     disa: CCI-000366

diff --git a/...accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml b/...accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml
@@ -31,6 +31,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83009-1
     cce@sle15: CCE-83268-3
+    cce@slmicro5: CCE-93755-7
 
 references:
     disa: CCI-000056,CCI-000057,CCI-000058,CCI-000060

diff --git a/.../guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/.../guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@rhel10: CCE-89314-9
     cce@sle12: CCE-83052-1
     cce@sle15: CCE-85659-1
+    cce@slmicro5: CCE-93753-2
 
 references:
     cis-csc: 11,18,3,9

diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
@@ -31,6 +31,7 @@ identifiers:
     cce@rhel10: CCE-88985-7
     cce@sle12: CCE-83147-9
     cce@sle15: CCE-85656-7
+    cce@slmicro5: CCE-93752-4
 
 references:
     cis-csc: 1,11,14,3,9

diff --git a/.../gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/ansible/shared.yml b/.../gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = unknown
 # complexity = low

diff --git a/...ware/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/bash/shared.sh b/...ware/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro
 
 if ! (sed -n '/^DISPLAYMANAGER_AUTOLOGIN=\"\"/p' /etc/sysconfig/displaymanager)
 then

diff --git a/...m/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml b/...m/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml
@@ -22,6 +22,7 @@ severity: high
 identifiers:
     cce@sle12: CCE-83245-1
     cce@sle15: CCE-85723-5
+    cce@slmicro5: CCE-93754-0
 
 references:
     disa: CCI-000366

diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
@@ -19,22 +19,8 @@ CCE-93712-8
 CCE-93721-9
 CCE-93722-7
 CCE-93726-8
-CCE-93727-6
-CCE-93728-4
-CCE-93736-7
-CCE-93737-5
-CCE-93738-3
-CCE-93739-1
 CCE-93743-3
-CCE-93750-8
-CCE-93751-6
-CCE-93752-4
-CCE-93753-2
-CCE-93754-0
-CCE-93755-7
-CCE-93756-5
 CCE-93757-3
-CCE-93759-9
 CCE-93760-7
 CCE-93762-3
 CCE-93763-1

diff --git a/shared/templates/package_installed/bash.template b/shared/templates/package_installed/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_slmicro,multi_platform_debian
 # reboot = false
 # strategy = enable
 # complexity = low