Merge pull request #12269 from svet-se/update-sle15-stig-version-to-v2r1

Update SLE15 STIG version to V2R1
ComplianceAsCode · Aug 7, 2024 · 33a358e · 33a358e
2 parents 5f6001d + 2d8290c
commit 33a358e
Show file tree

Hide file tree

Showing 12 changed files with 284 additions and 326 deletions.
diff --git a/...-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/...-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
@@ -13,7 +13,7 @@
 {{% set module='pam_unix.so' %}}
 {{% set option='remember' %}}
 {{% set value='{{ var_password_pam_unix_remember }}' %}}
-{{% elif product in [ "sle12", "sle15" ] %}}
+{{% elif "sle12" in product %}}
 {{% set pam_file='/etc/pam.d/common-password' %}}
 {{% else %}}
 {{% set pam_file='/etc/pam.d/system-auth' %}}

diff --git a/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/...unts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
@@ -2,7 +2,7 @@
 
 {{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
 
-{{% if "debian" in product or "ubuntu" in product or product in ["sle12", "sle15" ] %}}
+{{% if "debian" in product or "ubuntu" in product or "sle12" in product %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}

diff --git a/...nts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/...nts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
@@ -1,4 +1,4 @@
-{{% if product in [ "sle12", "sle15" ] or "debian" in product or "ubuntu" in product %}}
+{{% if "sle12" in product or "debian" in product or "ubuntu" in product %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}}
 {{% else %}}
 {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}}

diff --git a/...s/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/...s/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
@@ -38,10 +38,8 @@ references:
     iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
     nist: IA-5(f),IA-5(1)(e)
     nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
-    nist@sle15: IA-5(1)(e),IA-5(1).1(v)
     pcidss: Req-8.2.5
     srg: SRG-OS-000077-GPOS-00045
-    stigid@sle15: SLES-15-020250
     stigid@ubuntu2004: UBTU-20-010070
     stigid@ubuntu2204: UBTU-22-611050
 

diff --git a/..._out_password_attempts/accounts_password_pam_unix_remember/tests/argument_missing.fail.sh b/..._out_password_attempts/accounts_password_pam_unix_remember/tests/argument_missing.fail.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,SUSE Linux Enterprise 12
 
-{{% if product in [ "sle12", "sle15" ] %}}
+{{% if "sle12" in product %}}
 for auth_file in common-password password-auth; do
 {{% else %}}
 for auth_file in system-auth password-auth; do

diff --git a/...ing_out_password_attempts/accounts_password_pam_unix_remember/tests/correct_value.pass.sh b/...ing_out_password_attempts/accounts_password_pam_unix_remember/tests/correct_value.pass.sh
@@ -1,9 +1,9 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,SUSE Linux Enterprise 12
 # variables = var_password_pam_unix_remember=5
 
 remember_cnt=5
-{{% if product in [ "sle12", "sle15" ] %}}
+{{% if "sle12" in product %}}
 for auth_file in common-password password-auth
 {{% else %}}
 for auth_file in system-auth password-auth

diff --git a/...cking_out_password_attempts/accounts_password_pam_unix_remember/tests/wrong_value.fail.sh b/...cking_out_password_attempts/accounts_password_pam_unix_remember/tests/wrong_value.fail.sh
@@ -1,9 +1,9 @@
 #!/bin/bash
-# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle
+# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,SUSE Linux Enterprise 12
 # variables = var_password_pam_unix_remember=5
 
 remember_cnt=3
-{{% if product in [ "sle12", "sle15" ] %}}
+{{% if "sle12" in product %}}
 for auth_file in common-password password-auth
 {{% else %}}
 for auth_file in system-auth password-auth

diff --git a/.../permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml b/.../permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
@@ -25,7 +25,6 @@ references:
     nist@sle12: IA-5(1)(e),IA-5(1).1(v)
     srg: SRG-OS-000077-GPOS-00045
     stigid@sle12: SLES-12-010300
-    stigid@sle15: SLES-15-020240
 
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/security/opasswd", owner="root") }}} and {{{ ocil_clause_file_group_owner(file="/etc/security/opasswd", group="root") }}} and {{{ ocil_clause_file_permissions(file="/etc/security/opasswd", perms="0600") }}}'
 

diff --git a/.../mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml b/.../mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
@@ -27,7 +27,6 @@ references:
     stigid@ol7: OL07-00-020019
     stigid@rhel8: RHEL-08-010001
     stigid@sle12: SLES-12-010599
-    stigid@sle15: SLES-15-010001
 
 ocil_clause: 'virus scanning software is not running'
 

diff --git a/...e_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/...e_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
@@ -36,7 +36,6 @@ references:
     stigid@ol7: OL07-00-020019
     stigid@rhel8: RHEL-08-010001
     stigid@sle12: SLES-12-010599
-    stigid@sle15: SLES-15-010001
     stigid@ubuntu2004: UBTU-20-010415
     stigid@ubuntu2204: UBTU-22-211010
 

diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile
@@ -1,7 +1,7 @@
 documentation_complete: true
 
 metadata:
-    version: V1R13
+    version: V2R1
     SMEs:
         - abergmann
 
@@ -11,7 +11,7 @@ title: 'DISA STIG for SUSE Linux Enterprise 15'
 
 description: |-
     This profile contains configuration checks that align to the
-    DISA STIG for SUSE Linux Enterprise 15 V1R13.
+    DISA STIG for SUSE Linux Enterprise 15 V2R1.
 
 
 selections:
@@ -59,7 +59,6 @@ selections:
     - accounts_passwords_pam_faildelay_delay
     - accounts_passwords_pam_tally2
     - var_password_pam_tally2=3
-    - accounts_password_pam_unix_remember
     - accounts_tmout
     - accounts_umask_etc_login_defs
     - accounts_user_dot_no_world_writable_programs
@@ -193,7 +192,6 @@ selections:
     - encrypt_partitions
     - ensure_gpgcheck_globally_activated
     - ensure_rtc_utc_configuration
-    - file_etc_security_opasswd
     - file_groupownership_home_directories
     - file_groupownership_system_commands_dirs
     - file_ownership_binary_dirs
@@ -230,7 +228,6 @@ selections:
     - package_audit-audispd-plugins_installed
     - package_audit_installed
     - package_mailx_installed
-    - package_mcafeetp_installed
     - package_pam_apparmor_installed
     - package_telnet-server_removed
     - package_firewalld_installed

diff --git a/...es/disa-stig-sle15-v1r13-xccdf-manual.xml → ...ces/disa-stig-sle15-v2r1-xccdf-manual.xml b/...es/disa-stig-sle15-v1r13-xccdf-manual.xml → ...ces/disa-stig-sle15-v2r1-xccdf-manual.xml