diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml index be1d7c5e0f2..a496237ac0f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml @@ -13,7 +13,7 @@ {{% set module='pam_unix.so' %}} {{% set option='remember' %}} {{% set value='{{ var_password_pam_unix_remember }}' %}} -{{% elif product in [ "sle12", "sle15" ] %}} +{{% elif "sle12" in product %}} {{% set pam_file='/etc/pam.d/common-password' %}} {{% else %}} {{% set pam_file='/etc/pam.d/system-auth' %}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh index d012e29c415..fe43d9d396f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh @@ -2,7 +2,7 @@ {{{ bash_instantiate_variables("var_password_pam_unix_remember") }}} -{{% if "debian" in product or "ubuntu" in product or product in ["sle12", "sle15" ] %}} +{{% if "debian" in product or "ubuntu" in product or "sle12" in product %}} {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}} {{% else %}} {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}} 
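Review bot: After this change a `sle15` build takes the `{{% else %}}` branch and gets `pam_file='/etc/pam.d/system-auth'`, whereas the removed condition mapped both SLE releases to `/etc/pam.d/common-password`; the same narrowing is made in `bash/shared.sh` and `oval/shared.xml`. The rule is dropped from the sle15 STIG profile further down, but these templates are shared, so if any other sle15 profile or control file still selects `accounts_password_pam_unix_remember` (not visible here), its check and remediation would target a file the old code never used on SLE, and password-history enforcement could be evaluated or applied against the wrong PAM stack. Keeping the path choice independent of STIG membership avoids that, for example by leaving `{{% elif product in [ "sle12", "sle15" ] %}}` as it was and removing only the references and the profile selection. If the narrowing is intended, `product == "sle12"` states it more exactly than the substring test `"sle12" in product`. The enclosing `if` opens above the hunk and the block closes below it.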
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml index 945e014deb0..c6c41987231 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml @@ -1,4 +1,4 @@ -{{% if product in [ "sle12", "sle15" ] or "debian" in product or "ubuntu" in product %}} +{{% if "sle12" in product or "debian" in product or "ubuntu" in product %}} {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/common-password' -%}} {{% else %}} {{%- set accounts_password_pam_unix_remember_file = '/etc/pam.d/system-auth' -%}} diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml index dccda1d7367..c5201817916 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml @@ -38,10 +38,8 @@ references: iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3 nist: IA-5(f),IA-5(1)(e) nist-csf: PR.AC-1,PR.AC-6,PR.AC-7 - nist@sle15: IA-5(1)(e),IA-5(1).1(v) pcidss: Req-8.2.5 srg: SRG-OS-000077-GPOS-00045 - stigid@sle15: SLES-15-020250 stigid@ubuntu2004: UBTU-20-010070 stigid@ubuntu2204: UBTU-22-611050 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/argument_missing.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/argument_missing.fail.sh index a2b834282ff..85fe609541b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/argument_missing.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/argument_missing.fail.sh @@ -1,7 +1,7 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,SUSE Linux Enterprise 12 -{{% if product in [ "sle12", "sle15" ] %}} +{{% if "sle12" in product %}} for auth_file in common-password password-auth; do {{% else %}} for auth_file in system-auth password-auth; do diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/correct_value.pass.sh index 718e601ba7b..b19e09e67e1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/correct_value.pass.sh 
@@ -1,9 +1,9 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,SUSE Linux Enterprise 12 # variables = var_password_pam_unix_remember=5 remember_cnt=5 -{{% if product in [ "sle12", "sle15" ] %}} +{{% if "sle12" in product %}} for auth_file in common-password password-auth {{% else %}} for auth_file in system-auth password-auth diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/wrong_value.fail.sh index 70facde801c..b50a7081438 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/wrong_value.fail.sh +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/tests/wrong_value.fail.sh @@ -1,9 +1,9 @@ #!/bin/bash -# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_sle +# platform = Oracle Linux 7,Red Hat Virtualization 4,multi_platform_fedora,SUSE Linux Enterprise 12 # variables = var_password_pam_unix_remember=5 remember_cnt=3 -{{% if product in [ "sle12", "sle15" ] %}} +{{% if "sle12" in product %}} for auth_file in common-password password-auth {{% else %}} for auth_file in system-auth password-auth diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml index 57d07cfc2df..8a09a58837d 100644 --- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml 
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml @@ -25,7 +25,6 @@ references: nist@sle12: IA-5(1)(e),IA-5(1).1(v) srg: SRG-OS-000077-GPOS-00045 stigid@sle12: SLES-12-010300 - stigid@sle15: SLES-15-020240 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/security/opasswd", owner="root") }}} and {{{ ocil_clause_file_group_owner(file="/etc/security/opasswd", group="root") }}} and {{{ ocil_clause_file_permissions(file="/etc/security/opasswd", perms="0600") }}}' diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml index 65b5ded0ca1..5b7e3f2d475 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml @@ -27,7 +27,6 @@ references: stigid@ol7: OL07-00-020019 stigid@rhel8: RHEL-08-010001 stigid@sle12: SLES-12-010599 - stigid@sle15: SLES-15-010001 ocil_clause: 'virus scanning software is not running' diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml index 73d3894f425..3ca4b628f12 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml 
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml @@ -36,7 +36,6 @@ references: stigid@ol7: OL07-00-020019 stigid@rhel8: RHEL-08-010001 stigid@sle12: SLES-12-010599 - stigid@sle15: SLES-15-010001 stigid@ubuntu2004: UBTU-20-010415 stigid@ubuntu2204: UBTU-22-211010 diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile index 700a04ab618..68da4c680ae 100644 --- a/products/sle15/profiles/stig.profile +++ b/products/sle15/profiles/stig.profile @@ -1,7 +1,7 @@ documentation_complete: true metadata: - version: V1R13 + version: V2R1 SMEs: - abergmann @@ -11,7 +11,7 @@ title: 'DISA STIG for SUSE Linux Enterprise 15' description: |- This profile contains configuration checks that align to the - DISA STIG for SUSE Linux Enterprise 15 V1R13. + DISA STIG for SUSE Linux Enterprise 15 V2R1. selections: @@ -59,7 +59,6 @@ selections: - accounts_passwords_pam_faildelay_delay - accounts_passwords_pam_tally2 - var_password_pam_tally2=3 - - accounts_password_pam_unix_remember - accounts_tmout - accounts_umask_etc_login_defs - accounts_user_dot_no_world_writable_programs @@ -193,7 +192,6 @@ selections: - encrypt_partitions - ensure_gpgcheck_globally_activated - ensure_rtc_utc_configuration - - file_etc_security_opasswd - file_groupownership_home_directories - file_groupownership_system_commands_dirs - file_ownership_binary_dirs @@ -230,7 +228,6 @@ selections: - package_audit-audispd-plugins_installed - package_audit_installed - package_mailx_installed - - package_mcafeetp_installed - package_pam_apparmor_installed - package_telnet-server_removed - package_firewalld_installed 
diff --git a/shared/references/disa-stig-sle15-v1r13-xccdf-manual.xml b/shared/references/disa-stig-sle15-v2r1-xccdf-manual.xml
similarity index 84%
rename from shared/references/disa-stig-sle15-v1r13-xccdf-manual.xml
rename to shared/references/disa-stig-sle15-v2r1-xccdf-manual.xml
index cff8edd9725..21787df0faf 100644
--- a/shared/references/disa-stig-sle15-v1r13-xccdf-manual.xml
+++ b/shared/references/disa-stig-sle15-v2r1-xccdf-manual.xml
@@ -1,4 +1,4 @@ -acceptedSUSE Linux Enterprise Server 15 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 13 Benchmark Date: 24 Apr 20243.4.1.229161.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-15-010000The SUSE operating system must be a vendor-supported release.<VulnDiscussion>A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 15DISADPMS TargetSUSE Linux Enterprise Server 155274CCI-001230Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. +acceptedSUSE Linux Enterprise Server 15 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 24 Jul 20243.51.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>