From 0e28027e3094a219956bbd8d9f6ead1375b901fe Mon Sep 17 00:00:00 2001 From: Guang Yee Date: Fri, 22 Jan 2021 12:20:03 -0800 Subject: [PATCH] Enable checks and remediations for the following SLES-12 STIGs: - SLES-12-010510 'aide_scan_notification' - SLES-12-010700 'file_permissions_ungroupowned' - SLES-12-010710 'accounts_user_interactive_home_directory_defined' - SLES-12-010730 'accounts_user_interactive_home_directory_exists' - SLES-12-010740 'file_permissions_home_directories' - SLES-12-010750 'file_groupownership_home_directories' - SLES-12-010760 'file_permission_user_init_files' - SLES-12-010770 'accounts_user_home_paths_only' - SLES-12-010780 'accounts_user_dot_no_world_writable_programs' - SLES-12-010790 'mount_option_home_nosuid' - SLES-12-010800 'mount_option_nosuid_removable_partitions' - SLES-12-010810 'mount_option_nosuid_remote_filesystems' - SLES-12-010820 'mount_option_noexec_remote_filesystems' - SLES-12-010830 'dir_perms_world_writable_system_owned_group' - SLES-12-010840 'service_kdump_disabled' - SLES-12-010880 'run_chkstat' - SLES-12-020500 'audit_rules_unsuccessful_file_modification_truncate' - SLES-12-020510 'audit_rules_unsuccessful_file_modification_ftruncate' - SLES-12-020520 'audit_rules_unsuccessful_file_modification_creat' - SLES-12-020530 'audit_rules_unsuccessful_file_modification_openat' - SLES-12-020540 'audit_rules_unsuccessful_file_modification_open_by_handle_at' - SLES-12-020590 'audit_rules_usergroup_modification_gshadow' - SLES-12-020600 'audit_rules_dac_modification_chmod' - SLES-12-020650 'audit_rules_login_events_tallylog' - SLES-12-020660 'audit_rules_login_events_lastlog' - SLES-12-020680 'audit_rules_privileged_commands_unix_chkpwd' - SLES-12-020690 'audit_rules_privileged_commands_chage' - SLES-12-030030 'kernel_module_dccp_disabled' - SLES-12-030140 'sshd_disable_root_login' - SLES-12-030180 'sshd_use_approved_macs' - SLES-12-030380 'sysctl_net_ipv4_icmp_echo_ignore_broadcasts' - SLES-12-030390 'sysctl_net_ipv4_conf_all_accept_redirects' - SLES-12-030400 'sysctl_net_ipv4_conf_default_accept_redirects' - SLES-12-030401 'sysctl_net_ipv6_conf_default_accept_source_route' - SLES-12-030420 'sysctl_net_ipv4_conf_all_send_redirects' - SLES-12-030430 'sysctl_net_ipv4_ip_forward' Corrections: - Rule 'sysctl_net_ipv4_conf_default_send_redirects' was originally submitted with an incorrect SLES12 STIG ID. The correct SLES12 STIG ID should be 'SLES-12-030410'. --- .../base/service_kdump_disabled/rule.yml | 1 + .../rule.yml | 4 +- .../rule.yml | 4 +- .../sshd_disable_root_login/rule.yml | 1 + .../sshd_use_approved_macs/ansible/shared.yml | 2 +- .../sshd_use_approved_macs/rule.yml | 1 + .../rule.yml | 6 ++- .../accounts_user_home_paths_only/rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 4 +- .../file_permission_user_init_files/rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 2 + .../rule.yml | 2 + .../rule.yml | 2 + .../rule.yml | 2 + .../rule.yml | 2 + .../rule.yml | 2 + .../audit_rules_login_events_lastlog/rule.yml | 2 + .../rule.yml | 2 + .../rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 5 +- .../rule.yml | 4 +- .../rule.yml | 4 +- .../rule.yml | 2 +- .../sysctl_net_ipv4_ip_forward/rule.yml | 4 +- .../kernel_module_dccp_disabled/rule.yml | 4 +- .../rule.yml | 9 ++-- .../file_permissions_ungroupowned/rule.yml | 4 +- .../mount_option_home_nosuid/rule.yml | 4 +- .../rule.yml | 4 +- .../permissions/permissions_local/group.yml | 12 +++++ .../permissions_local/run_chkstat/rule.yml | 50 +++++++++++++++++++ .../aide_scan_notification/bash/shared.sh | 13 ++++- .../aide_scan_notification/oval/shared.xml | 12 +++-- .../aide/aide_scan_notification/rule.yml | 8 ++- .../aide/package_aide_installed/rule.yml | 2 +- .../ansible.template | 2 +- .../audit_rules_login_events/ansible.template | 2 +- .../ansible.template | 2 +- .../ansible.template | 2 +- .../ansible.template | 2 +- sle12/profiles/stig.profile | 39 +++++++++++++++ 48 files changed, 229 insertions(+), 40 deletions(-) create mode 100644 linux_os/guide/system/permissions/permissions_local/group.yml create mode 100644 linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml index 3737b264ce..ff9d439b4f 100644 --- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml +++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml @@ -22,6 +22,7 @@ severity: medium identifiers: cce@rhel7: CCE-80258-7 cce@rhel8: CCE-80878-2 + cce@sle12: CCE-83105-7 references: stigid@ol7: OL07-00-021300 diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml index a4a8160aa9..d9c17fb416 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Mount Remote Filesystems with noexec' @@ -16,6 +16,7 @@ severity: medium identifiers: cce@rhel7: CCE-80436-9 + cce@sle12: CCE-83103-2 references: stigid@ol7: OL07-00-021021 @@ -29,6 +30,7 @@ references: cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 12,13,14,15,16,18,3,5 + stigid@sle12: SLES-12-010820 ocil_clause: 'the setting does not show' diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml index 7a40ea2b27..c14b0aeefb 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Mount Remote Filesystems with nosuid' @@ -14,6 +14,7 @@ severity: medium identifiers: cce@rhel7: CCE-80240-5 + cce@sle12: CCE-83102-4 references: stigid@ol7: OL07-00-021020 @@ -27,6 +28,7 @@ references: cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 12,13,14,15,16,18,3,5 + stigid@sle12: SLES-12-010810 ocil_clause: 'the setting does not show' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml index 74002ded9a..287954db61 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml @@ -21,6 +21,7 @@ severity: medium identifiers: cce@rhel7: CCE-27445-6 cce@rhel8: CCE-80901-2 + cce@sle12: CCE-83035-6 references: stigid@ol7: OL07-00-040370 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml index 1a9b6990e9..2c5cf7e1c7 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Enterprise Linux 7,Oracle Linux 7 +# platform = Red Hat Enterprise Linux 7,Oracle Linux 7,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml index 394c733f51..a0bc4578a6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml @@ -43,6 +43,7 @@ severity: medium identifiers: cce@rhel7: CCE-27455-5 cce@rhel8: CCE-82198-3 + cce@sle12: CCE-83036-4 references: stigid@ol7: OL07-00-040400 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml index ad337e982c..77f3a12148 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'User Initialization Files Must Not Run World-Writable Programs' @@ -20,17 +20,19 @@ severity: medium identifiers: cce@rhel7: CCE-80523-4 + cce@sle12: CCE-83099-2 references: stigid@ol7: OL07-00-020730 disa: CCI-000366 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020730 + stigid@sle12: SLES-12-010780 ocil_clause: 'files are executing world-writable programs' ocil: |- To verify that local initialization files do not execute world-writable programs, execute the following command: -
$ sudo find /home -perm -002 -type f -exec ls -ld {} -name ".[^.]*" \;
+
$ sudo find /home -perm -002 -type f -name ".[^.]*" -exec ls -ld {} \;
There should be no output. diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml index 9c9dd92fb0..0154c1d73b 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Ensure that Users Path Contains Only Local Directories' @@ -24,12 +24,14 @@ severity: medium identifiers: cce@rhel7: CCE-80524-2 + cce@sle12: CCE-83098-4 references: stigid@ol7: OL07-00-020720 disa: CCI-000366 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020720 + stigid@sle12: SLES-12-010770 ocil_clause: 'paths contain more than local home directories' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml index 6d6c28eb85..9ee21744b2 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'All Interactive Users Must Have A Home Directory Defined' @@ -16,12 +16,14 @@ severity: medium identifiers: cce@rhel7: CCE-80528-3 + cce@sle12: CCE-83075-2 references: stigid@ol7: OL07-00-020600 disa: CCI-000366 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020600 + stigid@sle12: SLES-12-010710 ocil_clause: 'users home directory is not defined' diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml index 42dfdeabed..a262abba7a 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'All Interactive Users Home Directories Must Exist' @@ -22,6 +22,7 @@ severity: medium identifiers: cce@rhel7: CCE-80529-1 cce@rhel8: CCE-83424-2 + cce@sle12: CCE-83074-5 references: stigid@ol7: OL07-00-020620 @@ -29,6 +30,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020620 cis@rhel8: 6.2.20 + stigid@sle12: SLES-12-010730 ocil_clause: 'users home directory does not exist' diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml index 0efb03da74..820a942220 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'All Interactive User Home Directories Must Be Group-Owned By The Primary User' @@ -21,6 +21,7 @@ severity: medium identifiers: cce@rhel7: CCE-80532-5 cce@rhel8: CCE-83434-1 + cce@sle12: CCE-83096-8 references: stigid@ol7: OL07-00-020650 @@ -28,6 +29,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020650 cis@rhel8: 6.2.8 + stigid@sle12: SLES-12-010750 ocil_clause: 'the group ownership is incorrect' diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml index 6d719039a3..4810c941d6 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Ensure All User Initialization Files Have Mode 0740 Or Less Permissive' @@ -18,12 +18,14 @@ severity: medium identifiers: cce@rhel7: CCE-80525-9 + cce@sle12: CCE-83097-6 references: stigid@ol7: OL07-00-020710 disa: CCI-000366 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020710 + stigid@sle12: SLES-12-010760 ocil_clause: 'they are not 0740 or more permissive' diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml index edb1b821d3..4898bfa6b6 100644 --- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'All Interactive User Home Directories Must Have mode 0750 Or Less Permissive' @@ -18,12 +18,14 @@ severity: medium identifiers: cce@rhel7: CCE-80530-9 + cce@sle12: CCE-83076-0 references: stigid@ol7: OL07-00-020630 disa: CCI-000366 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-020630 + stigid@sle12: SLES-12-010740 ocil_clause: 'they are more permissive' diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml index 5dc589b5fc..22031b6517 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml @@ -30,6 +30,7 @@ identifiers: cce@rhel7: CCE-27339-1 cce@rhel8: CCE-80685-1 cce@rhcos4: CCE-82556-2 + cce@sle12: CCE-83106-5 references: stigid@ol7: OL07-00-030410 @@ -45,6 +46,7 @@ references: srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000474-VMM-001940 stigid@rhel7: RHEL-07-030410 + stigid@sle12: SLES-12-020600 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml index cd550e7c0a..b5abef23d9 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -36,6 +36,7 @@ identifiers: cce@rhel7: CCE-80385-8 cce@rhel8: CCE-80751-1 cce@rhcos4: CCE-82621-4 + cce@sle12: CCE-83092-7 references: stigid@ol7: OL07-00-030500 @@ -50,6 +51,7 @@ references: srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 stigid@rhel7: RHEL-07-030500 + stigid@sle12: SLES-12-020520 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml index 9696633f7e..9ed6b36699 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml @@ -39,6 +39,7 @@ identifiers: cce@rhel7: CCE-80390-8 cce@rhel8: CCE-80752-9 cce@rhcos4: CCE-82629-7 + cce@sle12: CCE-83091-9 references: stigid@ol7: OL07-00-030550 @@ -53,6 +54,7 @@ references: srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 stigid@rhel7: RHEL-07-030550 + stigid@sle12: SLES-12-020510 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml index 08cd7a656c..28076744c3 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml @@ -36,6 +36,7 @@ identifiers: cce@rhel7: CCE-80388-2 cce@rhel8: CCE-80755-2 cce@rhcos4: CCE-82640-4 + cce@sle12: CCE-83094-3 references: stigid@ol7: OL07-00-030530 @@ -50,6 +51,7 @@ references: srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 stigid@rhel7: RHEL-07-030530 + stigid@sle12: SLES-12-020540 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml index 32501fd295..f1699ab14e 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml @@ -39,6 +39,7 @@ identifiers: cce@rhel7: CCE-80387-4 cce@rhel8: CCE-80754-5 cce@rhcos4: CCE-82634-7 + cce@sle12: CCE-83093-5 references: stigid@ol7: OL07-00-030520 @@ -53,6 +54,7 @@ references: srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 stigid@rhel7: RHEL-07-030520 + stigid@sle12: SLES-12-020530 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml index 037812a685..60d98c5803 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml @@ -39,6 +39,7 @@ identifiers: cce@rhel7: CCE-80389-0 cce@rhel8: CCE-80756-0 cce@rhcos4: CCE-82651-1 + cce@sle12: CCE-83085-1 references: stigid@ol7: OL07-00-030540 @@ -53,6 +54,7 @@ references: srg: SRG-OS-000064-GPOS-00033,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000392-GPOS-00172 vmmsrg: SRG-OS-000458-VMM-001810,SRG-OS-000461-VMM-001830 stigid@rhel7: RHEL-07-030540 + stigid@sle12: SLES-12-020500 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml index 7590cb2353..54e820c309 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml @@ -28,6 +28,7 @@ identifiers: cce@rhel7: CCE-80384-1 cce@rhel8: CCE-80719-8 cce@rhcos4: CCE-82584-4 + cce@sle12: CCE-83108-1 references: cis@rhel7: 4.1.8 @@ -43,6 +44,7 @@ references: srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218 vmmsrg: SRG-OS-000473-VMM-001930,SRG-OS-000470-VMM-001900 stigid@rhel7: RHEL-07-030620 + stigid@sle12: SLES-12-020660 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml index 267cafb758..730b7d7201 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml @@ -28,6 +28,7 @@ identifiers: cce@rhel7: CCE-80994-7 cce@rhel8: CCE-80720-6 cce@rhcos4: CCE-82585-1 + cce@sle12: CCE-83107-3 references: cis: 5.2.8 @@ -41,6 +42,7 @@ references: srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218 vmmsrg: SRG-OS-000473-VMM-001930,SRG-OS-000470-VMM-001900 stigid@rhel7: RHEL-07-030600 + stigid@sle12: SLES-12-020650 isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.3.6.6,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml index 9503765c88..0fcf3fb9f6 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - chage' @@ -34,6 +34,7 @@ identifiers: cce@rhel7: CCE-80398-1 cce@rhel8: CCE-80725-5 cce@rhcos4: CCE-82591-9 + cce@sle12: CCE-83110-7 references: stigid@ol7: OL07-00-030660 @@ -45,6 +46,7 @@ references: srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 vmmsrg: SRG-OS-000471-VMM-001910 stigid@rhel7: RHEL-07-030660 + stigid@sle12: SLES-12-020690 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml index 0171bd3758..b458ed6d8c 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd' @@ -34,6 +34,7 @@ identifiers: cce@rhel7: CCE-80396-5 cce@rhel8: CCE-80740-4 cce@rhcos4: CCE-82609-9 + cce@sle12: CCE-83109-9 references: stigid@ol7: OL07-00-030640 @@ -46,6 +47,7 @@ references: srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215 vmmsrg: SRG-OS-000471-VMM-001910 stigid@rhel7: RHEL-07-030640 + stigid@sle12: SLES-12-020680 isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.8,SR 2.9,SR 6.1,SR 6.2' isa-62443-2009: 4.3.2.6.7,4.3.3.3.9,4.3.3.5.8,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,BAI03.05,DSS01.03,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml index 9ee6de4b51..0b5707f596 100644 --- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml +++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Record Events that Modify User/Group Information - /etc/gshadow' @@ -31,6 +31,7 @@ identifiers: cce@rhel7: CCE-80432-8 cce@rhel8: CCE-80759-4 cce@rhcos4: CCE-82655-2 + cce@sle12: CCE-83095-0 references: stigid@ol7: OL07-00-030872 @@ -46,6 +47,7 @@ references: srg: SRG-OS-000004-GPOS-00004 vmmsrg: SRG-OS-000004-VMM-000040,SRG-OS-000239-VMM-000810,SRG-OS-000240-VMM-000820,SRG-OS-000241-VMM-000830,SRG-OS-000274-VMM-000960,SRG-OS-000275-VMM-000970,SRG-OS-000276-VMM-000980,SRG-OS-000277-VMM-000990,SRG-OS-000303-VMM-001090,SRG-OS-000304-VMM-001100,SRG-OS-000476-VMM-001960 stigid@rhel7: RHEL-07-030872 + stigid@sle12: SLES-12-020590 isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.10,4.3.2.6.7,4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.8,4.3.3.6.6,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.4.7,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.4.2.1,4.4.2.2,4.4.2.4 cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01 diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml index 76aed7c565..af6be9505a 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4 +prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default' @@ -22,6 +22,7 @@ identifiers: cce@rhel7: CCE-80355-1 cce@rhel8: CCE-81015-0 cce@rhcos4: CCE-82481-3 + cce@sle12: CCE-83087-7 references: anssi: BP28(R22) @@ -35,6 +36,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.2,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 1,12,13,14,15,16,18,4,6,8,9 srg: SRG-OS-000480-GPOS-00227 + stigid@sle12: SLES-12-030401 cis@rhel8: 3.2.1 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_source_route", value="0") }}} diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml index 5a529710db..361073e99c 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 title: 'Disable Accepting ICMP Redirects for All IPv4 Interfaces' @@ -21,6 +21,7 @@ identifiers: cce@rhel7: CCE-80158-9 cce@rhel8: CCE-80917-8 cce@rhcos4: CCE-82469-8 + cce@sle12: CCE-83090-1 references: stigid@ol7: OL07-00-040641 @@ -33,6 +34,7 @@ references: nist-csf: DE.CM-1,PR.DS-4,PR.IP-1,PR.PT-3 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040641 + stigid@sle12: SLES-12-030390 isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 6.2,SR 7.1,SR 7.2,SR 7.6' isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 cobit5: APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07,DSS06.06 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml index d3336d246f..ed4a024797 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,sle12 title: 'Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces' @@ -20,6 +20,7 @@ identifiers: cce@rhel7: CCE-80163-9 cce@rhel8: CCE-80919-4 cce@rhcos4: CCE-82470-6 + cce@sle12: CCE-83081-0 references: stigid@ol7: OL07-00-040640 @@ -32,6 +33,8 @@ references: nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040640 + stigid@sle12: SLES-12-030400 + isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml index a7f24853f6..ef659ec1c2 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_icmp_echo_ignore_broadcasts/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 title: 'Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces' @@ -19,6 +19,7 @@ identifiers: cce@rhel7: CCE-80165-4 cce@rhel8: CCE-80922-8 cce@rhcos4: CCE-82491-2 + cce@sle12: CCE-83080-2 references: stigid@ol7: OL07-00-040630 @@ -30,6 +31,7 @@ references: nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040630 + stigid@sle12: SLES-12-030380 isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml index d610f022fe..f49353c25c 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces' @@ -19,6 +19,7 @@ identifiers: cce@rhel7: CCE-80156-3 cce@rhel8: CCE-80918-6 cce@rhcos4: CCE-82484-7 + cce@sle12: CCE-83089-3 references: stigid@ol7: OL07-00-040660 @@ -31,6 +32,7 @@ references: nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040660 + stigid@sle12: SLES-12-030420 isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml index 861c3485f3..d7d5bfe607 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml @@ -32,7 +32,7 @@ references: nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040650 - stigid@sle12: SLES-12-030420 + stigid@sle12: SLES-12-030410 isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml index 12d84a2604..b9f3d060d5 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,rhcos4 +prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,rhcos4,sle12 title: 'Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces' @@ -17,6 +17,7 @@ severity: medium identifiers: cce@rhel7: CCE-80157-1 cce@rhel8: CCE-81024-2 + cce@sle12: CCE-83088-5 references: stigid@ol7: OL07-00-040740 @@ -28,6 +29,7 @@ references: nist-csf: DE.CM-1,PR.DS-4,PR.IP-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040740 + stigid@sle12: SLES-12-030430 isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3 cobit5: APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07,DSS06.06 diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml index ee7140be4b..d9db321b70 100644 --- a/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml +++ b/linux_os/guide/system/network/network-uncommon/kernel_module_dccp_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 +prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 title: 'Disable DCCP Support' @@ -19,10 +19,12 @@ severity: medium identifiers: cce@rhel7: CCE-82024-1 cce@rhel8: CCE-80833-7 + cce@sle12: CCE-83055-4 references: stigid@ol7: OL07-00-020101 stigid@rhel7: RHEL-07-020101 + stigid@sle12: SLES-12-030030 cis@rhel8: 3.3.1 cjis: 5.10.1 cui: 3.4.6 diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml index 1e3c60b7e3..8578172a99 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Ensure All World-Writable Directories Are Group Owned by a System Account' @@ -22,14 +22,17 @@ severity: medium identifiers: cce@rhel7: CCE-83923-3 + cce@sle12: CCE-83104-0 references: stigid@ol7: OL07-00-021030 disa: CCI-000366 nist: CM-6(a),AC-6(1) + nist@sle12: CM-6(b) nist-csf: PR.AC-4,PR.DS-5 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-021030 + stigid@sle12: SLES-12-010830 isa-62443-2013: 'SR 2.1,SR 5.2' isa-62443-2009: 4.3.3.7.3 cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02 @@ -41,5 +44,5 @@ ocil_clause: 'there is output' ocil: |- The following command will discover and print world-writable directories that are not group owned by a system account, given the assumption that only system - accounts have a gid lower than 500. Run it once for each local partition PART: -
$ sudo find PART -xdev -type d -perm -0002 -gid +499 -print
+ accounts have a gid lower than {{{ auid }}}. Run it once for each local partition PART: +
$ sudo find PART -xdev -type d -perm -0002 -gid +{{{ auid - 1 }}} -print
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml index 68fd6821b8..79594c701f 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 +prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 title: 'Ensure All Files Are Owned by a Group' @@ -24,6 +24,7 @@ severity: medium identifiers: cce@rhel7: CCE-80135-7 cce@rhel8: CCE-83497-8 + cce@sle12: CCE-83073-7 references: stigid@ol7: OL07-00-020330 @@ -40,6 +41,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5 cis-csc: 1,11,12,13,14,15,16,18,3,5 cis@sle15: 6.1.12 + stigid@sle12: SLES-12-010700 ocil_clause: 'there is output' diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml index dadd3fa3e9..3652cf9f2b 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,rhcos4 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,rhcos4,sle12 title: 'Add nosuid Option to /home' @@ -21,6 +21,7 @@ severity: medium identifiers: cce@rhel7: CCE-81153-9 cce@rhel8: CCE-81050-7 + cce@sle12: CCE-83100-8 references: stigid@ol7: OL07-00-021000 @@ -36,6 +37,7 @@ references: cis-csc: 11,13,14,3,8,9 anssi: BP28(R12) srg: SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00227 + stigid@sle12: SLES-12-010790 platform: machine diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml index e507bb4465..5f19864ded 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,rhcos4,ubuntu1804 +prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019,rhcos4,ubuntu1804 title: 'Add nosuid Option to Removable Media Partitions' @@ -23,6 +23,7 @@ identifiers: cce@rhel7: CCE-80148-0 cce@rhel8: CCE-82744-4 cce@rhcos4: CCE-82745-1 + cce@sle12: CCE-83101-6 references: cis@rhel8: 1.1.19 @@ -39,6 +40,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.11.2.6,A.11.2.9,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.6.2.1,A.6.2.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.1,A.8.2.2,A.8.2.3,A.8.3.1,A.8.3.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 11,12,13,14,15,16,18,3,5,8,9 cis@sle15: 1.1.21 + stigid@sle12: SLES-12-010800 platform: machine diff --git a/linux_os/guide/system/permissions/permissions_local/group.yml b/linux_os/guide/system/permissions/permissions_local/group.yml new file mode 100644 index 0000000000..6e13c74f51 --- /dev/null +++ b/linux_os/guide/system/permissions/permissions_local/group.yml @@ -0,0 +1,12 @@ +documentation_complete: true + +title: |- + Verify Permissions on Important Files and + Directories Are Configured in /etc/permissions.local + +description: |- + Permissions for many files on a system must be set + restrictively to ensure sensitive information is properly protected. + This section discusses the /etc/permissions.local file, where + expected permissions can be configured to be checked and fixed through + usage of the chkstat command. diff --git a/linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml b/linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml new file mode 100644 index 0000000000..8c28313067 --- /dev/null +++ b/linux_os/guide/system/permissions/permissions_local/run_chkstat/rule.yml @@ -0,0 +1,50 @@ +documentation_complete: true + +prodtype: sle12 + +title: 'OS commands and libraries must have the proper permissions to protect from unauthorized access' + +description: |- + Verify that the SUSE operating system prevents unauthorized users from + accessing system command and library files. + + Check that all of the audit information files and folders have the correct + permissions with the following command: +
# sudo chkstat --warn --system
+ + Set the correct permissions with the following command: + +
# sudo chkstat --set --system
+ +rationale: |- + If the SUSE operating system were to allow any user to make changes to + software libraries, those changes might be implemented without undergoing + the appropriate testing and approvals that are part of a robust change + management process. + + This requirement applies to SUSE operating systems with software libraries + that are accessible and configurable, as in the case of interpreted + languages. Software libraries also include privileged programs that execute + with escalated privileges. Only qualified and authorized individuals must + be allowed to obtain access to information system components to initiate + changes, including upgrades and modifications. + +severity: medium + +identifiers: + cce@sle12: CCE-83111-5 + +references: + disa@sle12: CCI-001499 + nist@sle12: CM-5(6) + srg@sle12: SRG-OS-000259-GPOS-00100 + stigid@sle12: SLES-12-010880 + +ocil: |- + Check that all of the audit information files and folders have the correct + permissions with the following command: +
# sudo chkstat --warn --system
+ + If you get any warnings, set the correct permissions with the following command: + +
# sudo chkstat --set --system
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh index 9b2e235311..fbe9ddbb3e 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh @@ -1,15 +1,24 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol +# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol,multi_platform_sle {{{ bash_package_install("aide") }}} CRONTAB=/etc/crontab CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly' +# NOTE: on some platforms, /etc/crontab may not exist +if [ -f /etc/crontab ]; then + CRONTAB_EXIST=/etc/crontab +fi + if [ -f /var/spool/cron/root ]; then VARSPOOL=/var/spool/cron/root fi -if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB $VARSPOOL $CRONDIRS; then +if ! grep -qR '^.*\/usr\/sbin\/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*root@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then +{{% if product == "sle12" %}} + echo '0 5 * * * root /usr/bin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB +{{% else %}} echo '0 5 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost' >> $CRONTAB +{{% endif %}} fi diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml index d6d9f2542e..7f557bd6a3 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml @@ -1,3 +1,9 @@ +{{% if product in ["sle12", "sle15"] %}} +{{% set aide_bin_path = "/usr/bin/aide" %}} +{{% else %}} +{{% set aide_bin_path = "/usr/sbin/aide" %}} +{{% endif %}} + {{{ oval_metadata("AIDE should notify appropriate personnel of the details @@ -17,7 +23,7 @@ /etc/crontab - ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ + ^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ 1 @@ -26,7 +32,7 @@ /var/spool/cron/root - ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ + ^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ 1 @@ -36,7 +42,7 @@ ^/etc/cron.(d|daily|weekly|monthly)$ ^.*$ - ^.*/usr/sbin/aide[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ + ^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$ 1 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml index 3ed6a7bb37..cc696141f6 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Configure Notification of Post-AIDE Scan Details' @@ -30,6 +30,7 @@ severity: medium identifiers: cce@rhel7: CCE-80374-2 cce@rhel8: CCE-82891-3 + cce@sle12: CCE-83048-9 references: stigid@ol7: OL07-00-020040 @@ -44,6 +45,11 @@ references: cobit5: BAI01.06,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS03.05,DSS05.02,DSS05.05,DSS05.07 iso27001-2013: A.12.1.2,A.12.4.1,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.14.2.7,A.15.2.1 cis-csc: 1,11,12,13,15,16,2,3,5,7,8,9 + disa@sle12: CCI-002702 + nist@sle12: SI-6d + stigid@sle12: SLES-12-010510 + srg@sle12: SRG-OS-000447-GPOS-00201 + disa@sle12: CCI-002702 ocil_clause: 'AIDE has not been configured or has not been configured to notify personnel of scan details' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml index 23e939bbec..abf13a274a 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml @@ -14,7 +14,7 @@ severity: medium identifiers: cce@rhel7: CCE-27096-7 cce@rhel8: CCE-80844-4 - cce@sle12: CCE-83048-9 + cce@sle12: CCE-83067-9 references: cis@rhel8: 1.4.1 diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template index 49e4258cd2..70101ca777 100644 --- a/shared/templates/audit_rules_dac_modification/ansible.template +++ b/shared/templates/audit_rules_dac_modification/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_login_events/ansible.template b/shared/templates/audit_rules_login_events/ansible.template index e36d4b3371..4b32771c3f 100644 --- a/shared/templates/audit_rules_login_events/ansible.template +++ b/shared/templates/audit_rules_login_events/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_privileged_commands/ansible.template b/shared/templates/audit_rules_privileged_commands/ansible.template index a992b47960..1c5a8b6b2a 100644 --- a/shared/templates/audit_rules_privileged_commands/ansible.template +++ b/shared/templates/audit_rules_privileged_commands/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template index 3737145add..8e8e003a5b 100644 --- a/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template +++ b/shared/templates/audit_rules_unsuccessful_file_modification/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/shared/templates/audit_rules_usergroup_modification/ansible.template b/shared/templates/audit_rules_usergroup_modification/ansible.template index 2fab63ae44..ea9738ecb2 100644 --- a/shared/templates/audit_rules_usergroup_modification/ansible.template +++ b/shared/templates/audit_rules_usergroup_modification/ansible.template @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = true # strategy = restrict # complexity = low diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile index 15c4f70336..4c8b361226 100644 --- a/sle12/profiles/stig.profile +++ b/sle12/profiles/stig.profile @@ -7,7 +7,9 @@ description: |- DISA STIG for SUSE Linux Enterprise 12 V1R2. selections: + - sshd_approved_macs=stig - var_accounts_fail_delay=4 + - var_removable_partition=dev_cdrom - account_disable_post_pw_expiration - account_temp_expire_date - accounts_have_homedir_login_defs @@ -19,6 +21,22 @@ selections: - accounts_password_set_max_life_existing - accounts_password_set_min_life_existing - accounts_umask_etc_login_defs + - accounts_user_dot_no_world_writable_programs + - accounts_user_home_paths_only + - accounts_user_interactive_home_directory_defined + - accounts_user_interactive_home_directory_exists + - aide_scan_notification + - audit_rules_dac_modification_chmod + - audit_rules_login_events_lastlog + - audit_rules_login_events_tallylog + - audit_rules_privileged_commands_chage + - audit_rules_privileged_commands_unix_chkpwd + - audit_rules_unsuccessful_file_modification_creat + - audit_rules_unsuccessful_file_modification_ftruncate + - audit_rules_unsuccessful_file_modification_open_by_handle_at + - audit_rules_unsuccessful_file_modification_openat + - audit_rules_unsuccessful_file_modification_truncate + - audit_rules_usergroup_modification_gshadow - auditd_audispd_encrypt_sent_records - auditd_data_disk_full_action - auditd_data_retention_action_mail_acct @@ -26,17 +44,27 @@ selections: - banner_etc_issue - banner_etc_motd - dir_perms_world_writable_sticky_bits + - dir_perms_world_writable_system_owned_group - disable_ctrlaltdel_reboot - encrypt_partitions - ensure_gpgcheck_globally_activated + - file_groupownership_home_directories + - file_permission_user_init_files + - file_permissions_home_directories - file_permissions_sshd_private_key - file_permissions_sshd_pub_key + - file_permissions_ungroupowned - ftp_present_banner - gnome_gdm_disable_automatic_login - grub2_password - grub2_uefi_password - installed_OS_is_vendor_supported + - kernel_module_dccp_disabled - kernel_module_usb-storage_disabled + - mount_option_home_nosuid + - mount_option_noexec_remote_filesystems + - mount_option_nosuid_remote_filesystems + - mount_option_nosuid_removable_partitions - no_empty_passwords - no_files_unowned_by_user - no_host_based_files @@ -47,11 +75,14 @@ selections: - package_audit_installed - package_telnet-server_removed - postfix_client_configure_mail_alias + - run_chkstat - security_patches_up_to_date - service_auditd_enabled + - service_kdump_disabled - set_password_hashing_algorithm_logindefs - sshd_disable_compression - sshd_disable_empty_passwords + - sshd_disable_root_login - sshd_disable_user_known_hosts - sshd_do_not_permit_user_env - sshd_enable_strictmodes @@ -61,10 +92,18 @@ selections: - sshd_set_idle_timeout - sshd_set_keepalive - sshd_set_loglevel_verbose + - sshd_use_approved_macs - sshd_use_priv_separation - sudo_remove_no_authenticate - sudo_remove_nopasswd + - sysctl_net_ipv4_conf_all_accept_redirects - sysctl_net_ipv4_conf_all_accept_source_route + - sysctl_net_ipv4_conf_all_send_redirects + - sysctl_net_ipv4_conf_default_accept_redirects - sysctl_net_ipv4_conf_default_accept_source_route - sysctl_net_ipv4_conf_default_send_redirects + - sysctl_net_ipv4_icmp_echo_ignore_broadcasts + - sysctl_net_ipv4_ip_forward - sysctl_net_ipv6_conf_all_accept_source_route + - sysctl_net_ipv6_conf_default_accept_source_route +