diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 21c5ee370a6..adca4d1a24f 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -118,8 +118,9 @@ controls:
 title: SLEM 5 must remove all outdated software components after updated versions have been installed.
- rules: []
- status: pending
+ rules:
+ - clean_components_post_updating
+ status: automated
 - id: SLEM-05-215010
 levels:
@@ -970,15 +971,19 @@ controls:
 title: SLEM 5 must reauthenticate users when changing authenticators, roles, or escalating privileges.
- rules: []
- status: pending
+ rules:
+ - sudo_require_authentication
+ - sudo_remove_nopasswd
+ - sudo_remove_no_authenticate
+ status: automated
 - id: SLEM-05-432020
 levels:
 - medium
 title: SLEM 5 must require reauthentication when using the "sudo" command.
- rules: []
- status: pending
+ rules:
+ - sudo_require_reauthentication
+ status: automated
 - id: SLEM-05-432025
 levels:
@@ -1171,8 +1176,9 @@ controls:
 levels:
 - medium
 title: SLEM 5 must implement certificate status checking for multifactor authentication.
- rules: []
- status: pending
+ rules:
+ - smartcard_configure_cert_checking
+ status: automated
 - id: SLEM-05-631010
 levels:
@@ -1180,8 +1186,10 @@ controls:
 title: If Network Security Services (NSS) is being used by SLEM 5 it must prohibit the use of cached authentications after one day.
- rules: []
- status: pending
+ rules:
+ - sssd_memcache_timeout
+ - var_sssd_memcache_timeout=1_day
+ status: automated
 - id: SLEM-05-631015
 levels:
@@ -1189,8 +1197,9 @@ controls:
 title: SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.
- rules: []
- status: pending
+ rules:
+ - sssd_offline_cred_expiration
+ status: automated
 - id: SLEM-05-631020
 levels: 
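Review bot: The sudo_* selections in the second hunk and the sssd_offline_cred_expiration selection in the fifth hunk flip their controls to `status: automated`, yet this commit only adds CCE identifiers for those rules and does not touch their remediation platform headers, unlike sssd_memcache_timeout, smartcard_configure_cert_checking and clean_components_post_updating, which all needed `multi_platform_slmicro` appended to `# platform =`. If those remediations carry a similarly restrictive platform line (not visible in this diff), the controls would be automated for the check but not for the fix. Worth confirming each newly selected rule builds both a check and a remediation for the slmicro5 product before it is marked automated.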
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index efd5408e476..0817b532e67 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = unknown
 # complexity = low
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
index e7d5d391651..6a8a818170b 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 {{{ bash_instantiate_variables("var_sssd_memcache_timeout") }}}
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
index 2a93eb787b2..cf13cb3bd2e 100644
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
@@ -27,6 +27,7 @@ identifiers:
 cce@rhel8: CCE-80910-3
 cce@sle12: CCE-83040-6
 cce@sle15: CCE-83295-6
+ cce@slmicro5: CCE-93718-5
 references:
 cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
index c7a0a5cf87e..c17f18d3d5a 100644 
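Review bot: The ansible header being extended to one more platform still carries `# strategy = unknown`, so the remediation is published for SLE Micro with an unclassified strategy. The task body is outside the hunk, but setting a memcache timeout in sssd.conf is an ordinary configuration change, so `# strategy = configure` looks like the right value — confirm against the task below before changing it.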
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
@@ -34,6 +34,7 @@ identifiers:
 cce@rhel10: CCE-90741-0
 cce@sle12: CCE-83206-3
 cce@sle15: CCE-83296-4
+ cce@slmicro5: CCE-93719-3
 references:
 cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml
index 18231e23a12..08b89bf8f59 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_rhel
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_rhel
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/bash/shared.sh
index a22adcde950..2efee65ed67 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_sle
+# platform = Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_sle,multi_platform_slmicro
 {{{ bash_package_install("pam_pkcs11") }}} 
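Review bot: The bash remediation is now published for SLE Micro, but its first step is `{{{ bash_package_install("pam_pkcs11") }}}`, and SLE Micro ships a considerably smaller package set than SLE; if `pam_pkcs11` is not in the SLE Micro 5 repositories the script fails on its first line and the control marked automated in controls/stig_slmicro5.yml never converges. Worth confirming the package is available there before extending the platform line, and the same question applies to the ansible variant above, which now lists the same platform. The rest of the script is outside the hunk.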
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
index ba57aa26da0..f7033aed678 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
@@ -30,6 +30,7 @@ identifiers:
 cce@rhel8: CCE-82475-5
 cce@sle12: CCE-83178-4
 cce@sle15: CCE-83293-1
+ cce@slmicro5: CCE-93717-7
 references:
 disa: CCI-001948,CCI-001953,CCI-001954
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
index 2769e9747d9..2094a7db635 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
@@ -23,6 +23,7 @@ identifiers:
 cce@rhel10: CCE-88892-5
 cce@sle12: CCE-83013-3
 cce@sle15: CCE-83291-5
+ cce@slmicro5: CCE-93715-1
 references:
 cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
index 2cb08174d9e..6afd63dcd79 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 cce@rhel10: CCE-87015-4
 cce@sle12: CCE-83012-5
 cce@sle15: CCE-85663-3
+ cce@slmicro5: CCE-93714-4
 references:
 cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
index 586d501b1bb..d7137c2a138 100644 
--- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 cce@rhel9: CCE-83543-9
 cce@rhel10: CCE-87457-8
 cce@sle15: CCE-85673-2
+ cce@slmicro5: CCE-93713-6
 references:
 cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
index 46763f8f00f..594578e1082 100644
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
@@ -28,6 +28,7 @@ identifiers:
 cce@rhel10: CCE-88136-7
 cce@sle12: CCE-83231-1
 cce@sle15: CCE-85764-9
+ cce@slmicro5: CCE-93716-9
 references:
 cis@ubuntu2204: 5.3.6
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml
index 71b66ebaba0..e25b2e61527 100644
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml
@@ -1,10 +1,10 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
-{{% if 'sle' in product %}}
+{{% if 'sle' in product or 'slmicro' in product %}}
 - name: "{{{ rule_title }}} - Ensure Zypper Removes Previous Package Versions"
 ansible.builtin.ini_file:
 dest: /etc/zypp/zypp.conf 
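Review bot: The product test `'sle' in product or 'slmicro' in product` is now spelled out in five places — this ansible hunk, bash/shared.sh, and the description, ocil_clause and ocil blocks of rule.yml — so the next zypper-based product will need the same five edits again. Since the rule already derives its wording from `{{{ pkg_manager }}}` and `{{{ pkg_manager_config_file }}}`, branching on the package manager rather than on product-name substrings would cover every such product in one form, e.g. `{{% if pkg_manager == 'zypper' %}}`, provided the slmicro5 product defines `pkg_manager` that way (not visible in this diff). The same point applies to the bash and rule.yml hunks that follow.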
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh b/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh
index 34127fd17bb..742c2e45292 100644
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh
@@ -1,6 +1,6 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro
-{{% if 'sle' in product %}}
+{{% if 'sle' in product or 'slmicro' in product %}}
 {{{ bash_replace_or_append('/etc/zypp/zypp.conf', '^solver.upgradeRemoveDroppedPackages', 'true', '%s=%s') }}}
 {{% else %}}
 if grep --silent ^clean_requirements_on_remove {{{ pkg_manager_config_file }}} ; then
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/oval/slmicro5.xml b/linux_os/guide/system/software/updating/clean_components_post_updating/oval/slmicro5.xml
new file mode 100644
index 00000000000..3a2cfa2373b
--- /dev/null
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/oval/slmicro5.xml
@@ -0,0 +1,24 @@
+
+
+
+ Ensure Zypper Removes Previous Package Versions
+
+ SUSE Linux Enterprise Micro 5
+
+ The solver.upgradeRemoveDroppedPackages option should be used to ensure that old
+ versions of software components are removed after updating.
+
+
+
+
+
+
+
+
+
+ /etc/zypp/zypp.conf
+ ^solver.upgradeRemoveDroppedPackages\s*=\s*(?i)true(?-i)\s*$
+ 1
+
+
+
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
index ef3543c4868..e247a676214 100644
--- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml 
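Review bot: The new OVAL pattern `^solver.upgradeRemoveDroppedPackages\s*=\s*(?i)true(?-i)\s*$` leaves the `.` in the option name unescaped, so it matches any single character in that position; `^solver\.upgradeRemoveDroppedPackages\s*=\s*(?i)true(?-i)\s*$` is what is intended, and the `'^solver.upgradeRemoveDroppedPackages'` search in the bash hunk above has the same slip. The check also appears to read only the first matching line (the `1` that follows the pattern looks like an instance value), so a zypp.conf that sets the option to `true` and later to `false` would still pass even though the later setting is presumably the one libzypp honours — if so, matching the last instance or additionally asserting that no `false` line exists is the safer check. The element names of the new OVAL did not survive rendering on this page, so the test/object/state wiring itself could not be reviewed here.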
+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
@@ -6,7 +6,7 @@ title: 'Ensure {{{ pkg_manager }}} Removes Previous Package Versions'
 description: |-
 {{{ pkg_manager }}} should be configured to remove previous software components after new versions have been installed. To configure {{{ pkg_manager }}} to remove the
-{{% if 'sle' in product %}}
+{{% if 'sle' in product or 'slmicro' in product %}}
 previous software components after updating, set the solver.upgradeRemoveDroppedPackages
 {{% elif 'ubuntu' in product %}}
 previous software components after updating, set the ::Remove-Unused-Dependencies and
@@ -32,6 +32,7 @@ identifiers:
 cce@rhel10: CCE-88515-2
 cce@sle12: CCE-83186-7
 cce@sle15: CCE-85551-0
+ cce@slmicro5: CCE-93720-1
 references:
 cis-csc: 18,20,4
@@ -52,7 +53,7 @@ references:
 stigid@ubuntu2204: UBTU-22-214015
 ocil_clause: |-
-{{%- if 'sle' in product %}}
+{{%- if 'sle' in product or 'slmicro' in product %}}
 'solver.upgradeRemoveDroppedPackages is not enabled or configured correctly'
 {{%- elif 'ubuntu' in product %}}
 '::Remove-Unused-Dependencies and ::Remove-Unused-Kernel-Packages is not
@@ -64,7 +65,7 @@ ocil_clause: |-
 ocil: |-
 Verify {{{ full_name }}} removes all software components after updated versions have been installed.
-{{% if 'sle' in product %}}
+{{% if 'sle' in product or 'slmicro' in product %}}
 To verify that solver.upgradeRemoveDroppedPackages is configured properly, run the following command:
$ grep -i upgradeRemoveDroppedPackages {{{ pkg_manager_config_file }}}
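Review bot: The manual check in the zypper branch tells the reader to run `$ grep -i upgradeRemoveDroppedPackages {{{ pkg_manager_config_file }}}`, while the new oval/slmicro5.xml and the bash remediation both hard-code `/etc/zypp/zypp.conf`; the three agree only if the slmicro5 product defines `pkg_manager_config_file` as that path, which this diff does not show. Either confirm the product property or use the literal path inside this branch so that a reader and the scanner look at the same file. The `ocil: |-` block continues past the end of the hunk.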
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 0db22fc3610..6c43ce5e659 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -42,13 +42,8 @@ CCE-93704-5
 CCE-93709-4
 CCE-93710-2
 CCE-93713-6
-CCE-93714-4
-CCE-93715-1
-CCE-93716-9
-CCE-93717-7
-CCE-93718-5
-CCE-93719-3
-CCE-93720-1
+CCE-93711-0
+CCE-93712-8
 CCE-93721-9
 CCE-93722-7
 CCE-93723-5
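Review bot: `CCE-93713-6` is consumed by this commit (it becomes `cce@slmicro5` in sudo_require_authentication/rule.yml) but remains in the available list as an unchanged context line, so the next rule drawing from this file can be handed the same identifier; it should be removed alongside `CCE-93714-4` through `CCE-93720-1`. The two entries `CCE-93711-0` and `CCE-93712-8` are also inserted after `CCE-93713-6`, leaving the list out of ascending order — if tooling or reviewers expect it sorted, they belong before that line. Whether those two were previously allocated elsewhere and are now being released is not visible in the diff.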