Merge pull request #12339 from svet-se/slmicro5-stig-add-accounts-and…

…-permissions-rules-support

Slmicro5 stig add accounts and permissions rules support

controls/stig_slmicro5.yml

@@ -49,17 +49,19 @@ controls:
       title:
           SLEM 5 with a basic input/output system (BIOS) must require authentication
           upon booting into single-user and maintenance modes.
-      rules: []
-      status: pending
+      rules:
+          - grub2_password
+      status: automated
 
     - id: SLEM-05-212015
       levels:
           - high
       title:
           SLEM 5 with Unified Extensible Firmware Interface (UEFI) implemented must
           require authentication upon booting into single-user mode and maintenance.
-      rules: []
-      status: pending
+      rules:
+          - grub2_uefi_password
+      status: automated
 
     - id: SLEM-05-213010
       levels:
@@ -160,8 +162,9 @@ controls:
       levels:
           - medium
       title: SLEM 5 must use a separate file system for the system audit data path.
-      rules: []
-      status: pending
+      rules:
+          - partition_for_var_log_audit
+      status: automated
 
     - id: SLEM-05-231025
       levels:
@@ -777,8 +780,9 @@ controls:
       levels:
           - medium
       title: SLEM 5 must disable the USB mass storage kernel module.
-      rules: []
-      status: pending
+      rules:
+          - kernel_module_usb-storage_disabled
+      status: automated
 
     - id: SLEM-05-411010
       levels:
@@ -850,17 +854,19 @@ controls:
       levels:
           - medium
       title: SLEM 5 must automatically expire temporary accounts within 72 hours.
-      rules: []
-      status: pending
+      rules:
+          - account_temp_expire_date
+      status: automated
 
     - id: SLEM-05-411050
       levels:
           - medium
       title:
           SLEM 5 must never automatically remove or disable emergency administrator
           accounts.
-      rules: []
-      status: pending
+      rules:
+          - account_emergency_admin
+      status: automated
 
     - id: SLEM-05-411055
       levels:
@@ -903,8 +909,9 @@ controls:
       levels:
           - medium
       title: SLEM 5 must not have duplicate User IDs (UIDs) for interactive users.
-      rules: []
-      status: pending
+      rules:
+          - account_unique_id
+      status: automated
 
     - id: SLEM-05-412010
       levels:
@@ -927,7 +934,9 @@ controls:
       levels:
           - medium
       title: SLEM 5 must lock an account after three consecutive invalid access attempts.
-      rules: []
+      rules:
+          - accounts_passwords_pam_tally2
+          - var_password_pam_tally2=3
       status: pending
 
     - id: SLEM-05-412025
@@ -1033,8 +1042,9 @@ controls:
       levels:
           - medium
       title: SLEM 5 must restrict privilege elevation to authorized personnel.
-      rules: []
-      status: pending
+      rules:
+          - sudo_restrict_privilege_elevation_to_authorized
+      status: automated
 
     - id: SLEM-05-432030
       levels:
@@ -1168,8 +1178,9 @@ controls:
       title:
           SLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms
           for system authentication.
-      rules: []
-      status: pending
+      rules:
+          - accounts_password_all_shadowed_sha512
+      status: automated
 
     - id: SLEM-05-611085
       levels:
@@ -1917,5 +1928,6 @@ controls:
       levels:
           - high
       title: FIPS 140-2/140-3 mode must be enabled on SLEM 5.
-      rules: []
-      status: pending
+      rules:
+          - is_fips_mode_enabled
+      status: automated

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/ansible/shared.yml

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # reboot = false
 # strategy = configure
 # complexity = low

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 {{{ bash_instantiate_variables("var_password_pam_tally2") }}}
 # Use a non-number regexp to force update of the value of the deny option

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/rule.yml

@@ -38,6 +38,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83055-4
     cce@sle15: CCE-85554-4
+    cce@slmicro5: CCE-93775-5
 
 references:
     cis@sle12: 5.3.2

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/tests/missing_pam_tally2.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle,multi_platform_slmicro,Ubuntu 20.04
 
 {{% if product in ["sle12","sle15"] %}}
 {{% set cfg_file = '/etc/pam.d/login' %}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/tests/pam_tally2_big_deny.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle,multi_platform_slmicro,Ubuntu 20.04
 
 {{% if product in ["sle12","sle15"] %}}
 {{% set cfg_file = '/etc/pam.d/login' %}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/tests/pam_tally2_commented.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle,multi_platform_slmicro,Ubuntu 20.04
 
 {{% if product in ["sle12","sle15"] %}}
 {{% set cfg_file = '/etc/pam.d/login' %}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/tests/pam_tally2_configured.pass.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle,multi_platform_slmicro,Ubuntu 20.04
 
 {{% if product in ["sle12","sle15"] %}}
 {{% set cfg_file = '/etc/pam.d/login' %}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/tests/pam_tally2_empty_deny.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle,multi_platform_slmicro,Ubuntu 20.04
 
 {{% if product in ["sle12","sle15"] %}}
 {{% set cfg_file = '/etc/pam.d/login' %}}

linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/tests/pam_tally2_zero_deny.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle,multi_platform_slmicro,Ubuntu 20.04
 
 {{% if product in ["sle12","sle15"] %}}
 {{% set cfg_file = '/etc/pam.d/login' %}}

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_admin/rule.yml

@@ -40,6 +40,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83175-0
     cce@sle15: CCE-85559-3
+    cce@slmicro5: CCE-93781-3
 
 references:
     disa: CCI-001682

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml

@@ -31,6 +31,7 @@ identifiers:
     cce@rhel10: CCE-89470-9
     cce@sle12: CCE-83043-0
     cce@sle15: CCE-85553-6
+    cce@slmicro5: CCE-93782-1
 
 references:
     cis-csc: 1,12,13,14,15,16,18,3,5,7,8

linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml

@@ -15,6 +15,7 @@ identifiers:
     cce@rhel10: CCE-89811-4
     cce@sle12: CCE-83196-6
     cce@sle15: CCE-83277-4
+    cce@slmicro5: CCE-93780-5
 
 references:
     cis@sle12: 6.2.14

linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml

@@ -29,6 +29,7 @@ identifiers:
     cce@rhel10: CCE-90070-4
     cce@sle12: CCE-83038-0
     cce@sle15: CCE-85566-8
+    cce@slmicro5: CCE-93774-8
 
 references:
     cis@sle12: 5.4.1.1

linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml

@@ -9,14 +9,14 @@ description: |-
     <br /><br />
     Since plaintext passwords are a security risk, generate a hash for the password
     by running the following command:
-    {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
+    {{% if product in ["sle12", "sle15", "slmicro5"] or 'ubuntu' in product %}}
     <pre># grub2-mkpasswd-pbkdf2</pre>
     {{% else %}}
     <pre># grub2-setpassword</pre>
     {{% endif %}}
     When prompted, enter the password that was selected.
     <br /><br />
-    {{% if product in ["sle12", "sle15"] or 'ubuntu' in product %}}
+    {{% if product in ["sle12", "sle15", "slmicro5"] or 'ubuntu' in product %}}
     Using the hash from the output, modify the <tt>/etc/grub.d/40_custom</tt>
     file with the following content:
     <pre>set superusers="boot"
@@ -44,6 +44,7 @@ identifiers:
     cce@rhel10: CCE-87614-4
     cce@sle12: CCE-83044-8
     cce@sle15: CCE-83274-1
+    cce@slmicro5: CCE-93778-9
 
 references:
     cis-csc: 1,11,12,14,15,16,18,3,5

linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml

@@ -9,14 +9,14 @@ description: |-
     <br /><br />
     Since plaintext passwords are a security risk, generate a hash for the password
     by running the following command:
-    {{% if product in ["sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+    {{% if product in ["sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
     <pre># grub2-mkpasswd-pbkdf2</pre>
     {{% else %}}
     <pre># grub2-setpassword</pre>
     {{% endif %}}
     When prompted, enter the password that was selected.
     <br /><br />
-    {{% if product in ["sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+    {{% if product in ["sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
     Using the hash from the output, modify the <tt>/etc/grub.d/40_custom</tt>
     file with the following content:
     <pre>set superusers="boot"
@@ -45,6 +45,7 @@ identifiers:
     cce@rhel10: CCE-89236-4
     cce@sle12: CCE-83045-5
     cce@sle15: CCE-83275-8
+    cce@slmicro5: CCE-93779-7
 
 references:
     cis-csc: 11,12,14,15,16,18,3,5

linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml

@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-89301-6
     cce@sle12: CCE-83069-5
     cce@sle15: CCE-83294-9
+    cce@slmicro5: CCE-93784-7
 
 references:
     cis-csc: 1,12,15,16,5

linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml

@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-89211-7
     cce@sle12: CCE-83154-5
     cce@sle15: CCE-85618-7
+    cce@slmicro5: CCE-93787-0
 
 references:
     cis-csc: 1,12,13,14,15,16,2,3,5,6,8

linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml

@@ -19,6 +19,7 @@ severity: high
 identifiers:
     cce@sle12: CCE-83224-6
     cce@sle15: CCE-85763-1
+    cce@slmicro5: CCE-93785-4
 
 references:
     disa: CCI-002450

linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml

@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-87421-4
     cce@sle12: CCE-83229-5
     cce@sle15: CCE-85712-8
+    cce@slmicro5: CCE-93786-2
 
 references:
     disa: CCI-000366

shared/references/cce-slmicro5-avail.txt

@@ -20,20 +20,9 @@ CCE-93764-9
 CCE-93765-6
 CCE-93766-4
 CCE-93767-2
-CCE-93774-8
-CCE-93775-5
 CCE-93776-3
 CCE-93777-1
-CCE-93778-9
-CCE-93779-7
-CCE-93780-5
-CCE-93781-3
-CCE-93782-1
 CCE-93783-9
-CCE-93784-7
-CCE-93785-4
-CCE-93786-2
-CCE-93787-0
 CCE-93789-6
 CCE-93790-4
 CCE-93791-2

shared/templates/kernel_module_disabled/ansible.template

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_slmicro
 # reboot = true
 # strategy = disable
 # complexity = low
@@ -9,7 +9,7 @@
     dest: "/etc/modprobe.d/{{{ KERNMODULE }}}.conf"
     regexp: 'install\s+{{{ KERNMODULE }}}'
     line: "install {{{ KERNMODULE }}} /bin/false"
-{{% if product in ["sle12", "sle15"] or 'ol' in product or 'rhel' in product or 'ubuntu' in product %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] or 'ol' in product or 'rhel' in product or 'ubuntu' in product %}}
 - name: Ensure kernel module '{{{ KERNMODULE }}}' is blacklisted
   lineinfile:
     create: yes

shared/templates/kernel_module_disabled/bash.template

@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_slmicro
 # reboot = true
 # strategy = disable
 # complexity = low
@@ -12,7 +12,7 @@ else
 	echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
 	echo "install {{{ KERNMODULE }}} /bin/false" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
 fi
-{{% if product in ["sle12", "sle15"] or 'ol' in product or 'rhel' in product or 'ubuntu' in product %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] or 'ol' in product or 'rhel' in product or 'ubuntu' in product %}}
 if ! LC_ALL=C grep -q -m 1 "^blacklist {{{ KERNMODULE }}}$" /etc/modprobe.d/{{{ KERNMODULE }}}.conf ; then
 	echo "blacklist {{{ KERNMODULE }}}" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
 fi

shared/templates/kernel_module_disabled/oval.template

@@ -3,7 +3,7 @@
   id="kernel_module_{{{ KERNMODULE }}}_disabled" version="1">
     {{{ oval_metadata("The kernel module " + KERNMODULE + " should be disabled.") }}}
     <criteria operator="OR">
-      {{% if product in ["rhcos4", "sle12", "sle15"] or 'ol' in product or 'rhel' in product or 'ubuntu' in product %}}
+      {{% if product in ["rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in product or 'rhel' in product or 'ubuntu' in product %}}
       <criteria operator="AND">
         <criterion test_ref="test_kernmod_{{{ KERNMODULE }}}_blacklisted"
         comment="kernel module {{{ KERNMODULE }}} blacklisted in modprobe.d" />
@@ -44,7 +44,7 @@
     <value>/usr/lib/modules-load.d</value>
   </constant_variable>
 
-{{% if product in ["rhcos4", "sle12", "sle15"] or 'ol' in product or 'rhel' in product  or 'ubuntu' in product %}}
+{{% if product in ["rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in product or 'rhel' in product  or 'ubuntu' in product %}}
   <ind:textfilecontent54_test id="test_kernmod_{{{ KERNMODULE }}}_blacklisted" version="1" check="all"
   comment="kernel module {{{ KERNMODULE }}} blacklisted">
     <ind:object object_ref="obj_kernmod_{{{ KERNMODULE }}}_blacklisted" />