From a050df59825379e7793b5f31c40fc1936585a4a6 Mon Sep 17 00:00:00 2001
From: Guang Yee <guang.yee@suse.com>
Date: Wed, 3 Feb 2021 16:17:14 -0800
Subject: [PATCH] Enable checks and remediations for the following SLES-12
STIGs:
- SLES-12-010890 'file_permissions_var_log_messages'
- SLES-12-010910 'pam_disable_automatic_configuration'
- SLES-12-020020 'auditd_audispd_configure_sufficiently_large_partition'
- SLES-12-020100 'auditd_audispd_network_failure_action'
- SLES-12-020110 'auditd_audispd_disk_full_action'
- SLES-12-020120 'permissions_local_var_log_audit'
- SLES-12-020130 'permissions_local_audit_binaries'
- SLES-12-020199 'audit_rules_enable_syscall_auditing'
- SLES-12-020200 'audit_rules_usergroup_modification_passwd'
- SLES-12-020210 'audit_rules_usergroup_modification_group'
- SLES-12-020220 'audit_rules_usergroup_modification_shadow'
- SLES-12-020230 'audit_rules_usergroup_modification_opasswd'
- SLES-12-020250 'audit_rules_privileged_commands_su'
- SLES-12-020260 'audit_rules_privileged_commands_sudo'
- SLES-12-020290 'audit_rules_privileged_commands_mount'
- SLES-12-020300 'audit_rules_privileged_commands_umount'
- SLES-12-020370 'audit_rules_dac_modification_setxattr'
- SLES-12-020380 'audit_rules_dac_modification_fsetxattr'
- SLES-12-020390 'audit_rules_dac_modification_removexattr'
- SLES-12-020400 'audit_rules_dac_modification_lremovexattr'
- SLES-12-020410 'audit_rules_dac_modification_fremovexattr'
- SLES-12-020430 'audit_rules_dac_modification_fchown'
- SLES-12-020440 'audit_rules_dac_modification_lchown'
- SLES-12-020450 'audit_rules_dac_modification_fchownat'
- SLES-12-020460 'audit_rules_dac_modification_chown'
- SLES-12-020470 'audit_rules_dac_modification_fchmod'
- SLES-12-020480 'audit_rules_dac_modification_fchmodat'
- SLES-12-020490 'audit_rules_unsuccessful_file_modification_open'
- SLES-12-020710 'audit_rules_privileged_commands_crontab'
- SLES-12-020720 'audit_rules_privileged_commands_pam_timestamp_check'
- SLES-12-020730 'audit_rules_kernel_module_loading_delete'
- SLES-12-020740 'audit_rules_kernel_module_loading_finit'
- SLES-12-020750 'audit_rules_kernel_module_loading_init'
- SLES-12-030300 'chronyd_or_ntpd_set_maxpoll'
Corrections:
- The STIG ID for audit_rules_dac_modification_chmod was incorrect.
It should've been SLES-12-020460 instead of SLES-12-020600.
- The STIG ID for sshd_do_not_permit_user_env was incorrect.
It should've been SLES-12-030151 instead of SLES-12-030150.
---
.../ansible/shared.yml | 49 +++++++++++++
.../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 5 +-
.../sshd_do_not_permit_user_env/rule.yml | 2 +-
.../ansible/shared.yml | 19 +++++
.../bash/shared.sh | 6 ++
.../oval/shared.xml | 29 ++++++++
.../rule.yml | 37 ++++++++++
.../rule.yml | 2 +-
.../rule.yml | 3 +
.../rule.yml | 2 +
.../rule.yml | 2 +
.../rule.yml | 3 +
.../rule.yml | 3 +
.../rule.yml | 3 +
.../rule.yml | 3 +
.../rule.yml | 3 +
.../rule.yml | 3 +
.../rule.yml | 3 +
.../rule.yml | 3 +
.../rule.yml | 2 +
.../ansible/shared.yml | 2 +-
.../rule.yml | 2 +
.../ansible/shared.yml | 2 +-
.../rule.yml | 2 +
.../ansible/shared.yml | 2 +-
.../rule.yml | 3 +-
.../rule.yml | 4 +-
.../rule.yml | 5 +-
.../rule.yml | 4 +-
.../rule.yml | 4 +-
.../rule.yml | 4 +-
.../rule.yml | 5 +-
.../ansible/shared.yml | 53 ++++++++++++++
.../bash/shared.sh | 19 +++++
.../oval/shared.xml | 46 ++++++++++++
.../rule.yml | 35 +++++++++
.../rule.yml | 4 +-
.../rule.yml | 5 +-
.../rule.yml | 4 +-
.../rule.yml | 5 +-
.../oval/shared.xml | 34 +++++++++
.../rule.yml | 69 ++++++++++++++++++
.../auditd_audispd_disk_full_action/rule.yml | 5 +-
.../rule.yml | 4 +-
.../ansible/shared.yml | 12 ++++
.../oval/shared.xml | 45 ++++++++++++
.../rule.yml | 53 ++++++++++++++
.../permissions_local_audit_binaries/rule.yml | 72 +++++++++++++++++++
.../permissions_local_var_log_audit/rule.yml | 57 +++++++++++++++
shared/templates/extra_ovals.yml | 6 ++
sle12/profiles/stig.profile | 37 +++++++++-
51 files changed, 766 insertions(+), 20 deletions(-)
create mode 100644 linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml
create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml
create mode 100644 linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml
create mode 100644 linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml
create mode 100644 linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml
create mode 100644 linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml
create mode 100644 linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml
create mode 100644 linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
new file mode 100644
index 0000000000..3c83850a05
--- /dev/null
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
@@ -0,0 +1,49 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables('var_time_service_set_maxpoll') }}}
+
+- name: Check that /etc/ntp.conf exist
+ stat:
+ path: /etc/ntp.conf
+ register: ntp_conf_exist_result
+
+- name: Check that /etc/chrony.conf exist
+ stat:
+ path: /etc/chrony.conf
+ register: chrony_conf_exist_result
+
+- name: Update the maxpoll values in /etc/ntp.conf
+ lineinfile:
+ path: /etc/ntp.conf
+ regex: '^(server.*maxpoll) [0-9]+(\s+.*)$'
+ line: '\1 {{ var_time_service_set_maxpoll }}\2'
+ backrefs: yes
+ when: ntp_conf_exist_result.stat.exists
+
+- name: Update the maxpoll values in /etc/chrony.conf
+ lineinfile:
+ path: /etc/chrony.conf
+ regex: '^(server.*maxpoll) [0-9]+(\s+.*)$'
+ line: '\1 {{ var_time_service_set_maxpoll }}\2'
+ backrefs: yes
+ when: chrony_conf_exist_result.stat.exists
+
+- name: Set the maxpoll values in /etc/ntp.conf
+ lineinfile:
+ path: /etc/ntp.conf
+ regex: '(^server\s+((?!maxpoll).)*)$'
+ line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
+ backrefs: yes
+ when: ntp_conf_exist_result.stat.exists
+
+- name: Set the maxpoll values in /etc/chrony.conf
+ lineinfile:
+ path: /etc/chrony.conf
+ regex: '(^server\s+((?!maxpoll).)*)$'
+ line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n'
+ backrefs: yes
+ when: chrony_conf_exist_result.stat.exists
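Review bot: Only the last matching `server` line is edited per run, because `lineinfile` with `regex` and `backrefs` changes a single line (the last match), so when /etc/ntp.conf or /etc/chrony.conf lists several servers the four tasks here leave the other entries untouched and the check still fails after remediation. The `replace` module applies the substitution to every matching line, keeps the `\1`/`\2` backreferences and stays idempotent once the value is set; since it matches the whole file in multiline mode, `\s+` should give way to `(.*)` / `[ \t]+` so a match cannot run across the newline into the next `server` line, and the literal `\n` at the end of the two 'Set' tasks' `line` has to go, because `re.sub` would expand it into an extra blank line. The ntp.conf pair converted this way is below; the chrony.conf pair differs only in `path` and the `when` variable.
```yaml
- name: Update the maxpoll values in /etc/ntp.conf
  replace:
    path: /etc/ntp.conf
    regexp: '^(server.*maxpoll) [0-9]+(.*)$'
    replace: '\1 {{ var_time_service_set_maxpoll }}\2'
  when: ntp_conf_exist_result.stat.exists

- name: Set the maxpoll values in /etc/ntp.conf
  replace:
    path: /etc/ntp.conf
    regexp: '^(server[ \t]+((?!maxpoll).)*)$'
    replace: '\1 maxpoll {{ var_time_service_set_maxpoll }}'
  when: ntp_conf_exist_result.stat.exists

# … unchanged: the stat tasks; the chrony.conf 'Update' and 'Set' tasks converted the same way …
```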
diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
index d5f8b9125e..4e4be3002f 100644
--- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Configure Time Service Maxpoll Interval'
@@ -26,6 +26,7 @@ platform: machine # The check uses service_... extended definition, which doesn
identifiers:
cce@rhel7: CCE-80439-3
cce@rhcos4: CCE-82684-2
+ cce@sle12: CCE-83124-8
references:
stigid@ol7: OL07-00-040500
@@ -39,6 +40,8 @@ references:
cobit5: APO11.04,BAI03.05,DSS05.04,DSS05.07,MEA02.01
iso27001-2013: A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1
cis-csc: 1,14,15,16,3,5,6
+ stigid@sle12: SLES-12-030300
+ nist@sle12: AU-8(1)(a),AU-8(1)(b)
ocil_clause: 'it does not exist or maxpoll has not been set to the expected value'
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
index 0c17411fad..e5d54261d3 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml
@@ -33,7 +33,7 @@ references:
srg: SRG-OS-000480-GPOS-00229
vmmsrg: SRG-OS-000480-VMM-002000
stigid@rhel7: RHEL-07-010460
- stigid@sle12: SLES-12-030150
+ stigid@sle12: SLES-12-030151
isa-62443-2013: 'SR 7.6'
isa-62443-2009: 4.3.4.3.2,4.3.4.3.3
cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05
diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml
new file mode 100644
index 0000000000..04e889199f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml
@@ -0,0 +1,19 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Find soft links /etc/pam.d/
+ find:
+ paths: /etc/pam.d
+ file_type: link
+ patterns: common-.*
+ use_regex: yes
+ register: find_pam_soft_links_result
+
+- name: Remove soft links in /etc/pam.d/
+ shell: |
+ target=$(readlink -f "{{ item.path }}")
+ cp -p --remove-destination "$target" "{{ item.path }}"
+ with_items: "{{ find_pam_soft_links_result.files }}"
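Review bot: `{{ item.path }}` is spliced into the `shell` text on the `target=$(readlink -f "{{ item.path }}")` and `cp` lines before the shell parses it, so the surrounding double quotes only hold while the path contains no `"`, `$` or backtick; paths under /etc/pam.d are root-controlled, but the usual idiom is the `quote` filter without hand-written quotes, `target=$(readlink -f {{ item.path | quote }})` and `cp -p --remove-destination "$target" {{ item.path | quote }}`. A dangling `common-*` link makes `readlink -f` print a target that does not exist and the `cp` then fails the play; if that can happen on SLES 12 (can't tell from here), a `[ -e "$target" ] || exit 0` before the `cp` or a `failed_when` keeps the remaining links being processed. The `find` regex `common-.*` is also case-sensitive while the bash remediation in this commit uses `-iname`, so the two remediations do not agree on which links they touch.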
diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh
new file mode 100644
index 0000000000..ef195d3ac2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_sle
+
+for link in $(find /etc/pam.d/ -type l -iname "common-*") ; do
+ target=$(readlink -f "$link")
+ cp -p --remove-destination "$target" "$link"
+done
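Review bot: `for link in $(find ...)` on the `for` line word-splits and glob-expands the `find` output, so a link name containing whitespace or a glob character is processed as separate, wrong paths; for a fixed directory the shell idiom is a glob plus a link test, `for link in /etc/pam.d/common-*; do` followed by `[ -L "$link" ] || continue`, which also drops the `find` call. `-iname` additionally matches `Common-*` variants that the OVAL pattern `^common-.*$` in this commit never flags, so `-name` keeps the remediation aligned with the check. A dangling link yields a `$target` that does not exist and `cp` reports an error for it; a `[ -e "$target" ] || continue` guard before the `cp` makes that case explicit.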
diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml
new file mode 100644
index 0000000000..0a8f356e7a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml
@@ -0,0 +1,29 @@
+<def-group>
+ <definition class="compliance" id="pam_disable_automatic_configuration" version="1">
+ <metadata>
+ <title>The PAM configuration should not be changed automatically</title>
+ <affected family="unix">
+ <platform>multi_platform_sle</platform>
+ </affected>
+ <description>Verify the SUSE operating system is configured to not overwrite Pluggable
+ Authentication Modules (PAM) configuration on package changes.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="/etc/pam.d/common-* are not symbolic links" test_ref="test_pam_disable_automatic_configuration" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/pam.d/common-* are not symbolic links" id="test_pam_disable_automatic_configuration" version="1">
+ <unix:object object_ref="obj_pam_disable_automatic_configuration" />
+ <unix:state state_ref="state_pam_disable_automatic_configuration_no_symlink" />
+ </unix:file_test>
+
+ <unix:file_object comment="/etc/pam.d/common-* files" id="obj_pam_disable_automatic_configuration" version="1">
+ <unix:path operation="equals">/etc/pam.d</unix:path>
+ <unix:filename operation="pattern match">^common-.*$</unix:filename>
+ </unix:file_object>
+
+ <unix:file_state id="state_pam_disable_automatic_configuration_no_symlink" version="1">
+ <unix:type>regular</unix:type>
+ </unix:file_state>
+</def-group>
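Review bot: The test only detects a link if the file probe reports the link itself (lstat-style) in `<unix:type>`; if the scanner follows the link and reports the target's type, every `common-*` symlink to a regular `common-*-pc` file shows up as `regular` and the criterion at `test_pam_disable_automatic_configuration` can never fail — this should be confirmed against the OpenSCAP file probe behaviour on SLES 12 before the rule is relied on. The commit adds no `tests/` scenarios for the new rules; a `.fail.sh` that recreates a `common-auth -> common-auth-pc` link and a `.pass.sh` with regular files would settle the question and guard the remediations in the same commit. With `check_existence="all_exist"`, a host where the `^common-.*$` pattern matches nothing reports fail rather than pass; if that is intended it is worth a comment on the `unix:file_test` element.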
diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml
new file mode 100644
index 0000000000..fe02158220
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml
@@ -0,0 +1,37 @@
+documentation_complete: true
+
+prodtype: sle12
+
+title: 'The PAM configuration should not be changed automatically'
+
+description: |-
+ Verify the SUSE operating system is configured to not overwrite Pluggable
+ Authentication Modules (PAM) configuration on package changes.
+
+
+rationale: |-
+ <tt>pam-config</tt> is a command line utility that automatically generates
+ a system PAM configuration as packages are installed, updated or removed
+ from the system. <tt>pam-config</tt> removes configurations for PAM modules
+ and parameters that it does not know about. It may render ineffective PAM
+ configuration by the system administrator and thus impact system security.
+
+severity: medium
+
+identifiers:
+ cce@sle12: CCE-83113-1
+
+references:
+ stigid@sle12: SLES-12-010910
+ disa@sle12: CCI-000366
+ srg@sle12: SRG-OS-000480-GPOS-00227
+ nist@sle12: CM-6(b),CM-6.1(iv)
+
+ocil_clause: 'that is not the case'
+
+ocil: |-
+ Check that soft links between PAM configuration files are removed with the following command:
+
+ <pre># find /etc/pam.d/ -type l -iname "common-*"</pre>
+
+ If any results are returned, this is a finding.
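Review bot: The rule explains why the links are removed but not the operational consequence its own `rationale` implies: once the `common-*` files are regular copies, `pam-config` and the package updates that call it no longer change the effective PAM stack, so administrators have to maintain those files by hand. A `warnings:` entry, `- general: |-` followed by a sentence saying that after remediation changes made through `pam-config` take no effect until they are merged manually into /etc/pam.d/common-*, would tell operators what they are signing up for. The `description` repeats the check wording ('Verify the SUSE operating system is configured ...'); stating the required condition ('The SUSE operating system must not overwrite ... on package changes') reads better as a rule description, and the `ocil` phrase 'soft links between PAM configuration files' could name the `/etc/pam.d/common-*` files it refers to.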
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
index 22031b6517..b1d9dfbc4c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
@@ -46,7 +46,7 @@ references:
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030410
- stigid@sle12: SLES-12-020600
+ stigid@sle12: SLES-12-020460
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
index 8c8ccf405f..27e9d98617 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
@@ -30,6 +30,7 @@ identifiers:
cce@rhel7: CCE-27364-9
cce@rhel8: CCE-80686-9
cce@rhcos4: CCE-82557-0
+ cce@sle12: CCE-83137-0
references:
stigid@ol7: OL07-00-030370
@@ -43,8 +44,10 @@ references:
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
+ srg@sle12: SRG-OS-000037-GPOS-00015
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030370
+ stigid@sle12: SLES-12-020420
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
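Review bot: The identifier added here, `stigid@sle12: SLES-12-020420`, disagrees with the commit message, which lists `audit_rules_dac_modification_chown` under SLES-12-020460 while its Corrections section assigns SLES-12-020460 to `audit_rules_dac_modification_chmod`. The neighbouring fchown, lchown and fchownat hunks in this commit use 020430, 020440 and 020450, so 020420 for chown looks like the right value and the commit message line is the one to correct; worth checking against the SLES 12 STIG, since otherwise the profile would map two rules to one STIG ID.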
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
index 7b66511acc..6d55b59af4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
@@ -30,6 +30,7 @@ identifiers:
cce@rhel7: CCE-27393-8
cce@rhel8: CCE-80687-7
cce@rhcos4: CCE-82558-8
+ cce@sle12: CCE-83133-9
references:
stigid@ol7: OL07-00-030420
@@ -45,6 +46,7 @@ references:
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030420
+ stigid@sle12: SLES-12-020470
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
index 3882d0db26..d5b87320a7 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
@@ -30,6 +30,7 @@ identifiers:
cce@rhel7: CCE-27388-8
cce@rhel8: CCE-80688-5
cce@rhcos4: CCE-82559-6
+ cce@sle12: CCE-83132-1
references:
stigid@ol7: OL07-00-030430
@@ -45,6 +46,7 @@ references:
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030430
+ stigid@sle12: SLES-12-020480
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
index 7950e714f6..d75447dab4 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
@@ -33,6 +33,7 @@ identifiers:
cce@rhel7: CCE-27356-5
cce@rhel8: CCE-80689-3
cce@rhcos4: CCE-82560-4
+ cce@sle12: CCE-83136-2
references:
stigid@ol7: OL07-00-030380
@@ -46,8 +47,10 @@ references:
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
+ srg@sle12: SRG-OS-000037-GPOS-00015
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030380
+ stigid@sle12: SLES-12-020430
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
index b35b2d7298..214f7e95c0 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
@@ -30,6 +30,7 @@ identifiers:
cce@rhel7: CCE-27387-0
cce@rhel8: CCE-80690-1
cce@rhcos4: CCE-82561-2
+ cce@sle12: CCE-83134-7
references:
stigid@ol7: OL07-00-030400
@@ -43,8 +44,10 @@ references:
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
+ srg@sle12: SRG-OS-000037-GPOS-00015
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030400
+ stigid@sle12: SLES-12-020450
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index fb936a04b6..af1eea1a36 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -35,6 +35,7 @@ identifiers:
cce@rhel7: CCE-27353-2
cce@rhel8: CCE-80691-9
cce@rhcos4: CCE-82562-0
+ cce@sle12: CCE-83138-8
references:
stigid@ol7: OL07-00-030480
@@ -48,8 +49,10 @@ references:
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
+ srg@sle12: SRG-OS-000037-GPOS-00015
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030480
+ stigid@sle12: SLES-12-020410
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 6d6216122d..33de1d53eb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -30,6 +30,7 @@ identifiers:
cce@rhel7: CCE-27389-6
cce@rhel8: CCE-80692-7
cce@rhcos4: CCE-82563-8
+ cce@sle12: CCE-83141-2
references:
stigid@ol7: OL07-00-030450
@@ -43,8 +44,10 @@ references:
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
+ srg@sle12: SRG-OS-000037-GPOS-00015
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030450
+ stigid@sle12: SLES-12-020380
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
index 53d680a29c..04e8ae5d99 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
@@ -30,6 +30,7 @@ identifiers:
cce@rhel7: CCE-27083-5
cce@rhel8: CCE-80693-5
cce@rhcos4: CCE-82564-6
+ cce@sle12: CCE-83135-4
references:
stigid@ol7: OL07-00-030390
@@ -43,8 +44,10 @@ references:
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000474-GPOS-00219
+ srg@sle12: SRG-OS-000037-GPOS-00015
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030390
+ stigid@sle12: SLES-12-020440
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index bbce29648d..55bc1502d6 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -35,6 +35,7 @@ identifiers:
cce@rhel7: CCE-27410-0
cce@rhel8: CCE-80694-3
cce@rhcos4: CCE-82565-3
+ cce@sle12: CCE-83139-6
references:
stigid@ol7: OL07-00-030490
@@ -48,8 +49,10 @@ references:
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
+ srg@sle12: SRG-OS-000037-GPOS-00015
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030490
+ stigid@sle12: SLES-12-020400
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index f8890cea0d..abbe9269fe 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -34,6 +34,7 @@ identifiers:
cce@rhel7: CCE-27367-2
cce@rhel8: CCE-80696-8
cce@rhcos4: CCE-82567-9
+ cce@sle12: CCE-83140-4
references:
stigid@ol7: OL07-00-030470
@@ -47,8 +48,10 @@ references:
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
+ srg@sle12: SRG-OS-000037-GPOS-00015
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030470
+ stigid@sle12: SLES-12-020390
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 4bcbaf54b4..a74756bfbd 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -30,6 +30,7 @@ identifiers:
cce@rhel7: CCE-27213-8
cce@rhel8: CCE-80697-6
cce@rhcos4: CCE-82568-7
+ cce@sle12: CCE-83142-0
references:
stigid@ol7: OL07-00-030440
@@ -43,8 +44,10 @@ references:
ospp: FAU_GEN.1.1.c
pcidss: Req-10.5.5
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203
+ srg@sle12: SRG-OS-000037-GPOS-00015
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940
stigid@rhel7: RHEL-07-030440
+ stigid@sle12: SLES-12-020370
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index ebccc4dbbf..97aa771056 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -39,6 +39,7 @@ identifiers:
cce@rhel7: CCE-80386-6
cce@rhel8: CCE-80753-7
cce@rhcos4: CCE-82633-9
+ cce@sle12: CCE-83131-3
references:
stigid@ol7: OL07-00-030510
@@ -53,6 +54,7 @@ references:
srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172
vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830
stigid@rhel7: RHEL-07-030510
+ stigid@sle12: SLES-12-020490
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml
index 4759760bc1..c7b605ec31 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle
# reboot = false
# complexity = low
# disruption = low
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
index d53927fcab..0997c1c6a5 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
@@ -27,6 +27,7 @@ identifiers:
cce@rhel7: CCE-80415-3
cce@rhel8: CCE-80711-5
cce@rhcos4: CCE-82580-2
+ cce@sle12: CCE-83128-9
references:
stigid@ol7: OL07-00-030830
@@ -41,6 +42,7 @@ references:
srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
vmmsrg: SRG-OS-000477-VMM-001970
stigid@rhel7: RHEL-07-030830
+ stigid@sle12: SLES-12-020730
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml
index 62220a2294..3f3c3e3d94 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_sle
# reboot = false
# complexity = low
# disruption = low
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
index a6c457485c..f54035bfcb 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -27,6 +27,7 @@ identifiers:
cce@rhel7: CCE-80547-3
cce@rhel8: CCE-80712-3
cce@rhcos4: CCE-82581-0
+ cce@sle12: CCE-83129-7
references:
stigid@ol7: OL07-00-030821
@@ -41,6 +42,7 @@ references:
srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
vmmsrg: SRG-OS-000477-VMM-001970
stigid@rhel7: RHEL-07-030821
+ stigid@sle12: SLES-12-020740
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
index ee6aa0ba59..d804bbd09e 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_rhv
+# platform = multi_platform_rhel,multi_platform_rhv,multi_platform_sle
# reboot = false
# complexity = low
# disruption = low
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
index b81ca09151..829f3b2c8a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
@@ -27,7 +27,7 @@ identifiers:
cce@rhel7: CCE-80414-6
cce@rhel8: CCE-80713-1
cce@rhcos4: CCE-82582-8
-
+ cce@sle12: CCE-83130-5
references:
stigid@ol7: OL07-00-030820
cis: 5.2.17
@@ -41,6 +41,7 @@ references:
srg: SRG-OS-000471-GPOS-00216,SRG-OS-000477-GPOS-00222
vmmsrg: SRG-OS-000477-VMM-001970
stigid@rhel7: RHEL-07-030820
+ stigid@sle12: SLES-12-020750
isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
index 53be8f4928..0cd92027b1 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - crontab'
@@ -34,6 +34,7 @@ identifiers:
cce@rhel7: CCE-80410-4
cce@rhel8: CCE-80727-1
cce@rhcos4: CCE-82593-5
+ cce@sle12: CCE-83126-3
references:
stigid@ol7: OL07-00-030800
@@ -45,6 +46,7 @@ references:
srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
vmmsrg: SRG-OS-000471-VMM-001910
stigid@rhel7: RHEL-07-030800
+ stigid@sle12: SLES-12-020710
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
index 471a920ed4..4941b38aac 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_mount/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,sle12
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - mount'
@@ -34,6 +34,7 @@ identifiers:
cce@rhel7: CCE-81064-8
cce@rhel8: CCE-80989-7
cce@rhcos4: CCE-82595-0
+ cce@sle12: CCE-83145-3
references:
disa: CCI-000135,CCI-000172,CCI-002884
@@ -41,8 +42,10 @@ references:
ospp: FAU_GEN.1.1.c
vmmsrg: SRG-OS-000471-VMM-001910
srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172
+ srg@sle12: SRG-OS-000037-GPOS-00015
stigid@rhel7: RHEL-07-030740
stigid@ol7: OL07-00-030740
+ stigid@sle12: SLES-12-020290
ocil_clause: 'it is not the case'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
index 824e7470ec..d6780b0156 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check'
@@ -34,6 +34,7 @@ identifiers:
cce@rhel7: CCE-80411-2
cce@rhel8: CCE-80730-5
cce@rhcos4: CCE-82599-2
+ cce@sle12: CCE-83127-1
references:
stigid@ol7: OL07-00-030810
@@ -45,6 +46,7 @@ references:
srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
vmmsrg: SRG-OS-000471-VMM-001910
stigid@rhel7: RHEL-07-030810
+ stigid@sle12: SLES-12-020720
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
index 4de737ddf1..86c423dd28 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - su'
@@ -34,6 +34,7 @@ identifiers:
cce@rhel7: CCE-80400-5
cce@rhel8: CCE-80736-2
cce@rhcos4: CCE-82605-7
+ cce@sle12: CCE-83143-8
references:
stigid@ol7: OL07-00-030680
@@ -46,6 +47,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
vmmsrg: SRG-OS-000471-VMM-001910
stigid@rhel7: RHEL-07-030680
+ stigid@sle12: SLES-12-020250
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index 382c66cc88..9e9e892789 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - sudo'
@@ -34,6 +34,7 @@ identifiers:
cce@rhel7: CCE-80401-3
cce@rhel8: CCE-80737-0
cce@rhcos4: CCE-82606-5
+ cce@sle12: CCE-83144-6
references:
stigid@ol7: OL07-00-030690
@@ -46,6 +47,7 @@ references:
srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
vmmsrg: SRG-OS-000471-VMM-001910
stigid@rhel7: RHEL-07-030690
+ stigid@sle12: SLES-12-020260
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
index e8a7ef5f9d..2ce9d62aaf 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_umount/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,wrlinux1019
title: 'Ensure auditd Collects Information on the Use of Privileged Commands - umount'
@@ -34,6 +34,7 @@ identifiers:
cce@rhel7: CCE-80405-4
cce@rhel8: CCE-80739-6
cce@rhcos4: CCE-82608-1
+ cce@sle12: CCE-83158-6
references:
stigid@ol7: OL07-00-030750
@@ -43,8 +44,10 @@ references:
nist: AU-2(d),AU-12(c),AC-6(9),CM-6(a)
nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215
+ srg@sle12: SRG-OS-000037-GPOS-00015
vmmsrg: SRG-OS-000471-VMM-001910
stigid@rhel7: RHEL-07-030750
+ stigid@sle12: SLES-12-020300
isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2'
isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml
new file mode 100644
index 0000000000..8286d51cf2
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml
@@ -0,0 +1,53 @@
+# platform = multi_platform_sle
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Service facts
+ service_facts:
+
+- name: Check the rules script being used
+ command:
+ grep '^ExecStartPost' /usr/lib/systemd/system/auditd.service
+ register: check_rules_scripts_result
+
+- name: Find audit rules in /etc/audit/rules.d
+ find:
+ paths: /etc/audit/rules.d
+ file_type: file
+ follow: yes
+ register: find_audit_rules_result
+ when:
+ - '"auditd.service" in ansible_facts.services'
+ - '"augenrules" in check_rules_scripts_result.stdout'
+
+- name: Enable syscall auditing (augenrules)
+ lineinfile:
+ path: "{{ item.path }}"
+ regex: ^(?i)(\s*-a\s+task,never)\s*$
+ line: '#-a task,never'
+ with_items: "{{ find_audit_rules_result.files }}"
+ when:
+ - '"auditd.service" in ansible_facts.services'
+ - '"augenrules" in check_rules_scripts_result.stdout'
+ register: augenrules_syscall_auditing_rule_update_result
+
+- name: Enable syscall auditing (auditctl)
+ lineinfile:
+ path: /etc/audit/audit.rules
+ regex: ^(?i)(\s*-a\s+task,never)\s*$
+ line: '#-a task,never'
+ when:
+ - '"auditd.service" in ansible_facts.services'
+ - '"auditctl" in check_rules_scripts_result.stdout'
+ register: auditctl_syscall_auditing_rule_update_result
+
+- name: Restart auditd.service
+ systemd:
+ name: auditd.service
+ state: restarted
+ when:
+ - ansible_facts.services["auditd.service"].state == "running"
+ - (augenrules_syscall_auditing_rule_update_result.changed or
+ auditctl_syscall_auditing_rule_update_result.changed)
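Review bot: The "Check the rules script being used" task runs `grep '^ExecStartPost' ...` through `command:` with no `failed_when`, so on a host whose unit file has no such line grep exits 1 and the whole remediation aborts before any of the later `when` guards get a chance to skip; it also reports changed on every run. Add `failed_when: false` and `changed_when: false` next to `register: check_rules_scripts_result`. In the same way, `with_items: "{{ find_audit_rules_result.files }}"` in the augenrules task dereferences `files` on the auditctl path, where the find task was skipped and the registered result has no such key; Ansible expands the loop before evaluating the task's `when`, so `"{{ find_audit_rules_result.files | default([]) }}"` is the form that degrades to a skip. The restart task's `ansible_facts.services["auditd.service"].state` lookup has the same shape of problem and raises rather than skipping when the service is not present in the facts.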
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh
new file mode 100644
index 0000000000..501095bb85
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh
@@ -0,0 +1,19 @@
+# platform = multi_platform_sle
+
+if [ -f "/usr/lib/systemd/system/auditd.service" ] ; then
+ EXECSTARTPOST_SCRIPT=$(grep '^ExecStartPost=' /usr/lib/systemd/system/auditd.service | sed 's/ExecStartPost=//')
+
+ if [[ "$EXECSTARTPOST_SCRIPT" == *"augenrules"* ]] ; then
+ for f in /etc/audit/rules.d/*.rules ; do
+ sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' "$f"
+ done
+ else
+ # auditctl is used
+ sed -E -i --follow-symlinks 's/^(\s*-a\s+task,never)/#\1/' /etc/audit/audit.rules
+ fi
+
+ systemctl is-active --quiet auditd.service
+ if [ $? -ne 0 ] ; then
+ systemctl restart auditd.service
+ fi
+fi
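Review bot: The restart condition at the end of the script appears inverted relative to the Ansible remediation for this rule: `systemctl is-active --quiet auditd.service` followed by `if [ $? -ne 0 ]` restarts auditd only when it is not active, so a running auditd never reloads the rules that were just edited, whereas the Ansible task restarts precisely when the service is running and a file changed. If that is the intent, `if systemctl is-active --quiet auditd.service ; then systemctl restart auditd.service ; fi` is the matching form. Two smaller points: the `sed` expression `s/^(\s*-a\s+task,never)/#\1/` lacks the trailing `\s*$` anchor the OVAL pattern uses, so it can comment out lines the check would never flag, and `for f in /etc/audit/rules.d/*.rules` passes the literal glob to sed when the directory holds no `.rules` file (nullglob is off by default), which surfaces as a sed "No such file" error rather than a no-op.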
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml
new file mode 100644
index 0000000000..f871e0195c
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/oval/shared.xml
@@ -0,0 +1,46 @@
+<def-group>
+ <definition class="compliance" id="audit_rules_enable_syscall_auditing" version="1">
+ <metadata>
+ <title>Enable Syscall Auditing</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Syscall auditing should not be disabled.</description>
+ </metadata>
+
+ <criteria operator="OR">
+
+ <!-- Test the augenrules case -->
+ <criteria operator="AND">
+ <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
+ <criterion comment="check that no audit rule exists in /etc/audit/rules.d/*.rules that disables all syscall auditing" test_ref="test_enable_syscall_audit_augenrules" />
+ </criteria>
+
+ <!-- OR test the auditctl case -->
+ <criteria operator="AND">
+ <extend_definition comment="audit auditctl" definition_ref="audit_rules_auditctl" />
+ <criterion comment="check that no audit rule exists in /etc/audit/audit.rules that disables all syscall auditing" test_ref="test_enable_syscall_audit_auditctl" />
+ </criteria>
+
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check that no audit rule exists in /etc/audit/rules.d/*.rules that disables all syscall auditing" id="test_enable_syscall_audit_augenrules" version="1">
+ <ind:object object_ref="object_enable_syscall_audit_augenrules" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_enable_syscall_audit_augenrules" version="1">
+ <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+task,never[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check that no audit rule exists in /etc/audit/audit.rules that disables all syscall auditing" id="test_enable_syscall_audit_auditctl" version="1">
+ <ind:object object_ref="object_enable_syscall_audit_auditctl" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_enable_syscall_audit_auditctl" version="1">
+ <ind:filepath>/etc/audit/audit.rules</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*-a[\s]+task,never[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
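Review bot: Both `ind:pattern` elements only match the `action,list` spelling `-a task,never`; auditctl accepts the operands in either order, so a rules file containing `-a never,task` disables syscall auditing just as completely yet passes this check, and the bash and Ansible remediations in this commit share the same blind spot. A pattern of the form `^[\s]*-a[\s]+(task,never|never,task)[\s]*$` on both objects closes the gap, and the `sed`/`lineinfile` regexes in the remediations should mirror it so check and fix agree. Consider also a short comment above the first test recording that the `none_exist` semantics are what make an absent or empty `rules.d` pass, since that is easy to misread as a collection error.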
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
new file mode 100644
index 0000000000..9c23291d62
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: sle12
+
+title: 'Remove Default Configuration to Disable Syscall Auditing'
+
+description: |-
+ By default, {{{ full_name }}} ships an audit rule to disable syscall
+ auditing for performance reasons.
+
+ To make sure that syscall auditing works, this line must be removed from
+ <tt>/etc/audit/rules.d/audit.rules</tt> and <tt>/etc/audit/audit.rules</tt>:
+
+ <pre>-a task,never</pre>
+
+rationale: |-
+ Audit rules for syscalls do not take effect unless this line is removed.
+
+severity: medium
+
+identifiers:
+ cce@sle12: CCE-83119-8
+
+references:
+ stigid@sle12: SLES-12-020199
+ srg@sle12: SRG-OS-000480-GPOS-00227
+ disa@sle12: CCI-000366
+
+ocil_clause: 'syscall auditing is still disabled'
+
+ocil: |-
+ To check for the offending line, run the following command:
+ <pre>$ grep task,never /etc/audit/{rules.d,.}/audit.rules</pre>
+ There must not be any output, or else these lines must be removed from
+ the matching files.
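Review bot: The manual check in `ocil` inspects only `/etc/audit/rules.d/audit.rules` and `/etc/audit/audit.rules` (the brace expansion yields exactly those two paths), while the OVAL check for this rule scans every `/etc/audit/rules.d/*.rules`; a disabling rule placed in any other drop-in file would fail the automated scan but pass the documented manual procedure. Aligning the command, e.g. `<pre>$ grep task,never /etc/audit/rules.d/*.rules /etc/audit/audit.rules</pre>`, keeps the two in step. The description also says the line "must be removed", whereas both remediations comment it out; a phrase such as "removed or commented out" would describe what the fix actually does.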
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index 750fba65bb..e4b2b8dcb8 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Record Events that Modify User/Group Information - /etc/group'
@@ -31,6 +31,7 @@ identifiers:
cce@rhel7: CCE-80433-6
cce@rhel8: CCE-80758-6
cce@rhcos4: CCE-82654-5
+ cce@sle12: CCE-83121-4
references:
stigid@ol7: OL07-00-030871
@@ -51,6 +52,7 @@ references:
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
+ stigid@sle12: SLES-12-020210
ocil_clause: 'the system is not configured to audit account changes'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index adf9f616b8..41434f664a 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Record Events that Modify User/Group Information - /etc/security/opasswd'
@@ -31,6 +31,7 @@ identifiers:
cce@rhel7: CCE-80430-2
cce@rhel8: CCE-80760-2
cce@rhcos4: CCE-82656-0
+ cce@sle12: CCE-83123-0
references:
stigid@ol7: OL07-00-030874
@@ -51,6 +52,8 @@ references:
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
+ srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
+ stigid@sle12: SLES-12-020230
ocil_clause: 'the system is not configured to audit account changes'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
index c0e3b4b23a..bae0a29903 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Record Events that Modify User/Group Information - /etc/passwd'
@@ -31,6 +31,7 @@ identifiers:
cce@rhel7: CCE-80435-1
cce@rhel8: CCE-80761-0
cce@rhcos4: CCE-82657-8
+ cce@sle12: CCE-83120-6
references:
stigid@ol7: OL07-00-030870
@@ -51,6 +52,7 @@ references:
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
+ stigid@sle12: SLES-12-020200
ocil_clause: 'the system is not configured to audit account changes'
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index 6545282c8a..f3d9cf9cd2 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Record Events that Modify User/Group Information - /etc/shadow'
@@ -31,6 +31,7 @@ identifiers:
cce@rhel7: CCE-80431-0
cce@rhel8: CCE-80762-8
cce@rhcos4: CCE-82658-6
+ cce@sle12: CCE-83122-2
references:
stigid@ol7: OL07-00-030873
@@ -51,6 +52,8 @@ references:
cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
iso27001-2013: A.11.2.6,A.12.4.1,A.12.4.2,A.12.4.3,A.12.4.4,A.12.7.1,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.7,A.15.2.1,A.15.2.2,A.16.1.4,A.16.1.5,A.16.1.7,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
+ stigid@sle12: SLES-12-020220
+ srg@sle12: SRG-OS-000004-GPOS-00004,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000476-GPOS-00221
ocil_clause: 'the system is not configured to audit account changes'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml
new file mode 100644
index 0000000000..8aa7b04f7c
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/oval/shared.xml
@@ -0,0 +1,34 @@
+{{% if target_oval_version >= [5, 11.2] %}}
+<def-group oval_version="5.11.2">
+ <definition class="compliance" id="auditd_audispd_configure_sufficiently_large_partition" version="1">
+ {{{ oval_metadata("Configure a sufficiently large partition for audit logs.") }}}
+ <criteria>
+ <criterion comment="Check that the partition with audit logs is at least 10G large" test_ref="test_aacsflp" />
+ </criteria>
+ </definition>
+
+ <!-- partition for the mount point for audit logs -->
+ <linux:partition_object id="obj_aacsflp_audit_partition" version="1">
+ <linux:mount_point operation="equals">/var/log/audit</linux:mount_point>
+ </linux:partition_object>
+ <!-- total partition size in bytes -->
+ <local_variable id="var_aacsflp_audit_partition_size" comment="total capacity (in bytes) of the audit partition" datatype="string" version="1">
+ <arithmetic arithmetic_operation="multiply">
+ <object_component item_field="block_size" object_ref="obj_aacsflp_audit_partition" />
+ <object_component item_field="total_space" object_ref="obj_aacsflp_audit_partition" />
+ </arithmetic>
+ </local_variable>
+ <ind:variable_object id="obj_aacsflp_audit_partition_size" version="1">
+ <ind:var_ref>var_aacsflp_audit_partition_size</ind:var_ref>
+ </ind:variable_object>
+
+ <ind:variable_test id="test_aacsflp" version="1" check="all" check_existence="all_exist" comment="Check that the partition with audit logs is at least 10G large">
+ <ind:object object_ref="obj_aacsflp_audit_partition_size" />
+ <ind:state state_ref="state_aacsflp_partition_sufficiently_large" />
+ </ind:variable_test>
+ <ind:variable_state id="state_aacsflp_partition_sufficiently_large" version="1">
+ <ind:value operation="greater than or equal" datatype="int">10000000000</ind:value>
+ </ind:variable_state>
+
+</def-group>
+{{% endif %}}
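Review bot: The `linux:partition_object` on the `mount_point` line matches only an exact `/var/log/audit` mount, so on a host where the audit directory lives on a parent filesystem (`/var` or `/`) the object collects nothing, `check_existence="all_exist"` fails, and the rule reports a finding no matter how large that filesystem is; the path is also hard-coded rather than derived from `log_file` in auditd.conf. The definition does not express the remote off-load alternative that the rule's OCIL describes, so a host shipping records via audisp-remote still fails this check. Declaring the arithmetic result with `datatype="string"` while the state compares it as `int` looks inconsistent — I believe a local_variable built from an arithmetic function should be int or float; confirm against the OVAL schema. An XML comment at the top of the def-group should state these limits, e.g. `<!-- Only evaluates a dedicated /var/log/audit partition; remote audisp off-load is not considered (see OCIL). Threshold is decimal 10 GB (10^10 bytes), not 10 GiB. -->`.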
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml
new file mode 100644
index 0000000000..421b410446
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml
@@ -0,0 +1,69 @@
+documentation_complete: true
+
+prodtype: sle12
+
+title: 'Configure a Sufficiently Large Partition for Audit Logs'
+
+description: |-
+ The SUSE operating system must allocate audit record storage capacity to
+ store at least one weeks worth of audit records when audit records are not
+ immediately sent to a central audit record storage facility.
+
+ The partition size needed to capture a week's worth of audit records is
+ based on the activity level of the system and the total storage capacity
+ available. In normal circumstances, 10.0 GB of storage space for audit
+ records will be sufficient.
+
+ Determine which partition the audit records are being written to with the
+ following command:
+
+ <pre># grep log_file /etc/audit/auditd.conf
+ log_file = /var/log/audit/audit.log</pre>
+
+ Check the size of the partition that audit records are written to with the
+ following command:
+
+ <pre># df -h /var/log/audit/
+ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit</pre>
+
+rationale: |-
+ Information stored in one location is vulnerable to accidental or incidental
+ deletion or alteration.Off-loading is a common process in information
+ systems with limited audit storage capacity.
+
+severity: medium
+
+identifiers:
+ cce@sle12: CCE-83114-9
+
+references:
+ disa@sle12: CCI-001849
+ srg@sle12: SRG-OS-000342-GPOS-00133
+ stigid@sle12: SLES-12-020020
+
+ocil_clause: 'audispd is not sending logs to a remote system and the local partition has inadequate'
+
+ocil: |-
+ To verify whether audispd plugin off-loads audit records onto a different
+ system or media from the system being audited, run the following command:
+
+ <pre># grep -i remote_server /etc/audisp/audisp-remote.conf</pre>
+
+ The output should return something similar to where <i>REMOTE_SYSTEM</i>
+ is an IP address or hostname:
+ <pre>remote_server = <i>REMOTE_SYSTEM</i></pre>
+
+ Determine which partition the audit records are being written to with the
+ following command:
+
+ <pre># grep log_file /etc/audit/auditd.conf
+ log_file = /var/log/audit/audit.log</pre>
+
+ Check the size of the partition that audit records are written to with the
+ following command and verify whether it is sufficiently large:
+
+ <pre># df -h /var/log/audit/
+ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit</pre>
+
+
+platform: machine
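Review bot: The `ocil_clause:` line is cut off mid-sentence — `'... the local partition has inadequate'` — so the rendered question "Is it the case that …?" ends without saying what is inadequate; `ocil_clause: 'audispd is not sending logs to a remote system and the local partition has inadequate space for one week of audit records'` completes it. The OCIL has the assessor read `df -h` output but never states what size counts as sufficient, while the description fixes it at 10.0 GB; repeating the threshold in the OCIL keeps manual and automated results aligned. Two wording slips in the description: "one weeks worth" should be "one week's worth", and "alteration.Off-loading" is missing a space.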
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
index 5b9baa2858..d3bf2845ef 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Configure audispd''s Plugin disk_full_action When Disk Is Full'
@@ -23,6 +23,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80539-0
+ cce@sle12: CCE-83116-4
references:
stigid@ol7: OL07-00-030320
@@ -30,6 +31,8 @@ references:
disa: CCI-001851
srg: SRG-OS-000342-GPOS-00133
stigid@rhel7: RHEL-07-030320
+ srg@sle12: SRG-OS-000479-GPOS-00224
+ stigid@sle12: SLES-12-020110
ocil_clause: 'the system is not configured to switch to single user mode for corrective action'
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
index 9e677d225c..f756e47969 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12
title: 'Configure audispd''s Plugin network_failure_action On Network Failure'
@@ -24,6 +24,7 @@ severity: medium
identifiers:
cce@rhel7: CCE-80538-2
+ cce@sle12: CCE-83115-6
references:
stigid@ol7: OL07-00-030321
@@ -31,6 +32,7 @@ references:
disa: CCI-001851
srg: SRG-OS-000342-GPOS-00133
stigid@rhel7: RHEL-07-030321
+ stigid@sle12: SLES-12-020100
ocil_clause: 'the system is not configured to switch to single user mode for corrective action'
diff --git a/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml
new file mode 100644
index 0000000000..7ee0817b30
--- /dev/null
+++ b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_sle
+# reboot = false
+# complexity = low
+# strategy = configure
+# disruption = low
+
+{{{ ansible_lineinfile(msg='Configure permission for /var/log/messages', path='/etc/permissions.local', regex='^\/var\/log\/messages\s+root.*', new_line='/var/log/messages root:root 640', create='yes', state='present', register='update_permissions_local_result') }}}
+
+- name: "Correct file permissions after update /etc/permissions.local"
+ shell: >
+ chkstat --set --system
+ when: update_permissions_local_result.changed
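Review bot: The `chkstat --set --system` task runs only `when: update_permissions_local_result.changed`, so if `/etc/permissions.local` already holds the entry but the live mode of `/var/log/messages` has drifted (for example logrotate recreating it 0644), the remediation is a no-op while the rule's OVAL, which checks the real mode and ownership, keeps failing. Either drop the `when:` so chkstat always re-applies the profile, or add an explicit `file:` task setting `owner: root`, `group: root`, `mode: '0640'` on `/var/log/messages` (guarded so a missing file is not an error) next to the lineinfile. `shell:` is also unnecessary here since the command uses no shell features; `command: chkstat --set --system` is the conventional choice.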
diff --git a/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml
new file mode 100644
index 0000000000..c0af07f781
--- /dev/null
+++ b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/oval/shared.xml
@@ -0,0 +1,45 @@
+<def-group>
+ <definition class="compliance" id="file_permissions_var_log_messages" version="1">
+ <metadata>
+ <title>Verify that /var/log/messages is readable only by root</title>
+ <affected family="unix">
+ <platform>multi_platform_sle</platform>
+ </affected>
+ <description>
+ Checks that /var/log/messages is only readable by root.
+ </description>
+ </metadata>
+ <criteria operator="OR">
+ <extend_definition comment="Check if syslog service is disabled" definition_ref="service_syslog_disabled" />
+ <criterion test_ref="test_permissions_var_log_messages_files" />
+ </criteria>
+ </definition>
+
+ <unix:file_test check="all" check_existence="all_exist" comment="system.map files readable only by root" id="test_permissions_var_log_messages_files" version="1">
+ <unix:object object_ref="object_file_permissions_var_log_messages_files" />
+ <unix:state state_ref="state_owner_var_log_messages" />
+ <unix:state state_ref="state_file_permissions_var_log_messages" />
+ </unix:file_test>
+
+ <unix:file_object comment="system.mapfiles" id="object_file_permissions_var_log_messages_files" version="1">
+ <unix:filepath>/var/log/messages</unix:filepath>
+ </unix:file_object>
+
+ <unix:file_state id="state_owner_var_log_messages" version="1">
+ <unix:group_id datatype="int" operation="equals">0</unix:group_id>
+ <unix:user_id datatype="int" operation="equals">0</unix:user_id>
+ </unix:file_state>
+
+ <unix:file_state id="state_file_permissions_var_log_messages" version="1">
+ <unix:suid datatype="boolean">false</unix:suid>
+ <unix:sgid datatype="boolean">false</unix:sgid>
+ <unix:sticky datatype="boolean">false</unix:sticky>
+ <unix:uexec datatype="boolean">false</unix:uexec>
+ <unix:gwrite datatype="boolean">false</unix:gwrite>
+ <unix:gexec datatype="boolean">false</unix:gexec>
+ <unix:oread datatype="boolean">false</unix:oread>
+ <unix:owrite datatype="boolean">false</unix:owrite>
+ <unix:oexec datatype="boolean">false</unix:oexec>
+ </unix:file_state>
+
+</def-group>
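Review bot: The comments on the `unix:file_test` and `unix:file_object` lines — `system.map files readable only by root` and `system.mapfiles` — are leftovers from a different rule and misdescribe what is tested; `comment="/var/log/messages owned by root:root and not world-accessible"` and `comment="/var/log/messages"` fit. The title and description also say "readable only by root", yet the state leaves `gread` unconstrained and the rule's target mode is 0640, so the root group may read it — "not world-readable", as in the rule title, is the accurate wording. Note that this OVAL evaluates only the live file mode and not the `/etc/permissions.local` entry the description and Ansible remediation revolve around, so a host with a correct entry but a drifted mode fails here; a short comment saying so would stop maintainers expecting the two to agree. The `service_syslog_disabled` branch of the OR presumably makes the rule pass where no syslog daemon writes the file — confirm that pass-rather-than-not-applicable is the intended semantics.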
diff --git a/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml
new file mode 100644
index 0000000000..e0569758a9
--- /dev/null
+++ b/linux_os/guide/system/permissions/permissions_local/file_permissions_var_log_messages/rule.yml
@@ -0,0 +1,53 @@
+documentation_complete: true
+
+prodtype: sle12
+
+title: 'Verify that local /var/log/messages is not world-readable'
+
+description: |-
+ Files containing sensitive informations should be protected by restrictive
+ permissions. Most of the time, there is no need that these files need to be read by any non-root user
+ {{{ describe_file_permissions(file="/var/log/messages", perms="0640") }}}
+
+ Check that "permissions.local" file contains the correct permissions rules with the following command:
+
+ <pre># grep -i messages /etc/permissions.local
+
+ /var/log/messages root:root 640</pre>
+
+rationale: |-
+ The <tt>/var/log/messages</tt> file contains system error messages. Only
+ authorized personnel should be aware of errors and the details of the
+ errors. Error messages are an indicator of an organization's operational
+ state or can identify the SUSE operating system or platform. Additionally,
+ Personally Identifiable Information (PII) and operational information must
+ not be revealed through error messages to unauthorized personnel or their
+ designated representatives.
+
+severity: medium
+
+identifiers:
+ cce@sle12: CCE-83112-3
+
+references:
+ disa@sle12: CCI-001314
+ nist@sle12: SI-11(c)
+ stigid@sle12: SLES-12-010890
+ srg@sle12: SRG-OS-000206-GPOS-00084
+
+ocil_clause: 'Make sure /var/log/messages is not world-readable'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/var/log/messages", perms="-rw-r-----") }}}
+
+ Check that <tt>permissions.local</tt> file contains the correct permissions rules with the following command:
+
+ <pre># grep -i messages /etc/permissions.local
+
+ /var/log/messages root:root 640</pre>
+
+ If the command does not return any or different output, this is a finding.
+
+ Run the following command to correct the permissions after adding the missing entry:
+
+ <pre># sudo chkstat --set --system</pre>
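Review bot: `ocil_clause: 'Make sure /var/log/messages is not world-readable'` is an instruction rather than a condition; the build renders it inside "Is it the case that …?", so it should read like `ocil_clause: '/var/log/messages is world-readable or /etc/permissions.local lacks the 640 entry for it'`. In the description, "sensitive informations" should be "sensitive information", and "there is no need that these files need to be read by any non-root user" reads better as "these files do not need to be readable by any non-root user" (with a terminating period before the macro line). The `# sudo chkstat --set --system` example mixes a root prompt with sudo; pick one — the same appears in the two permissions_local rules.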
diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml
new file mode 100644
index 0000000000..b66a44452f
--- /dev/null
+++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml
@@ -0,0 +1,72 @@
+documentation_complete: true
+
+prodtype: sle12
+
+title: 'Verify Permissions of Local Logs of audit Tools'
+
+description: |-
+ The SUSE operating system audit tools must have the proper permissions
+ configured to protect against unauthorized access.
+
+ Check that "permissions.local" file contains the correct permissions rules
+ with the following command:
+
+ <pre>grep "^/usr/sbin/au" /etc/permissions.local
+
+ /usr/sbin/audispd root:root 0750
+ /usr/sbin/auditctl root:root 0750
+ /usr/sbin/auditd root:root 0750
+ /usr/sbin/ausearch root:root 0755
+ /usr/sbin/aureport root:root 0755
+ /usr/sbin/autrace root:root 0750
+ /usr/sbin/augenrules root:root 0750
+ </pre>
+
+ Audit tools include but are not limited to vendor-provided and open-source
+ audit tools needed to successfully view and manipulate audit information
+ system activity and records. Audit tools include custom queries and report
+ generators.
+
+rationale: |-
+ Protecting audit information also includes identifying and protecting the
+ tools used to view and manipulate log data. Therefore, protecting audit
+ tools is necessary to prevent unauthorized operation on audit information.
+
+ SUSE operating systems providing tools to interface with audit information
+ will leverage user permissions and roles identifying the user accessing the
+ tools and the corresponding rights the user enjoys to make access decisions
+ regarding the access to audit tools.
+
+severity: medium
+
+identifiers:
+ cce@sle12: CCE-83118-0
+
+references:
+ disa@sle12: CCI-001493,CCI-001494,CCI-001495
+ nisti@sle12: AU-9
+ srg@sle12: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
+ stigid@sle12: SLES-12-020130
+
+ocil: |-
+ Check that <tt>permissions.local</tt> file contains the correct permissions
+ rules with the following command:
+
+ <pre>grep "^/usr/sbin/au" /etc/permissions.local
+
+ /usr/sbin/audispd root:root 0750
+ /usr/sbin/auditctl root:root 0750
+ /usr/sbin/auditd root:root 0750
+ /usr/sbin/ausearch root:root 0755
+ /usr/sbin/aureport root:root 0755
+ /usr/sbin/autrace root:root 0750
+ /usr/sbin/augenrules root:root 0750
+ </pre>
+
+ If the command does not return all the above lines, the missing ones need
+ to be added.
+
+ Run the following command to correct the permissions after adding missing
+ entries:
+
+ <pre># sudo chkstat --set --system</pre>
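Review bot: The reference key on the `nisti@sle12: AU-9` line is misspelled and should be `nist@sle12: AU-9`; an unrecognised key is likely to be dropped or rejected by the build, so this is worth fixing before merge, and the sibling rule permissions_local_var_log_audit uses a bare `nist:` key for the same control, so the two should agree on the qualified form. The title `'Verify Permissions of Local Logs of audit Tools'` describes logs, but the rule checks the audit tool binaries under /usr/sbin; `title: 'Verify Permissions of audit Tool Binaries'` matches the content. No `ocil_clause` is given, so the manual check has no finding statement; `ocil_clause: 'any of the audit tool entries is missing from /etc/permissions.local'` would do.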
diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml
new file mode 100644
index 0000000000..0eb6bfc893
--- /dev/null
+++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml
@@ -0,0 +1,57 @@
+documentation_complete: true
+
+prodtype: sle12
+
+title: 'Verify that Local Logs of the audit Daemon are not World-Readable'
+
+description: |-
+ Files containing sensitive informations should be protected by restrictive
+ permissions. Most of the time, there is no need that these files need to bei
+ read by any non-root user.
+
+ Check that "permissions.local" file contains the correct permissions rules with the following command:
+
+ <pre># grep -i audit /etc/permissions.local
+
+ /var/log/audit/ root:root 600
+ /var/log/audit/audit.log root:root 600
+ /etc/audit/audit.rules root:root 640
+ /etc/audit/rules.d/audit.rules root:root 640</pre>
+
+rationale: |-
+ Without the capability to restrict which roles and individuals can select
+ which events are audited, unauthorized personnel may be able to prevent the
+ auditing of critical events. Misconfigured audits may degrade the system's
+ performance by overwhelming the audit log. Misconfigured audits may also
+ make it more difficult to establish, correlate, and investigate the events
+ relating to an incident or identify those responsible for one.
+
+severity: medium
+
+identifiers:
+ cce@sle12: CCE-83117-2
+
+references:
+ disa@sle12: CCI-000164
+ nist: AU-9
+ srg@sle12: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
+ stigid@sle12: SLES-12-020120
+
+ocil: |-
+ Check that <tt>permissions.local</tt> file contains the correct permissionsi
+ rules with the following command:
+
+ <pre># grep -i audit /etc/permissions.local
+
+ /var/log/audit/ root:root 600
+ /var/log/audit/audit.log root:root 600
+ /etc/audit/audit.rules root:root 640
+ /etc/audit/rules.d/audit.rules root:root 640</pre>
+
+ If the command does not return all the above lines, the missing ones need
+ to be added.
+
+ Run the following command to correct the permissions after adding missing
+ entries:
+
+ <pre># sudo chkstat --set --system</pre>
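Review bot: The rationale (from the `rationale: |-` line) argues about restricting who can select which events are audited, which is the language of a different control; this rule protects the audit log files and rule files from unauthorized access, and the rationale should say so — the permissions_local_audit_binaries rationale is the closer model. Typos: "to bei" → "to be", "permissionsi" → "permissions", "informations" → "information". `nist: AU-9` is the only reference in these new rules without the `@sle12` qualifier, and no `ocil_clause` is present, so the manual check lacks a finding statement; `ocil_clause: 'any of the audit log or rules entries is missing from /etc/permissions.local'` would close that gap.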
diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml
index 2d305f56d4..89dbe31beb 100644
--- a/shared/templates/extra_ovals.yml
+++ b/shared/templates/extra_ovals.yml
@@ -43,3 +43,9 @@ service_sssd_disabled:
vars:
servicename: sssd
packagename: sssd-common
+
+service_syslog_disabled:
+ name: service_disabled
+ vars:
+ servicename: syslog
+ packagename: rsyslog
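Review bot: `servicename: syslog` paired with `packagename: rsyslog` mixes two names, and whether the generated service_disabled OVAL resolves on SLE 12 depends on the template's systemd checks handling `syslog.service`, which on rsyslog-based systems is, as far as I know, only an alias of `rsyslog.service` rather than the unit itself; if the alias is not resolved, the OR-branch in file_permissions_var_log_messages that extends this definition can never pass. Confirm the behaviour on a SLE 12 host and record it with a comment on the entry, e.g. `# rsyslog ships syslog.service as an alias of rsyslog.service; verified the template resolves it on SLE 12`.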
diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
index 4c8b361226..095be4febe 100644
--- a/sle12/profiles/stig.profile
+++ b/sle12/profiles/stig.profile
@@ -8,8 +8,10 @@ description: |-
selections:
- sshd_approved_macs=stig
+ - var_account_disable_post_pw_expiration=35
- var_accounts_fail_delay=4
- var_removable_partition=dev_cdrom
+ - var_time_service_set_maxpoll=system_default
- account_disable_post_pw_expiration
- account_temp_expire_date
- accounts_have_homedir_login_defs
@@ -27,22 +29,52 @@ selections:
- accounts_user_interactive_home_directory_exists
- aide_scan_notification
- audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lchown
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ - audit_rules_enable_syscall_auditing
+ - audit_rules_kernel_module_loading_delete
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
- audit_rules_login_events_lastlog
- audit_rules_login_events_tallylog
- audit_rules_privileged_commands_chage
+ - audit_rules_privileged_commands_crontab
+ - audit_rules_privileged_commands_mount
+ - audit_rules_privileged_commands_pam_timestamp_check
+ - audit_rules_privileged_commands_su
+ - audit_rules_privileged_commands_sudo
+ - audit_rules_privileged_commands_umount
- audit_rules_privileged_commands_unix_chkpwd
- audit_rules_unsuccessful_file_modification_creat
- audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
- audit_rules_unsuccessful_file_modification_open_by_handle_at
- audit_rules_unsuccessful_file_modification_openat
- audit_rules_unsuccessful_file_modification_truncate
+ - audit_rules_usergroup_modification_group
- audit_rules_usergroup_modification_gshadow
+ - audit_rules_usergroup_modification_opasswd
+ - audit_rules_usergroup_modification_passwd
+ - audit_rules_usergroup_modification_shadow
+ - auditd_audispd_configure_sufficiently_large_partition
+ - auditd_audispd_disk_full_action
- auditd_audispd_encrypt_sent_records
+ - auditd_audispd_network_failure_action
- auditd_data_disk_full_action
- auditd_data_retention_action_mail_acct
- auditd_data_retention_space_left
- banner_etc_issue
- banner_etc_motd
+ - chronyd_or_ntpd_set_maxpoll
- dir_perms_world_writable_sticky_bits
- dir_perms_world_writable_system_owned_group
- disable_ctrlaltdel_reboot
@@ -54,6 +86,7 @@ selections:
- file_permissions_sshd_private_key
- file_permissions_sshd_pub_key
- file_permissions_ungroupowned
+ - file_permissions_var_log_messages
- ftp_present_banner
- gnome_gdm_disable_automatic_login
- grub2_password
@@ -74,6 +107,9 @@ selections:
- package_audit-audispd-plugins_installed
- package_audit_installed
- package_telnet-server_removed
+ - pam_disable_automatic_configuration
+ - permissions_local_audit_binaries
+ - permissions_local_var_log_audit
- postfix_client_configure_mail_alias
- run_chkstat
- security_patches_up_to_date
@@ -106,4 +142,3 @@ selections:
- sysctl_net_ipv4_ip_forward
- sysctl_net_ipv6_conf_all_accept_source_route
- sysctl_net_ipv6_conf_default_accept_source_route
-