From 0e28027e3094a219956bbd8d9f6ead1375b901fe Mon Sep 17 00:00:00 2001
From: Guang Yee <guang.yee@suse.com>
Date: Fri, 22 Jan 2021 12:20:03 -0800
Subject: [PATCH] Enable checks and remediations for the following SLES-12
STIGs:
- SLES-12-010510 'aide_scan_notification'
- SLES-12-010700 'file_permissions_ungroupowned'
- SLES-12-010710 'accounts_user_interactive_home_directory_defined'
- SLES-12-010730 'accounts_user_interactive_home_directory_exists'
- SLES-12-010740 'file_permissions_home_directories'
- SLES-12-010750 'file_groupownership_home_directories'
- SLES-12-010760 'file_permission_user_init_files'
- SLES-12-010770 'accounts_user_home_paths_only'
- SLES-12-010780 'accounts_user_dot_no_world_writable_programs'
- SLES-12-010790 'mount_option_home_nosuid'
- SLES-12-010800 'mount_option_nosuid_removable_partitions'
- SLES-12-010810 'mount_option_nosuid_remote_filesystems'
- SLES-12-010820 'mount_option_noexec_remote_filesystems'
- SLES-12-010830 'dir_perms_world_writable_system_owned_group'
- SLES-12-010840 'service_kdump_disabled'
- SLES-12-010880 'run_chkstat'
- SLES-12-020500 'audit_rules_unsuccessful_file_modification_truncate'
- SLES-12-020510 'audit_rules_unsuccessful_file_modification_ftruncate'
- SLES-12-020520 'audit_rules_unsuccessful_file_modification_creat'
- SLES-12-020530 'audit_rules_unsuccessful_file_modification_openat'
- SLES-12-020540 'audit_rules_unsuccessful_file_modification_open_by_handle_at'
- SLES-12-020590 'audit_rules_usergroup_modification_gshadow'
- SLES-12-020600 'audit_rules_dac_modification_chmod'
- SLES-12-020650 'audit_rules_login_events_tallylog'
- SLES-12-020660 'audit_rules_login_events_lastlog'
- SLES-12-020680 'audit_rules_privileged_commands_unix_chkpwd'
- SLES-12-020690 'audit_rules_privileged_commands_chage'
- SLES-12-030030 'kernel_module_dccp_disabled'
- SLES-12-030140 'sshd_disable_root_login'
- SLES-12-030180 'sshd_use_approved_macs'
- SLES-12-030380 'sysctl_net_ipv4_icmp_echo_ignore_broadcasts'
- SLES-12-030390 'sysctl_net_ipv4_conf_all_accept_redirects'
- SLES-12-030400 'sysctl_net_ipv4_conf_default_accept_redirects'
- SLES-12-030401 'sysctl_net_ipv6_conf_default_accept_source_route'
- SLES-12-030420 'sysctl_net_ipv4_conf_all_send_redirects'
- SLES-12-030430 'sysctl_net_ipv4_ip_forward'
Corrections:
- Rule 'sysctl_net_ipv4_conf_default_send_redirects' was originally submitted
with an incorrect SLES12 STIG ID. The correct SLES12 STIG ID should
be 'SLES-12-030410'.
---
.../base/service_kdump_disabled/rule.yml | 1 +
.../rule.yml | 4 +-
.../rule.yml | 4 +-
.../sshd_disable_root_login/rule.yml | 1 +
.../sshd_use_approved_macs/ansible/shared.yml | 2 +-
.../sshd_use_approved_macs/rule.yml | 1 +
.../rule.yml | 6 ++-
.../accounts_user_home_paths_only/rule.yml | 4 +-
.../rule.yml | 4 +-
.../rule.yml | 4 +-
.../rule.yml | 4 +-
.../file_permission_user_init_files/rule.yml | 4 +-
.../rule.yml | 4 +-
.../rule.yml | 2 +
.../rule.yml | 2 +
.../rule.yml | 2 +
.../rule.yml | 2 +
.../rule.yml | 2 +
.../rule.yml | 2 +
.../audit_rules_login_events_lastlog/rule.yml | 2 +
.../rule.yml | 2 +
.../rule.yml | 4 +-
.../rule.yml | 4 +-
.../rule.yml | 4 +-
.../rule.yml | 4 +-
.../rule.yml | 4 +-
.../rule.yml | 5 +-
.../rule.yml | 4 +-
.../rule.yml | 4 +-
.../rule.yml | 2 +-
.../sysctl_net_ipv4_ip_forward/rule.yml | 4 +-
.../kernel_module_dccp_disabled/rule.yml | 4 +-
.../rule.yml | 9 ++--
.../file_permissions_ungroupowned/rule.yml | 4 +-
.../mount_option_home_nosuid/rule.yml | 4 +-
.../rule.yml | 4 +-
.../permissions/permissions_local/group.yml | 12 +++++
.../permissions_local/run_chkstat/rule.yml | 50 +++++++++++++++++++
.../aide_scan_notification/bash/shared.sh | 13 ++++-
.../aide_scan_notification/oval/shared.xml | 12 +++--
.../aide/aide_scan_notification/rule.yml | 8 ++-
.../aide/package_aide_installed/rule.yml | 2 +-
.../ansible.template | 2 +-
.../audit_rules_login_events/ansible.template | 2 +-
.../ansible.template | 2 +-
.../ansible.template | 2 +-
.../ansible.template | 2 +-
sle12/profiles/stig.profile | 39 +++++++++++++++
48 files changed, 229 insertions(+), 40 deletions(-)
create mode 100644 linux_os/guide/system/permissions/permissions_local/group.yml
create mode 100644 linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml
diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
|
|
b5e178 |
index 3737b264ce..ff9d439b4f 100644
|
|
|
b5e178 |
--- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml
|
|
|
b5e178 |
@@ -22,6 +22,7 @@ severity: medium
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80258-7
|
|
|
b5e178 |
cce@rhel8: CCE-80878-2
|
|
|
b5e178 |
+ cce@sle12: CCE-83105-7
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-021300
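Review bot: No `stigid@sle12: SLES-12-010840` reference is added for service_kdump_disabled, although the commit message lists that STIG ID for this rule and the diffstat shows a single added line (the `cce@sle12` identifier) for this file; unless the reference already exists in the part of the references block outside the hunk, the STIG mapping this commit claims is missing. The same gap appears in the sshd_disable_root_login hunk (SLES-12-030140) and the sshd_use_approved_macs rule.yml hunk (SLES-12-030180), both of which also add only a CCE. The line to add under references, matching the other rules in this commit, is `    stigid@sle12: SLES-12-010840`. The references block continues outside the hunk.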
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
|
|
|
b5e178 |
index a4a8160aa9..d9c17fb416 100644
|
|
|
b5e178 |
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Mount Remote Filesystems with noexec'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -16,6 +16,7 @@ severity: medium
|
|
|
b5e178 |
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80436-9
|
|
|
b5e178 |
+ cce@sle12: CCE-83103-2
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-021021
|
|
|
b5e178 |
@@ -29,6 +30,7 @@ references:
|
|
|
b5e178 |
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
|
|
|
b5e178 |
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
|
b5e178 |
cis-csc: 12,13,14,15,16,18,3,5
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010820
|
|
|
b5e178 |
|
|
|
b5e178 |
ocil_clause: 'the setting does not show'
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
|
|
|
b5e178 |
index 7a40ea2b27..c14b0aeefb 100644
|
|
|
b5e178 |
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Mount Remote Filesystems with nosuid'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -14,6 +14,7 @@ severity: medium
|
|
|
b5e178 |
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80240-5
|
|
|
b5e178 |
+ cce@sle12: CCE-83102-4
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-021020
|
|
|
b5e178 |
@@ -27,6 +28,7 @@ references:
|
|
|
b5e178 |
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
|
|
|
b5e178 |
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
|
b5e178 |
cis-csc: 12,13,14,15,16,18,3,5
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010810
|
|
|
b5e178 |
|
|
|
b5e178 |
ocil_clause: 'the setting does not show'
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
|
|
|
b5e178 |
index 74002ded9a..287954db61 100644
|
|
|
b5e178 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml
|
|
|
b5e178 |
@@ -21,6 +21,7 @@ severity: medium
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-27445-6
|
|
|
b5e178 |
cce@rhel8: CCE-80901-2
|
|
|
b5e178 |
+ cce@sle12: CCE-83035-6
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-040370
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
|
|
|
b5e178 |
index 1a9b6990e9..2c5cf7e1c7 100644
|
|
|
b5e178 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
|
|
|
b5e178 |
@@ -1,4 +1,4 @@
|
|
|
b5e178 |
-# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
|
|
|
b5e178 |
+# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle
|
|
|
b5e178 |
# reboot = false
|
|
|
b5e178 |
# strategy = restrict
|
|
|
b5e178 |
# complexity = low
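Review bot: Widening the platform line to `multi_platform_sle` enables this remediation for every SLE product that tag expands to, which presumably includes releases other than SLE 12, while the commit only adds sle12 identifiers and the SLES-12 STIG reference; confirm that is intended, or restrict it to the SLE 12-specific platform name if only the SLES-12 STIG has been reviewed. The task body that writes the MACs list is outside the hunk and was authored for the RHEL 7/OL 7 platform line, so verify that the list it installs is the one SLES-12-030180 requires before it is applied to SLE. A short comment above the platform line, such as `# MACs list below is shared with RHEL 7; reviewed against SLES-12-030180`, would record that check for the next reader.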
|
|
|
b5e178 |
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
|
|
b5e178 |
index 394c733f51..a0bc4578a6 100644
|
|
|
b5e178 |
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
|
|
|
b5e178 |
@@ -43,6 +43,7 @@ severity: medium
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-27455-5
|
|
|
b5e178 |
cce@rhel8: CCE-82198-3
|
|
|
b5e178 |
+ cce@sle12: CCE-83036-4
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-040400
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
|
|
|
b5e178 |
index ad337e982c..77f3a12148 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'User Initialization Files Must Not Run World-Writable Programs'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -20,17 +20,19 @@ severity: medium
|
|
|
b5e178 |
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80523-4
|
|
|
b5e178 |
+ cce@sle12: CCE-83099-2
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-020730
|
|
|
b5e178 |
disa: CCI-000366
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-020730
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010780
|
|
|
b5e178 |
|
|
|
b5e178 |
ocil_clause: 'files are executing world-writable programs'
|
|
|
b5e178 |
|
|
|
b5e178 |
ocil: |-
|
|
|
b5e178 |
To verify that local initialization files do not execute world-writable programs,
|
|
|
b5e178 |
execute the following command:
|
|
|
b5e178 |
- $ sudo find /home -perm -002 -type f -exec ls -ld {} -name ".[^.]*" \;
|
|
|
b5e178 |
+ $ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
|
|
|
b5e178 |
There should be no output.
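Review bot: The reordered ocil command at the end of the hunk still searches only `/home`, so interactive users whose home directory is recorded elsewhere in `/etc/passwd` are not covered by the manual check, and it appears to list world-writable dotfiles rather than world-writable programs those files execute, which is what the rule title describes. Both limitations predate this change, but since the line is being touched it is worth stating them in the ocil text, e.g. append `Note: this command only inspects /home; check any interactive user home directories located elsewhere.` after `There should be no output.` so an assessor knows the scope of the check.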
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
|
|
|
b5e178 |
index 9c9dd92fb0..0154c1d73b 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Ensure that Users Path Contains Only Local Directories'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -24,12 +24,14 @@ severity: medium
|
|
|
b5e178 |
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80524-2
|
|
|
b5e178 |
+ cce@sle12: CCE-83098-4
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-020720
|
|
|
b5e178 |
disa: CCI-000366
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-020720
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010770
|
|
|
b5e178 |
|
|
|
b5e178 |
ocil_clause: 'paths contain more than local home directories'
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
|
|
|
b5e178 |
index 6d6c28eb85..9ee21744b2 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'All Interactive Users Must Have A Home Directory Defined'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -16,12 +16,14 @@ severity: medium
|
|
|
b5e178 |
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80528-3
|
|
|
b5e178 |
+ cce@sle12: CCE-83075-2
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-020600
|
|
|
b5e178 |
disa: CCI-000366
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-020600
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010710
|
|
|
b5e178 |
|
|
|
b5e178 |
ocil_clause: 'users home directory is not defined'
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
|
|
b5e178 |
index 42dfdeabed..a262abba7a 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'All Interactive Users Home Directories Must Exist'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -22,6 +22,7 @@ severity: medium
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80529-1
|
|
|
b5e178 |
cce@rhel8: CCE-83424-2
|
|
|
b5e178 |
+ cce@sle12: CCE-83074-5
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-020620
|
|
|
b5e178 |
@@ -29,6 +30,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-020620
|
|
|
b5e178 |
cis@rhel8: 6.2.20
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010730
|
|
|
b5e178 |
|
|
|
b5e178 |
ocil_clause: 'users home directory does not exist'
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
|
|
b5e178 |
index 0efb03da74..820a942220 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary User'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -21,6 +21,7 @@ severity: medium
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80532-5
|
|
|
b5e178 |
cce@rhel8: CCE-83434-1
|
|
|
b5e178 |
+ cce@sle12: CCE-83096-8
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-020650
|
|
|
b5e178 |
@@ -28,6 +29,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-020650
|
|
|
b5e178 |
cis@rhel8: 6.2.8
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010750
|
|
|
b5e178 |
|
|
|
b5e178 |
ocil_clause: 'the group ownership is incorrect'
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
|
|
|
b5e178 |
index 6d719039a3..4810c941d6 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Ensure All User Initialization Files Have Mode 0740 Or Less Permissive'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -18,12 +18,14 @@ severity: medium
|
|
|
b5e178 |
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80525-9
|
|
|
b5e178 |
+ cce@sle12: CCE-83097-6
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-020710
|
|
|
b5e178 |
disa: CCI-000366
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-020710
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010760
|
|
|
b5e178 |
|
|
|
b5e178 |
ocil_clause: 'they are not 0740 or more permissive'
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
|
|
|
b5e178 |
index edb1b821d3..4898bfa6b6 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'All Interactive User Home Directories Must Have mode 0750 Or Less Permissive'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -18,12 +18,14 @@ severity: medium
|
|
|
b5e178 |
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80530-9
|
|
|
b5e178 |
+ cce@sle12: CCE-83076-0
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-020630
|
|
|
b5e178 |
disa: CCI-000366
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-020630
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010740
|
|
|
b5e178 |
|
|
|
b5e178 |
ocil_clause: 'they are more permissive'
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
|
|
|
b5e178 |
index 5dc589b5fc..22031b6517 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
|
|
|
b5e178 |
@@ -30,6 +30,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-27339-1
|
|
|
b5e178 |
cce@rhel8: CCE-80685-1
|
|
|
b5e178 |
cce@rhcos4: CCE-82556-2
|
|
|
b5e178 |
+ cce@sle12: CCE-83106-5
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-030410
|
|
|
b5e178 |
@@ -45,6 +46,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
|
|
|
b5e178 |
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-030410
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-020600
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
|
|
b5e178 |
index cd550e7c0a..b5abef23d9 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
|
|
|
b5e178 |
@@ -36,6 +36,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80385-8
|
|
|
b5e178 |
cce@rhel8: CCE-80751-1
|
|
|
b5e178 |
cce@rhcos4: CCE-82621-4
|
|
|
b5e178 |
+ cce@sle12: CCE-83092-7
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-030500
|
|
|
b5e178 |
@@ -50,6 +51,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
b5e178 |
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-030500
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-020520
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
|
|
b5e178 |
index 9696633f7e..9ed6b36699 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
|
|
|
b5e178 |
@@ -39,6 +39,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80390-8
|
|
|
b5e178 |
cce@rhel8: CCE-80752-9
|
|
|
b5e178 |
cce@rhcos4: CCE-82629-7
|
|
|
b5e178 |
+ cce@sle12: CCE-83091-9
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-030550
|
|
|
b5e178 |
@@ -53,6 +54,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
b5e178 |
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-030550
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-020510
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
|
|
b5e178 |
index 08cd7a656c..28076744c3 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
|
|
|
b5e178 |
@@ -36,6 +36,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80388-2
|
|
|
b5e178 |
cce@rhel8: CCE-80755-2
|
|
|
b5e178 |
cce@rhcos4: CCE-82640-4
|
|
|
b5e178 |
+ cce@sle12: CCE-83094-3
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-030530
|
|
|
b5e178 |
@@ -50,6 +51,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
b5e178 |
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-030530
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-020540
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
|
|
b5e178 |
index 32501fd295..f1699ab14e 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
|
|
|
b5e178 |
@@ -39,6 +39,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80387-4
|
|
|
b5e178 |
cce@rhel8: CCE-80754-5
|
|
|
b5e178 |
cce@rhcos4: CCE-82634-7
|
|
|
b5e178 |
+ cce@sle12: CCE-83093-5
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-030520
|
|
|
b5e178 |
@@ -53,6 +54,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
b5e178 |
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-030520
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-020530
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
|
|
|
b5e178 |
index 037812a685..60d98c5803 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
|
|
|
b5e178 |
@@ -39,6 +39,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80389-0
|
|
|
b5e178 |
cce@rhel8: CCE-80756-0
|
|
|
b5e178 |
cce@rhcos4: CCE-82651-1
|
|
|
b5e178 |
+ cce@sle12: CCE-83085-1
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-030540
|
|
|
b5e178 |
@@ -53,6 +54,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
|
|
|
b5e178 |
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-030540
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-020500
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
|
|
|
b5e178 |
index 7590cb2353..54e820c309 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
|
|
|
b5e178 |
@@ -28,6 +28,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80384-1
|
|
|
b5e178 |
cce@rhel8: CCE-80719-8
|
|
|
b5e178 |
cce@rhcos4: CCE-82584-4
|
|
|
b5e178 |
+ cce@sle12: CCE-83108-1
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
cis@rhel7: 4.1.8
|
|
|
b5e178 |
@@ -43,6 +44,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218
|
|
|
b5e178 |
vmmsrg: SRG-OS-000473-VMM-001930,SRG-OS-000470-VMM-001900
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-030620
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-020660
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
|
|
|
b5e178 |
index 267cafb758..730b7d7201 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
|
|
|
b5e178 |
@@ -28,6 +28,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80994-7
|
|
|
b5e178 |
cce@rhel8: CCE-80720-6
|
|
|
b5e178 |
cce@rhcos4: CCE-82585-1
|
|
|
b5e178 |
+ cce@sle12: CCE-83107-3
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
cis: 5.2.8
|
|
|
b5e178 |
@@ -41,6 +42,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218
|
|
|
b5e178 |
vmmsrg: SRG-OS-000473-VMM-001930,SRG-OS-000470-VMM-001900
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-030600
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-020650
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
|
|
|
b5e178 |
index 9503765c88..0fcf3fb9f6 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - chage'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -34,6 +34,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80398-1
|
|
|
b5e178 |
cce@rhel8: CCE-80725-5
|
|
|
b5e178 |
cce@rhcos4: CCE-82591-9
|
|
|
b5e178 |
+ cce@sle12: CCE-83110-7
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-030660
|
|
|
b5e178 |
@@ -45,6 +46,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
|
|
|
b5e178 |
vmmsrg: SRG-OS-000471-VMM-001910
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-030660
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-020690
|
|
|
b5e178 |
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
|
|
|
b5e178 |
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
|
|
|
b5e178 |
index 0171bd3758..b458ed6d8c 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -34,6 +34,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80396-5
|
|
|
b5e178 |
cce@rhel8: CCE-80740-4
|
|
|
b5e178 |
cce@rhcos4: CCE-82609-9
|
|
|
b5e178 |
+ cce@sle12: CCE-83109-9
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-030640
|
|
|
b5e178 |
@@ -46,6 +47,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
|
|
|
b5e178 |
vmmsrg: SRG-OS-000471-VMM-001910
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-030640
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-020680
|
|
|
b5e178 |
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
|
|
|
b5e178 |
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
|
|
|
b5e178 |
index 9ee6de4b51..0b5707f596 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Record Events that Modify User/Group Information - /etc/gshadow'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -31,6 +31,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80432-8
|
|
|
b5e178 |
cce@rhel8: CCE-80759-4
|
|
|
b5e178 |
cce@rhcos4: CCE-82655-2
|
|
|
b5e178 |
+ cce@sle12: CCE-83095-0
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-030872
|
|
|
b5e178 |
@@ -46,6 +47,7 @@ references:
|
|
|
b5e178 |
srg: SRG-OS-000004-GPOS-00004
|
|
|
b5e178 |
vmmsrg: SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-030872
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-020590
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
|
|
|
b5e178 |
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
|
|
|
b5e178 |
index 76aed7c565..af6be9505a 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4
|
|
|
b5e178 |
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -22,6 +22,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80355-1
|
|
|
b5e178 |
cce@rhel8: CCE-81015-0
|
|
|
b5e178 |
cce@rhcos4: CCE-82481-3
|
|
|
b5e178 |
+ cce@sle12: CCE-83087-7
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
anssi: BP28(R22)
|
|
|
b5e178 |
@@ -35,6 +36,7 @@ references:
|
|
|
b5e178 |
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
|
|
|
b5e178 |
cis-csc: 1,12,13,14,15,16,18,4,6,8,9
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-030401
|
|
|
b5e178 |
cis@rhel8: 3.2.1
|
|
|
b5e178 |
|
|
|
b5e178 |
{{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_source_route", value="0") }}}
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
|
|
|
b5e178 |
index 5a529710db..361073e99c 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
|
|
b5e178 |
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -21,6 +21,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80158-9
|
|
|
b5e178 |
cce@rhel8: CCE-80917-8
|
|
|
b5e178 |
cce@rhcos4: CCE-82469-8
|
|
|
b5e178 |
+ cce@sle12: CCE-83090-1
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-040641
|
|
|
b5e178 |
@@ -33,6 +34,7 @@ references:
|
|
|
b5e178 |
nist-csf: DE.CM-1,PR.DS-4,PR.IP-1,PR.PT-3
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-040641
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-030390
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
|
|
|
b5e178 |
cobit5: APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07,DSS06.06
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
|
|
|
b5e178 |
index d3336d246f..ed4a024797 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15
|
|
|
b5e178 |
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -20,6 +20,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80163-9
|
|
|
b5e178 |
cce@rhel8: CCE-80919-4
|
|
|
b5e178 |
cce@rhcos4: CCE-82470-6
|
|
|
b5e178 |
+ cce@sle12: CCE-83081-0
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-040640
|
|
|
b5e178 |
@@ -32,6 +33,8 @@ references:
|
|
|
b5e178 |
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-040640
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-030400
|
|
|
b5e178 |
+
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
|
|
b5e178 |
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
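Review bot: The added empty line after `stigid@sle12: SLES-12-030400` is a stray blank inside the `references:` mapping; YAML accepts it, but it visually splits the block so `isa-62443-2013` reads as the start of a new top-level section, and none of the sibling rule files touched in this commit carry one. Drop the `+` blank line so this hunk is the same one-line `stigid@sle12` addition made to the other rule files.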
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
|
|
|
b5e178 |
index a7f24853f6..ef659ec1c2 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
|
|
b5e178 |
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -19,6 +19,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80165-4
|
|
|
b5e178 |
cce@rhel8: CCE-80922-8
|
|
|
b5e178 |
cce@rhcos4: CCE-82491-2
|
|
|
b5e178 |
+ cce@sle12: CCE-83080-2
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-040630
|
|
|
b5e178 |
@@ -30,6 +31,7 @@ references:
|
|
|
b5e178 |
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-040630
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-030380
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
|
|
b5e178 |
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
|
|
|
b5e178 |
index d610f022fe..f49353c25c 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
|
|
b5e178 |
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -19,6 +19,7 @@ identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80156-3
|
|
|
b5e178 |
cce@rhel8: CCE-80918-6
|
|
|
b5e178 |
cce@rhcos4: CCE-82484-7
|
|
|
b5e178 |
+ cce@sle12: CCE-83089-3
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-040660
|
|
|
b5e178 |
@@ -31,6 +32,7 @@ references:
|
|
|
b5e178 |
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-040660
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-030420
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
|
|
b5e178 |
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
|
|
b5e178 |
index 861c3485f3..d7d5bfe607 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
|
|
|
b5e178 |
@@ -32,7 +32,7 @@ references:
|
|
|
b5e178 |
nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-040650
|
|
|
b5e178 |
- stigid@sle12: SLES-12-030420
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-030410
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3
|
|
|
b5e178 |
cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06
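Review bot: This hunk moves `SLES-12-030420` off sysctl_net_ipv4_conf_default_send_redirects and assigns it `SLES-12-030410`, while the hunk for sysctl_net_ipv4_conf_all_send_redirects earlier in this diff newly claims `SLES-12-030420`. Nothing on the page confirms which STIG item covers the `all` versus the `default` variant, and a swapped pair would map both checks to the wrong STIG text without any build error, so the two IDs are worth confirming against the SLES 12 STIG before merge. A sentence in the commit message explaining the reassignment would also help the next reader, since in isolation the hunk looks like a typo fix.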
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
|
|
b5e178 |
index 12d84a2604..b9f3d060d5 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,rhcos4
|
|
|
b5e178 |
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,rhcos4,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -17,6 +17,7 @@ severity: medium
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80157-1
|
|
|
b5e178 |
cce@rhel8: CCE-81024-2
|
|
|
b5e178 |
+ cce@sle12: CCE-83088-5
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-040740
|
|
|
b5e178 |
@@ -28,6 +29,7 @@ references:
|
|
|
b5e178 |
nist-csf: DE.CM-1,PR.DS-4,PR.IP-1,PR.PT-3,PR.PT-4
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-040740
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-030430
|
|
|
b5e178 |
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6'
|
|
|
b5e178 |
isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
|
|
|
b5e178 |
cobit5: APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07,DSS06.06
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
|
|
b5e178 |
index ee7140be4b..d9db321b70 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
|
|
b5e178 |
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Disable DCCP Support'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -19,10 +19,12 @@ severity: medium
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-82024-1
|
|
|
b5e178 |
cce@rhel8: CCE-80833-7
|
|
|
b5e178 |
+ cce@sle12: CCE-83055-4
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-020101
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-020101
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-030030
|
|
|
b5e178 |
cis@rhel8: 3.3.1
|
|
|
b5e178 |
cjis: 5.10.1
|
|
|
b5e178 |
cui: 3.4.6
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
|
|
|
b5e178 |
index 1e3c60b7e3..8578172a99 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
|
|
|
b5e178 |
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Ensure All World-Writable Directories Are Group Owned by a System Account'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -22,14 +22,17 @@ severity: medium
|
|
|
b5e178 |
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-83923-3
|
|
|
b5e178 |
+ cce@sle12: CCE-83104-0
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-021030
|
|
|
b5e178 |
disa: CCI-000366
|
|
|
b5e178 |
nist: CM-6(a),AC-6(1)
|
|
|
b5e178 |
+ nist@sle12: CM-6(b)
|
|
|
b5e178 |
nist-csf: PR.AC-4,PR.DS-5
|
|
|
b5e178 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
stigid@rhel7: RHEL-07-021030
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010830
|
|
|
b5e178 |
isa-62443-2013: 'SR 2.1,SR 5.2'
|
|
|
b5e178 |
isa-62443-2009: 4.3.3.7.3
|
|
|
b5e178 |
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
|
|
|
b5e178 |
@@ -41,5 +44,5 @@ ocil_clause: 'there is output'
|
|
|
b5e178 |
ocil: |-
|
|
|
b5e178 |
The following command will discover and print world-writable directories that
|
|
|
b5e178 |
are not group owned by a system account, given the assumption that only system
|
|
|
b5e178 |
- accounts have a gid lower than 500. Run it once for each local partition PART:
|
|
|
b5e178 |
- $ sudo find PART -xdev -type d -perm -0002 -gid +499 -print
|
|
|
b5e178 |
+ accounts have a gid lower than {{{ auid }}}. Run it once for each local partition PART:
|
|
|
b5e178 |
+ $ sudo find PART -xdev -type d -perm -0002 -gid +{{{ auid - 1 }}} -print
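Review bot: The rewritten OCIL text uses `{{{ auid }}}` as the boundary between system and user groups, but `auid` is the product's login UID threshold, and `/etc/login.defs` carries a separate `GID_MIN`; where the two differ, the "only system accounts have a gid lower than …" assumption no longer holds and the `find -gid +{{{ auid - 1 }}}` listing can miss or over-report directories. If the product value matches GID_MIN on SLES 12 this is acceptable, but the sentence should say which threshold it is, e.g. `accounts have a gid lower than {{{ auid }}} (the product's UID_MIN/GID_MIN threshold)`. The automated check for this rule is outside this diff; presumably it should derive its bound from the same `auid` value so the manual command and the OVAL flag the same directories.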
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
|
|
|
b5e178 |
index 68fd6821b8..79594c701f 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019
|
|
|
b5e178 |
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Ensure All Files Are Owned by a Group'
|
|
|
b5e178 |
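Review bot: `sle12` is inserted alphabetically before `sle15` in this `prodtype` line, and again in the mount_option_nosuid_removable_partitions hunk, whereas every other rule file in this commit appends it to the end of the list (for example `...,wrlinux1019,sle12`). Ordering presumably does not affect the build, but one convention should be used across the commit; the surrounding files suggest appending, so `prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12` here would match them.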
|
|
|
b5e178 |
@@ -24,6 +24,7 @@ severity: medium
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-80135-7
|
|
|
b5e178 |
cce@rhel8: CCE-83497-8
|
|
|
b5e178 |
+ cce@sle12: CCE-83073-7
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-020330
|
|
|
b5e178 |
@@ -40,6 +41,7 @@ references:
|
|
|
b5e178 |
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
|
|
|
b5e178 |
cis-csc: 1,11,12,13,14,15,16,18,3,5
|
|
|
b5e178 |
cis@sle15: 6.1.12
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010700
|
|
|
b5e178 |
|
|
|
b5e178 |
ocil_clause: 'there is output'
|
|
|
b5e178 |
|
|
|
b5e178 |
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
|
|
|
b5e178 |
index dadd3fa3e9..3652cf9f2b 100644
|
|
|
b5e178 |
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
|
|
|
b5e178 |
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
|
|
|
b5e178 |
@@ -1,6 +1,6 @@
|
|
|
b5e178 |
documentation_complete: true
|
|
|
b5e178 |
|
|
|
b5e178 |
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,rhcos4
|
|
|
b5e178 |
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,rhcos4,sle12
|
|
|
b5e178 |
|
|
|
b5e178 |
title: 'Add nosuid Option to /home'
|
|
|
b5e178 |
|
|
|
b5e178 |
@@ -21,6 +21,7 @@ severity: medium
|
|
|
b5e178 |
identifiers:
|
|
|
b5e178 |
cce@rhel7: CCE-81153-9
|
|
|
b5e178 |
cce@rhel8: CCE-81050-7
|
|
|
b5e178 |
+ cce@sle12: CCE-83100-8
|
|
|
b5e178 |
|
|
|
b5e178 |
references:
|
|
|
b5e178 |
stigid@ol7: OL07-00-021000
|
|
|
b5e178 |
@@ -36,6 +37,7 @@ references:
|
|
|
b5e178 |
cis-csc: 11,13,14,3,8,9
|
|
|
b5e178 |
anssi: BP28(R12)
|
|
|
b5e178 |
srg: SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00227
|
|
|
b5e178 |
+ stigid@sle12: SLES-12-010790
|
|
|
b5e178 |
|
|
|
b5e178 |
platform: machine
|
|
|
b5e178 |
|
|
|
b5e178 |
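diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
index e507bb4465..5f19864ded 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,rhcos4,ubuntu1804
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019,rhcos4,ubuntu1804
 
 title: 'Add nosuid Option to Removable Media Partitions'
 
@@ -23,6 +23,7 @@ identifiers:
 cce@rhel7: CCE-80148-0
 cce@rhel8: CCE-82744-4
 cce@rhcos4: CCE-82745-1
+    cce@sle12: CCE-83101-6
 
 references:
 cis@rhel8: 1.1.19
@@ -39,6 +40,7 @@ references:
 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.11.2.6,A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
 cis-csc: 11,12,13,14,15,16,18,3,5,8,9
 cis@sle15: 1.1.21
+    stigid@sle12: SLES-12-010800
 
 platform: machine
 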
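diff --git a/linux_os/guide/system/permissions/permissions_local/group.yml b/linux_os/guide/system/permissions/permissions_local/group.yml
new file mode 100644
index 0000000000..6e13c74f51
--- /dev/null
+++ b/linux_os/guide/system/permissions/permissions_local/group.yml
@@ -0,0 +1,12 @@
+documentation_complete: true
+
+title: |-
+    Verify Permissions on Important Files and
+    Directories Are Configured in /etc/permissions.local
+
+description: |-
+    Permissions for many files on a system must be set
+    restrictively to ensure sensitive information is properly protected.
+    This section discusses the <tt>/etc/permissions.local</tt> file, where
+    expected permissions can be configured to be checked and fixed through
+    usage of the <tt>chkstat</tt> command.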
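diff --git a/linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml b/linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml
new file mode 100644
index 0000000000..8c28313067
--- /dev/null
+++ b/linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml
@@ -0,0 +1,50 @@
+documentation_complete: true
+
+prodtype: sle12
+
+title: 'OS commands and libraries must have the proper permissions to protect from unauthorized access'
+
+description: |-
+    Verify that the SUSE operating system prevents unauthorized users from
+    accessing system command and library files.
+
+    Check that all of the audit information files and folders have the correct
+    permissions with the following command:
+    # sudo chkstat --warn --system
+
+    Set the correct permissions with the following command:
+
+    # sudo chkstat --set --system
+
+rationale: |-
+    If the SUSE operating system were to allow any user to make changes to
+    software libraries, those changes might be implemented without undergoing
+    the appropriate testing and approvals that are part of a robust change
+    management process.
+
+    This requirement applies to SUSE operating systems with software libraries
+    that are accessible and configurable, as in the case of interpreted
+    languages. Software libraries also include privileged programs that execute
+    with escalated privileges. Only qualified and authorized individuals must
+    be allowed to obtain access to information system components to initiate
+    changes, including upgrades and modifications.
+
+severity: medium
+
+identifiers:
+    cce@sle12: CCE-83111-5
+
+references:
+    disa@sle12: CCI-001499
+    nist@sle12: CM-5(6)
+    srg@sle12: SRG-OS-000259-GPOS-00100
+    stigid@sle12: SLES-12-010880
+
+ocil: |-
+    Check that all of the audit information files and folders have the correct
+    permissions with the following command:
+    # sudo chkstat --warn --system
+
+    If you get any warnings, set the correct permissions with the following command:
+
+    # sudo chkstat --set --system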
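Review bot: The sentence "Check that all of the audit information files and folders have the correct permissions" appears in both the description and the ocil block, but this rule is about system command and library files (see the title and SLES-12-010880), so it reads as copied from an audit rule; `Check that system commands and library files have the correct permissions with the following command:` fits in both places. The new file also has an `ocil` block but no `ocil_clause`, which the other rule.yml files in this commit carry (for example `ocil_clause: 'there is output'`); something like `ocil_clause: 'chkstat --warn --system reports any warnings'` would be consistent with them. The ocil block ends with the remediation command `chkstat --set --system`; OCIL is the check procedure, and the fix is already given in the description. No OVAL or bash content for `run_chkstat` is visible in this commit, so it is unclear whether the rule is meant to be evaluated automatically or only through the OCIL question.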
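diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh
index 9b2e235311..fbe9ddbb3e 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh
@@ -1,15 +1,24 @@
-# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol,multi_platform_sle
 
 {{{ bash_package_install("aide") }}}
 
 CRONTAB=/etc/crontab
 CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
 
+# NOTE: on some platforms, /etc/crontab may not exist
+if [ -f /etc/crontab ]; then
+    CRONTAB_EXIST=/etc/crontab
+fi
+
 if [ -f /var/spool/cron/root ]; then
 VARSPOOL=/var/spool/cron/root
 fi
 
-if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then
+if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+{{% if product == "sle12" %}}
+    echo '0 5 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
+{{% else %}}
 echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB
+{{% endif %}}
 fi
 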
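Review bot: The grep guard still matches only `/usr/sbin/aide`, while the sle12 branch right below it writes a `/usr/bin/aide` cron line, so on SLE 12 the remediation never recognises its own entry and appends another line to /etc/crontab on every run. Widen the pattern to cover both paths, e.g. `if ! grep -qR '^.*\/usr\/s\?bin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then`, or template the path the way the OVAL file in this commit does with `aide_bin_path`. The OVAL keys the path on `product in ["sle12", "sle15"]` whereas this script keys on `product == "sle12"`; the check and the fix should use the same condition. `$CRONTAB_EXIST` is deliberately unquoted so that it drops out of the argument list when /etc/crontab is absent, which deserves a comment such as `# CRONTAB_EXIST stays unquoted: empty when /etc/crontab is absent`.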
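diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml
index d6d9f2542e..7f557bd6a3 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml
@@ -1,3 +1,9 @@
+{{% if product in ["sle12", "sle15"] %}}
+{{% set aide_bin_path = "/usr/bin/aide" %}}
+{{% else %}}
+{{% set aide_bin_path = "/usr/sbin/aide" %}}
+{{% endif %}}
+
 <def-group>
 <definition class="compliance" id="aide_scan_notification" version="1">
 {{{ oval_metadata("AIDE should notify appropriate personnel of the details
@@ -17,7 +23,7 @@
 </ind:textfilecontent54_test>
 <ind:textfilecontent54_object comment="notify personnel when aide completes" id="object_test_aide_scan_notification" version="1">
 <ind:filepath>/etc/crontab</ind:filepath>
-    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern>
 <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
 </ind:textfilecontent54_object>
 
@@ -26,7 +32,7 @@
 </ind:textfilecontent54_test>
 <ind:textfilecontent54_object comment="notify personnel when aide completes" id="object_aide_var_cron_notification" version="1">
 <ind:filepath>/var/spool/cron/root</ind:filepath>
-    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern>
 <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
 </ind:textfilecontent54_object>
 
@@ -36,7 +42,7 @@
 <ind:textfilecontent54_object comment="notify personnel when aide completes in cron.(d|daily|weekly|monthly)" id="object_aide_crontabs_notification" version="1">
 <ind:path operation="pattern match">^/etc/cron.(d|daily|weekly|monthly)$</ind:path>
 <ind:filename operation="pattern match">^.*$</ind:filename>
-    <ind:pattern operation="pattern match">^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern>
 <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
 </ind:textfilecontent54_object>
 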
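diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
index 3ed6a7bb37..cc696141f6 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
 
 title: 'Configure Notification of Post-AIDE Scan Details'
 
@@ -30,6 +30,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-80374-2
 cce@rhel8: CCE-82891-3
+    cce@sle12: CCE-83048-9
 
 references:
 stigid@ol7: OL07-00-020040
@@ -44,6 +45,11 @@ references:
 cobit5: BAI01.06,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07
 iso27001-2013: A.12.1.2,A.12.4.1,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1
 cis-csc: 1,11,12,13,15,16,2,3,5,7,8,9
+    disa@sle12: CCI-002702
+    nist@sle12: SI-6d
+    stigid@sle12: SLES-12-010510
+    srg@sle12: SRG-OS-000447-GPOS-00201
+    disa@sle12: CCI-002702
 
 ocil_clause: 'AIDE has not been configured or has not been configured to notify personnel of scan details'
 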
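Review bot: `disa@sle12: CCI-002702` is added twice in the last hunk, once before `nist@sle12` and again after `srg@sle12`, which gives the `references` mapping a duplicate key; YAML loaders either reject that or silently keep the last value, so the second `    disa@sle12: CCI-002702` line should be dropped. Every other rule.yml in this commit lists each `@sle12` reference key once.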
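diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
index 23e939bbec..abf13a274a 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml
@@ -14,7 +14,7 @@ severity: medium
 identifiers:
 cce@rhel7: CCE-27096-7
 cce@rhel8: CCE-80844-4
-    cce@sle12: CCE-83048-9
+    cce@sle12: CCE-83067-9
 
 references:
 cis@rhel8: 1.4.1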
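diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template
index 49e4258cd2..70101ca777 100644
--- a/shared/templates/audit_rules_dac_modification/ansible.template
+++ b/shared/templates/audit_rules_dac_modification/ansible.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = true
 # strategy = restrict
 # complexity = low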
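diff --git a/shared/templates/audit_rules_login_events/ansible.template b/shared/templates/audit_rules_login_events/ansible.template
index e36d4b3371..4b32771c3f 100644
--- a/shared/templates/audit_rules_login_events/ansible.template
+++ b/shared/templates/audit_rules_login_events/ansible.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = true
 # strategy = restrict
 # complexity = low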
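diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template
index a992b47960..1c5a8b6b2a 100644
--- a/shared/templates/audit_rules_privileged_commands/ansible.template
+++ b/shared/templates/audit_rules_privileged_commands/ansible.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low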
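diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
index 3737145add..8e8e003a5b 100644
--- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
+++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = true
 # strategy = restrict
 # complexity = low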
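diff --git a/shared/templates/audit_rules_usergroup_modification/ansible.template b/shared/templates/audit_rules_usergroup_modification/ansible.template
index 2fab63ae44..ea9738ecb2 100644
--- a/shared/templates/audit_rules_usergroup_modification/ansible.template
+++ b/shared/templates/audit_rules_usergroup_modification/ansible.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
 # reboot = true
 # strategy = restrict
 # complexity = low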
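diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
index 15c4f70336..4c8b361226 100644
--- a/sle12/profiles/stig.profile
+++ b/sle12/profiles/stig.profile
@@ -7,7 +7,9 @@ description: |-
 DISA STIG for SUSE Linux Enterprise 12 V1R2.
 
 selections:
+    - sshd_approved_macs=stig
 - var_accounts_fail_delay=4
+    - var_removable_partition=dev_cdrom
 - account_disable_post_pw_expiration
 - account_temp_expire_date
 - accounts_have_homedir_login_defs
@@ -19,6 +21,22 @@ selections:
 - accounts_password_set_max_life_existing
 - accounts_password_set_min_life_existing
 - accounts_umask_etc_login_defs
+    - accounts_user_dot_no_world_writable_programs
+    - accounts_user_home_paths_only
+    - accounts_user_interactive_home_directory_defined
+    - accounts_user_interactive_home_directory_exists
+    - aide_scan_notification
+    - audit_rules_dac_modification_chmod
+    - audit_rules_login_events_lastlog
+    - audit_rules_login_events_tallylog
+    - audit_rules_privileged_commands_chage
+    - audit_rules_privileged_commands_unix_chkpwd
+    - audit_rules_unsuccessful_file_modification_creat
+    - audit_rules_unsuccessful_file_modification_ftruncate
+    - audit_rules_unsuccessful_file_modification_open_by_handle_at
+    - audit_rules_unsuccessful_file_modification_openat
+    - audit_rules_unsuccessful_file_modification_truncate
+    - audit_rules_usergroup_modification_gshadow
 - auditd_audispd_encrypt_sent_records
 - auditd_data_disk_full_action
 - auditd_data_retention_action_mail_acct
@@ -26,17 +44,27 @@ selections:
 - banner_etc_issue
 - banner_etc_motd
 - dir_perms_world_writable_sticky_bits
+    - dir_perms_world_writable_system_owned_group
 - disable_ctrlaltdel_reboot
 - encrypt_partitions
 - ensure_gpgcheck_globally_activated
+    - file_groupownership_home_directories
+    - file_permission_user_init_files
+    - file_permissions_home_directories
 - file_permissions_sshd_private_key
 - file_permissions_sshd_pub_key
+    - file_permissions_ungroupowned
 - ftp_present_banner
 - gnome_gdm_disable_automatic_login
 - grub2_password
 - grub2_uefi_password
 - installed_OS_is_vendor_supported
+    - kernel_module_dccp_disabled
 - kernel_module_usb-storage_disabled
+    - mount_option_home_nosuid
+    - mount_option_noexec_remote_filesystems
+    - mount_option_nosuid_remote_filesystems
+    - mount_option_nosuid_removable_partitions
 - no_empty_passwords
 - no_files_unowned_by_user
 - no_host_based_files
@@ -47,11 +75,14 @@ selections:
 - package_audit_installed
 - package_telnet-server_removed
 - postfix_client_configure_mail_alias
+    - run_chkstat
 - security_patches_up_to_date
 - service_auditd_enabled
+    - service_kdump_disabled
 - set_password_hashing_algorithm_logindefs
 - sshd_disable_compression
 - sshd_disable_empty_passwords
+    - sshd_disable_root_login
 - sshd_disable_user_known_hosts
 - sshd_do_not_permit_user_env
 - sshd_enable_strictmodes
@@ -61,10 +92,18 @@ selections:
 - sshd_set_idle_timeout
 - sshd_set_keepalive
 - sshd_set_loglevel_verbose
+    - sshd_use_approved_macs
 - sshd_use_priv_separation
 - sudo_remove_no_authenticate
 - sudo_remove_nopasswd
+    - sysctl_net_ipv4_conf_all_accept_redirects
 - sysctl_net_ipv4_conf_all_accept_source_route
+    - sysctl_net_ipv4_conf_all_send_redirects
+    - sysctl_net_ipv4_conf_default_accept_redirects
 - sysctl_net_ipv4_conf_default_accept_source_route
 - sysctl_net_ipv4_conf_default_send_redirects
+    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
+    - sysctl_net_ipv4_ip_forward
 - sysctl_net_ipv6_conf_all_accept_source_route
+    - sysctl_net_ipv6_conf_default_accept_source_route
+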
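Review bot: A number of selections added to this profile are not among the STIG IDs listed in the commit description — `sshd_approved_macs=stig` with `sshd_use_approved_macs`, `kernel_module_dccp_disabled`, `sshd_disable_root_login`, the `audit_rules_login_events_*` and `audit_rules_privileged_commands_*` entries, and the `sysctl_net_ipv4_*`/`sysctl_net_ipv6_*` entries — so either the description should list the requirement each of them maps to, or those selections belong in a separate change so reviewers can trace each one to its STIG item. The last hunk also appends an empty line at the end of the file (a `+` with no content), which is whitespace noise and can be dropped. `var_removable_partition=dev_cdrom` is the value `mount_option_nosuid_removable_partitions` is evaluated against; a short comment next to it, such as `# device checked by mount_option_nosuid_removable_partitions`, would make that coupling visible to the next profile editor.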