diff --git a/components/rsyslog.yml b/components/rsyslog.yml
index ac9ed2be2f2..32163ad5dea 100644
--- a/components/rsyslog.yml
+++ b/components/rsyslog.yml
@@ -40,5 +40,8 @@ rules:
- service_rsyslog_enabled
- service_syslogng_enabled
- service_systemd-journald_enabled
+- service_systemd-journal-upload_enabled
- socket_systemd-journal-remote_disabled
+- systemd_journal_upload_url
+- systemd_journal_upload_server_tls
- timer_logrotate_enabled
diff --git a/components/systemd.yml b/components/systemd.yml
index 51e7f3c46f9..45470a5000a 100644
--- a/components/systemd.yml
+++ b/components/systemd.yml
@@ -30,8 +30,11 @@ rules:
- service_debug-shell_disabled
- service_systemd-coredump_disabled
- service_systemd-journald_enabled
+- service_systemd-journal-upload_enabled
- service_timesyncd_configured
- service_timesyncd_root_distance_configured
- service_timesyncd_enabled
- socket_systemd-journal-remote_disabled
- systemd_tmp_mount_enabled
+- systemd_journal_upload_server_tls
+- systemd_journal_upload_url
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 3492a947d12..4b02a96c192 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -17,14 +17,14 @@ controls:
rules:
- installed_OS_is_vendor_supported
status: automated
-
+
- id: SLEM-05-211015
levels:
- medium
title: SLEM 5 must implement an endpoint security tool.
rules: []
status: pending
-
+
- id: SLEM-05-211020
levels:
- medium
@@ -35,15 +35,15 @@ controls:
- banner_etc_issue
- login_banner_text=dod_banners
status: automated
-
+
- id: SLEM-05-211025
levels:
- high
title: SLEM 5 must disable the x86 Ctrl-Alt-Delete key sequence.
- rules:
+ rules:
- disable_ctrlaltdel_reboot
status: automated
-
+
- id: SLEM-05-212010
levels:
- high
@@ -53,7 +53,7 @@ controls:
rules:
- grub2_password
status: automated
-
+
- id: SLEM-05-212015
levels:
- high
@@ -63,7 +63,7 @@ controls:
rules:
- grub2_uefi_password
status: automated
-
+
- id: SLEM-05-213010
levels:
- medium
@@ -71,15 +71,15 @@ controls:
rules:
- sysctl_kernel_dmesg_restrict
status: automated
-
+
- id: SLEM-05-213015
levels:
- medium
title: SLEM 5 kernel core dumps must be disabled unless needed.
- rules:
+ rules:
- service_kdump_disabled
status: automated
-
+
- id: SLEM-05-213020
levels:
- medium
@@ -89,7 +89,7 @@ controls:
rules:
- sysctl_kernel_randomize_va_space
status: automated
-
+
- id: SLEM-05-213025
levels:
- medium
@@ -99,7 +99,7 @@ controls:
rules:
- sysctl_kernel_kptr_restrict
status: automated
-
+
- id: SLEM-05-214010
levels:
- medium
@@ -109,7 +109,7 @@ controls:
rules:
- security_patches_up_to_date
status: automated
-
+
- id: SLEM-05-214015
levels:
- high
@@ -117,7 +117,7 @@ controls:
rules:
- ensure_gpgcheck_globally_activated
status: automated
-
+
- id: SLEM-05-214020
levels:
- medium
@@ -127,7 +127,7 @@ controls:
rules:
- clean_components_post_updating
status: automated
-
+
- id: SLEM-05-215010
levels:
- medium
@@ -135,7 +135,7 @@ controls:
rules:
- vlock_installed
status: automated
-
+
- id: SLEM-05-215015
levels:
- high
@@ -143,7 +143,7 @@ controls:
rules:
- package_telnet-server_removed
status: automated
-
+
- id: SLEM-05-231010
levels:
- medium
@@ -153,7 +153,7 @@ controls:
rules:
- partition_for_home
status: automated
-
+
- id: SLEM-05-231015
levels:
- medium
@@ -161,7 +161,7 @@ controls:
rules:
- partition_for_var
status: automated
-
+
- id: SLEM-05-231020
levels:
- medium
@@ -169,7 +169,7 @@ controls:
rules:
- partition_for_var_log_audit
status: automated
-
+
- id: SLEM-05-231025
levels:
- medium
@@ -180,7 +180,7 @@ controls:
rules:
- mount_option_nosuid_remote_filesystems
status: automated
-
+
- id: SLEM-05-231030
levels:
- medium
@@ -190,7 +190,7 @@ controls:
rules:
- mount_option_noexec_remote_filesystems
status: automated
-
+
- id: SLEM-05-231035
levels:
- medium
@@ -200,7 +200,7 @@ controls:
rules:
- mount_option_nosuid_removable_partitions
status: automated
-
+
- id: SLEM-05-231040
levels:
- high
@@ -208,10 +208,10 @@ controls:
All SLEM 5 persistent disk partitions must implement cryptographic mechanisms
to prevent unauthorized disclosure or modification of all information that requires
at-rest protection.
- rules:
+ rules:
- encrypt_partitions
status: automated
-
+
- id: SLEM-05-231045
levels:
- medium
@@ -221,15 +221,15 @@ controls:
rules:
- mount_option_home_nosuid
status: automated
-
+
- id: SLEM-05-231050
levels:
- medium
title: SLEM 5 must disable the file system automounter unless required.
- rules:
+ rules:
- service_autofs_disabled
status: automated
-
+
- id: SLEM-05-232010
levels:
- medium
@@ -239,7 +239,7 @@ controls:
rules:
- dir_permissions_binary_dirs
status: automated
-
+
- id: SLEM-05-232015
levels:
- medium
@@ -247,7 +247,7 @@ controls:
rules:
- file_permissions_binary_dirs
status: automated
-
+
- id: SLEM-05-232020
levels:
- medium
@@ -255,7 +255,7 @@ controls:
rules:
- dir_permissions_library_dirs
status: automated
-
+
- id: SLEM-05-232025
levels:
- medium
@@ -263,25 +263,25 @@ controls:
rules:
- file_permissions_library_dirs
status: automated
-
+
- id: SLEM-05-232030
levels:
- medium
title:
All SLEM 5 local interactive user home directories must have mode 750 or
less permissive.
- rules:
+ rules:
- file_permissions_home_directories
status: automated
-
+
- id: SLEM-05-232035
levels:
- medium
title: All SLEM 5 local initialization files must have mode 740 or less permissive.
- rules:
+ rules:
- file_permission_user_init_files
status: automated
-
+
- id: SLEM-05-232040
levels:
- medium
@@ -289,7 +289,7 @@ controls:
rules:
- file_permissions_sshd_pub_key
status: automated
-
+
- id: SLEM-05-232045
levels:
- medium
@@ -297,7 +297,7 @@ controls:
rules:
- file_permissions_sshd_private_key
status: automated
-
+
- id: SLEM-05-232050
levels:
- medium
@@ -305,7 +305,7 @@ controls:
rules:
- file_ownership_library_dirs
status: automated
-
+
- id: SLEM-05-232055
levels:
- medium
@@ -313,7 +313,7 @@ controls:
rules:
- root_permissions_syslibrary_files
status: automated
-
+
- id: SLEM-05-232060
levels:
- medium
@@ -321,7 +321,7 @@ controls:
rules:
- dir_ownership_library_dirs
status: automated
-
+
- id: SLEM-05-232065
levels:
- medium
@@ -329,7 +329,7 @@ controls:
rules:
- dir_group_ownership_library_dirs
status: automated
-
+
- id: SLEM-05-232070
levels:
- medium
@@ -337,7 +337,7 @@ controls:
rules:
- file_ownership_binary_dirs
status: automated
-
+
- id: SLEM-05-232075
levels:
- medium
@@ -345,7 +345,7 @@ controls:
rules:
- file_groupownership_system_commands_dirs
status: automated
-
+
- id: SLEM-05-232080
levels:
- medium
@@ -353,7 +353,7 @@ controls:
rules:
- dir_system_commands_root_owned
status: automated
-
+
- id: SLEM-05-232085
levels:
- medium
@@ -363,7 +363,7 @@ controls:
rules:
- dir_system_commands_group_root_owned
status: automated
-
+
- id: SLEM-05-232090
levels:
- medium
@@ -371,7 +371,7 @@ controls:
rules:
- no_files_unowned_by_user
status: automated
-
+
- id: SLEM-05-232095
levels:
- medium
@@ -379,17 +379,17 @@ controls:
rules:
- file_permissions_ungroupowned
status: automated
-
+
- id: SLEM-05-232100
levels:
- medium
title:
All SLEM 5 local interactive user home directories must be group-owned by
the home directory owner's primary group.
- rules:
+ rules:
- file_groupownership_home_directories
status: automated
-
+
- id: SLEM-05-232105
levels:
- medium
@@ -399,7 +399,7 @@ controls:
rules:
- dir_perms_world_writable_system_owned_group
status: automated
-
+
- id: SLEM-05-232110
levels:
- medium
@@ -407,7 +407,7 @@ controls:
rules:
- dir_perms_world_writable_sticky_bits
status: automated
-
+
- id: SLEM-05-232115
levels:
- medium
@@ -415,7 +415,7 @@ controls:
rules:
- file_permissions_local_var_log_messages
status: automated
-
+
- id: SLEM-05-232120
levels:
- medium
@@ -425,7 +425,7 @@ controls:
rules:
- permissions_local_var_log
status: automated
-
+
- id: SLEM-05-251010
levels:
- medium
@@ -433,10 +433,10 @@ controls:
SLEM 5 must be configured to prohibit or restrict the use of functions, ports,
protocols, and/or services as defined in the Ports, Protocols, and Services Management
(PPSM) Category Assignments List (CAL) and vulnerability assessments.
- rules:
+ rules:
- service_firewalld_enabled
status: automated
-
+
- id: SLEM-05-252010
levels:
- medium
@@ -449,7 +449,8 @@ controls:
- var_multiple_time_servers=stig
- var_time_service_set_maxpoll=18_hours
status: automated
-
+
+
- id: SLEM-05-252015
levels:
- medium
@@ -459,7 +460,7 @@ controls:
rules:
- network_sniffer_disabled
status: automated
-
+
- id: SLEM-05-253010
levels:
- medium
@@ -469,7 +470,7 @@ controls:
rules:
- sysctl_net_ipv4_conf_all_accept_source_route
status: automated
-
+
- id: SLEM-05-253015
levels:
- medium
@@ -479,7 +480,7 @@ controls:
rules:
- sysctl_net_ipv4_conf_default_accept_source_route
status: automated
-
+
- id: SLEM-05-253020
levels:
- medium
@@ -489,7 +490,7 @@ controls:
rules:
- sysctl_net_ipv4_conf_all_accept_redirects
status: automated
-
+
- id: SLEM-05-253025
levels:
- medium
@@ -499,7 +500,7 @@ controls:
rules:
- sysctl_net_ipv4_conf_default_accept_redirects
status: automated
-
+
- id: SLEM-05-253030
levels:
- medium
@@ -509,7 +510,7 @@ controls:
rules:
- sysctl_net_ipv4_conf_all_send_redirects
status: automated
-
+
- id: SLEM-05-253035
levels:
- medium
@@ -519,7 +520,7 @@ controls:
rules:
- sysctl_net_ipv4_conf_default_send_redirects
status: automated
-
+
- id: SLEM-05-253040
levels:
- medium
@@ -529,7 +530,7 @@ controls:
rules:
- sysctl_net_ipv4_ip_forward
status: automated
-
+
- id: SLEM-05-253045
levels:
- medium
@@ -537,7 +538,7 @@ controls:
rules:
- sysctl_net_ipv4_tcp_syncookies
status: automated
-
+
- id: SLEM-05-254010
levels:
- medium
@@ -547,7 +548,7 @@ controls:
rules:
- sysctl_net_ipv6_conf_all_accept_source_route
status: automated
-
+
- id: SLEM-05-254015
levels:
- medium
@@ -557,7 +558,7 @@ controls:
rules:
- sysctl_net_ipv6_conf_default_accept_source_route
status: automated
-
+
- id: SLEM-05-254020
levels:
- medium
@@ -567,7 +568,7 @@ controls:
rules:
- sysctl_net_ipv6_conf_all_accept_redirects
status: automated
-
+
- id: SLEM-05-254025
levels:
- medium
@@ -577,7 +578,7 @@ controls:
rules:
- sysctl_net_ipv6_conf_default_accept_redirects
status: automated
-
+
- id: SLEM-05-254030
levels:
- medium
@@ -587,7 +588,7 @@ controls:
rules:
- sysctl_net_ipv6_conf_all_forwarding
status: automated
-
+
- id: SLEM-05-254035
levels:
- medium
@@ -597,27 +598,27 @@ controls:
rules:
- sysctl_net_ipv6_conf_default_forwarding
status: automated
-
+
- id: SLEM-05-255010
levels:
- high
title:
SLEM 5 must have SSH installed to protect the confidentiality and integrity
of transmitted information.
- rules:
+ rules:
- package_openssh-server_installed
status: automated
-
+
- id: SLEM-05-255015
levels:
- high
title:
SLEM 5 must use SSH to protect the confidentiality and integrity of transmitted
information.
- rules:
+ rules:
- service_sshd_enabled
status: automated
-
+
- id: SLEM-05-255020
levels:
- medium
@@ -627,7 +628,7 @@ controls:
rules:
- sshd_enable_warning_banner
status: automated
-
+
- id: SLEM-05-255025
levels:
- high
@@ -636,7 +637,7 @@ controls:
- sshd_disable_empty_passwords
- sshd_do_not_permit_user_env
status: automated
-
+
- id: SLEM-05-255030
levels:
- medium
@@ -647,7 +648,7 @@ controls:
- sshd_set_keepalive
- var_sshd_set_keepalive=1
status: automated
-
+
- id: SLEM-05-255035
levels:
- medium
@@ -658,7 +659,7 @@ controls:
- sshd_set_idle_timeout
- sshd_idle_timeout_value=10_minutes
status: automated
-
+
- id: SLEM-05-255040
levels:
- medium
@@ -668,7 +669,7 @@ controls:
rules:
- sshd_disable_x11_forwarding
status: automated
-
+
- id: SLEM-05-255045
levels:
- high
@@ -679,7 +680,7 @@ controls:
- sshd_use_approved_ciphers_ordered_stig
- sshd_use_approved_ciphers
status: automated
-
+
- id: SLEM-05-255050
levels:
- high
@@ -690,7 +691,7 @@ controls:
- sshd_use_approved_macs_ordered_stig
- sshd_use_approved_macs
status: automated
-
+
- id: SLEM-05-255055
levels:
- high
@@ -700,7 +701,7 @@ controls:
rules:
- sshd_use_approved_kex_ordered_stig
status: automated
-
+
- id: SLEM-05-255060
levels:
- medium
@@ -710,7 +711,7 @@ controls:
rules:
- sshd_disable_root_login
status: automated
-
+
- id: SLEM-05-255065
levels:
- medium
@@ -718,7 +719,7 @@ controls:
rules:
- sshd_set_loglevel_verbose
status: automated
-
+
- id: SLEM-05-255070
levels:
- medium
@@ -728,7 +729,7 @@ controls:
rules:
- sshd_print_last_log
status: automated
-
+
- id: SLEM-05-255075
levels:
- medium
@@ -738,7 +739,7 @@ controls:
rules:
- sshd_disable_user_known_hosts
status: automated
-
+
- id: SLEM-05-255080
levels:
- medium
@@ -748,7 +749,7 @@ controls:
rules:
- sshd_enable_strictmodes
status: automated
-
+
- id: SLEM-05-255085
levels:
- medium
@@ -763,18 +764,18 @@ controls:
levels:
- high
title: There must be no .shosts files on SLEM 5.
- rules:
+ rules:
- no_user_host_based_files
status: automated
-
+
- id: SLEM-05-255095
levels:
- high
title: There must be no shosts.equiv files on SLEM 5.
- rules:
- - no_host_based_files
+ rules:
+ - no_host_based_files
status: automated
-
+
- id: SLEM-05-272010
levels:
- high
@@ -784,7 +785,7 @@ controls:
rules:
- gnome_gdm_disable_unattended_automatic_login
status: automated
-
+
- id: SLEM-05-291010
levels:
- medium
@@ -792,7 +793,7 @@ controls:
rules:
- wireless_disable_interfaces
status: automated
-
+
- id: SLEM-05-291015
levels:
- medium
@@ -800,17 +801,17 @@ controls:
rules:
- kernel_module_usb-storage_disabled
status: automated
-
+
- id: SLEM-05-411010
levels:
- medium
title:
All SLEM 5 local interactive user accounts, upon creation, must be assigned
a home directory.
- rules:
+ rules:
- accounts_have_homedir_login_defs
status: automated
-
+
- id: SLEM-05-411015
levels:
- medium
@@ -820,7 +821,7 @@ controls:
rules:
- accounts_umask_etc_login_defs
status: automated
-
+
- id: SLEM-05-411020
levels:
- medium
@@ -831,27 +832,27 @@ controls:
- accounts_logon_fail_delay
- var_accounts_fail_delay=5
status: automated
-
+
- id: SLEM-05-411025
levels:
- medium
title:
All SLEM 5 local interactive users must have a home directory assigned in
the /etc/passwd file.
- rules:
+ rules:
- accounts_user_interactive_home_directory_defined
status: automated
-
+
- id: SLEM-05-411030
levels:
- medium
title:
All SLEM 5 local interactive user home directories defined in the /etc/passwd
file must exist.
- rules:
+ rules:
- accounts_user_interactive_home_directory_exists
status: automated
-
+
- id: SLEM-05-411035
levels:
- medium
@@ -861,7 +862,7 @@ controls:
rules:
- accounts_user_home_paths_only
status: automated
-
+
- id: SLEM-05-411040
levels:
- medium
@@ -869,7 +870,7 @@ controls:
rules:
- accounts_user_dot_no_world_writable_programs
status: automated
-
+
- id: SLEM-05-411045
levels:
- medium
@@ -877,7 +878,7 @@ controls:
rules:
- account_temp_expire_date
status: automated
-
+
- id: SLEM-05-411050
levels:
- medium
@@ -887,7 +888,7 @@ controls:
rules:
- account_emergency_admin
status: automated
-
+
- id: SLEM-05-411055
levels:
- medium
@@ -896,7 +897,7 @@ controls:
- accounts_authorized_local_users
- var_accounts_authorized_local_users_regex=slmicro5
status: automated
-
+
- id: SLEM-05-411060
levels:
- medium
@@ -904,7 +905,7 @@ controls:
rules:
- no_shelllogin_for_systemaccounts
status: automated
-
+
- id: SLEM-05-411065
levels:
- high
@@ -914,7 +915,7 @@ controls:
rules:
- accounts_no_uid_except_zero
status: automated
-
+
- id: SLEM-05-411070
levels:
- medium
@@ -924,7 +925,7 @@ controls:
rules:
- account_disable_post_pw_expiration
status: automated
-
+
- id: SLEM-05-411075
levels:
- medium
@@ -932,7 +933,7 @@ controls:
rules:
- account_unique_id
status: automated
-
+
- id: SLEM-05-412010
levels:
- medium
@@ -942,14 +943,14 @@ controls:
rules:
- display_login_attempts
status: automated
-
+
- id: SLEM-05-412015
levels:
- medium
title: SLEM 5 must initiate a session lock after a 15-minute period of inactivity.
rules: []
status: pending
-
+
- id: SLEM-05-412020
levels:
- medium
@@ -958,7 +959,7 @@ controls:
- accounts_passwords_pam_tally2
- var_password_pam_tally2=3
status: automated
-
+
- id: SLEM-05-412025
levels:
- medium
@@ -969,16 +970,16 @@ controls:
- accounts_passwords_pam_faildelay_delay
- var_password_pam_delay=4000000
status: automated
-
+
- id: SLEM-05-412030
levels:
- medium
title: SLEM 5 must use the default pam_tally2 tally directory.
- rules:
+ rules:
- accounts_passwords_pam_tally2_file
- accounts_passwords_pam_tally2_file_selinux
status: automated
-
+
- id: SLEM-05-412035
levels:
- low
@@ -989,7 +990,7 @@ controls:
- accounts_max_concurrent_login_sessions
- var_accounts_max_concurrent_login_sessions=10
status: automated
-
+
- id: SLEM-05-431010
levels:
- low
@@ -997,7 +998,7 @@ controls:
rules:
- package_policycoreutils_installed
status: automated
-
+
- id: SLEM-05-431015
levels:
- high
@@ -1008,7 +1009,7 @@ controls:
- selinux_state
- var_selinux_state=enforcing
status: automated
-
+
- id: SLEM-05-431020
levels:
- medium
@@ -1017,7 +1018,7 @@ controls:
- selinux_policytype
- var_selinux_policy_name=targeted
status: automated
-
+
- id: SLEM-05-431025
levels:
- medium
@@ -1037,7 +1038,7 @@ controls:
rules:
- sudoers_validate_passwd
status: automated
-
+
- id: SLEM-05-432015
levels:
- medium
@@ -1049,7 +1050,7 @@ controls:
- sudo_remove_nopasswd
- sudo_remove_no_authenticate
status: automated
-
+
- id: SLEM-05-432020
levels:
- medium
@@ -1057,7 +1058,7 @@ controls:
rules:
- sudo_require_reauthentication
status: automated
-
+
- id: SLEM-05-432025
levels:
- medium
@@ -1065,7 +1066,7 @@ controls:
rules:
- sudo_restrict_privilege_elevation_to_authorized
status: automated
-
+
- id: SLEM-05-432030
levels:
- medium
@@ -1075,39 +1076,39 @@ controls:
rules:
- sudoers_default_includedir
status: automated
-
+
- id: SLEM-05-611010
levels:
- medium
title: SLEM 5 must enforce passwords that contain at least one uppercase character.
- rules:
+ rules:
- cracklib_accounts_password_pam_ucredit
status: automated
-
+
- id: SLEM-05-611015
levels:
- medium
title: SLEM 5 must enforce passwords that contain at least one lowercase character.
- rules:
+ rules:
- cracklib_accounts_password_pam_lcredit
status: automated
-
+
- id: SLEM-05-611020
levels:
- medium
title: SLEM 5 must enforce passwords that contain at least one numeric character.
- rules:
+ rules:
- cracklib_accounts_password_pam_dcredit
status: automated
-
+
- id: SLEM-05-611025
levels:
- medium
title: SLEM 5 must enforce passwords that contain at least one special character.
- rules:
+ rules:
- cracklib_accounts_password_pam_ocredit
status: automated
-
+
- id: SLEM-05-611030
levels:
- medium
@@ -1116,25 +1117,25 @@ controls:
- cracklib_accounts_password_pam_retry
- var_password_pam_retry=3
status: automated
-
+
- id: SLEM-05-611035
levels:
- medium
title: SLEM 5 must employ passwords with a minimum of 15 characters.
- rules:
+ rules:
- cracklib_accounts_password_pam_minlen
status: automated
-
+
- id: SLEM-05-611040
levels:
- medium
title:
SLEM 5 must require the change of at least eight of the total number of characters
when passwords are changed.
- rules:
+ rules:
- cracklib_accounts_password_pam_difok
status: automated
-
+
- id: SLEM-05-611045
levels:
- medium
@@ -1154,7 +1155,7 @@ controls:
rules:
- set_password_hashing_algorithm_systemauth
status: automated
-
+
- id: SLEM-05-611055
levels:
- high
@@ -1162,15 +1163,15 @@ controls:
rules:
- no_empty_passwords
status: automated
-
+
- id: SLEM-05-611060
levels:
- high
title: SLEM 5 must not have accounts configured with blank or null passwords.
- rules:
+ rules:
- no_empty_passwords_etc_shadow
status: automated
-
+
- id: SLEM-05-611065
levels:
- medium
@@ -1181,7 +1182,7 @@ controls:
- accounts_password_set_min_life_existing
- var_accounts_minimum_age_login_defs=1
status: automated
-
+
- id: SLEM-05-611070
levels:
- medium
@@ -1190,7 +1191,7 @@ controls:
- accounts_password_set_max_life_existing
- var_accounts_maximum_age_login_defs=60
status: automated
-
+
- id: SLEM-05-611075
levels:
- medium
@@ -1198,7 +1199,7 @@ controls:
rules:
- file_etc_security_opasswd
status: automated
-
+
- id: SLEM-05-611080
levels:
- high
@@ -1208,7 +1209,7 @@ controls:
rules:
- accounts_password_all_shadowed_sha512
status: automated
-
+
- id: SLEM-05-611085
levels:
- high
@@ -1218,7 +1219,7 @@ controls:
rules:
- set_password_hashing_min_rounds_logindefs
status: automated
-
+
- id: SLEM-05-611090
levels:
- medium
@@ -1229,7 +1230,7 @@ controls:
- set_password_hashing_algorithm_logindefs
- var_password_hashing_algorithm=SHA512
status: automated
-
+
- id: SLEM-05-611095
levels:
- medium
@@ -1239,7 +1240,7 @@ controls:
rules:
- accounts_minimum_age_login_defs
status: automated
-
+
- id: SLEM-05-611100
levels:
- medium
@@ -1249,7 +1250,7 @@ controls:
rules:
- accounts_maximum_age_login_defs
status: automated
-
+
- id: SLEM-05-612010
levels:
- medium
@@ -1259,7 +1260,7 @@ controls:
rules:
- install_smartcard_packages
status: automated
-
+
- id: SLEM-05-612015
levels:
- medium
@@ -1269,7 +1270,7 @@ controls:
rules:
- smartcard_pam_enabled
status: automated
-
+
- id: SLEM-05-612020
levels:
- medium
@@ -1277,7 +1278,7 @@ controls:
rules:
- smartcard_configure_cert_checking
status: automated
-
+
- id: SLEM-05-631010
levels:
- medium
@@ -1288,7 +1289,7 @@ controls:
- sssd_memcache_timeout
- var_sssd_memcache_timeout=1_day
status: automated
-
+
- id: SLEM-05-631015
levels:
- medium
@@ -1298,7 +1299,7 @@ controls:
rules:
- sssd_offline_cred_expiration
status: automated
-
+
- id: SLEM-05-631020
levels:
- medium
@@ -1309,7 +1310,7 @@ controls:
rules:
- smartcard_configure_ca
status: automated
-
+
- id: SLEM-05-631025
levels:
- medium
@@ -1319,7 +1320,7 @@ controls:
rules:
- pam_disable_automatic_configuration
status: automated
-
+
- id: SLEM-05-651010
levels:
- medium
@@ -1330,25 +1331,25 @@ controls:
- package_aide_installed
- aide_build_database
status: automated
-
+
- id: SLEM-05-651015
levels:
- medium
title:
SLEM 5 file integrity tool must be configured to verify Access Control Lists
(ACLs).
- rules:
+ rules:
- aide_verify_acls
status: automated
-
+
- id: SLEM-05-651020
levels:
- medium
title: SLEM 5 file integrity tool must be configured to verify extended attributes.
- rules:
+ rules:
- aide_verify_ext_attributes
status: automated
-
+
- id: SLEM-05-651025
levels:
- medium
@@ -1358,7 +1359,7 @@ controls:
rules:
- aide_check_audit_tools
status: automated
-
+
- id: SLEM-05-651030
levels:
- medium
@@ -1368,7 +1369,7 @@ controls:
rules:
- aide_periodic_checking_systemd_timer
status: automated
-
+
- id: SLEM-05-651035
levels:
- medium
@@ -1379,16 +1380,20 @@ controls:
rules:
- aide_scan_notification
status: automated
-
+
- id: SLEM-05-652010
levels:
- medium
title:
SLEM 5 must offload rsyslog messages for networked systems in real time and
offload standalone systems at least weekly.
- rules: []
- status: pending
-
+ rules:
+ - package_systemd-journal-remote_installed
+ - service_systemd-journal-upload_enabled
+ - systemd_journal_upload_url
+ - systemd_journal_upload_server_tls
+ status: manual # do not assume anything set external variables before use
+
- id: SLEM-05-653010
levels:
- medium
@@ -1396,17 +1401,17 @@ controls:
rules:
- package_audit_installed
status: automated
-
+
- id: SLEM-05-653015
levels:
- medium
title:
SLEM 5 audit records must contain information to establish what type of events
occurred, the source of events, where events occurred, and the outcome of events.
- rules:
+ rules:
- service_auditd_enabled
status: automated
-
+
- id: SLEM-05-653020
levels:
- medium
@@ -1414,7 +1419,7 @@ controls:
rules:
- package_audit-audispd-plugins_installed
status: automated
-
+
- id: SLEM-05-653025
levels:
- medium
@@ -1425,7 +1430,7 @@ controls:
rules:
- auditd_audispd_configure_sufficiently_large_partition
status: automated
-
+
- id: SLEM-05-653030
levels:
- medium
@@ -1439,7 +1444,7 @@ controls:
- auditd_data_retention_space_left_action
- var_auditd_space_left_action=email
status: automated
-
+
- id: SLEM-05-653035
levels:
- medium
@@ -1449,33 +1454,33 @@ controls:
rules:
- auditd_data_disk_full_action
status: automated
-
+
- id: SLEM-05-653040
levels:
- medium
title:
SLEM 5 must offload audit records onto a different system or media from the
system being audited.
- rules:
+ rules:
- auditd_audispd_network_failure_action
status: automated
-
+
- id: SLEM-05-653045
levels:
- medium
title: Audispd must take appropriate action when SLEM 5 audit storage is full.
- rules:
+ rules:
- auditd_audispd_disk_full_action
status: automated
-
+
- id: SLEM-05-653050
levels:
- medium
title: SLEM 5 must protect audit rules from unauthorized modification.
- rules:
+ rules:
- permissions_local_var_log_audit
status: automated
-
+
- id: SLEM-05-653055
levels:
- medium
@@ -1485,7 +1490,7 @@ controls:
rules:
- permissions_local_audit_binaries
status: automated
-
+
- id: SLEM-05-653060
levels:
- medium
@@ -1494,7 +1499,7 @@ controls:
unauthorized access.
rules: []
status: pending
-
+
- id: SLEM-05-653065
levels:
- low
@@ -1502,7 +1507,7 @@ controls:
rules:
- auditd_audispd_encrypt_sent_records
status: automated
-
+
- id: SLEM-05-653070
levels:
- medium
@@ -1512,7 +1517,7 @@ controls:
rules:
- auditd_audispd_configure_remote_server
status: automated
-
+
- id: SLEM-05-653075
levels:
- medium
@@ -1523,7 +1528,7 @@ controls:
rules:
- postfix_client_configure_mail_alias
status: automated
-
+
- id: SLEM-05-653080
levels:
- medium
@@ -1533,7 +1538,7 @@ controls:
rules:
- auditd_data_retention_action_mail_acct
status: automated
-
+
- id: SLEM-05-654010
levels:
- medium
@@ -1541,7 +1546,7 @@ controls:
rules:
- audit_rules_execution_chacl
status: automated
-
+
- id: SLEM-05-654015
levels:
- medium
@@ -1549,7 +1554,7 @@ controls:
rules:
- audit_rules_privileged_commands_chage
status: automated
-
+
- id: SLEM-05-654020
levels:
- medium
@@ -1557,7 +1562,7 @@ controls:
rules:
- audit_rules_execution_chcon
status: automated
-
+
- id: SLEM-05-654025
levels:
- medium
@@ -1565,7 +1570,7 @@ controls:
rules:
- audit_rules_privileged_commands_chfn
status: automated
-
+
- id: SLEM-05-654030
levels:
- medium
@@ -1573,7 +1578,7 @@ controls:
rules:
- audit_rules_execution_chmod
status: automated
-
+
- id: SLEM-05-654035
levels:
- medium
@@ -1581,7 +1586,7 @@ controls:
rules:
- audit_rules_privileged_commands_chsh
status: automated
-
+
- id: SLEM-05-654040
levels:
- medium
@@ -1589,7 +1594,7 @@ controls:
rules:
- audit_rules_privileged_commands_crontab
status: automated
-
+
- id: SLEM-05-654045
levels:
- medium
@@ -1597,7 +1602,7 @@ controls:
rules:
- audit_rules_privileged_commands_gpasswd
status: automated
-
+
- id: SLEM-05-654050
levels:
- medium
@@ -1605,7 +1610,7 @@ controls:
rules:
- audit_rules_privileged_commands_insmod
status: automated
-
+
- id: SLEM-05-654055
levels:
- medium
@@ -1613,7 +1618,7 @@ controls:
rules:
- audit_rules_privileged_commands_kmod
status: automated
-
+
- id: SLEM-05-654060
levels:
- medium
@@ -1621,7 +1626,7 @@ controls:
rules:
- audit_rules_privileged_commands_modprobe
status: automated
-
+
- id: SLEM-05-654065
levels:
- medium
@@ -1629,7 +1634,7 @@ controls:
rules:
- audit_rules_privileged_commands_newgrp
status: automated
-
+
- id: SLEM-05-654070
levels:
- medium
@@ -1639,7 +1644,7 @@ controls:
rules:
- audit_rules_privileged_commands_pam_timestamp_check
status: automated
-
+
- id: SLEM-05-654075
levels:
- medium
@@ -1647,7 +1652,7 @@ controls:
rules:
- audit_rules_privileged_commands_passwd
status: automated
-
+
- id: SLEM-05-654080
levels:
- medium
@@ -1655,7 +1660,7 @@ controls:
rules:
- audit_rules_execution_rm
status: automated
-
+
- id: SLEM-05-654085
levels:
- medium
@@ -1663,7 +1668,7 @@ controls:
rules:
- audit_rules_privileged_commands_rmmod
status: automated
-
+
- id: SLEM-05-654090
levels:
- medium
@@ -1671,7 +1676,7 @@ controls:
rules:
- audit_rules_execution_setfacl
status: automated
-
+
- id: SLEM-05-654095
levels:
- medium
@@ -1679,7 +1684,7 @@ controls:
rules:
- audit_rules_privileged_commands_ssh_agent
status: automated
-
+
- id: SLEM-05-654100
levels:
- medium
@@ -1687,7 +1692,7 @@ controls:
rules:
- audit_rules_privileged_commands_ssh_keysign
status: automated
-
+
- id: SLEM-05-654105
levels:
- medium
@@ -1695,7 +1700,7 @@ controls:
rules:
- audit_rules_privileged_commands_su
status: automated
-
+
- id: SLEM-05-654110
levels:
- medium
@@ -1703,7 +1708,7 @@ controls:
rules:
- audit_rules_privileged_commands_sudo
status: automated
-
+
- id: SLEM-05-654115
levels:
- medium
@@ -1711,7 +1716,7 @@ controls:
rules:
- audit_rules_privileged_commands_sudoedit
status: automated
-
+
- id: SLEM-05-654120
levels:
- medium
@@ -1721,7 +1726,7 @@ controls:
rules:
- audit_rules_privileged_commands_unix_chkpwd
status: automated
-
+
- id: SLEM-05-654125
levels:
- medium
@@ -1729,7 +1734,7 @@ controls:
rules:
- audit_rules_privileged_commands_usermod
status: automated
-
+
- id: SLEM-05-654130
levels:
- medium
@@ -1739,7 +1744,7 @@ controls:
rules:
- audit_rules_usergroup_modification_group
status: automated
-
+
- id: SLEM-05-654135
levels:
- medium
@@ -1749,7 +1754,7 @@ controls:
rules:
- audit_rules_usergroup_modification_opasswd
status: automated
-
+
- id: SLEM-05-654140
levels:
- medium
@@ -1759,7 +1764,7 @@ controls:
rules:
- audit_rules_usergroup_modification_passwd
status: automated
-
+
- id: SLEM-05-654145
levels:
- medium
@@ -1769,7 +1774,7 @@ controls:
rules:
- audit_rules_usergroup_modification_shadow
status: automated
-
+
- id: SLEM-05-654150
levels:
- medium
@@ -1779,7 +1784,7 @@ controls:
rules:
- audit_rules_dac_modification_fchmod
status: automated
-
+
- id: SLEM-05-654155
levels:
- medium
@@ -1789,7 +1794,7 @@ controls:
rules:
- audit_rules_dac_modification_lchown
status: automated
-
+
- id: SLEM-05-654160
levels:
- medium
@@ -1799,7 +1804,7 @@ controls:
rules:
- audit_rules_unsuccessful_file_modification_open
status: automated
-
+
- id: SLEM-05-654165
levels:
- medium
@@ -1809,7 +1814,7 @@ controls:
rules:
- audit_rules_kernel_module_loading_delete
status: automated
-
+
- id: SLEM-05-654170
levels:
- medium
@@ -1819,7 +1824,7 @@ controls:
rules:
- audit_rules_kernel_module_loading_finit
status: automated
-
+
- id: SLEM-05-654175
levels:
- medium
@@ -1827,7 +1832,7 @@ controls:
rules:
- audit_rules_media_export
status: automated
-
+
- id: SLEM-05-654180
levels:
- medium
@@ -1837,7 +1842,7 @@ controls:
rules:
- audit_rules_dac_modification_fremovexattr
status: automated
-
+
- id: SLEM-05-654185
levels:
- medium
@@ -1845,7 +1850,7 @@ controls:
rules:
- audit_rules_dac_modification_umount2
status: automated
-
+
- id: SLEM-05-654190
levels:
- medium
@@ -1855,7 +1860,7 @@ controls:
rules:
- audit_rules_unsuccessful_file_modification_rename
status: automated
-
+
- id: SLEM-05-654195
levels:
- medium
@@ -1863,7 +1868,7 @@ controls:
rules:
- audit_rules_suid_privilege_function
status: automated
-
+
- id: SLEM-05-654200
levels:
- medium
@@ -1873,7 +1878,7 @@ controls:
rules:
- audit_rules_login_events_lastlog
status: automated
-
+
- id: SLEM-05-654205
levels:
- medium
@@ -1883,7 +1888,7 @@ controls:
rules:
- audit_rules_login_events_tallylog
status: automated
-
+
- id: SLEM-05-654210
levels:
- medium
@@ -1893,7 +1898,7 @@ controls:
rules:
- audit_rules_sysadmin_actions
status: automated
-
+
- id: SLEM-05-654215
levels:
- medium
@@ -1903,7 +1908,7 @@ controls:
rules:
- audit_rules_execution_setfiles
status: automated
-
+
- id: SLEM-05-654220
levels:
- medium
@@ -1914,7 +1919,7 @@ controls:
- package_policycoreutils-python-utils_installed
- audit_rules_execution_semanage
status: automated
-
+
- id: SLEM-05-654225
levels:
- medium
@@ -1924,7 +1929,7 @@ controls:
rules:
- audit_rules_execution_setsebool
status: automated
-
+
- id: SLEM-05-654230
levels:
- medium
@@ -1932,7 +1937,7 @@ controls:
rules:
- audit_rules_session_events_utmp
status: automated
-
+
- id: SLEM-05-654235
levels:
- medium
@@ -1940,7 +1945,7 @@ controls:
rules:
- audit_rules_session_events_btmp
status: automated
-
+
- id: SLEM-05-654240
levels:
- medium
@@ -1948,15 +1953,15 @@ controls:
rules:
- audit_rules_session_events_wtmp
status: automated
-
+
- id: SLEM-05-654245
levels:
- medium
title: SLEM 5 must not disable syscall auditing.
- rules:
+ rules:
- audit_rules_enable_syscall_auditing
status: automated
-
+
- id: SLEM-05-671010
levels:
- high
diff --git a/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml b/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
index 5c3043eaa98..d561c9cbcd4 100644
--- a/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
+++ b/linux_os/guide/system/logging/journald/package_systemd-journal-remote_installed/rule.yml
@@ -19,9 +19,11 @@ identifiers:
cce@rhel8: CCE-86467-8
cce@rhel9: CCE-86760-6
cce@rhel10: CCE-89465-9
+ cce@slmicro5: CCE-94085-8
references:
cis@ubuntu2204: 4.2.1.1.1
+ srg: SRG-OS-000479-GPOS-00224
ocil_clause: 'the package is not installed'
diff --git a/linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml b/linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml
new file mode 100644
index 00000000000..24840de053b
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/service_systemd-journal-upload_enabled/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Enable systemd-journal-upload Service'
+
+description: |-
+ {{{ full_name }}} must offload rsyslog messages for networked systems in real time and
+ offload standalone systems at least weekly.
+ {{{ describe_service_enable(service="systemd-journal-upload") }}}
+
+rationale: |-
+ {{{ full_name }}} must offload rsyslog messages for networked systems in real time and
+ offload standalone systems at least weekly.
+
+severity: medium
+
+identifiers:
+ cce@slmicro5: CCE-94084-1
+
+references:
+ srg: SRG-OS-000479-GPOS-00224
+
+ocil_clause: 'the systemd-journal-upload service is not running'
+
+ocil: |-
+ {{{ ocil_service_enabled(service="systemd-journal-upload") }}}
+
+fixtext: |-
+ {{{ fixtext_service_enabled("systemd-journal-upload") }}}
+
+srg_requirement: '{{{ srg_requirement_service_enabled("systemd-journal-upload") }}}'
+
+platform: machine
+
+template:
+ name: service_enabled
+ vars:
+ servicename: systemd-journal-upload
+ packagename: systemd-journal-remote
diff --git a/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/ansible/shared.yml b/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/ansible/shared.yml
new file mode 100644
index 00000000000..ae37bb47178
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/ansible/shared.yml
@@ -0,0 +1,32 @@
+# platform = multi_platform_slmicro
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_journal_upload_server_key_file") }}}
+
+- name: Set ServerKeyFile in /etc/systemd/journal-upload.conf
+ lineinfile:
+ dest: /etc/systemd/journal-upload.conf
+ regexp: "^#?ServerKeyFile="
+ line: ServerKeyFile={{ var_journal_upload_server_key_file }}
+ create: yes
+
+{{{ ansible_instantiate_variables("var_journal_upload_server_certificate_file") }}}
+
+- name: Set ServerCertificateFile in /etc/systemd/journal-upload.conf
+ lineinfile:
+ dest: /etc/systemd/journal-upload.conf
+ regexp: "^#?ServerCertificateFile="
+ line: ServerCertificateFile={{ var_journal_upload_server_certificate_file }}
+ create: yes
+
+{{{ ansible_instantiate_variables("var_journal_upload_server_trusted_certificate_file") }}}
+
+- name: Set TrustedCertificateFile in /etc/systemd/journal-upload.conf
+ lineinfile:
+ dest: /etc/systemd/journal-upload.conf
+ regexp: "^#?TrustedCertificateFile="
+ line: TrustedCertificateFile={{ var_journal_upload_server_trusted_certificate_file }}
+ create: yes
diff --git a/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/bash/shared.sh b/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/bash/shared.sh
new file mode 100644
index 00000000000..716e7f28006
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/bash/shared.sh
@@ -0,0 +1,10 @@
+# platform = multi_platform_slmicro
+
+{{{ bash_instantiate_variables("var_journal_upload_server_key_file") }}}
+{{{ bash_replace_or_append('/etc/systemd/journal-upload.conf', '^ServerKeyFile', "$var_journal_upload_server_key_file", '%s=%s') }}}
+
+{{{ bash_instantiate_variables("var_journal_upload_server_certificate_file") }}}
+{{{ bash_replace_or_append('/etc/systemd/journal-upload.conf', '^ServerCertificateFile', "$var_journal_upload_server_certificate_file", '%s=%s') }}}
+
+{{{ bash_instantiate_variables("var_journal_upload_server_trusted_certificate_file") }}}
+{{{ bash_replace_or_append('/etc/systemd/journal-upload.conf', '^TrustedCertificateFile', "$var_journal_upload_server_trusted_certificate_file", '%s=%s') }}}
diff --git a/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/oval/shared.xml b/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/oval/shared.xml
new file mode 100644
index 00000000000..363fe273890
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/oval/shared.xml
@@ -0,0 +1,72 @@
+
+
+ {{{ oval_metadata("systemd-journal-upload server TLS configuration in /etc/systemd/journal-upload.conf") }}}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ /etc/systemd/journal-upload.conf
+ ^\s*ServerKeyFile\s*=\s*(.*)\s*$
+ 1
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ /etc/systemd/journal-upload.conf
+ ^\s*ServerCertificateFile\s*=\s*(.*)\s*$
+ 1
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ /etc/systemd/journal-upload.conf
+ ^\s*TrustedCertificateFile\s*=\s*(.*)\s*$
+ 1
+
+
+
+
+
+
+
+
+
diff --git a/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/rule.yml b/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/rule.yml
new file mode 100644
index 00000000000..a4d29c259a9
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/systemd_journal_upload_server_tls/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: 'Configure systemd-journal-upload TLS parameters: ServerKeyFile,ServerCertificateFile and TrustedCertificateFile'
+
+description: |-
+ {{{ full_name }}} must offload rsyslog messages for networked systems in real time and
+ offload standalone systems at least weekly
+
+rationale: |-
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+ Offloading is a common process in information systems with limited audit storage capacity
+
+severity: medium
+
+identifiers:
+ cce@slmicro5: CCE-94080-9
+
+references:
+ srg: SRG-OS-000479-GPOS-00224
+
+ocil_clause: 'systemd-journal-upload TLS configuration is missing or commented in /etc/systemd/journal-upload.conf'
+
+ocil: |-
+ To ensure logs are sent securely to a remote host, examine the file
+ /etc/systemd/journal-upload.conf.
+ ServerKeyFile should be present:
+ ServerKeyFile={{{ xccdf_value("var_journal_upload_server_key_file") }}}
+ ServerCertificateFile should be present:
+ ServerCertificateFile={{{ xccdf_value("var_journal_upload_server_certificate_file") }}}
+ TrustedCertificateFile should be present:
+ TrustedCertificateFile={{{ xccdf_value("var_journal_upload_server_trusted_certificate_file") }}}
+
+fixtext: |-
+ Configure systemd-journal-upload ServerKeyFile to {{{ xccdf_value("var_journal_upload_server_key_file") }}}
+ Configure systemd-journal-upload ServerCertificateFile to {{{ xccdf_value("var_journal_upload_server_certificate_file") }}}
+ Configure systemd-journal-upload TrustedCertificateFile to {{{ xccdf_value("var_journal_upload_server_trusted_certificate_file") }}}
diff --git a/linux_os/guide/system/logging/journald/systemd_journal_upload_url/ansible/shared.yml b/linux_os/guide/system/logging/journald/systemd_journal_upload_url/ansible/shared.yml
new file mode 100644
index 00000000000..4d7a089c805
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/systemd_journal_upload_url/ansible/shared.yml
@@ -0,0 +1,13 @@
+# platform = multi_platform_slmicro
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_journal_upload_url") }}}
+
+- name: Set URL in /etc/systemd/journal-upload.conf
+ lineinfile:
+ dest: /etc/systemd/journal-upload.conf
+ regexp: "^#?URL="
+ line: URL={{ var_journal_upload_url }}
+ create: yes
diff --git a/linux_os/guide/system/logging/journald/systemd_journal_upload_url/bash/shared.sh b/linux_os/guide/system/logging/journald/systemd_journal_upload_url/bash/shared.sh
new file mode 100644
index 00000000000..a67949ce82b
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/systemd_journal_upload_url/bash/shared.sh
@@ -0,0 +1,4 @@
+# platform = multi_platform_slmicro
+
+{{{ bash_instantiate_variables("var_journal_upload_url") }}}
+{{{ bash_replace_or_append('/etc/systemd/journal-upload.conf', '^URL', "$var_journal_upload_url", '%s=%s') }}}
diff --git a/linux_os/guide/system/logging/journald/systemd_journal_upload_url/oval/shared.xml b/linux_os/guide/system/logging/journald/systemd_journal_upload_url/oval/shared.xml
new file mode 100644
index 00000000000..64b985cc391
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/systemd_journal_upload_url/oval/shared.xml
@@ -0,0 +1,27 @@
+
+
+ {{{ oval_metadata("systemd-journal-upload URL in /etc/systemd/journal-upload.conf is configured") }}}
+
+
+
+
+
+
+
+
+
+
+
+ /etc/systemd/journal-upload.conf
+ ^\s*URL\s*=\s*(.*)\s*$
+ 1
+
+
+
+
+
+
+
+
+
diff --git a/linux_os/guide/system/logging/journald/systemd_journal_upload_url/rule.yml b/linux_os/guide/system/logging/journald/systemd_journal_upload_url/rule.yml
new file mode 100644
index 00000000000..6001dd7338e
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/systemd_journal_upload_url/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+
+title: 'Configure systemd-journal-upload URL'
+
+description: |-
+ {{{ full_name }}} must offload rsyslog messages for networked systems in real time and
+ offload standalone systems at least weekly
+
+rationale: |-
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+ Offloading is a common process in information systems with limited audit storage capacity
+
+severity: medium
+
+identifiers:
+ cce@slmicro5: CCE-94081-7
+
+references:
+ srg: SRG-OS-000479-GPOS-00224
+
+ocil_clause: 'systemd-journal-upload URL is missing or commented in /etc/systemd/journal-upload.conf'
+
+ocil: |-
+ To ensure logs are sent to a remote host, examine the file
+ /etc/systemd/journal-upload.conf.
+ URL should be present:
+ URL={{{ xccdf_value("var_journal_upload_url") }}}
+
+fixtext: |-
+ Configure systemd-journal-upload URL to {{{ xccdf_value("var_journal_upload_url") }}}
diff --git a/linux_os/guide/system/logging/journald/var_journal_upload_server_certificate_file.var b/linux_os/guide/system/logging/journald/var_journal_upload_server_certificate_file.var
new file mode 100644
index 00000000000..11a4be7d4fc
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/var_journal_upload_server_certificate_file.var
@@ -0,0 +1,13 @@
+documentation_complete: true
+
+title: 'Remote server SSL CA certificate in PEM format for systemd-journal-upload service'
+
+description: |-
+ The setting for ServerCertificateFile in /etc/systemd/journal-upload.conf
+
+type: string
+
+interactive: true
+
+options:
+ default: /etc/pki/systemd/certs/journal-upload.pem
diff --git a/linux_os/guide/system/logging/journald/var_journal_upload_server_key_file.var b/linux_os/guide/system/logging/journald/var_journal_upload_server_key_file.var
new file mode 100644
index 00000000000..38ab1692ea5
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/var_journal_upload_server_key_file.var
@@ -0,0 +1,13 @@
+documentation_complete: true
+
+title: 'Remote server SSL key in PEM format for systemd-journal-upload service'
+
+description: |-
+ The setting for ServerKeyFile in /etc/systemd/journal-upload.conf
+
+type: string
+
+interactive: true
+
+options:
+ default: /etc/pki/systemd/private/journal-upload.pem
diff --git a/linux_os/guide/system/logging/journald/var_journal_upload_server_trusted_certificate_file.var b/linux_os/guide/system/logging/journald/var_journal_upload_server_trusted_certificate_file.var
new file mode 100644
index 00000000000..c65f20267fa
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/var_journal_upload_server_trusted_certificate_file.var
@@ -0,0 +1,13 @@
+documentation_complete: true
+
+title: 'Remote server SSL CA certificate for systemd-journal-upload service'
+
+description: |-
+ The setting for TrustedCertificateFile in /etc/systemd/journal-upload.conf
+
+type: string
+
+interactive: true
+
+options:
+ default: /etc/pki/systemd/ca/trusted.pem
diff --git a/linux_os/guide/system/logging/journald/var_journal_upload_url.var b/linux_os/guide/system/logging/journald/var_journal_upload_url.var
new file mode 100644
index 00000000000..4912affc9fb
--- /dev/null
+++ b/linux_os/guide/system/logging/journald/var_journal_upload_url.var
@@ -0,0 +1,13 @@
+documentation_complete: true
+
+title: 'Remote server for systemd-journal-upload service'
+
+description: |-
+ The setting for URL in /etc/systemd/journal-upload.conf
+
+type: string
+
+interactive: true
+
+options:
+ default: remotelogserver
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 50e9e6a2a60..4bc2b69a1b9 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -281,8 +281,3 @@ CCE-94076-7
CCE-94077-5
CCE-94078-3
CCE-94079-1
-CCE-94080-9
-CCE-94081-7
-CCE-94083-3
-CCE-94084-1
-CCE-94085-8
diff --git a/shared/templates/service_enabled/bash.template b/shared/templates/service_enabled/bash.template
index 00fd1ee2f42..d290a399ab5 100644
--- a/shared/templates/service_enabled/bash.template
+++ b/shared/templates/service_enabled/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
# reboot = false
# strategy = enable
# complexity = low