Merge pull request #12295 from svet-se/slmicro5-stig-add-accounts-and…

…-auditing-rules-support Slmicro5 stig add accounts and auditing rules support
ComplianceAsCode · Aug 20, 2024 · bcf8dae · bcf8dae
2 parents d484bc7 + e778622
commit bcf8dae
Show file tree

Hide file tree

Showing 31 changed files with 109 additions and 55 deletions.
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
@@ -1063,8 +1063,9 @@ controls:
       title:
           SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to
           only store encrypted representations of passwords.
-      rules: []
-      status: pending
+      rules:
+          - set_password_hashing_algorithm_systemauth
+      status: automated
 
     - id: SLEM-05-611055
       levels:
@@ -1087,15 +1088,19 @@ controls:
       title:
           SLEM 5 must employ user passwords with a minimum lifetime of 24 hours (one
           day).
-      rules: []
-      status: pending
+      rules:
+          - accounts_password_set_min_life_existing
+          - var_accounts_minimum_age_login_defs=1
+      status: automated
 
     - id: SLEM-05-611070
       levels:
           - medium
       title: SLEM 5 must employ user passwords with a maximum lifetime of 60 days.
-      rules: []
-      status: pending
+      rules:
+          - accounts_password_set_max_life_existing
+          - var_accounts_maximum_age_login_defs=60
+      status: automated
 
     - id: SLEM-05-611075
       levels:
@@ -1119,8 +1124,9 @@ controls:
       title:
           SLEM 5 shadow password suite must be configured to use a sufficient number
           of hashing rounds.
-      rules: []
-      status: pending
+      rules:
+          - set_password_hashing_min_rounds_logindefs
+      status: automated
 
     - id: SLEM-05-611090
       levels:
@@ -1137,26 +1143,29 @@ controls:
       title:
           SLEM 5 must be configured to create or update passwords with a minimum lifetime
           of 24 hours (one day).
-      rules: []
-      status: pending
+      rules:
+          - accounts_minimum_age_login_defs
+      status: automated
 
     - id: SLEM-05-611100
       levels:
           - medium
       title:
           SLEM 5 must be configured to create or update passwords with a maximum lifetime
           of 60 days.
-      rules: []
-      status: pending
+      rules:
+          - accounts_maximum_age_login_defs
+      status: automated
 
     - id: SLEM-05-612010
       levels:
           - medium
       title:
           SLEM 5 must have the packages required for multifactor authentication to
           be installed.
-      rules: []
-      status: pending
+      rules:
+          - install_smartcard_packages
+      status: automated
 
     - id: SLEM-05-612015
       levels:
@@ -1199,8 +1208,9 @@ controls:
           SLEM 5, for PKI-based authentication, must validate certificates by constructing
           a certification path (which includes status information) to an accepted trust
           anchor.
-      rules: []
-      status: pending
+      rules:
+          - smartcard_configure_ca
+      status: automated
 
     - id: SLEM-05-631025
       levels:
@@ -1328,8 +1338,9 @@ controls:
       title:
           SLEM 5 audit system must take appropriate action when the audit storage volume
           is full.
-      rules: []
-      status: pending
+      rules:
+          - auditd_data_disk_full_action
+      status: automated
 
     - id: SLEM-05-653040
       levels:
@@ -1397,17 +1408,19 @@ controls:
           The information system security officer (ISSO) and system administrator (SA),
           at a minimum, must have mail aliases to be notified of a SLEM 5 audit processing
           failure.
-      rules: []
-      status: pending
+      rules:
+          - postfix_client_configure_mail_alias
+      status: automated
 
     - id: SLEM-05-653080
       levels:
           - medium
       title:
           The information system security officer (ISSO) and system administrator (SA),
           at a minimum, must be alerted of a SLEM 5 audit processing failure event.
-      rules: []
-      status: pending
+      rules:
+          - auditd_data_retention_action_mail_acct
+      status: automated
 
     - id: SLEM-05-654010
       levels:

diff --git a/.../auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml b/.../auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...uide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh b/...uide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 {{{ bash_instantiate_variables("var_auditd_disk_full_action") }}}
 

diff --git a/...x_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/...x_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
@@ -31,6 +31,7 @@ identifiers:
     cce@rhel10: CCE-88198-7
     cce@sle12: CCE-83032-3
     cce@sle15: CCE-85606-2
+    cce@slmicro5: CCE-93679-9
 
 references:
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8

diff --git a/...configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml b/...configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...ing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh b/...ing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 {{{ bash_instantiate_variables("var_auditd_action_mail_acct") }}}
 

diff --git a/.../auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/.../auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
@@ -22,6 +22,7 @@ identifiers:
     cce@rhel10: CCE-89081-4
     cce@sle12: CCE-83030-7
     cce@sle15: CCE-85604-7
+    cce@slmicro5: CCE-93677-3
 
 references:
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8

diff --git a/...guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml b/...guide/services/mail/postfix_client/postfix_client_configure_mail_alias/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_debian
+# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_debian
 # reboot = false
 # strategy = configure
 # complexity = low

diff --git a/..._os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh b/..._os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_debian
+# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_debian
 
 {{{ bash_instantiate_variables("var_postfix_root_mail_alias") }}}
 

diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-87937-9
     cce@sle12: CCE-83031-5
     cce@sle15: CCE-85605-4
+    cce@slmicro5: CCE-93678-1
 
 references:
     disa: CCI-000139,CCI-000366

diff --git a/...t_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/ansible/shared.yml b/...t_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/ansible/shared.yml
@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = medium
 
-{{% if product in ["sle15", "sle12"] -%}}
+{{% if product in ["sle15", "sle12", "slmicro5"] -%}}
 {{%- set pam_file="/etc/pam.d/common-password" %}}
 {{%- set control="required" %}}
 {{%- else -%}}

diff --git a/...m/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh b/...m/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/bash/shared.sh
@@ -2,7 +2,7 @@
 
 {{{ bash_instantiate_variables("var_password_hashing_algorithm_pam") }}}
 
-{{% if 'sle' in product -%}}
+{{% if 'sle' in product or 'slmicro' in product -%}}
 PAM_FILE_PATH="/etc/pam.d/common-password"
 CONTROL="required"
 {{%- elif 'ubuntu' in product -%}}

diff --git a/.../set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/.../set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
@@ -6,7 +6,7 @@
     </criteria>
   </definition>
 
-  {{% if product in ['sle12', 'sle15'] %}}
+  {{% if product in ['sle12', 'sle15', 'slmicro5'] %}}
     {{% set pam_file = "/etc/pam.d/common-password" %}}
     {{% set line_pattern = "^[\s]*password[\s]+(?:(?:required))[\s]+pam_unix\.so[\s]+" %}}
   {{% elif 'ubuntu' in product %}}

diff --git a/...nts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/...nts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 title: "Set PAM''s Password Hashing Algorithm"
 
-{{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] or 'ubuntu' in product %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/common-password" %}}
 {{% else %}}
 {{% set pam_passwd_file_path = "/etc/pam.d/system-auth" %}}
@@ -17,7 +17,7 @@ description: |-
     <tt>{{{ xccdf_value("var_password_hashing_algorithm_pam") }}}</tt> and no other hashing
     algorithms as shown below:
     <br />
-    {{% if product in ["sle12", "sle15"] %}}
+    {{% if product in ["sle12", "sle15", "slmicro5"] %}}
     <pre>password    required    pam_unix.so {{{ xccdf_value("var_password_hashing_algorithm_pam") }}} <i>other arguments...</i></pre>
     {{% elif 'ubuntu' in product %}}
     <pre>password    [success=1 default=ignore]   pam_unix.so {{{ xccdf_value("var_password_hashing_algorithm_pam") }}} <i>other arguments...</i></pre>
@@ -47,6 +47,7 @@ identifiers:
     cce@rhel10: CCE-88697-8
     cce@sle12: CCE-83184-2
     cce@sle15: CCE-85565-0
+    cce@slmicro5: CCE-93681-5
 
 references:
     cis-csc: 1,12,15,16,5
@@ -77,7 +78,7 @@ ocil: |-
     <tt>{{{ xccdf_value("var_password_hashing_algorithm_pam") }}}</tt>:
 
     <pre>$ sudo grep "^password.*pam_unix\.so.*{{{ xccdf_value("var_password_hashing_algorithm_pam") }}}" {{{ pam_passwd_file_path }}}
-    {{% if product in ["sle12", "sle15"] -%}}
+    {{% if product in ["sle12", "sle15", "slmicro5"] -%}}
     password required pam_unix.so {{{ xccdf_value("var_password_hashing_algorithm_pam") }}}
     {{% elif 'ubuntu' in product %}}
     password [success=1 default=ignore] pam_unix.so {{{ xccdf_value("var_password_hashing_algorithm_pam") }}}
@@ -97,7 +98,7 @@ fixtext: |-
 
     Edit/modify the following line in the "{{{ pam_passwd_file_path }}}" file to include the {{{ xccdf_value("var_password_hashing_algorithm_pam") }}}
     option for pam_unix.so:
-    {{% if product in ['sle12', 'sle15'] -%}}
+    {{% if product in ['sle12', 'sle15', 'slmicro5'] -%}}
     password required pam_unix.so {{{ xccdf_value("var_password_hashing_algorithm_pam") }}}
     {{% elif 'ubuntu' in product %}}
     password [success=1 default=ignore] pam_unix.so {{{ xccdf_value("var_password_hashing_algorithm_pam") }}}

diff --git a/...nts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml b/...nts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml
@@ -29,6 +29,7 @@ identifiers:
     cce@rhel10: CCE-90508-3
     cce@sle12: CCE-83171-9
     cce@sle15: CCE-85567-6
+    cce@slmicro5: CCE-93682-3
 
 references:
     disa: CCI-000196,CCI-000803

diff --git a/...-physical/screen_locking/smart_card_login/install_smartcard_packages/ansible/slmicro5.yml b/...-physical/screen_locking/smart_card_login/install_smartcard_packages/ansible/slmicro5.yml
@@ -0,0 +1,22 @@
+# platform = multi_platform_slmicro
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+
+- name: Set smartcard packages fact
+  set_fact:
+    smartcard_packages:
+      - pam_pkcs11
+      - mozilla-nss
+      - mozilla-nss-tools
+      - pcsc-ccid
+      - pcsc-lite
+      - pcsc-tools
+      - opensc
+      - coolkey
+
+- name: Ensure {{ smartcard_packages }} are installed
+  package:
+    name: "{{ smartcard_packages }}"
+    state: present
diff --git a/...unts-physical/screen_locking/smart_card_login/install_smartcard_packages/bash/slmicro5.sh b/...unts-physical/screen_locking/smart_card_login/install_smartcard_packages/bash/slmicro5.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_slmicro
+# reboot = false
+# strategy = enable
+# complexity = low
+# disruption = low
+
+SMARTCARD_PACKAGES=( "pam_pkcs11"  "mozilla-nss"  "mozilla-nss-tools"  "pcsc-ccid"  "pcsc-lite"  "pcsc-tools"  "opensc" "coolkey")
+
+for PKGNAME in "${SMARTCARD_PACKAGES[@]}"
+do
+    {{{ bash_package_install(package="$PKGNAME") }}}
+done
diff --git a/...ounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml b/...ounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in ["sle12"] %}}
+{{% if product in ["sle12", "slmicro5"] %}}
 {{% set smartcard_packages = ['pam_pkcs11', 'mozilla-nss', 'mozilla-nss-tools', 'pcsc-ccid', 'pcsc-lite', 'pcsc-tools', 'opensc', 'coolkey'] %}}
 {{% elif product in ["sle15"] %}}
 {{% set smartcard_packages = ['pam_pkcs11', 'mozilla-nss', 'mozilla-nss-tools', 'pcsc-ccid', 'pcsc-lite', 'pcsc-tools', 'opensc'] %}}
@@ -13,7 +13,7 @@
 <def-group>
   <definition class="compliance" id="install_smartcard_packages"
   version="1">
-    {{{ oval_metadata("The " + pkg_system|upper + " packages " + smartcard_packages|join(',') + " should be installed.", affected_platforms=["multi_platform_sle"]) }}}
+    {{{ oval_metadata("The " + pkg_system|upper + " packages " + smartcard_packages|join(',') + " should be installed.", affected_platforms=["multi_platform_sle", "multi_platform_slmicro"]) }}}
     <criteria operator="AND" comment="Make sure all smartcard packages are installed">
 {{% for pkg in smartcard_packages %}}
       <criterion comment="package {{{ pkg }}} is installed"

diff --git a/...nts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/...nts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
@@ -1,4 +1,4 @@
-{{% if product in ["sle12"] %}}
+{{% if product in ["sle12", "slmicro5"] %}}
 {{% set smartcard_packages = ['pam_pkcs11', 'mozilla-nss', 'mozilla-nss-tools', 'pcsc-ccid', 'pcsc-lite', 'pcsc-tools', 'opensc', 'coolkey'] %}}
 {{% elif product in ["sle15"] %}}
 {{% set smartcard_packages = ['pam_pkcs11', 'mozilla-nss', 'mozilla-nss-tools', 'pcsc-ccid', 'pcsc-lite', 'pcsc-tools', 'opensc'] %}}
@@ -44,6 +44,7 @@ identifiers:
     cce@rhel10: CCE-86642-6
     cce@sle12: CCE-83177-6
     cce@sle15: CCE-83292-3
+    cce@slmicro5: CCE-93761-5
 
 references:
     disa: CCI-000765,CCI-001948,CCI-001953,CCI-001954
@@ -66,7 +67,7 @@ ocil: |-
     {{{ ocil_package(package=pkg) }}}
     {{% endfor %}}
 
-{{% if product not in ["sle12", "sle15"] %}}
+{{% if product not in ["sle12", "sle15", "slmicro5"] %}}
 template:
     name: package_installed
     vars:

diff --git a/...counts-physical/screen_locking/smart_card_login/smartcard_configure_ca/ansible/shared.yml b/...counts-physical/screen_locking/smart_card_login/smartcard_configure_ca/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...ogin/smartcard_configure_ca/bash/sle15.sh → ...gin/smartcard_configure_ca/bash/shared.sh b/...ogin/smartcard_configure_ca/bash/sle15.sh → ...gin/smartcard_configure_ca/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro
 
 if rpm -qa pam_pkcs11; then
     if grep "^\s*cert_policy" /etc/pam_pkcs11/pam_pkcs11.conf | grep -q "ca"; then

diff --git a/...ccounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_ca/rule.yml b/...ccounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_ca/rule.yml
@@ -26,6 +26,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83198-2
     cce@sle15: CCE-83272-5
+    cce@slmicro5: CCE-93680-7
 
 references:
     disa: CCI-000185,CCI-001991

diff --git a/...ounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml b/...ounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_debian
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_debian
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...counts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/...counts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -30,6 +30,7 @@ identifiers:
     cce@rhel10: CCE-87961-9
     cce@sle12: CCE-83050-5
     cce@sle15: CCE-85570-0
+    cce@slmicro5: CCE-93685-6
 
 references:
     cis-csc: 1,12,15,16,5

diff --git a/...ounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml b/...ounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...counts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/...counts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
@@ -29,6 +29,7 @@ identifiers:
     cce@rhel10: CCE-89307-3
     cce@sle12: CCE-83042-2
     cce@sle15: CCE-85720-1
+    cce@slmicro5: CCE-93683-1
 
 references:
     cis-csc: 1,12,15,16,5

diff --git a/...strictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml b/...strictions/password_expiration/accounts_password_set_max_life_existing/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_sle,multi_platform_ol
+# platform = multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ol
 # reboot = false
 # strategy = restrict
 # complexity = low