Merge pull request #12329 from svet-se/slmicro5-stig-add-integrity-an…

…d-auditing-rules-support

Slmicro5 stig add integrity and auditing rules support

controls/stig_slmicro5.yml

@@ -846,24 +846,28 @@ controls:
       levels:
           - medium
       title: SLEM 5 must not have unnecessary accounts.
-      rules: []
-      status: pending
+      rules:
+          - accounts_authorized_local_users
+          - var_accounts_authorized_local_users_regex=slmicro5
+      status: automated
 
     - id: SLEM-05-411060
       levels:
           - medium
       title: SLEM 5 must not have unnecessary account capabilities.
-      rules: []
-      status: pending
+      rules:
+          - no_shelllogin_for_systemaccounts
+      status: automated
 
     - id: SLEM-05-411065
       levels:
           - high
       title:
           SLEM 5 root account must be the only account with unrestricted access to
           the system.
-      rules: []
-      status: pending
+      rules:
+          - accounts_no_uid_except_zero
+      status: automated
 
     - id: SLEM-05-411070
       levels:
@@ -888,8 +892,9 @@ controls:
       title:
           SLEM 5 must display the date and time of the last successful account logon
           upon logon.
-      rules: []
-      status: pending
+      rules:
+          - display_login_attempts
+      status: automated
 
     - id: SLEM-05-412015
       levels:
@@ -980,8 +985,9 @@ controls:
       title:
           SLEM 5 must use the invoking user's password for privilege escalation when
           using "sudo".
-      rules: []
-      status: pending
+      rules:
+          - sudoers_validate_passwd
+      status: automated
 
     - id: SLEM-05-432015
       levels:
@@ -1016,8 +1022,9 @@ controls:
       title:
           SLEM 5 must specify the default "include" directory for the /etc/sudoers
           file.
-      rules: []
-      status: pending
+      rules:
+          - sudoers_default_includedir
+      status: automated
 
     - id: SLEM-05-611010
       levels:
@@ -1051,8 +1058,10 @@ controls:
       levels:
           - medium
       title: SLEM 5 must prevent the use of dictionary words for passwords.
-      rules: []
-      status: pending
+      rules:
+          - cracklib_accounts_password_pam_retry
+          - var_password_pam_retry=3
+      status: automated
 
     - id: SLEM-05-611035
       levels:
@@ -1844,22 +1853,25 @@ controls:
       levels:
           - medium
       title: SLEM 5 must generate audit records for the "/run/utmp file".
-      rules: []
-      status: pending
+      rules:
+          - audit_rules_session_events_utmp
+      status: automated
 
     - id: SLEM-05-654235
       levels:
           - medium
       title: SLEM 5 must generate audit records for the "/var/log/btmp" file.
-      rules: []
-      status: pending
+      rules:
+          - audit_rules_session_events_btmp
+      status: automated
 
     - id: SLEM-05-654240
       levels:
           - medium
       title: SLEM 5 must generate audit records for the "/var/log/wtmp" file.
-      rules: []
-      status: pending
+      rules:
+          - audit_rules_session_events_wtmp
+      status: automated
 
     - id: SLEM-05-654245
       levels:

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro
 # reboot = true
 # strategy = restrict
 # complexity = low

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/var/log/btmp", "wa", "session") }}}

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/rule.yml

@@ -25,6 +25,7 @@ severity: medium
 
 identifiers:
     cce@sle15: CCE-85758-1
+    cce@slmicro5: CCE-93725-0
 
 references:
     disa: CCI-000172

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro
 # reboot = true
 # strategy = restrict
 # complexity = low

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/run/utmp", "wa", "session") }}}

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml

@@ -25,6 +25,7 @@ severity: medium
 
 identifiers:
     cce@sle15: CCE-85714-4
+    cce@slmicro5: CCE-93723-5
 
 references:
     disa: CCI-000172

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro
 # reboot = true
 # strategy = restrict
 # complexity = low

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 # Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
 {{{ bash_fix_audit_watch_rule("auditctl", "/var/log/wtmp", "wa", "session") }}}

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml

@@ -25,6 +25,7 @@ severity: medium
 
 identifiers:
     cce@sle15: CCE-85757-3
+    cce@slmicro5: CCE-93724-3
 
 references:
     disa: CCI-000172

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/ansible/shared.yml

@@ -1,18 +1,18 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,Red Hat Virtualization 4
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,Red Hat Virtualization 4
 # reboot = false
 # strategy = configure
 # complexity = low
 # disruption = low
 
-{{%- if "sle" in product or "ubuntu" in product %}}
+{{%- if "sle" in product or "slmicro" in product or "ubuntu" in product %}}
 {{%- set pam_lastlog_path = "/etc/pam.d/login" %}}
 {{%- set after_match = "^\s*session.*include\s+common-session$" %}}
 {{%- else %}}
 {{%- set pam_lastlog_path = "/etc/pam.d/postlogin" %}}
 {{%- set after_match = "^\s*session\s+.*pam_succeed_if\.so.*" %}}
 {{%- endif %}}
 
-{{%- if "ol" in product or "ubuntu" in product %}}
+{{%- if "ol" in product or "slmicro" in product or "ubuntu" in product %}}
 {{%- set control = "required" %}}
 {{%- elif "sle" in product %}}
 {{%- set control = "optional" %}}

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/bash/shared.sh

@@ -1,14 +1,14 @@
-# platform = multi_platform_sle,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_slmicro,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_ubuntu
 
-{{%- if "sle" in product or "ubuntu" in product %}}
+{{%- if "sle" in product or "slmicro" in product or "ubuntu" in product %}}
 {{%- set pam_lastlog_path = "/etc/pam.d/login" %}}
 {{%- set after_match = "^\s*session.*include\s+common-session$" %}}
 {{%- else %}}
 {{%- set pam_lastlog_path = "/etc/pam.d/postlogin" %}}
 {{%- set after_match = "^\s*session\s+.*pam_succeed_if\.so.*" %}}
 {{%- endif %}}
 
-{{%- if "ol" in product or "ubuntu" in product %}}
+{{%- if "ol" in product or "slmicro" in product or "ubuntu" in product %}}
 {{%- set control = "required" %}}
 {{%- elif "sle" in product %}}
 {{%- set control = "optional" %}}

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/oval/shared.xml

@@ -1,4 +1,4 @@
-{{%- if "sle" in product or "ubuntu" in product %}}
+{{%- if "sle" in product or "slmicro" in product or "ubuntu" in product %}}
 {{% set pam_lastlog_path = "/etc/pam.d/login" %}}
 {{% else %}}
 {{% set pam_lastlog_path = "/etc/pam.d/postlogin" %}}

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml

@@ -1,10 +1,10 @@
-{{%- if "sle" in product or "ubuntu" in product %}}
+{{%- if "sle" in product or "slmicro" in product or "ubuntu" in product %}}
 {{%- set pam_lastlog_path = "/etc/pam.d/login" %}}
 {{%- else %}}
 {{%- set pam_lastlog_path = "/etc/pam.d/postlogin" %}}
 {{%- endif %}}
 
-{{%- if "ol" in product or "ubuntu" in product %}}
+{{%- if "ol" in product or "slmicro" in product or "ubuntu" in product %}}
 {{%- set control = "required" %}}
 {{%- elif "sle" in product %}}
 {{%- set control = "optional" %}}
@@ -37,6 +37,7 @@ identifiers:
     cce@rhel10: CCE-88650-7
     cce@sle12: CCE-83149-5
     cce@sle15: CCE-85560-1
+    cce@slmicro5: CCE-93730-0
 
 references:
     cis-csc: 1,12,15,16

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/commented_line.fail.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
-# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,Oracle Linux 7
 
-{{%- if "sle" in product or "ubuntu" in product %}}
+{{%- if "sle" in product or "slmicro" in product or "ubuntu" in product %}}
 {{% set pam_lastlog_path = "/etc/pam.d/login" %}}
 {{% else %}}
 {{% set pam_lastlog_path = "/etc/pam.d/postlogin" %}}

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/correct_value.pass.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 # platform = multi_platform_all
 
-{{%- if "sle" in product or "ubuntu" in product %}}
+{{%- if "sle" in product or "slmicro" in product or "ubuntu" in product %}}
 {{% set pam_lastlog_path = "/etc/pam.d/login" %}}
 {{% else %}}
 {{% set pam_lastlog_path = "/etc/pam.d/postlogin" %}}

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/no_silent_all.pass.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 # platform = multi_platform_all
 
-{{%- if "sle" in product or "ubuntu" in product %}}
+{{%- if "sle" in product or "slmicro" in product or "ubuntu" in product %}}
 {{% set pam_lastlog_path = "/etc/pam.d/login" %}}
 {{% else %}}
 {{% set pam_lastlog_path = "/etc/pam.d/postlogin" %}}

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/no_space_before_showfailed.fail.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
-# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,Oracle Linux 7
 
-{{%- if "sle" in product or "ubuntu" in product %}}
+{{%- if "sle" in product or "slmicro" in product or "ubuntu" in product %}}
 {{% set pam_lastlog_path = "/etc/pam.d/login" %}}
 {{% else %}}
 {{% set pam_lastlog_path = "/etc/pam.d/postlogin" %}}

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/no_space_before_silent.pass.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 # platform = multi_platform_all
 
-{{%- if "sle" in product or "ubuntu" in product %}}
+{{%- if "sle" in product or "slmicro" in product or "ubuntu" in product %}}
 {{% set pam_lastlog_path = "/etc/pam.d/login" %}}
 {{% else %}}
 {{% set pam_lastlog_path = "/etc/pam.d/postlogin" %}}

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/silent_present.fail.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
-# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,Oracle Linux 7
 
-{{%- if "sle" in product or "ubuntu" in product %}}
+{{%- if "sle" in product or "slmicro" in product or "ubuntu" in product %}}
 {{% set pam_lastlog_path = "/etc/pam.d/login" %}}
 {{% else %}}
 {{% set pam_lastlog_path = "/etc/pam.d/postlogin" %}}

linux_os/guide/system/accounts/accounts-pam/display_login_attempts/tests/wrong_value.fail.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
-# platform = multi_platform_sle,multi_platform_ubuntu,Oracle Linux 7
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,Oracle Linux 7
 
-{{%- if "sle" in product or "ubuntu" in product %}}
+{{%- if "sle" in product or "slmicro" in product or "ubuntu" in product %}}
 {{% set pam_lastlog_path = "/etc/pam.d/login" %}}
 {{% else %}}
 {{% set pam_lastlog_path = "/etc/pam.d/postlogin" %}}

linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml

@@ -17,6 +17,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83174-3
     cce@sle15: CCE-85575-9
+    cce@slmicro5: CCE-93729-2
 
 references:
     cis@sle12: 5.3.1

linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml

@@ -30,6 +30,7 @@ identifiers:
     cce@rhel10: CCE-88135-9
     cce@sle12: CCE-83195-8
     cce@sle15: CCE-85561-9
+    cce@slmicro5: CCE-93731-8
 
 references:
     disa: CCI-000366
@@ -43,7 +44,7 @@ references:
 
 ocil_clause: 'there are unauthorized local user accounts on the system'
 
-{{% if 'rhel' in product or 'ol' in product %}}
+{{% if 'rhel' in product or 'ol' in product or 'slmicro5' in product %}}
 warnings:
     - general: |-
         Automatic remediation of this control is not available due to the unique

linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml

@@ -28,6 +28,7 @@ identifiers:
     cce@rhel10: CCE-87552-6
     cce@sle12: CCE-83020-8
     cce@sle15: CCE-85664-1
+    cce@slmicro5: CCE-93734-2
 
 references:
     cis-csc: 1,12,13,14,15,16,18,3,5

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml

@@ -71,7 +71,7 @@
   <!-- Get all /etc/passwd entries having shell defined as OVAL object -->
   <ind:textfilecontent54_object id="object_etc_passwd_entries" version="1">
     <ind:filepath>/etc/passwd</ind:filepath>
-{{% if "ubuntu" in product or "sle" in product %}}
+{{% if "ubuntu" in product or "sle" in product or "slmicro" in product %}}
     <ind:pattern operation="pattern match">^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt|\/bin\/false|\/usr\/bin\/false).*$</ind:pattern>
 {{% else %}}
     <ind:pattern operation="pattern match">^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt).*$</ind:pattern>

linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml

@@ -27,6 +27,7 @@ identifiers:
     cce@rhel10: CCE-87448-7
     cce@sle12: CCE-83232-9
     cce@sle15: CCE-85672-4
+    cce@slmicro5: CCE-93732-6
 
 references:
     cis-csc: 1,12,13,14,15,16,18,3,5,7,8

linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var

@@ -30,4 +30,5 @@ options:
     rhel9: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|tss|systemd-coredump|dbus|polkitd|avahi|colord|rtkit|pipewire|clevis|sssd|geoclue|flatpak|setroubleshoot|libstoragemgmt|systemd-oom|gdm|cockpit-ws|cockpit-wsinstance|gnome-initial-setup|sshd|chrony|dnsmasq|tcpdump|admin)$"
     sle12: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc)$"
     sle15: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc|messagebus|nscd|flatpak|srvGeoClue|tftp|wsdd|dnsmasq|usbmux|brltty)$"
+    slmicro5: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc|messagebus|nscd|flatpak|srvGeoClue|tftp|wsdd|dnsmasq|usbmux|brltty|salt|cockpit-ws|cockpit-wsinstance)$"
     default: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|tss|systemd-coredump|dbus|polkitd|avahi|colord|rtkit|pipewire|clevis|sssd|geoclue|flatpak|setroubleshoot|libstoragemgmt|systemd-oom|gdm|cockpit-ws|cockpit-wsinstance|gnome-initial-setup|sshd|chrony|dnsmasq|tcpdump|admin)$"

linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml

@@ -27,6 +27,7 @@ identifiers:
     cce@rhel9: CCE-86477-7
     cce@sle12: CCE-83255-0
     cce@sle15: CCE-91151-1
+    cce@slmicro5: CCE-93733-4
 
 references:
     disa: CCI-000366

linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml

@@ -29,6 +29,7 @@ identifiers:
     cce@rhel10: CCE-88855-2
     cce@sle12: CCE-83230-3
     cce@sle15: CCE-85747-4
+    cce@slmicro5: CCE-93735-9
 
 references:
     disa: CCI-000366,CCI-002227

linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.pass.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15,multi_platform_slmicro
 # packages = sudo
 
 echo 'Defaults !targetpw' >> /etc/sudoers

linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15,multi_platform_slmicro
 # packages = sudo
 
 touch /etc/sudoers.d/empty

linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15,multi_platform_slmicro
 # packages = sudo
 
 echo 'Defaults !targetpw' >> /etc/sudoers