From c5f46d9166d0629740deb3cc5c45d3925345df09 Mon Sep 17 00:00:00 2001
|
|
From: Guang Yee <guang.yee@suse.com>
|
|
Date: Mon, 11 Jan 2021 12:55:43 -0800
|
|
Subject: [PATCH] Enable checks and remediations for the following SLES-12
|
|
STIGs:
|
|
|
|
- SLES-12-010030 'banner_etc_issue'
|
|
- SLES-12-010120 'accounts_max_concurrent_login_sessions'
|
|
- SLES-12-010450 'encrypt_partitions'
|
|
- SLES-12-010460 'dir_perms_world_writable_sticky_bits'
|
|
- SLES-12-010500 'package_aide_installed'
|
|
- SLES-12-010550 'ensure_gpgcheck_globally_activated'
|
|
- SLES-12-010580 'kernel_module_usb-storage_disabled'
|
|
- SLES-12-010599 'package_MFEhiplsm_installed'
|
|
- SLES-12-010690 'no_files_unowned_by_user'
|
|
- SLES-12-030000 'package_telnet-server_removed'
|
|
- SLES-12-030010 'ftp_present_banner'
|
|
- SLES-12-030050 'sshd_enable_warning_banner'
|
|
- SLES-12-030110 'sshd_set_loglevel_verbose'
|
|
- SLES-12-030130 'sshd_print_last_log'
|
|
- SLES-12-030210 'file_permissions_sshd_pub_key'
|
|
- SLES-12-030220 'file_permissions_sshd_private_key'
|
|
- SLES-12-030230 'sshd_enable_strictmodes'
|
|
- SLES-12-030240 'sshd_use_priv_separation'
|
|
- SLES-12-030250 'sshd_disable_compression'
|
|
- SLES-12-030340 'auditd_audispd_encrypt_sent_records'
|
|
- SLES-12-030360 'sysctl_net_ipv4_conf_all_accept_source_route'
|
|
- SLES-12-030361 'sysctl_net_ipv6_conf_all_accept_source_route'
|
|
- SLES-12-030370 'sysctl_net_ipv4_conf_default_accept_source_route'
|
|
- SLES-12-030420 'sysctl_net_ipv4_conf_default_send_redirects'
|
|
---
|
|
.../ftp_present_banner/rule.yml | 1 +
|
|
.../package_telnet-server_removed/rule.yml | 1 +
|
|
.../rule.yml | 1 +
|
|
.../file_permissions_sshd_pub_key/rule.yml | 1 +
|
|
.../ansible/shared.yml | 2 +-
|
|
.../sshd_disable_compression/rule.yml | 1 +
|
|
.../sshd_enable_strictmodes/rule.yml | 1 +
|
|
.../sshd_enable_warning_banner/rule.yml | 1 +
|
|
.../ssh_server/sshd_print_last_log/rule.yml | 1 +
|
|
.../sshd_set_loglevel_verbose/rule.yml | 1 +
|
|
.../sshd_use_priv_separation/rule.yml | 1 +
|
|
.../banner_etc_issue/ansible/shared.yml | 2 +-
|
|
.../banner_etc_issue/rule.yml | 4 ++-
|
|
.../ansible/shared.yml | 2 +-
|
|
.../rule.yml | 2 ++
|
|
.../ansible/shared.yml | 2 +-
|
|
.../rule.yml | 4 ++-
|
|
.../rule.yml | 4 ++-
|
|
.../rule.yml | 4 ++-
|
|
.../rule.yml | 4 ++-
|
|
.../rule.yml | 4 ++-
|
|
.../bash/shared.sh | 2 +-
|
|
.../rule.yml | 2 ++
|
|
.../files/no_files_unowned_by_user/rule.yml | 4 ++-
|
|
.../rule.yml | 4 ++-
|
|
.../encrypt_partitions/rule.yml | 8 +++++-
|
|
.../package_MFEhiplsm_installed/rule.yml | 2 ++
|
|
.../aide/package_aide_installed/rule.yml | 3 +++
|
|
.../ansible/sle12.yml | 13 ++++++++++
|
|
.../rule.yml | 8 +++++-
|
|
shared/applicability/general.yml | 4 +++
|
|
.../oval/installed_env_has_zypper_package.xml | 25 +++++++++++++++++++
|
|
.../kernel_module_disabled/ansible.template | 12 +++++++--
|
|
.../kernel_module_disabled/bash.template | 9 ++++++-
|
|
.../kernel_module_disabled/oval.template | 5 ++++
|
|
sle12/product.yml | 1 +
|
|
sle12/profiles/stig.profile | 25 +++++++++++++++++++
|
|
37 files changed, 153 insertions(+), 18 deletions(-)
|
|
create mode 100644 linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
|
|
create mode 100644 shared/checks/oval/installed_env_has_zypper_package.xml
|
|
|
|
diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
|
index 35ba09b0d0..3590a085b6 100644
|
|
--- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
|
+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml
|
|
@@ -19,6 +19,7 @@ severity: medium
|
|
|
|
identifiers:
|
|
cce@rhel7: CCE-80248-8
|
|
+ cce@sle12: CCE-83059-6
|
|
|
|
references:
|
|
stigid@sle12: SLES-12-030010
|
|
diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
|
index 317eecdc3d..619b3f0b7d 100644
|
|
--- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
|
+++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml
|
|
@@ -27,6 +27,7 @@ severity: high
|
|
identifiers:
|
|
cce@rhel7: CCE-27165-0
|
|
cce@rhel8: CCE-82182-7
|
|
+ cce@sle12: CCE-83084-4
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-021710
|
|
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
|
index 2e52219ece..d460411667 100644
|
|
--- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml
|
|
@@ -18,6 +18,7 @@ severity: medium
|
|
identifiers:
|
|
cce@rhel7: CCE-27485-2
|
|
cce@rhel8: CCE-82424-3
|
|
+ cce@sle12: CCE-83058-8
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040420
|
|
diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
|
index e59ddc0770..b9e07d71af 100644
|
|
--- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml
|
|
@@ -13,6 +13,7 @@ severity: medium
|
|
identifiers:
|
|
cce@rhel7: CCE-27311-0
|
|
cce@rhel8: CCE-82428-4
|
|
+ cce@sle12: CCE-83057-0
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040410
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
|
|
index e07e436d60..f8d422c6c4 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml
|
|
@@ -1,4 +1,4 @@
|
|
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
|
|
# reboot = false
|
|
# strategy = restrict
|
|
# complexity = low
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
|
index fe7e67c1c2..f8eec6a074 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
|
|
@@ -21,6 +21,7 @@ severity: medium
|
|
identifiers:
|
|
cce@rhel7: CCE-80224-9
|
|
cce@rhel8: CCE-80895-6
|
|
+ cce@sle12: CCE-83062-0
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040470
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
|
index 22b98c71a2..601f6a0ca2 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml
|
|
@@ -18,6 +18,7 @@ severity: medium
|
|
identifiers:
|
|
cce@rhel7: CCE-80222-3
|
|
cce@rhel8: CCE-80904-6
|
|
+ cce@sle12: CCE-83060-4
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040450
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
|
index 2199d61ca9..c93ef6340f 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml
|
|
@@ -20,6 +20,7 @@ severity: medium
|
|
identifiers:
|
|
cce@rhel7: CCE-27314-4
|
|
cce@rhel8: CCE-80905-3
|
|
+ cce@sle12: CCE-83066-1
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040170
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
|
index a0b8ed38ae..0ce5da30b2 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml
|
|
@@ -17,6 +17,7 @@ severity: medium
|
|
identifiers:
|
|
cce@rhel7: CCE-80225-6
|
|
cce@rhel8: CCE-82281-7
|
|
+ cce@sle12: CCE-83083-6
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040360
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
|
index 28ce48de8e..2180398855 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
|
|
@@ -22,6 +22,7 @@ severity: medium
|
|
identifiers:
|
|
cce@rhel7: CCE-82419-3
|
|
cce@rhel8: CCE-82420-1
|
|
+ cce@sle12: CCE-83077-8
|
|
|
|
references:
|
|
srg: SRG-OS-000032-GPOS-00013
|
|
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
|
|
index 14d1acfd22..d65ddb6cd1 100644
|
|
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
|
|
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
|
|
@@ -18,6 +18,7 @@ severity: medium
|
|
identifiers:
|
|
cce@rhel7: CCE-80223-1
|
|
cce@rhel8: CCE-80908-7
|
|
+ cce@sle12: CCE-83061-2
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040460
|
|
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
|
|
index f3a0c85ea5..ff6b6eab42 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
|
|
@@ -1,4 +1,4 @@
|
|
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
|
|
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
|
|
# reboot = false
|
|
# strategy = unknown
|
|
# complexity = low
|
|
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
|
index a86ede70f8..637d8ee528 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
|
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
|
|
|
title: 'Modify the System Login Banner'
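Review bot: `sle12` is appended after `wrlinux1019` on the prodtype line at 653, whereas the same commit inserts it in sorted position before `sle15` in no_files_unowned_by_user, kernel_module_usb-storage_disabled and ensure_gpgcheck_globally_activated; the prodtype hunks of auditd_audispd_encrypt_sent_records, the four sysctl_* rules and encrypt_partitions append it at the end as well. Keeping the list sorted, `prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019`, makes the per-product grep and future merges of these lines predictable. This is a style point only; the rendered content is the same either way.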
|
|
|
|
@@ -52,6 +52,7 @@ identifiers:
|
|
cce@rhel7: CCE-27303-7
|
|
cce@rhel8: CCE-80763-6
|
|
cce@rhcos4: CCE-82555-4
|
|
+ cce@sle12: CCE-83054-7
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-010050
|
|
@@ -64,6 +65,7 @@ references:
|
|
srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007
|
|
vmmsrg: SRG-OS-000023-VMM-000060,SRG-OS-000024-VMM-000070
|
|
stigid@rhel7: RHEL-07-010050
|
|
+ stigid@sle12: SLES-12-010030
|
|
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
|
|
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
|
|
cobit5: DSS05.04,DSS05.10,DSS06.10
|
|
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
|
|
index 9d50a9d20c..536ac29569 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
|
|
@@ -1,4 +1,4 @@
|
|
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
|
|
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
|
|
# reboot = false
|
|
# strategy = restrict
|
|
# complexity = low
|
|
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
|
index e598f4e8cb..32412aa482 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
|
|
@@ -20,6 +20,7 @@ severity: low
|
|
identifiers:
|
|
cce@rhel7: CCE-82041-5
|
|
cce@rhel8: CCE-80955-8
|
|
+ cce@sle12: CCE-83065-3
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040000
|
|
@@ -30,6 +31,7 @@ references:
|
|
srg: SRG-OS-000027-GPOS-00008
|
|
vmmsrg: SRG-OS-000027-VMM-000080
|
|
stigid@rhel7: RHEL-07-040000
|
|
+ stigid@sle12: SLES-12-010120
|
|
isa-62443-2013: 'SR 3.1,SR 3.8'
|
|
isa-62443-2009: 4.3.3.4
|
|
cobit5: DSS01.05,DSS05.02
|
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
|
|
index 23bcdf8641..007b23ba24 100644
|
|
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
|
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml
|
|
@@ -1,4 +1,4 @@
|
|
-# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4
|
|
+# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_sle
|
|
# reboot = false
|
|
# complexity = low
|
|
# disruption = low
|
|
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
|
|
index 4c27eb11fd..1943a00fb2 100644
|
|
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
|
|
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
|
title: 'Encrypt Audit Records Sent With audispd Plugin'
|
|
|
|
@@ -26,6 +26,7 @@ severity: medium
|
|
identifiers:
|
|
cce@rhel7: CCE-80540-8
|
|
cce@rhel8: CCE-80926-9
|
|
+ cce@sle12: CCE-83063-8
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-030310
|
|
@@ -33,6 +34,7 @@ references:
|
|
nist: AU-9(3),CM-6(a)
|
|
srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
|
|
stigid@rhel7: RHEL-07-030310
|
|
+ stigid@sle12: SLES-12-030340
|
|
ospp: FAU_GEN.1.1.c
|
|
|
|
ocil_clause: 'audispd is not encrypting audit records when sent over the network'
|
|
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
|
index a3f78cb910..8767a5226f 100644
|
|
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
|
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces'
|
|
|
|
@@ -22,6 +22,7 @@ identifiers:
|
|
cce@rhel7: CCE-80179-5
|
|
cce@rhel8: CCE-81013-5
|
|
cce@rhcos4: CCE-82480-5
|
|
+ cce@sle12: CCE-83078-6
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040830
|
|
@@ -33,6 +34,7 @@ references:
|
|
nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4
|
|
srg: SRG-OS-000480-GPOS-00227
|
|
stigid@rhel7: RHEL-07-040830
|
|
+ stigid@sle12: SLES-12-030361
|
|
isa-62443-2013: 'SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
|
|
isa-62443-2009: 4.2.3.4,4.3.3.4,4.4.3.3
|
|
cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
|
index 0cd3dbc143..7bc4e3b9b7 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
|
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
|
|
|
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces'
|
|
|
|
@@ -22,6 +22,7 @@ identifiers:
|
|
cce@rhel7: CCE-27434-0
|
|
cce@rhel8: CCE-81011-9
|
|
cce@rhcos4: CCE-82478-9
|
|
+ cce@sle12: CCE-83064-6
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040610
|
|
@@ -33,6 +34,7 @@ references:
|
|
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
|
srg: SRG-OS-000480-GPOS-00227
|
|
stigid@rhel7: RHEL-07-040610
|
|
+ stigid@sle12: SLES-12-030360
|
|
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
|
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
|
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
|
index c48ec8de3d..f7ee2e9818 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
|
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
|
|
|
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default'
|
|
|
|
@@ -22,6 +22,7 @@ identifiers:
|
|
cce@rhel7: CCE-80162-1
|
|
cce@rhel8: CCE-80920-2
|
|
cce@rhcos4: CCE-82479-7
|
|
+ cce@sle12: CCE-83079-4
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040620
|
|
@@ -34,6 +35,7 @@ references:
|
|
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
|
srg: SRG-OS-000480-GPOS-00227
|
|
stigid@rhel7: RHEL-07-040620
|
|
+ stigid@sle12: SLES-12-030370
|
|
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
|
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
|
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
|
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
|
index ddf6b07758..861c3485f3 100644
|
|
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
|
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
|
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
|
|
|
title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default'
|
|
|
|
@@ -19,6 +19,7 @@ identifiers:
|
|
cce@rhel7: CCE-80999-6
|
|
cce@rhel8: CCE-80921-0
|
|
cce@rhcos4: CCE-82485-4
|
|
+ cce@sle12: CCE-83086-9
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-040650
|
|
@@ -31,6 +32,7 @@ references:
|
|
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
|
srg: SRG-OS-000480-GPOS-00227
|
|
stigid@rhel7: RHEL-07-040650
|
|
+ stigid@sle12: SLES-12-030420
|
|
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
|
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
|
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
|
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
|
index 0a829df187..e49942d1cc 100644
|
|
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
|
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh
|
|
@@ -1,4 +1,4 @@
|
|
-# platform = Red Hat Virtualization 4,multi_platform_rhel
|
|
+# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle
|
|
df --local -P | awk '{if (NR!=1) print $6}' \
|
|
| xargs -I '{}' find '{}' -xdev -type d \
|
|
\( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \
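Review bot: Now that this remediation is enabled for SLE, its pipeline on lines 1249-1252 still derives mount points from `awk '{if (NR!=1) print $6}'`, so a mount point whose path contains whitespace is handed to `find` as a truncated path and the resulting error is hidden by `2>/dev/null`, leaving that filesystem silently unremediated. The remainder of the pipeline is outside the hunk, so I cannot see how the matched directories are consumed. At minimum a comment should record the limitation, e.g. `# NOTE: mount points containing whitespace are not handled (df output is split on spaces)`, so that an auditor comparing the remediation against the check knows which filesystems it may skip.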
|
|
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
|
index d04df8df86..5bb3cf3713 100644
|
|
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
|
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
|
|
@@ -34,6 +34,7 @@ identifiers:
|
|
cce@rhel7: CCE-80130-8
|
|
cce@rhel8: CCE-80783-4
|
|
cce@rhcos4: CCE-82753-5
|
|
+ cce@sle12: CCE-83047-1
|
|
|
|
references:
|
|
cis@rhe8: 1.1.21
|
|
@@ -46,6 +47,7 @@ references:
|
|
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
cis-csc: 12,13,14,15,16,18,3,5
|
|
cis@sle15: 1.1.22
|
|
+ stigid@sle12: SLES-12-010460
|
|
|
|
ocil_clause: 'any world-writable directories are missing the sticky bit'
|
|
|
|
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
|
index e664cf9215..faab0b8822 100644
|
|
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
|
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
|
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
|
|
|
title: 'Ensure All Files Are Owned by a User'
|
|
|
|
@@ -24,6 +24,7 @@ severity: medium
|
|
identifiers:
|
|
cce@rhel7: CCE-80134-0
|
|
cce@rhel8: CCE-83499-4
|
|
+ cce@sle12: CCE-83072-9
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-020320
|
|
@@ -40,6 +41,7 @@ references:
|
|
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
cis-csc: 11,12,13,14,15,16,18,3,5,9
|
|
cis@sle15: 6.1.11
|
|
+ stigid@sle12: SLES-12-010690
|
|
|
|
ocil_clause: 'files exist that are not owned by a valid user'
|
|
|
|
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
|
index c78b570efb..24e77cc74e 100644
|
|
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
|
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
|
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
|
|
|
title: 'Disable Modprobe Loading of USB Storage Driver'
|
|
|
|
@@ -22,6 +22,7 @@ identifiers:
|
|
cce@rhel7: CCE-27277-3
|
|
cce@rhel8: CCE-80835-2
|
|
cce@rhcos4: CCE-82719-6
|
|
+ cce@sle12: CCE-83069-5
|
|
|
|
references:
|
|
stigid@ol7: OL07-00-020100
|
|
@@ -39,6 +40,7 @@ references:
|
|
cis-csc: 1,12,15,16,5
|
|
cis@rhel8: 1.1.23
|
|
cis@sle15: 1.1.3
|
|
+ stigid@sle12: SLES-12-010580
|
|
|
|
{{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
|
|
|
|
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
|
index 80d1856778..fe370a4323 100644
|
|
--- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
|
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml
|
|
@@ -1,6 +1,6 @@
|
|
documentation_complete: true
|
|
|
|
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4
|
|
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4,sle12
|
|
|
|
title: 'Encrypt Partitions'
|
|
|
|
@@ -14,6 +14,7 @@ description: |-
|
|
option is selected the system will prompt for a passphrase to use in
|
|
decrypting the partition. The passphrase will subsequently need to be entered manually
|
|
every time the system boots.
|
|
+ {{% if product != "sle12" %}}
|
|
<br /><br />
|
|
For automated/unattended installations, it is possible to use Kickstart by adding
|
|
the <tt>--encrypted</tt> and <tt>--passphrase=</tt> options to the definition of each partition to be
|
|
@@ -26,11 +27,14 @@ description: |-
|
|
<br /><br />
|
|
By default, the <tt>Anaconda</tt> installer uses <tt>aes-xts-plain64</tt> cipher
|
|
with a minimum <tt>512</tt> bit key size which should be compatible with FIPS enabled.
|
|
+ {{% endif %}}
|
|
<br /><br />
|
|
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
|
|
the {{{ full_name }}} Documentation web site:<br />
|
|
{{% if product in ["ol7", "ol8"] %}}
|
|
{{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54670/html/ol7-encrypt-sec.html") }}}.
|
|
+ {{% elif product == "sle12" %}}
|
|
+ {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}}
|
|
{{% else %}}
|
|
{{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}.
|
|
{{% endif %}}
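Review bot: The sle12 branch added at lines 1558-1561 links to the SLED 12 security guide (`sled-12` in the URL) although the rule is being enabled for the SLES STIG, and unlike the ol and rhel branches its weblink is not followed by a period, so the rendered sentence ends without punctuation. The `{{% if product != "sle12" %}}` guard opened at line 1516 in the previous hunk and closed at line 1540 here removes the unattended-installation and default-cipher paragraphs for sle12 without putting anything in their place, so the SLE 12 description never says how a partition is encrypted at installation time. A short `{{% else %}}` branch describing the SUSE installer's encryption option (presumably YaST/AutoYaST; to be confirmed by the author) would close that gap.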
|
|
@@ -45,6 +49,7 @@ severity: high
|
|
identifiers:
|
|
cce@rhel7: CCE-27128-8
|
|
cce@rhel8: CCE-80789-1
|
|
+ cce@sle12: CCE-83046-3
|
|
|
|
references:
|
|
cui: 3.13.16
|
|
@@ -58,6 +63,7 @@ references:
|
|
isa-62443-2013: 'SR 3.4,SR 4.1,SR 5.2'
|
|
cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06
|
|
cis-csc: 13,14
|
|
+ stigid@sle12: SLES-12-010450
|
|
|
|
ocil_clause: 'partitions do not have a type of crypto_LUKS'
|
|
|
|
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
|
|
index f96cfc925b..c0bf1ee908 100644
|
|
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
|
|
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
|
|
@@ -18,6 +18,7 @@ severity: medium
|
|
|
|
identifiers:
|
|
cce@rhel7: CCE-80368-4
|
|
+ cce@sle12: CCE-83071-1
|
|
|
|
references:
|
|
disa: CCI-000366,CCI-001263
|
|
@@ -31,6 +32,7 @@ references:
|
|
iso27001-2013: 'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.3,A.12.5.1,A.12.6.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.7,A.14.2.8,A.15.2.1,A.16.1.1,A.16.1.2,A.16.1.3,A.16.1.4,A.16.1.5,A.16.1.6,A.16.1.7,A.18.1.4,A.18.2.2,A.18.2.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,Clause 16.1.2,Clause 7.4'
|
|
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
|
|
stigid@rhel7: RHEL-07-020019
|
|
+ stigid@sle12: SLES-12-010599
|
|
|
|
ocil_clause: 'the HBSS HIPS module is not installed'
|
|
|
|
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
|
index 699992b48c..23e939bbec 100644
|
|
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
|
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
|
|
@@ -14,6 +14,7 @@ severity: medium
|
|
identifiers:
|
|
cce@rhel7: CCE-27096-7
|
|
cce@rhel8: CCE-80844-4
|
|
+ cce@sle12: CCE-83048-9
|
|
|
|
references:
|
|
cis@rhel8: 1.4.1
|
|
@@ -30,6 +31,8 @@ references:
|
|
srg: SRG-OS-000363-GPOS-00150
|
|
cis@sle15: 1.4.1
|
|
ism: 1034,1288,1341,1417
|
|
+ stigid@sle12: SLES-12-010500
|
|
+ disa@sle12: CCI-002699
|
|
|
|
ocil_clause: 'the package is not installed'
|
|
|
|
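diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
new file mode 100644
index 0000000000..6fca48166a
--- /dev/null
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+- name: Ensure GPG check is globally activated (zypper)
+  ini_file:
+    dest: /etc/zypp/zypp.conf
+    section: main
+    option: gpgcheck
+    value: 1
+    no_extra_spaces: yes
+    create: False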
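Review bot: `# strategy = unknown` in the header of the new remediation is a placeholder; the other remediation headers in this commit carry a concrete value (`# strategy = disable`), and since this task edits a configuration file `# strategy = configure` would be the fitting one. Separately, `value: 1` together with `no_extra_spaces: yes` writes `gpgcheck=1`, whereas the commented defaults in zypp.conf spell the option as `gpgcheck = on`; libzypp appears to accept both, but confirm that the OVAL check for this rule on SLE matches the `gpgcheck=1` form this task produces, otherwise the remediation will not bring the check to pass. The product file in this same commit adds `pkg_manager_config_file: "/etc/zypp/zypp.conf"`, so `dest: {{{ pkg_manager_config_file }}}` would avoid repeating the path here.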
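diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
index 24cef5499c..1f86aff1e9 100644
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15
 
 title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration'
 
@@ -33,6 +33,7 @@ severity: high
 identifiers:
     cce@rhel7: CCE-26989-4
     cce@rhel8: CCE-80790-9
+    cce@sle12: CCE-83068-7
 
 references:
     stigid@ol7: OL07-00-020050
@@ -54,6 +55,7 @@ references:
     iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
     cis-csc: 11,2,3,9
     anssi: BP28(R15)
+    stigid@sle12: SLES-12-010550
 
 ocil_clause: 'GPG checking is not enabled'
 
@@ -66,4 +68,8 @@ ocil: |-
     <tt>gpgcheck</tt> line or a setting of <tt>0</tt> indicates that it is
     disabled.
 
+{{% if product == 'sle12' %}}
+platform: zypper
+{{% else %}}
 platform: yum
+{{% endif %}}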
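Review bot: The `{{% if product == 'sle12' %}}` guard around `platform:` in the last hunk keys the applicability on a single product, but `prodtype` (first hunk) already lists sle15, so a sle15 build still renders `platform: yum` and the rule would never be applicable there. Keying on the package manager instead, `{{% if pkg_manager == "zypper" %}}`, covers every zypper-based product without a per-product list; the title in this same file already uses `{{{ pkg_manager }}}` that way.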
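diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml
index a6581fd713..7382b7dd30 100644
--- a/shared/applicability/general.yml
+++ b/shared/applicability/general.yml
@@ -74,3 +74,7 @@ cpes:
       title: "Package yum is installed"
       check_id: installed_env_has_yum_package
 
+  - zypper:
+      name: "cpe:/a:zypper"
+      title: "Package zypper is installed"
+      check_id: installed_env_has_zypper_package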
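diff --git a/shared/checks/oval/installed_env_has_zypper_package.xml b/shared/checks/oval/installed_env_has_zypper_package.xml
new file mode 100644
index 0000000000..cf14e6af3c
--- /dev/null
+++ b/shared/checks/oval/installed_env_has_zypper_package.xml
@@ -0,0 +1,25 @@
+<def-group>
+  <definition class="inventory"
+  id="installed_env_has_zypper_package" version="1">
+    <metadata>
+      <title>Package zypper is installed</title>
+      <affected family="unix">
+        <platform>multi_platform_sle</platform>
+      </affected>
+      <description>Checks if package zypper is installed.</description>
+      <reference ref_id="cpe:/a:zypper" source="CPE" />
+    </metadata>
+    <criteria>
+      <criterion comment="Package zypper is installed" test_ref="test_env_has_zypper_installed" />
+    </criteria>
+  </definition>
+
+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
+  id="test_env_has_zypper_installed" version="1"
+  comment="system has package zypper installed">
+    <linux:object object_ref="obj_env_has_zypper_installed" />
+  </linux:rpminfo_test>
+  <linux:rpminfo_object id="obj_env_has_zypper_installed" version="1">
+    <linux:name>zypper</linux:name>
+  </linux:rpminfo_object>
+</def-group>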
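diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template
index 47deee6e54..c4a83ad325 100644
--- a/shared/templates/kernel_module_disabled/ansible.template
+++ b/shared/templates/kernel_module_disabled/ansible.template
@@ -1,12 +1,20 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
 # reboot = true
 # strategy = disable
 # complexity = low
 # disruption = medium
+{{% if product == "sle12" %}}
+- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
+  lineinfile:
+    create: yes
+    dest: "/etc/modprobe.d/50-blacklist.conf"
+    regexp: '^blacklist {{{ KERNMODULE }}}$'
+    line: "blacklist {{{ KERNMODULE }}}"
+{{% else %}}
 - name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled
   lineinfile:
     create: yes
     dest: "/etc/modprobe.d/{{{ KERNMODULE }}}.conf"
     regexp: '{{{ KERNMODULE }}}'
     line: "install {{{ KERNMODULE }}} /bin/true"
-
+{{% endif %}}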
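Review bot: The new sle12 branch only writes `blacklist {{{ KERNMODULE }}}` to /etc/modprobe.d/50-blacklist.conf, and per modprobe.d(5) a blacklist entry only suppresses loading through the module's aliases (hotplug/udev); an explicit modprobe of the module, or loading it as a dependency of another module, still succeeds, whereas the `install {{{ KERNMODULE }}} /bin/true` line kept in the else branch blocks loading outright. If the SLES STIG check text requires the `blacklist` line, keep it, but consider having the sle12 branch additionally write `install {{{ KERNMODULE }}} /bin/true` to the same file so the SLE remediation is no weaker than the one for the other platforms. The sle12 branch added to bash.template in this commit has the same gap.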
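diff --git a/shared/templates/kernel_module_disabled/bash.template b/shared/templates/kernel_module_disabled/bash.template
index 42c0830b5f..f70a9925cd 100644
--- a/shared/templates/kernel_module_disabled/bash.template
+++ b/shared/templates/kernel_module_disabled/bash.template
@@ -1,11 +1,18 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
 # reboot = true
 # strategy = disable
 # complexity = low
 # disruption = medium
+{{% if product == "sle12" %}}
+if ! LC_ALL=C grep -q -m 1 "^blacklist {{{ KERNMODULE }}}$" /etc/modprobe.d/50-blacklist.conf ; then
+    echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/50-blacklist.conf
+    echo "blacklist {{{ KERNMODULE }}}" >> /etc/modprobe.d/50-blacklist.conf
+fi
+{{% else %}}
 if LC_ALL=C grep -q -m 1 "^install {{{ KERNMODULE }}}" /etc/modprobe.d/{{{ KERNMODULE }}}.conf ; then
     sed -i 's/^install {{{ KERNMODULE }}}.*/install {{{ KERNMODULE }}} /bin/true/g' /etc/modprobe.d/{{{ KERNMODULE }}}.conf
 else
     echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
     echo "install {{{ KERNMODULE }}} /bin/true" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
 fi
+{{% endif %}}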
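diff --git a/shared/templates/kernel_module_disabled/oval.template b/shared/templates/kernel_module_disabled/oval.template
index e5a7aaa8b4..737ae3c796 100644
--- a/shared/templates/kernel_module_disabled/oval.template
+++ b/shared/templates/kernel_module_disabled/oval.template
@@ -54,9 +54,14 @@
 
   <ind:textfilecontent54_object id="obj_kernmod_{{{ KERNMODULE }}}_disabled"
   version="1" comment="kernel module {{{ KERNMODULE }}} disabled">
+    {{% if product == "sle12" %}}
+    <ind:filepath>/etc/modprobe.d/50-blacklist.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^blacklist\s+{{{ KERNMODULE }}}$</ind:pattern>
+    {{% else %}}
     <ind:path>/etc/modprobe.d</ind:path>
     <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
     <ind:pattern operation="pattern match">^\s*install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true)$</ind:pattern>
+    {{% endif %}}
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 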
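Review bot: The sle12 branch pins the object to `<ind:filepath>/etc/modprobe.d/50-blacklist.conf</ind:filepath>`, while the else branch accepts a matching line in any `/etc/modprobe.d/*.conf` via `<ind:path>` plus the `<ind:filename>` pattern. A `blacklist` line an administrator placed in another modprobe.d file is just as effective for modprobe, yet this object would report the module as not disabled; unless the STIG text mandates that exact file, reusing `<ind:path>/etc/modprobe.d</ind:path>` and the existing filename pattern in the sle12 branch keeps the SLE check consistent with the other platforms. The pattern `^blacklist\s+{{{ KERNMODULE }}}$` is also stricter than the remediation's `^blacklist {{{ KERNMODULE }}}$` only in allowing extra whitespace, so the two agree; a leading `\s*` would additionally tolerate indented lines the way the else branch's pattern does.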
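diff --git a/sle12/product.yml b/sle12/product.yml
index e465a6d687..d83ad88c21 100644
--- a/sle12/product.yml
+++ b/sle12/product.yml
@@ -9,6 +9,7 @@ profiles_root: "./profiles"
 init_system: "systemd"
 
 pkg_manager: "zypper"
+pkg_manager_config_file: "/etc/zypp/zypp.conf"
 oval_feed_url: "https://support.novell.com/security/oval/suse.linux.enterprise.12.xml"
 
 cpes_root: "../shared/applicability"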
diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
|
|
index 6cf3339569..15c4f70336 100644
|
|
--- a/sle12/profiles/stig.profile
|
|
+++ b/sle12/profiles/stig.profile
|
|
@@ -12,34 +12,59 @@ selections:
|
|
- account_temp_expire_date
|
|
- accounts_have_homedir_login_defs
|
|
- accounts_logon_fail_delay
|
|
+ - accounts_max_concurrent_login_sessions
|
|
- accounts_maximum_age_login_defs
|
|
+ - accounts_minimum_age_login_defs
|
|
- accounts_no_uid_except_zero
|
|
- accounts_password_set_max_life_existing
|
|
- accounts_password_set_min_life_existing
|
|
- accounts_umask_etc_login_defs
|
|
+ - auditd_audispd_encrypt_sent_records
|
|
- auditd_data_disk_full_action
|
|
- auditd_data_retention_action_mail_acct
|
|
- auditd_data_retention_space_left
|
|
+ - banner_etc_issue
|
|
- banner_etc_motd
|
|
+ - dir_perms_world_writable_sticky_bits
|
|
- disable_ctrlaltdel_reboot
|
|
+ - encrypt_partitions
|
|
+ - ensure_gpgcheck_globally_activated
|
|
+ - file_permissions_sshd_private_key
|
|
+ - file_permissions_sshd_pub_key
|
|
+ - ftp_present_banner
|
|
- gnome_gdm_disable_automatic_login
|
|
- grub2_password
|
|
- grub2_uefi_password
|
|
- installed_OS_is_vendor_supported
|
|
+ - kernel_module_usb-storage_disabled
|
|
- no_empty_passwords
|
|
+ - no_files_unowned_by_user
|
|
- no_host_based_files
|
|
- no_user_host_based_files
|
|
+ - package_MFEhiplsm_installed
|
|
+ - package_aide_installed
|
|
- package_audit-audispd-plugins_installed
|
|
- package_audit_installed
|
|
+ - package_telnet-server_removed
|
|
- postfix_client_configure_mail_alias
|
|
- security_patches_up_to_date
|
|
- service_auditd_enabled
|
|
- set_password_hashing_algorithm_logindefs
|
|
+ - sshd_disable_compression
|
|
- sshd_disable_empty_passwords
|
|
- sshd_disable_user_known_hosts
|
|
- sshd_do_not_permit_user_env
|
|
+ - sshd_enable_strictmodes
|
|
+ - sshd_enable_warning_banner
|
|
- sshd_enable_x11_forwarding
|
|
+ - sshd_print_last_log
|
|
- sshd_set_idle_timeout
|
|
- sshd_set_keepalive
|
|
+ - sshd_set_loglevel_verbose
|
|
+ - sshd_use_priv_separation
|
|
- sudo_remove_no_authenticate
|
|
- sudo_remove_nopasswd
|
|
+ - sysctl_net_ipv4_conf_all_accept_source_route
|
|
+ - sysctl_net_ipv4_conf_default_accept_source_route
|
|
+ - sysctl_net_ipv4_conf_default_send_redirects
|
|
+ - sysctl_net_ipv6_conf_all_accept_source_route
|