From a050df59825379e7793b5f31c40fc1936585a4a6 Mon Sep 17 00:00:00 2001 From: Guang Yee Date: Wed, 3 Feb 2021 16:17:14 -0800 Subject: [PATCH] Enable checks and remediations for the following SLES-12 STIGs: - SLES-12-010890 'file_permissions_var_log_messages' - SLES-12-010910 'pam_disable_automatic_configuration' - SLES-12-020020 'auditd_audispd_configure_sufficiently_large_partition' - SLES-12-020100 'auditd_audispd_network_failure_action' - SLES-12-020110 'auditd_audispd_disk_full_action' - SLES-12-020120 'permissions_local_var_log_audit' - SLES-12-020130 'permissions_local_audit_binaries' - SLES-12-020199 'audit_rules_enable_syscall_auditing' - SLES-12-020200 'audit_rules_usergroup_modification_passwd' - SLES-12-020210 'audit_rules_usergroup_modification_group' - SLES-12-020220 'audit_rules_usergroup_modification_shadow' - SLES-12-020230 'audit_rules_usergroup_modification_opasswd' - SLES-12-020250 'audit_rules_privileged_commands_su' - SLES-12-020260 'audit_rules_privileged_commands_sudo' - SLES-12-020290 'audit_rules_privileged_commands_mount' - SLES-12-020300 'audit_rules_privileged_commands_umount' - SLES-12-020370 'audit_rules_dac_modification_setxattr' - SLES-12-020380 'audit_rules_dac_modification_fsetxattr' - SLES-12-020390 'audit_rules_dac_modification_removexattr' - SLES-12-020400 'audit_rules_dac_modification_lremovexattr' - SLES-12-020410 'audit_rules_dac_modification_fremovexattr' - SLES-12-020430 'audit_rules_dac_modification_fchown' - SLES-12-020440 'audit_rules_dac_modification_lchown' - SLES-12-020450 'audit_rules_dac_modification_fchownat' - SLES-12-020460 'audit_rules_dac_modification_chown' - SLES-12-020470 'audit_rules_dac_modification_fchmod' - SLES-12-020480 'audit_rules_dac_modification_fchmodat' - SLES-12-020490 'audit_rules_unsuccessful_file_modification_open' - SLES-12-020710 'audit_rules_privileged_commands_crontab' - SLES-12-020720 'audit_rules_privileged_commands_pam_timestamp_check' - SLES-12-020730 'audit_rules_kernel_module_loading_delete' - SLES-12-020740 'audit_rules_kernel_module_loading_finit' - SLES-12-020750 'audit_rules_kernel_module_loading_init' - SLES-12-030300 'chronyd_or_ntpd_set_maxpoll' Corrections: - The STIG ID for audit_rules_dac_modification_chmod was incorrect. It should've been SLES-12-020460 instead of SLES-12-020600. - The STIG ID for sshd_do_not_permit_user_env was incorrect. It should've been SLES-12-030151 instead of SLES-12-030150. --- .../ansible/shared.yml | 49 +++++++++++++ .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 5 +- .../sshd_do_not_permit_user_env/rule.yml | 2 +- .../ansible/shared.yml | 19 +++++ .../bash/shared.sh | 6 ++ .../oval/shared.xml | 29 ++++++++ .../rule.yml | 37 ++++++++++ .../rule.yml | 2 +- .../rule.yml | 3 + .../rule.yml | 2 + .../rule.yml | 2 + .../rule.yml | 3 + .../rule.yml | 3 + .../rule.yml | 3 + .../rule.yml | 3 + .../rule.yml | 3 + .../rule.yml | 3 + .../rule.yml | 3 + .../rule.yml | 3 + .../rule.yml | 2 + .../ansible/shared.yml | 2 +- .../rule.yml | 2 + .../ansible/shared.yml | 2 +- .../rule.yml | 2 + .../ansible/shared.yml | 2 +- .../rule.yml | 3 +- .../rule.yml | 4 +- .../rule.yml | 5 +- .../rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 5 +- .../ansible/shared.yml | 53 ++++++++++++++ .../bash/shared.sh | 19 +++++ .../oval/shared.xml | 46 ++++++++++++ .../rule.yml | 35 +++++++++ .../rule.yml | 4 +- .../rule.yml | 5 +- .../rule.yml | 4 +- .../rule.yml | 5 +- .../oval/shared.xml | 34 +++++++++ .../rule.yml | 69 ++++++++++++++++++ .../auditd_audispd_disk_full_action/rule.yml | 5 +- .../rule.yml | 4 +- .../ansible/shared.yml | 12 ++++ .../oval/shared.xml | 45 ++++++++++++ .../rule.yml | 53 ++++++++++++++ .../permissions_local_audit_binaries/rule.yml | 72 +++++++++++++++++++ .../permissions_local_var_log_audit/rule.yml | 57 +++++++++++++++ shared/templates/extra_ovals.yml | 6 ++ sle12/profiles/stig.profile | 37 +++++++++- 51 files changed, 766 insertions(+), 20 deletions(-) create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml create mode 100644 linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml create mode 100644 linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml create mode 100644 linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml create mode 100644 linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml create mode 100644 linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml new file mode 100644 index 0000000000..3c83850a05 --- /dev/null +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml @@ -0,0 +1,49 @@ +# platform = multi_platform_sle +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +{{{ ansible_instantiate_variables('var_time_service_set_maxpoll') }}} + +- name: Check that /etc/ntp.conf exist + stat: + path: /etc/ntp.conf + register: ntp_conf_exist_result + +- name: Check that /etc/chrony.conf exist + stat: + path: /etc/chrony.conf + register: chrony_conf_exist_result + +- name: Update the maxpoll values in /etc/ntp.conf + lineinfile: + path: /etc/ntp.conf + regex: '^(server.*maxpoll) [0-9]+(\s+.*)$' + line: '\1 {{ var_time_service_set_maxpoll }}\2' + backrefs: yes + when: ntp_conf_exist_result.stat.exists + +- name: Update the maxpoll values in /etc/chrony.conf + lineinfile: + path: /etc/chrony.conf + regex: '^(server.*maxpoll) [0-9]+(\s+.*)$' + line: '\1 {{ var_time_service_set_maxpoll }}\2' + backrefs: yes + when: chrony_conf_exist_result.stat.exists + +- name: Set the maxpoll values in /etc/ntp.conf + lineinfile: + path: /etc/ntp.conf + regex: '(^server\s+((?!maxpoll).)*)$' + line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n' + backrefs: yes + when: ntp_conf_exist_result.stat.exists + +- name: Set the maxpoll values in /etc/chrony.conf + lineinfile: + path: /etc/chrony.conf + regex: '(^server\s+((?!maxpoll).)*)$' + line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n' + backrefs: yes + when: chrony_conf_exist_result.stat.exists diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml index d5f8b9125e..4e4be3002f 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Configure Time Service Maxpoll Interval' @@ -26,6 +26,7 @@ platform: machine # The check uses service_... extended definition, which doesn identifiers: cce@rhel7: CCE-80439-3 cce@rhcos4: CCE-82684-2 + cce@sle12: CCE-83124-8 references: stigid@ol7: OL07-00-040500 @@ -39,6 +40,8 @@ references: cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01 iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1 cis-csc: 1,14,15,16,3,5,6 + stigid@sle12: SLES-12-030300 + nist@sle12: AU-8(1)(a),AU-8(1)(b) ocil_clause: 'it does not exist or maxpoll has not been set to the expected value' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml index 0c17411fad..e5d54261d3 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml @@ -33,7 +33,7 @@ references: srg: SRG-OS-000480-GPOS-00229 vmmsrg: SRG-OS-000480-VMM-002000 stigid@rhel7: RHEL-07-010460 - stigid@sle12: SLES-12-030150 + stigid@sle12: SLES-12-030151 isa-62443-2013: 'SR 7.6' isa-62443-2009: 4.3.4.3.2,4.3.4.3.3 cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05 diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml new file mode 100644 index 0000000000..04e889199f --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml @@ -0,0 +1,19 @@ +# platform = multi_platform_sle +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +- name: Find soft links /etc/pam.d/ + find: + paths: /etc/pam.d + file_type: link + patterns: common-.* + use_regex: yes + register: find_pam_soft_links_result + +- name: Remove soft links in /etc/pam.d/ + shell: | + target=$(readlink -f "{{ item.path }}") + cp -p --remove-destination "$target" "{{ item.path }}" + with_items: "{{ find_pam_soft_links_result.files }}" diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh new file mode 100644 index 0000000000..ef195d3ac2 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh @@ -0,0 +1,6 @@ +# platform = multi_platform_sle + +for link in $(find /etc/pam.d/ -type l -iname "common-*") ; do + target=$(readlink -f "$link") + cp -p --remove-destination "$target" "$link" +done diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml new file mode 100644 index 0000000000..0a8f356e7a --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml @@ -0,0 +1,29 @@ + + + + The PAM configuration should not be changed automatically + + multi_platform_sle + + Verify the SUSE operating system is configured to not overwrite Pluggable + Authentication Modules (PAM) configuration on package changes. + + + + + + + + + + + + + /etc/pam.d + ^common-.*$ + + + + regular + + diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml new file mode 100644 index 0000000000..fe02158220 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml @@ -0,0 +1,37 @@ +documentation_complete: true + +prodtype: sle12 + +title: 'The PAM configuration should not be changed automatically' + +description: |- + Verify the SUSE operating system is configured to not overwrite Pluggable + Authentication Modules (PAM) configuration on package changes. + + +rationale: |- + pam-config is a command line utility that automatically generates + a system PAM configuration as packages are installed, updated or removed + from the system. pam-config removes configurations for PAM modules + and parameters that it does not know about. It may render ineffective PAM + configuration by the system administrator and thus impact system security. + +severity: medium + +identifiers: + cce@sle12: CCE-83113-1 + +references: + stigid@sle12: SLES-12-010910 + disa@sle12: CCI-000366 + srg@sle12: SRG-OS-000480-GPOS-00227 + nist@sle12: CM-6(b),CM-6.1(iv) + +ocil_clause: 'that is not the case' + +ocil: |- + Check that soft links between PAM configuration files are removed with the following command: + + 
# find /etc/pam.d/ -type l -iname "common-*"
+ + If any results are returned, this is a finding. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml index 22031b6517..b1d9dfbc4c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml @@ -46,7 +46,7 @@ references: srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030410 - stigid@sle12: SLES-12-020600 + stigid@sle12: SLES-12-020460 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml index 8c8ccf405f..27e9d98617 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel7: CCE-27364-9 cce@rhel8: CCE-80686-9 cce@rhcos4: CCE-82557-0 + cce@sle12: CCE-83137-0 references: stigid@ol7: OL07-00-030370 @@ -43,8 +44,10 @@ references: ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 + srg@sle12: SRG-OS-000037-GPOS-00015 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030370 + stigid@sle12: SLES-12-020420 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml index 7b66511acc..6d55b59af4 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel7: CCE-27393-8 cce@rhel8: CCE-80687-7 cce@rhcos4: CCE-82558-8 + cce@sle12: CCE-83133-9 references: stigid@ol7: OL07-00-030420 @@ -45,6 +46,7 @@ references: srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030420 + stigid@sle12: SLES-12-020470 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml index 3882d0db26..d5b87320a7 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel7: CCE-27388-8 cce@rhel8: CCE-80688-5 cce@rhcos4: CCE-82559-6 + cce@sle12: CCE-83132-1 references: stigid@ol7: OL07-00-030430 @@ -45,6 +46,7 @@ references: srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030430 + stigid@sle12: SLES-12-020480 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml index 7950e714f6..d75447dab4 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml @@ -33,6 +33,7 @@ identifiers: cce@rhel7: CCE-27356-5 cce@rhel8: CCE-80689-3 cce@rhcos4: CCE-82560-4 + cce@sle12: CCE-83136-2 references: stigid@ol7: OL07-00-030380 @@ -46,8 +47,10 @@ references: ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 + srg@sle12: SRG-OS-000037-GPOS-00015 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030380 + stigid@sle12: SLES-12-020430 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml index b35b2d7298..214f7e95c0 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel7: CCE-27387-0 cce@rhel8: CCE-80690-1 cce@rhcos4: CCE-82561-2 + cce@sle12: CCE-83134-7 references: stigid@ol7: OL07-00-030400 @@ -43,8 +44,10 @@ references: ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 + srg@sle12: SRG-OS-000037-GPOS-00015 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030400 + stigid@sle12: SLES-12-020450 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml index fb936a04b6..af1eea1a36 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml @@ -35,6 +35,7 @@ identifiers: cce@rhel7: CCE-27353-2 cce@rhel8: CCE-80691-9 cce@rhcos4: CCE-82562-0 + cce@sle12: CCE-83138-8 references: stigid@ol7: OL07-00-030480 @@ -48,8 +49,10 @@ references: ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 + srg@sle12: SRG-OS-000037-GPOS-00015 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030480 + stigid@sle12: SLES-12-020410 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml index 6d6216122d..33de1d53eb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel7: CCE-27389-6 cce@rhel8: CCE-80692-7 cce@rhcos4: CCE-82563-8 + cce@sle12: CCE-83141-2 references: stigid@ol7: OL07-00-030450 @@ -43,8 +44,10 @@ references: ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 + srg@sle12: SRG-OS-000037-GPOS-00015 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030450 + stigid@sle12: SLES-12-020380 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml index 53d680a29c..04e8ae5d99 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel7: CCE-27083-5 cce@rhel8: CCE-80693-5 cce@rhcos4: CCE-82564-6 + cce@sle12: CCE-83135-4 references: stigid@ol7: OL07-00-030390 @@ -43,8 +44,10 @@ references: ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219 + srg@sle12: SRG-OS-000037-GPOS-00015 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030390 + stigid@sle12: SLES-12-020440 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml index bbce29648d..55bc1502d6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml @@ -35,6 +35,7 @@ identifiers: cce@rhel7: CCE-27410-0 cce@rhel8: CCE-80694-3 cce@rhcos4: CCE-82565-3 + cce@sle12: CCE-83139-6 references: stigid@ol7: OL07-00-030490 @@ -48,8 +49,10 @@ references: ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 + srg@sle12: SRG-OS-000037-GPOS-00015 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030490 + stigid@sle12: SLES-12-020400 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml index f8890cea0d..abbe9269fe 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml @@ -34,6 +34,7 @@ identifiers: cce@rhel7: CCE-27367-2 cce@rhel8: CCE-80696-8 cce@rhcos4: CCE-82567-9 + cce@sle12: CCE-83140-4 references: stigid@ol7: OL07-00-030470 @@ -47,8 +48,10 @@ references: ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 + srg@sle12: SRG-OS-000037-GPOS-00015 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030470 + stigid@sle12: SLES-12-020390 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml index 4bcbaf54b4..a74756bfbd 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel7: CCE-27213-8 cce@rhel8: CCE-80697-6 cce@rhcos4: CCE-82568-7 + cce@sle12: CCE-83142-0 references: stigid@ol7: OL07-00-030440 @@ -43,8 +44,10 @@ references: ospp: FAU_GEN.1.1.c pcidss: Req-10.5.5 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 + srg@sle12: SRG-OS-000037-GPOS-00015 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030440 + stigid@sle12: SLES-12-020370 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml index ebccc4dbbf..97aa771056 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml @@ -39,6 +39,7 @@ identifiers: cce@rhel7: CCE-80386-6 cce@rhel8: CCE-80753-7 cce@rhcos4: CCE-82633-9 + cce@sle12: CCE-83131-3 references: stigid@ol7: OL07-00-030510 @@ -53,6 +54,7 @@ references: srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 stigid@rhel7: RHEL-07-030510 + stigid@sle12: SLES-12-020490 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml index 4759760bc1..c7b605ec31 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle # reboot = false # complexity = low # disruption = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml index d53927fcab..0997c1c6a5 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml @@ -27,6 +27,7 @@ identifiers: cce@rhel7: CCE-80415-3 cce@rhel8: CCE-80711-5 cce@rhcos4: CCE-82580-2 + cce@sle12: CCE-83128-9 references: stigid@ol7: OL07-00-030830 @@ -41,6 +42,7 @@ references: srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222 vmmsrg: SRG-OS-000477-VMM-001970 stigid@rhel7: RHEL-07-030830 + stigid@sle12: SLES-12-020730 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml index 62220a2294..3f3c3e3d94 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # complexity = low # disruption = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml index a6c457485c..f54035bfcb 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml @@ -27,6 +27,7 @@ identifiers: cce@rhel7: CCE-80547-3 cce@rhel8: CCE-80712-3 cce@rhcos4: CCE-82581-0 + cce@sle12: CCE-83129-7 references: stigid@ol7: OL07-00-030821 @@ -41,6 +42,7 @@ references: srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222 vmmsrg: SRG-OS-000477-VMM-001970 stigid@rhel7: RHEL-07-030821 + stigid@sle12: SLES-12-020740 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml index ee6aa0ba59..d804bbd09e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle # reboot = false # complexity = low # disruption = low diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml index b81ca09151..829f3b2c8a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml @@ -27,7 +27,7 @@ identifiers: cce@rhel7: CCE-80414-6 cce@rhel8: CCE-80713-1 cce@rhcos4: CCE-82582-8 - + cce@sle12: CCE-83130-5 references: stigid@ol7: OL07-00-030820 cis: 5.2.17 @@ -41,6 +41,7 @@ references: srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222 vmmsrg: SRG-OS-000477-VMM-001970 stigid@rhel7: RHEL-07-030820 + stigid@sle12: SLES-12-020750 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml index 53be8f4928..0cd92027b1 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - crontab' @@ -34,6 +34,7 @@ identifiers: cce@rhel7: CCE-80410-4 cce@rhel8: CCE-80727-1 cce@rhcos4: CCE-82593-5 + cce@sle12: CCE-83126-3 references: stigid@ol7: OL07-00-030800 @@ -45,6 +46,7 @@ references: srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 vmmsrg: SRG-OS-000471-VMM-001910 stigid@rhel7: RHEL-07-030800 + stigid@sle12: SLES-12-020710 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml index 471a920ed4..4941b38aac 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,sle12 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - mount' @@ -34,6 +34,7 @@ identifiers: cce@rhel7: CCE-81064-8 cce@rhel8: CCE-80989-7 cce@rhcos4: CCE-82595-0 + cce@sle12: CCE-83145-3 references: disa: CCI-000135,CCI-000172,CCI-002884 @@ -41,8 +42,10 @@ references: ospp: FAU_GEN.1.1.c vmmsrg: SRG-OS-000471-VMM-001910 srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172 + srg@sle12: SRG-OS-000037-GPOS-00015 stigid@rhel7: RHEL-07-030740 stigid@ol7: OL07-00-030740 + stigid@sle12: SLES-12-020290 ocil_clause: 'it is not the case' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml index 824e7470ec..d6780b0156 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check' @@ -34,6 +34,7 @@ identifiers: cce@rhel7: CCE-80411-2 cce@rhel8: CCE-80730-5 cce@rhcos4: CCE-82599-2 + cce@sle12: CCE-83127-1 references: stigid@ol7: OL07-00-030810 @@ -45,6 +46,7 @@ references: srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 vmmsrg: SRG-OS-000471-VMM-001910 stigid@rhel7: RHEL-07-030810 + stigid@sle12: SLES-12-020720 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml index 4de737ddf1..86c423dd28 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - su' @@ -34,6 +34,7 @@ identifiers: cce@rhel7: CCE-80400-5 cce@rhel8: CCE-80736-2 cce@rhcos4: CCE-82605-7 + cce@sle12: CCE-83143-8 references: stigid@ol7: OL07-00-030680 @@ -46,6 +47,7 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 vmmsrg: SRG-OS-000471-VMM-001910 stigid@rhel7: RHEL-07-030680 + stigid@sle12: SLES-12-020250 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml index 382c66cc88..9e9e892789 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sudo' @@ -34,6 +34,7 @@ identifiers: cce@rhel7: CCE-80401-3 cce@rhel8: CCE-80737-0 cce@rhcos4: CCE-82606-5 + cce@sle12: CCE-83144-6 references: stigid@ol7: OL07-00-030690 @@ -46,6 +47,7 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 vmmsrg: SRG-OS-000471-VMM-001910 stigid@rhel7: RHEL-07-030690 + stigid@sle12: SLES-12-020260 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml index e8a7ef5f9d..2ce9d62aaf 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - umount' @@ -34,6 +34,7 @@ identifiers: cce@rhel7: CCE-80405-4 cce@rhel8: CCE-80739-6 cce@rhcos4: CCE-82608-1 + cce@sle12: CCE-83158-6 references: stigid@ol7: OL07-00-030750 @@ -43,8 +44,10 @@ references: nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a) nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1 srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 + srg@sle12: SRG-OS-000037-GPOS-00015 vmmsrg: SRG-OS-000471-VMM-001910 stigid@rhel7: RHEL-07-030750 + stigid@sle12: SLES-12-020300 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml new file mode 100644 index 0000000000..8286d51cf2 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml @@ -0,0 +1,53 @@ +# platform = multi_platform_sle +# reboot = false +# strategy = restrict +# complexity = low +# disruption = low + +- name: Service facts + service_facts: + +- name: Check the rules script being used + command: + grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service + register: check_rules_scripts_result + +- name: Find audit rules in /etc/audit/rules.d + find: + paths: /etc/audit/rules.d + file_type: file + follow: yes + register: find_audit_rules_result + when: + - '"auditd.service" in ansible_facts.services' + - '"augenrules" in check_rules_scripts_result.stdout' + +- name: Enable syscall auditing (augenrules) + lineinfile: + path: "{{ item.path }}" + regex: ^(?i)(\s*-a\s+task,never)\s*$ + line: '#-a task,never' + with_items: "{{ find_audit_rules_result.files }}" + when: + - '"auditd.service" in ansible_facts.services' + - '"augenrules" in check_rules_scripts_result.stdout' + register: augenrules_syscall_auditing_rule_update_result + +- name: Enable syscall auditing (auditctl) + lineinfile: + path: /etc/audit/audit.rules + regex: ^(?i)(\s*-a\s+task,never)\s*$ + line: '#-a task,never' + when: + - '"auditd.service" in ansible_facts.services' + - '"auditctl" in check_rules_scripts_result.stdout' + register: auditctl_syscall_auditing_rule_update_result + +- name: Restart auditd.service + systemd: + name: auditd.service + state: restarted + when: + - ansible_facts.services["auditd.service"].state == "running" + - (augenrules_syscall_auditing_rule_update_result.changed or + auditctl_syscall_auditing_rule_update_result.changed) diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh new file mode 100644 index 0000000000..501095bb85 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh @@ -0,0 +1,19 @@ +# platform = multi_platform_sle + +if [ -f "/usr/lib/systemd/system/auditd.service" ] ; then + EXECSTARTPOST_SCRIPT=$(grep '^ExecStartPost=' /usr/lib/systemd/system/auditd.service | sed 's/ExecStartPost=//') + + if [[ "$EXECSTARTPOST_SCRIPT" == *"augenrules"* ]] ; then + for f in /etc/audit/rules.d/*.rules ; do + sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' "$f" + done + else + # auditctl is used + sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' /etc/audit/audit.rules + fi + + systemctl is-active --quiet auditd.service + if [ $? -ne 0 ] ; then + systemctl restart auditd.service + fi +fi diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml new file mode 100644 index 0000000000..f871e0195c --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml @@ -0,0 +1,46 @@ + + + + Enable Syscall Auditing + + multi_platform_all + + Syscall auditing should not be disabled. + + + + + + + + + + + + + + + + + + + + + + + + ^/etc/audit/rules\.d/.*\.rules$ + ^[\s]*-a[\s]+task,never[\s]*$ + 1 + + + + + + + /etc/audit/audit.rules + ^[\s]*-a[\s]+task,never[\s]*$ + 1 + + + diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml new file mode 100644 index 0000000000..9c23291d62 --- /dev/null +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml @@ -0,0 +1,35 @@ +documentation_complete: true + +prodtype: sle12 + +title: 'Remove Default Configuration to Disable Syscall Auditing' + +description: |- + By default, {{{ full_name }}} ships an audit rule to disable syscall + auditing for performance reasons. + + To make sure that syscall auditing works, this line must be removed from + /etc/audit/rules.d/audit.rules and /etc/audit/audit.rules: + + 
-a task,never
+ +rationale: |- + Audit rules for syscalls do not take effect unless this line is removed. + +severity: medium + +identifiers: + cce@sle12: CCE-83119-8 + +references: + stigid@sle12: SLES-12-020199 + srg@sle12: SRG-OS-000480-GPOS-00227 + disa@sle12: CCI-000366 + +ocil_clause: 'syscall auditing is still disabled' + +ocil: |- + To check for the offending line, run the following command: + 
$ grep task,never /etc/audit/{rules.d,.}/audit.rules
+ There must not be any output, or else these lines must be removed from + the matching files. diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml index 750fba65bb..e4b2b8dcb8 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Record Events that Modify User/Group Information - /etc/group' @@ -31,6 +31,7 @@ identifiers: cce@rhel7: CCE-80433-6 cce@rhel8: CCE-80758-6 cce@rhcos4: CCE-82654-5 + cce@sle12: CCE-83121-4 references: stigid@ol7: OL07-00-030871 @@ -51,6 +52,7 @@ references: cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 + stigid@sle12: SLES-12-020210 ocil_clause: 'the system is not configured to audit account changes' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml index adf9f616b8..41434f664a 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Record Events that Modify User/Group Information - /etc/security/opasswd' @@ -31,6 +31,7 @@ identifiers: cce@rhel7: CCE-80430-2 cce@rhel8: CCE-80760-2 cce@rhcos4: CCE-82656-0 + cce@sle12: CCE-83123-0 references: stigid@ol7: OL07-00-030874 @@ -51,6 +52,8 @@ references: cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 + srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221 + stigid@sle12: SLES-12-020230 ocil_clause: 'the system is not configured to audit account changes' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml index c0e3b4b23a..bae0a29903 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Record Events that Modify User/Group Information - /etc/passwd' @@ -31,6 +31,7 @@ identifiers: cce@rhel7: CCE-80435-1 cce@rhel8: CCE-80761-0 cce@rhcos4: CCE-82657-8 + cce@sle12: CCE-83120-6 references: stigid@ol7: OL07-00-030870 @@ -51,6 +52,7 @@ references: cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 + stigid@sle12: SLES-12-020200 ocil_clause: 'the system is not configured to audit account changes' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml index 6545282c8a..f3d9cf9cd2 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Record Events that Modify User/Group Information - /etc/shadow' @@ -31,6 +31,7 @@ identifiers: cce@rhel7: CCE-80431-0 cce@rhel8: CCE-80762-8 cce@rhcos4: CCE-82658-6 + cce@sle12: CCE-83122-2 references: stigid@ol7: OL07-00-030873 @@ -51,6 +52,8 @@ references: cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 + stigid@sle12: SLES-12-020220 + srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221 ocil_clause: 'the system is not configured to audit account changes' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml new file mode 100644 index 0000000000..8aa7b04f7c --- /dev/null +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml @@ -0,0 +1,34 @@ +{{% if target_oval_version >= [5, 11.2] %}} + + + {{{ oval_metadata("Configure a sufficiently large partition for audit logs.") }}} + + + + + + + + /var/log/audit + + + + + + + + + + var_aacsflp_audit_partition_size + + + + + + + + 10000000000 + + + +{{% endif %}} diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml new file mode 100644 index 0000000000..421b410446 --- /dev/null +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml @@ -0,0 +1,69 @@ +documentation_complete: true + +prodtype: sle12 + +title: 'Configure a Sufficiently Large Partition for Audit Logs' + +description: |- + The SUSE operating system must allocate audit record storage capacity to + store at least one weeks worth of audit records when audit records are not + immediately sent to a central audit record storage facility. + + The partition size needed to capture a week's worth of audit records is + based on the activity level of the system and the total storage capacity + available. In normal circumstances, 10.0 GB of storage space for audit + records will be sufficient. + + Determine which partition the audit records are being written to with the + following command: + + 
# grep log_file /etc/audit/auditd.conf
+    log_file = /var/log/audit/audit.log
+ + Check the size of the partition that audit records are written to with the + following command: + + 
# df -h /var/log/audit/
+    /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
+ +rationale: |- + Information stored in one location is vulnerable to accidental or incidental + deletion or alteration.Off-loading is a common process in information + systems with limited audit storage capacity. + +severity: medium + +identifiers: + cce@sle12: CCE-83114-9 + +references: + disa@sle12: CCI-001849 + srg@sle12: SRG-OS-000342-GPOS-00133 + stigid@sle12: SLES-12-020020 + +ocil_clause: 'audispd is not sending logs to a remote system and the local partition has inadequate' + +ocil: |- + To verify whether audispd plugin off-loads audit records onto a different + system or media from the system being audited, run the following command: + + 
# grep -i remote_server /etc/audisp/audisp-remote.conf
+ + The output should return something similar to where REMOTE_SYSTEM + is an IP address or hostname: + 
remote_server = REMOTE_SYSTEM
+ + Determine which partition the audit records are being written to with the + following command: + + 
# grep log_file /etc/audit/auditd.conf
+    log_file = /var/log/audit/audit.log
+ + Check the size of the partition that audit records are written to with the + following command and verify whether it is sufficiently large: + + 
# df -h /var/log/audit/
+    /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
+ + +platform: machine diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml index 5b9baa2858..d3bf2845ef 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Configure audispd''s Plugin disk_full_action When Disk Is Full' @@ -23,6 +23,7 @@ severity: medium identifiers: cce@rhel7: CCE-80539-0 + cce@sle12: CCE-83116-4 references: stigid@ol7: OL07-00-030320 @@ -30,6 +31,8 @@ references: disa: CCI-001851 srg: SRG-OS-000342-GPOS-00133 stigid@rhel7: RHEL-07-030320 + srg@sle12: SRG-OS-000479-GPOS-00224 + stigid@sle12: SLES-12-020110 ocil_clause: 'the system is not configured to switch to single user mode for corrective action' diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml index 9e677d225c..f756e47969 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Configure audispd''s Plugin network_failure_action On Network Failure' @@ -24,6 +24,7 @@ severity: medium identifiers: cce@rhel7: CCE-80538-2 + cce@sle12: CCE-83115-6 references: stigid@ol7: OL07-00-030321 @@ -31,6 +32,7 @@ references: disa: CCI-001851 srg: SRG-OS-000342-GPOS-00133 stigid@rhel7: RHEL-07-030321 + stigid@sle12: SLES-12-020100 ocil_clause: 'the system is not configured to switch to single user mode for corrective action' diff --git a/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml new file mode 100644 index 0000000000..7ee0817b30 --- /dev/null +++ b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml @@ -0,0 +1,12 @@ +# platform = multi_platform_sle +# reboot = false +# complexity = low +# strategy = configure +# disruption = low + +{{{ ansible_lineinfile(msg='Configure permission for /var/log/messages', path='/etc/permissions.local', regex='^\/var\/log\/messages\s+root.*', new_line='/var/log/messages root:root 640', create='yes', state='present', register='update_permissions_local_result') }}} + +- name: "Correct file permissions after update /etc/permissions.local" + shell: > + chkstat --set --system + when: update_permissions_local_result.changed diff --git a/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml new file mode 100644 index 0000000000..c0af07f781 --- /dev/null +++ b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml @@ -0,0 +1,45 @@ + + + + Verify that /var/log/messages is readable only by root + + multi_platform_sle + + + Checks that /var/log/messages is only readable by root. + + + + + + + + + + + + + + + + /var/log/messages + + + + 0 + 0 + + + + false + false + false + false + false + false + false + false + false + + + diff --git a/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml new file mode 100644 index 0000000000..e0569758a9 --- /dev/null +++ b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml @@ -0,0 +1,53 @@ +documentation_complete: true + +prodtype: sle12 + +title: 'Verify that local /var/log/messages is not world-readable' + +description: |- + Files containing sensitive informations should be protected by restrictive + permissions. Most of the time, there is no need that these files need to be read by any non-root user + {{{ describe_file_permissions(file="/var/log/messages", perms="0640") }}} + + Check that "permissions.local" file contains the correct permissions rules with the following command: + + 
# grep -i messages /etc/permissions.local
+
+    /var/log/messages root:root 640
+ +rationale: |- + The /var/log/messages file contains system error messages. Only + authorized personnel should be aware of errors and the details of the + errors. Error messages are an indicator of an organization's operational + state or can identify the SUSE operating system or platform. Additionally, + Personally Identifiable Information (PII) and operational information must + not be revealed through error messages to unauthorized personnel or their + designated representatives. + +severity: medium + +identifiers: + cce@sle12: CCE-83112-3 + +references: + disa@sle12: CCI-001314 + nist@sle12: SI-11(c) + stigid@sle12: SLES-12-010890 + srg@sle12: SRG-OS-000206-GPOS-00084 + +ocil_clause: 'Make sure /var/log/messages is not world-readable' + +ocil: |- + {{{ ocil_file_permissions(file="/var/log/messages", perms="-rw-r-----") }}} + + Check that permissions.local file contains the correct permissions rules with the following command: + + 
# grep -i messages /etc/permissions.local
+
+    /var/log/messages root:root 640
+ + If the command does not return any or different output, this is a finding. + + Run the following command to correct the permissions after adding the missing entry: + + 
# sudo chkstat --set --system
diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml new file mode 100644 index 0000000000..b66a44452f --- /dev/null +++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml @@ -0,0 +1,72 @@ +documentation_complete: true + +prodtype: sle12 + +title: 'Verify Permissions of Local Logs of audit Tools' + +description: |- + The SUSE operating system audit tools must have the proper permissions + configured to protect against unauthorized access. + + Check that "permissions.local" file contains the correct permissions rules + with the following command: + + 
grep "^/usr/sbin/au" /etc/permissions.local
+
+    /usr/sbin/audispd root:root 0750
+    /usr/sbin/auditctl root:root 0750
+    /usr/sbin/auditd root:root 0750
+    /usr/sbin/ausearch root:root 0755
+    /usr/sbin/aureport root:root 0755
+    /usr/sbin/autrace root:root 0750
+    /usr/sbin/augenrules root:root 0750
+
+ + Audit tools include but are not limited to vendor-provided and open-source + audit tools needed to successfully view and manipulate audit information + system activity and records. Audit tools include custom queries and report + generators. + +rationale: |- + Protecting audit information also includes identifying and protecting the + tools used to view and manipulate log data. Therefore, protecting audit + tools is necessary to prevent unauthorized operation on audit information. + + SUSE operating systems providing tools to interface with audit information + will leverage user permissions and roles identifying the user accessing the + tools and the corresponding rights the user enjoys to make access decisions + regarding the access to audit tools. + +severity: medium + +identifiers: + cce@sle12: CCE-83118-0 + +references: + disa@sle12: CCI-001493,CCI-001494,CCI-001495 + nisti@sle12: AU-9 + srg@sle12: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099 + stigid@sle12: SLES-12-020130 + +ocil: |- + Check that permissions.local file contains the correct permissions + rules with the following command: + + 
grep "^/usr/sbin/au" /etc/permissions.local
+
+    /usr/sbin/audispd root:root 0750
+    /usr/sbin/auditctl root:root 0750
+    /usr/sbin/auditd root:root 0750
+    /usr/sbin/ausearch root:root 0755
+    /usr/sbin/aureport root:root 0755
+    /usr/sbin/autrace root:root 0750
+    /usr/sbin/augenrules root:root 0750
+
+ + If the command does not return all the above lines, the missing ones need + to be added. + + Run the following command to correct the permissions after adding missing + entries: + + 
# sudo chkstat --set --system
diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml new file mode 100644 index 0000000000..0eb6bfc893 --- /dev/null +++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml @@ -0,0 +1,57 @@ +documentation_complete: true + +prodtype: sle12 + +title: 'Verify that Local Logs of the audit Daemon are not World-Readable' + +description: |- + Files containing sensitive informations should be protected by restrictive + permissions. Most of the time, there is no need that these files need to bei + read by any non-root user. + + Check that "permissions.local" file contains the correct permissions rules with the following command: + + 
# grep -i audit /etc/permissions.local
+
+    /var/log/audit/ root:root 600
+    /var/log/audit/audit.log root:root 600
+    /etc/audit/audit.rules root:root 640
+    /etc/audit/rules.d/audit.rules root:root 640
+ +rationale: |- + Without the capability to restrict which roles and individuals can select + which events are audited, unauthorized personnel may be able to prevent the + auditing of critical events. Misconfigured audits may degrade the system's + performance by overwhelming the audit log. Misconfigured audits may also + make it more difficult to establish, correlate, and investigate the events + relating to an incident or identify those responsible for one. + +severity: medium + +identifiers: + cce@sle12: CCE-83117-2 + +references: + disa@sle12: CCI-000164 + nist: AU-9 + srg@sle12: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029 + stigid@sle12: SLES-12-020120 + +ocil: |- + Check that permissions.local file contains the correct permissionsi + rules with the following command: + + 
# grep -i audit /etc/permissions.local
+
+    /var/log/audit/ root:root 600
+    /var/log/audit/audit.log root:root 600
+    /etc/audit/audit.rules root:root 640
+    /etc/audit/rules.d/audit.rules root:root 640
+ + If the command does not return all the above lines, the missing ones need + to be added. + + Run the following command to correct the permissions after adding missing + entries: + + 
# sudo chkstat --set --system
diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml index 2d305f56d4..89dbe31beb 100644 --- a/shared/templates/extra_ovals.yml +++ b/shared/templates/extra_ovals.yml @@ -43,3 +43,9 @@ service_sssd_disabled: vars: servicename: sssd packagename: sssd-common + +service_syslog_disabled: + name: service_disabled + vars: + servicename: syslog + packagename: rsyslog diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile index 4c8b361226..095be4febe 100644 --- a/sle12/profiles/stig.profile +++ b/sle12/profiles/stig.profile @@ -8,8 +8,10 @@ description: |- selections: - sshd_approved_macs=stig + - var_account_disable_post_pw_expiration=35 - var_accounts_fail_delay=4 - var_removable_partition=dev_cdrom + - var_time_service_set_maxpoll=system_default - account_disable_post_pw_expiration - account_temp_expire_date - accounts_have_homedir_login_defs @@ -27,22 +29,52 @@ selections: - accounts_user_interactive_home_directory_exists - aide_scan_notification - audit_rules_dac_modification_chmod + - audit_rules_dac_modification_chown + - audit_rules_dac_modification_fchmod + - audit_rules_dac_modification_fchmodat + - audit_rules_dac_modification_fchown + - audit_rules_dac_modification_fchownat + - audit_rules_dac_modification_fremovexattr + - audit_rules_dac_modification_fsetxattr + - audit_rules_dac_modification_lchown + - audit_rules_dac_modification_lremovexattr + - audit_rules_dac_modification_removexattr + - audit_rules_dac_modification_setxattr + - audit_rules_enable_syscall_auditing + - audit_rules_kernel_module_loading_delete + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init - audit_rules_login_events_lastlog - audit_rules_login_events_tallylog - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_crontab + - audit_rules_privileged_commands_mount + - audit_rules_privileged_commands_pam_timestamp_check + - audit_rules_privileged_commands_su + - audit_rules_privileged_commands_sudo + - audit_rules_privileged_commands_umount - audit_rules_privileged_commands_unix_chkpwd - audit_rules_unsuccessful_file_modification_creat - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open - audit_rules_unsuccessful_file_modification_open_by_handle_at - audit_rules_unsuccessful_file_modification_openat - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_usergroup_modification_group - audit_rules_usergroup_modification_gshadow + - audit_rules_usergroup_modification_opasswd + - audit_rules_usergroup_modification_passwd + - audit_rules_usergroup_modification_shadow + - auditd_audispd_configure_sufficiently_large_partition + - auditd_audispd_disk_full_action - auditd_audispd_encrypt_sent_records + - auditd_audispd_network_failure_action - auditd_data_disk_full_action - auditd_data_retention_action_mail_acct - auditd_data_retention_space_left - banner_etc_issue - banner_etc_motd + - chronyd_or_ntpd_set_maxpoll - dir_perms_world_writable_sticky_bits - dir_perms_world_writable_system_owned_group - disable_ctrlaltdel_reboot @@ -54,6 +86,7 @@ selections: - file_permissions_sshd_private_key - file_permissions_sshd_pub_key - file_permissions_ungroupowned + - file_permissions_var_log_messages - ftp_present_banner - gnome_gdm_disable_automatic_login - grub2_password @@ -74,6 +107,9 @@ selections: - package_audit-audispd-plugins_installed - package_audit_installed - package_telnet-server_removed + - pam_disable_automatic_configuration + - permissions_local_audit_binaries + - permissions_local_var_log_audit - postfix_client_configure_mail_alias - run_chkstat - security_patches_up_to_date @@ -106,4 +142,3 @@ selections: - sysctl_net_ipv4_ip_forward - sysctl_net_ipv6_conf_all_accept_source_route - sysctl_net_ipv6_conf_default_accept_source_route -