Slmicro5 stig add accounts and services rules support

controls/stig_slmicro5.yml

@@ -372,15 +372,17 @@ controls:
       levels:
           - medium
       title: The sticky bit must be set on all SLEM 5 world-writable directories.
-      rules: []
-      status: pending
+      rules:
+          - dir_perms_world_writable_sticky_bits
+      status: automated
 
     - id: SLEM-05-232115
       levels:
           - medium
       title: SLEM 5 must prevent unauthorized users from accessing system error messages.
-      rules: []
-      status: pending
+      rules:
+          - file_permissions_local_var_log_messages
+      status: automated
 
     - id: SLEM-05-232120
       levels:
@@ -600,17 +602,21 @@ controls:
       title:
           SLEM 5 must be configured so that all network connections associated with
           SSH traffic terminate after becoming unresponsive.
-      rules: []
-      status: pending
+      rules:
+          - sshd_set_keepalive
+          - var_sshd_set_keepalive=1
+      status: automated
 
     - id: SLEM-05-255035
       levels:
           - medium
       title:
           SLEM 5 must be configured so that all network connections associated with
           SSH traffic are terminated after 10 minutes of becoming unresponsive.
-      rules: []
-      status: pending
+      rules:
+          - sshd_set_idle_timeout
+          - sshd_idle_timeout_value=10_minutes
+      status: automated
 
     - id: SLEM-05-255040
       levels:
@@ -639,17 +645,20 @@ controls:
       title:
           SLEM 5 SSH daemon must be configured to only use Message Authentication Codes
           (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms.
-      rules: []
-      status: pending
+      rules:
+          - sshd_use_approved_macs_ordered_stig
+          - sshd_use_approved_macs
+      status: automated
 
     - id: SLEM-05-255055
       levels:
           - high
       title:
           SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated
           key exchange algorithms.
-      rules: []
-      status: pending
+      rules:
+          - sshd_use_approved_kex_ordered_stig
+      status: automated
 
     - id: SLEM-05-255060
       levels:
@@ -853,8 +862,9 @@ controls:
       title:
           SLEM 5 must disable account identifiers (individuals, groups, roles, and
           devices) after 35 days of inactivity after password expiration.
-      rules: []
-      status: pending
+      rules:
+          - account_disable_post_pw_expiration
+      status: automated
 
     - id: SLEM-05-411075
       levels:
@@ -1100,8 +1110,9 @@ controls:
       levels:
           - medium
       title: SLEM 5 must employ a password history file.
-      rules: []
-      status: pending
+      rules:
+          - file_etc_security_opasswd
+      status: automated
 
     - id: SLEM-05-611080
       levels:
@@ -1127,8 +1138,10 @@ controls:
       title:
           SLEM 5 must employ FIPS 140-2/140-3 approved cryptographic hashing algorithm
           for system authentication (login.defs).
-      rules: []
-      status: pending
+      rules:
+          - set_password_hashing_algorithm_logindefs
+          - var_password_hashing_algorithm=SHA512
+      status: automated
 
     - id: SLEM-05-611095
       levels:

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml

@@ -7,7 +7,7 @@
       <criteria comment="sshd is not installed" operator="AND">
         <extend_definition comment="sshd is not required or requirement is unset"
         definition_ref="sshd_not_required_or_unset" />
-        {{% if product in ['opensuse', 'sle12', 'sle15'] %}}
+        {{% if product in ['opensuse', 'sle12', 'sle15', 'slmicro5'] %}}
         <extend_definition comment="rpm package openssh removed"
         definition_ref="package_openssh_removed" />
         {{% else %}}
@@ -18,7 +18,7 @@
       <criteria comment="sshd is installed and configured" operator="AND">
         <extend_definition comment="sshd is required or requirement is unset"
         definition_ref="sshd_required_or_unset" />
-        {{% if product in ['opensuse', 'sle12', 'sle15'] %}}
+        {{% if product in ['opensuse', 'sle12', 'sle15', 'slmicro5'] %}}
         <extend_definition comment="rpm package openssh installed"
         definition_ref="package_openssh_installed" />
         {{% else %}}

linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml

@@ -31,6 +31,7 @@ identifiers:
     cce@rhel10: CCE-90362-5
     cce@sle12: CCE-83027-3
     cce@sle15: CCE-83281-6
+    cce@slmicro5: CCE-93692-2
 
 references:
     cis-csc: 1,12,13,14,15,16,18,3,5,7,8

linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml

@@ -30,6 +30,7 @@ identifiers:
     cce@rhel10: CCE-86794-5
     cce@sle12: CCE-83034-9
     cce@sle15: CCE-91228-7
+    cce@slmicro5: CCE-93694-8
 
 references:
     cis-csc: 1,12,13,14,15,16,18,3,5,7,8

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,\
 diffie-hellman-group-exchange-sha256"

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/oval/shared.xml

@@ -1,12 +1,12 @@
-{{% if product in ['ol8','rhel8'] %}}
+{{% if product in ['ol8', 'rhel8'] %}}
 {{% set path='/etc/crypto-policies/back-ends/opensshserver.config' %}}
 {{% set prefix_conf="^\s*CRYPTO_POLICY\s*=.*-oKexAlgorithms=" %}}
 {{% set kex_algos=["ecdh-sha2-nistp256","ecdh-sha2-nistp384",
              "ecdh-sha2-nistp521","diffie-hellman-group-exchange-sha256",
              "diffie-hellman-group14-sha256","diffie-hellman-group16-sha512",
              "diffie-hellman-group18-sha512"] %}}
 {{% set sufix_conf="(\s.*)?'" %}}
-{{% elif product in ['ol7', 'sle12','sle15','ubuntu2004'] %}}
+{{% elif product in ['ol7', 'sle12', 'sle15', 'slmicro5', 'ubuntu2004'] %}}
 {{% set path='/etc/ssh/sshd_config' %}}
 {{% set prefix_conf="^\s*KexAlgorithms\s*" %}}
 {{% set kex_algos=["ecdh-sha2-nistp256","ecdh-sha2-nistp384","ecdh-sha2-nistp521",
@@ -26,7 +26,7 @@
         <criteria comment="sshd is not installed" operator="AND">
           <extend_definition comment="sshd is not required or requirement is unset"
             definition_ref="sshd_not_required_or_unset" />
-          {{% if product in ['sle12', 'sle15'] %}}
+          {{% if product in ['sle12', 'sle15', 'slmicro5'] %}}
           <extend_definition comment="package openssh removed"
             definition_ref="package_openssh_removed" />
           {{% else %}}
@@ -37,7 +37,7 @@
         <criteria comment="sshd is installed and configured" operator="AND">
           <extend_definition comment="sshd is required or requirement is unset"
             definition_ref="sshd_required_or_unset" />
-          {{% if product in ['sle12', 'sle15'] %}}
+          {{% if product in ['sle12', 'sle15', 'slmicro5'] %}}
           <extend_definition comment="package openssh installed"
             definition_ref="package_openssh_installed" />
           {{% else %}}

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml

@@ -1,4 +1,4 @@
-{{% if product in ['ol8','rhel8'] %}}
+{{% if product in ['ol8', 'rhel8'] %}}
 {{% set path='/etc/crypto-policies/back-ends/opensshserver.config' %}}
 {{% set conf="CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384" ~
              ",ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" ~
@@ -8,7 +8,7 @@
 {{% set path='/etc/ssh/sshd_config' %}}
 {{% set conf="KexAlgorithms ecdh-sha1-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" ~
              ",diffie-hellman-group-exchange-sha256"  %}}
-{{% elif product in ['sle12','sle15','ubuntu2004', 'ubuntu2204'] %}}
+{{% elif product in ['sle12', 'sle15', 'slmicro5', 'ubuntu2004', 'ubuntu2204'] %}}
 {{% set path='/etc/ssh/sshd_config' %}}
 {{% set conf="KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" ~
              ",diffie-hellman-group-exchange-sha256"  %}}
@@ -39,6 +39,7 @@ identifiers:
     cce@rhel8: CCE-86059-3
     cce@sle12: CCE-92336-7
     cce@sle15: CCE-92505-7
+    cce@slmicro5: CCE-93696-3
 
 references:
     disa: CCI-001453

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/comment.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 source common.sh
 

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/common.sh

@@ -1,11 +1,11 @@
 #!/bin/bash
-{{% if product in ['ol8','rhel8'] %}}
+{{% if product in ['ol8', 'rhel8'] %}}
 FILE_PATH='/etc/crypto-policies/back-ends/opensshserver.config'
 CONF_PREFIX="CRYPTO_POLICY='-oKexAlgorithms="
 KEX_ALGOS="ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512"
 CONF_SUFIX="'"
 CONF_PREFIX_REGEX="^\s*CRYPTO_POLICY"
-{{% elif product in ['ol7', 'sle12','sle15','ubuntu2004', 'ubuntu2204'] %}}
+{{% elif product in ['ol7', 'sle12', 'sle15', 'slmicro5', 'ubuntu2004', 'ubuntu2204'] %}}
 FILE_PATH='/etc/ssh/sshd_config'
 FILE_PATH_CONFIGDIR='/etc/ssh/sshd_config.d'
 CONF_PREFIX="KexAlgorithms "

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_reduced_list.pass.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 
 source common.sh
 

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_scrambled.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 source common.sh
 

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/correct_value.pass.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 source common.sh
 

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/line_not_there.fail.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 source common.sh

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/no_parameters.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 source common.sh
 

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/tests/wrong_value.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 source common.sh
 

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,multi_platform_sle
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 {{{ bash_instantiate_variables("sshd_approved_macs") }}}
 

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml

@@ -8,7 +8,7 @@
         <criteria comment="sshd is not installed" operator="AND">
           <extend_definition comment="sshd is not required or requirement is unset"
           definition_ref="sshd_not_required_or_unset" />
-          {{% if product in ['opensuse', 'sle12', 'sle15'] %}}
+          {{% if product in ['opensuse', 'sle12', 'sle15', 'slmicro5'] %}}
           <extend_definition comment="rpm package openssh removed"
           definition_ref="package_openssh_removed" />
           {{% else %}}
@@ -19,7 +19,7 @@
         <criteria comment="sshd is installed and configured" operator="AND">
           <extend_definition comment="sshd is required or requirement is unset"
           definition_ref="sshd_required_or_unset" />
-          {{% if product in ['opensuse', 'sle12', 'sle15'] %}}
+          {{% if product in ['opensuse', 'sle12', 'sle15', 'slmicro5'] %}}
           <extend_definition comment="rpm package openssh installed"
           definition_ref="package_openssh_installed" />
           {{% else %}}

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml

@@ -7,7 +7,7 @@ description: |-
     Limit the MACs to those hash algorithms which are FIPS-approved.
     The following line in <tt>/etc/ssh/sshd_config</tt>
     demonstrates use of FIPS-approved MACs:
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] %}}
     <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
 {{% else %}}
     <pre>MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1</pre>
@@ -43,6 +43,7 @@ identifiers:
     cce@rhel8: CCE-82198-3
     cce@sle12: CCE-83036-4
     cce@sle15: CCE-91338-4
+    cce@slmicro5: CCE-93691-4
 
 references:
     cis-csc: 1,12,13,15,16,5,8

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Oracle Linux 7,multi_platform_sle,multi_platform_ubuntu
+# platform = Oracle Linux 7,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 {{%- if 'ubuntu' in product %}}
 {{{ bash_instantiate_variables('sshd_approved_macs') }}}

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml

@@ -24,6 +24,7 @@ severity: medium
 
 identifiers:
     cce@sle15: CCE-83280-8
+    cce@slmicro5: CCE-93690-6
 
 references:
     disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123

linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 
 if grep -q "^MACs" /etc/ssh/sshd_config; then
 	sed -i "s/^MACs.*/MACs hmac-sha2-512/" /etc/ssh/sshd_config

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml

@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-89508-6
     cce@sle12: CCE-83029-9
     cce@sle15: CCE-83279-0
+    cce@slmicro5: CCE-93689-8
 
 references:
     cis-csc: 1,12,15,16,5

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_slmicro
 
 {{{ bash_instantiate_variables("var_account_disable_post_pw_expiration") }}}
 

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml

@@ -30,6 +30,7 @@ identifiers:
     cce@rhel10: CCE-88966-7
     cce@sle12: CCE-83051-3
     cce@sle15: CCE-85558-5
+    cce@slmicro5: CCE-93688-0
 
 references:
     cis-csc: 1,12,13,14,15,16,18,3,5,7,8

linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ol,multi_platform_rhel
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ol,multi_platform_rhel
 # reboot = false
 # strategy = restrict
 # complexity = low

linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 df --local -P | awk '{if (NR!=1) print $6}' \
 | xargs -I '$6' find '$6' -xdev -type d \
 \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \