From c5f46d9166d0629740deb3cc5c45d3925345df09 Mon Sep 17 00:00:00 2001 
From: Guang Yee Date: Mon, 11 Jan 2021 12:55:43 -0800 Subject: [PATCH] Enable checks and remediations for the following SLES-12 STIGs: - SLES-12-010030 'banner_etc_issue' - SLES-12-010120 'accounts_max_concurrent_login_sessions' - SLES-12-010450 'encrypt_partitions' - SLES-12-010460 'dir_perms_world_writable_sticky_bits' - SLES-12-010500 'package_aide_installed' - SLES-12-010550 'ensure_gpgcheck_globally_activated' - SLES-12-010580 'kernel_module_usb-storage_disabled' - SLES-12-010599 'package_MFEhiplsm_installed' - SLES-12-010690 'no_files_unowned_by_user' - SLES-12-030000 'package_telnet-server_removed' - SLES-12-030010 'ftp_present_banner' - SLES-12-030050 'sshd_enable_warning_banner' - SLES-12-030110 'sshd_set_loglevel_verbose' - SLES-12-030130 'sshd_print_last_log' - SLES-12-030210 'file_permissions_sshd_pub_key' - SLES-12-030220 'file_permissions_sshd_private_key' - SLES-12-030230 'sshd_enable_strictmodes' - SLES-12-030240 'sshd_use_priv_separation' - SLES-12-030250 'sshd_disable_compression' - SLES-12-030340 'auditd_audispd_encrypt_sent_records' - SLES-12-030360 'sysctl_net_ipv4_conf_all_accept_source_route' - SLES-12-030361 'sysctl_net_ipv6_conf_all_accept_source_route' - SLES-12-030370 'sysctl_net_ipv4_conf_default_accept_source_route' - SLES-12-030420 'sysctl_net_ipv4_conf_default_send_redirects' --- .../ftp_present_banner/rule.yml | 1 + .../package_telnet-server_removed/rule.yml | 1 + .../rule.yml | 1 + .../file_permissions_sshd_pub_key/rule.yml | 1 + .../ansible/shared.yml | 2 +- .../sshd_disable_compression/rule.yml | 1 + .../sshd_enable_strictmodes/rule.yml | 1 + .../sshd_enable_warning_banner/rule.yml | 1 + .../ssh_server/sshd_print_last_log/rule.yml | 1 + .../sshd_set_loglevel_verbose/rule.yml | 1 + .../sshd_use_priv_separation/rule.yml | 1 + .../banner_etc_issue/ansible/shared.yml | 2 +- .../banner_etc_issue/rule.yml | 4 ++- .../ansible/shared.yml | 2 +- .../rule.yml | 2 ++ .../ansible/shared.yml | 2 +- .../rule.yml | 4 ++- .../rule.yml | 4 ++- 
.../rule.yml | 4 ++- .../rule.yml | 4 ++- .../rule.yml | 4 ++- .../bash/shared.sh | 2 +- .../rule.yml | 2 ++ .../files/no_files_unowned_by_user/rule.yml | 4 ++- .../rule.yml | 4 ++- .../encrypt_partitions/rule.yml | 8 +++++- .../package_MFEhiplsm_installed/rule.yml | 2 ++ .../aide/package_aide_installed/rule.yml | 3 +++ .../ansible/sle12.yml | 13 ++++++++++ .../rule.yml | 8 +++++- shared/applicability/general.yml | 4 +++ .../oval/installed_env_has_zypper_package.xml | 25 +++++++++++++++++++ .../kernel_module_disabled/ansible.template | 12 +++++++-- .../kernel_module_disabled/bash.template | 9 ++++++- .../kernel_module_disabled/oval.template | 5 ++++ sle12/product.yml | 1 + sle12/profiles/stig.profile | 25 +++++++++++++++++++ 37 files changed, 153 insertions(+), 18 deletions(-) create mode 100644 linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml create mode 100644 shared/checks/oval/installed_env_has_zypper_package.xml diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml index 35ba09b0d0..3590a085b6 100644 --- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml +++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/rule.yml @@ -19,6 +19,7 @@ severity: medium identifiers: cce@rhel7: CCE-80248-8 + cce@sle12: CCE-83059-6 references: stigid@sle12: SLES-12-030010 diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml index 317eecdc3d..619b3f0b7d 100644 --- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml 
@@ -27,6 +27,7 @@ severity: high identifiers: cce@rhel7: CCE-27165-0 cce@rhel8: CCE-82182-7 + cce@sle12: CCE-83084-4 references: stigid@ol7: OL07-00-021710 diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml index 2e52219ece..d460411667 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml @@ -18,6 +18,7 @@ severity: medium identifiers: cce@rhel7: CCE-27485-2 cce@rhel8: CCE-82424-3 + cce@sle12: CCE-83058-8 references: stigid@ol7: OL07-00-040420 diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml index e59ddc0770..b9e07d71af 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml @@ -13,6 +13,7 @@ severity: medium identifiers: cce@rhel7: CCE-27311-0 cce@rhel8: CCE-82428-4 + cce@sle12: CCE-83057-0 references: stigid@ol7: OL07-00-040410 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml index e07e436d60..f8d422c6c4 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle # reboot = false # strategy = restrict # complexity = low 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml index fe7e67c1c2..f8eec6a074 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml @@ -21,6 +21,7 @@ severity: medium identifiers: cce@rhel7: CCE-80224-9 cce@rhel8: CCE-80895-6 + cce@sle12: CCE-83062-0 references: stigid@ol7: OL07-00-040470 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml index 22b98c71a2..601f6a0ca2 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml @@ -18,6 +18,7 @@ severity: medium identifiers: cce@rhel7: CCE-80222-3 cce@rhel8: CCE-80904-6 + cce@sle12: CCE-83060-4 references: stigid@ol7: OL07-00-040450 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml index 2199d61ca9..c93ef6340f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml @@ -20,6 +20,7 @@ severity: medium identifiers: cce@rhel7: CCE-27314-4 cce@rhel8: CCE-80905-3 + cce@sle12: CCE-83066-1 references: stigid@ol7: OL07-00-040170 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml index a0b8ed38ae..0ce5da30b2 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml 
@@ -17,6 +17,7 @@ severity: medium identifiers: cce@rhel7: CCE-80225-6 cce@rhel8: CCE-82281-7 + cce@sle12: CCE-83083-6 references: stigid@ol7: OL07-00-040360 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml index 28ce48de8e..2180398855 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml @@ -22,6 +22,7 @@ severity: medium identifiers: cce@rhel7: CCE-82419-3 cce@rhel8: CCE-82420-1 + cce@sle12: CCE-83077-8 references: srg: SRG-OS-000032-GPOS-00013 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml index 14d1acfd22..d65ddb6cd1 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml @@ -18,6 +18,7 @@ severity: medium identifiers: cce@rhel7: CCE-80223-1 cce@rhel8: CCE-80908-7 + cce@sle12: CCE-83061-2 references: stigid@ol7: OL07-00-040460 diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml index f3a0c85ea5..ff6b6eab42 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle # reboot = false # strategy = unknown # complexity = low 
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml index a86ede70f8..637d8ee528 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 title: 'Modify the System Login Banner' @@ -52,6 +52,7 @@ identifiers: cce@rhel7: CCE-27303-7 cce@rhel8: CCE-80763-6 cce@rhcos4: CCE-82555-4 + cce@sle12: CCE-83054-7 references: stigid@ol7: OL07-00-010050 @@ -64,6 +65,7 @@ references: srg: SRG-OS-000023-GPOS-00006,SRG-OS-000024-GPOS-00007 vmmsrg: SRG-OS-000023-VMM-000060,SRG-OS-000024-VMM-000070 stigid@rhel7: RHEL-07-010050 + stigid@sle12: SLES-12-010030 isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9' isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9 cobit5: DSS05.04,DSS05.10,DSS06.10 diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml index 9d50a9d20c..536ac29569 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle # reboot = false # strategy = restrict # complexity = low 
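Review bot: In the prodtype hunk of banner_etc_issue/rule.yml the new product is appended after wrlinux1019 (`prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12`), while the same commit inserts it in sorted position elsewhere (no_files_unowned_by_user, kernel_module_usb-storage_disabled and ensure_gpgcheck_globally_activated all use `...,rhv4,sle12,sle15,...`). Keeping the list sorted makes later product additions and greps for a product predictable; the same appended form appears in auditd_audispd_encrypt_sent_records, the three sysctl_net_ipv4_* rules, sysctl_net_ipv6_conf_all_accept_source_route and encrypt_partitions. Suggested line here: `prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019`.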
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml index e598f4e8cb..32412aa482 100644 --- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml +++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml @@ -20,6 +20,7 @@ severity: low identifiers: cce@rhel7: CCE-82041-5 cce@rhel8: CCE-80955-8 + cce@sle12: CCE-83065-3 references: stigid@ol7: OL07-00-040000 @@ -30,6 +31,7 @@ references: srg: SRG-OS-000027-GPOS-00008 vmmsrg: SRG-OS-000027-VMM-000080 stigid@rhel7: RHEL-07-040000 + stigid@sle12: SLES-12-010120 isa-62443-2013: 'SR 3.1,SR 3.8' isa-62443-2009: 4.3.3.4 cobit5: DSS01.05,DSS05.02 diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml index 23bcdf8641..007b23ba24 100644 --- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4 +# platform = Oracle Linux 7,Red Hat Enterprise Linux 7,Red Hat Virtualization 4,multi_platform_sle # reboot = false # complexity = low # disruption = low diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml index 4c27eb11fd..1943a00fb2 100644 
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml +++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Encrypt Audit Records Sent With audispd Plugin' @@ -26,6 +26,7 @@ severity: medium identifiers: cce@rhel7: CCE-80540-8 cce@rhel8: CCE-80926-9 + cce@sle12: CCE-83063-8 references: stigid@ol7: OL07-00-030310 @@ -33,6 +34,7 @@ references: nist: AU-9(3),CM-6(a) srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 stigid@rhel7: RHEL-07-030310 + stigid@sle12: SLES-12-030340 ospp: FAU_GEN.1.1.c ocil_clause: 'audispd is not encrypting audit records when sent over the network' diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml index a3f78cb910..8767a5226f 100644 --- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019 +prodtype: rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019,sle12 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces' @@ -22,6 +22,7 @@ identifiers: cce@rhel7: CCE-80179-5 cce@rhel8: CCE-81013-5 cce@rhcos4: CCE-82480-5 + cce@sle12: CCE-83078-6 references: stigid@ol7: OL07-00-040830 
@@ -33,6 +34,7 @@ references: nist-csf: DE.AE-1,ID.AM-3,PR.AC-5,PR.DS-5,PR.PT-4 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040830 + stigid@sle12: SLES-12-030361 isa-62443-2013: 'SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6' isa-62443-2009: 4.2.3.4,4.3.3.4,4.4.3.3 cobit5: APO01.06,APO13.01,DSS01.05,DSS03.01,DSS05.02,DSS05.04,DSS05.07,DSS06.02 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml index 0cd3dbc143..7bc4e3b9b7 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces' @@ -22,6 +22,7 @@ identifiers: cce@rhel7: CCE-27434-0 cce@rhel8: CCE-81011-9 cce@rhcos4: CCE-82478-9 + cce@sle12: CCE-83064-6 references: stigid@ol7: OL07-00-040610 
@@ -33,6 +34,7 @@ references: nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040610 + stigid@sle12: SLES-12-030360 isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml index c48ec8de3d..f7ee2e9818 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 title: 'Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default' @@ -22,6 +22,7 @@ identifiers: cce@rhel7: CCE-80162-1 cce@rhel8: CCE-80920-2 cce@rhcos4: CCE-82479-7 + cce@sle12: CCE-83079-4 references: stigid@ol7: OL07-00-040620 
@@ -34,6 +35,7 @@ references: nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040620 + stigid@sle12: SLES-12-030370 isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml index ddf6b07758..861c3485f3 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019,sle12 title: 'Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default' @@ -19,6 +19,7 @@ identifiers: cce@rhel7: CCE-80999-6 cce@rhel8: CCE-80921-0 cce@rhcos4: CCE-82485-4 + cce@sle12: CCE-83086-9 references: stigid@ol7: OL07-00-040650 
@@ -31,6 +32,7 @@ references: nist-csf: DE.AE-1,DE.CM-1,ID.AM-3,PR.AC-5,PR.DS-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000480-GPOS-00227 stigid@rhel7: RHEL-07-040650 + stigid@sle12: SLES-12-030420 isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.2,SR 7.1,SR 7.2,SR 7.6' isa-62443-2009: 4.2.3.4,4.3.3.4,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.4.3.3 cobit5: APO01.06,APO13.01,BAI04.04,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.03,DSS01.05,DSS03.01,DSS03.05,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.02,DSS06.06 diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh index 0a829df187..e49942d1cc 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/bash/shared.sh @@ -1,4 +1,4 @@ -# platform = Red Hat Virtualization 4,multi_platform_rhel +# platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_sle df --local -P | awk '{if (NR!=1) print $6}' \ | xargs -I '{}' find '{}' -xdev -type d \ \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null \ diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml index d04df8df86..5bb3cf3713 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml 
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml @@ -34,6 +34,7 @@ identifiers: cce@rhel7: CCE-80130-8 cce@rhel8: CCE-80783-4 cce@rhcos4: CCE-82753-5 + cce@sle12: CCE-83047-1 references: cis@rhe8: 1.1.21 @@ -46,6 +47,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 12,13,14,15,16,18,3,5 cis@sle15: 1.1.22 + stigid@sle12: SLES-12-010460 ocil_clause: 'any world-writable directories are missing the sticky bit' diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml index e664cf9215..faab0b8822 100644 --- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 +prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 title: 'Ensure All Files Are Owned by a User' @@ -24,6 +24,7 @@ severity: medium identifiers: cce@rhel7: CCE-80134-0 cce@rhel8: CCE-83499-4 + cce@sle12: CCE-83072-9 references: stigid@ol7: OL07-00-020320 @@ -40,6 +41,7 @@ references: iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5 cis-csc: 11,12,13,14,15,16,18,3,5,9 cis@sle15: 6.1.11 + stigid@sle12: SLES-12-010690 ocil_clause: 'files exist that are not owned by a valid user' 
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml index c78b570efb..24e77cc74e 100644 --- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml +++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle15,wrlinux1019 +prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15,wrlinux1019 title: 'Disable Modprobe Loading of USB Storage Driver' @@ -22,6 +22,7 @@ identifiers: cce@rhel7: CCE-27277-3 cce@rhel8: CCE-80835-2 cce@rhcos4: CCE-82719-6 + cce@sle12: CCE-83069-5 references: stigid@ol7: OL07-00-020100 @@ -39,6 +40,7 @@ references: cis-csc: 1,12,15,16,5 cis@rhel8: 1.1.23 cis@sle15: 1.1.3 + stigid@sle12: SLES-12-010580 {{{ complete_ocil_entry_module_disable(module="usb-storage") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml index 80d1856778..fe370a4323 100644 --- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4 +prodtype: ol7,ol8,rhel7,rhel8,rhv4,rhcos4,sle12 title: 'Encrypt Partitions' @@ -14,6 +14,7 @@ description: |- option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots. + {{% if product != "sle12" %}}

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be @@ -26,11 +27,14 @@ description: |-

By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled. + {{% endif %}}

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the {{{ full_name }}} Documentation web site:
{{% if product in ["ol7", "ol8"] %}} {{{ weblink(link="https://docs.oracle.com/cd/E52668_01/E54670/html/ol7-encrypt-sec.html") }}}. + {{% elif product == "sle12" %}} + {{{ weblink(link="https://www.suse.com/documentation/sled-12/book_security/data/sec_security_cryptofs_y2.html") }}} {{% else %}} {{{ weblink(link="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html") }}}. {{% endif %}} @@ -45,6 +49,7 @@ severity: high identifiers: cce@rhel7: CCE-27128-8 cce@rhel8: CCE-80789-1 + cce@sle12: CCE-83046-3 references: cui: 3.13.16 @@ -58,6 +63,7 @@ references: isa-62443-2013: 'SR 3.4,SR 4.1,SR 5.2' cobit5: APO01.06,BAI02.01,BAI06.01,DSS04.07,DSS05.03,DSS05.04,DSS05.07,DSS06.02,DSS06.06 cis-csc: 13,14 + stigid@sle12: SLES-12-010450 ocil_clause: 'partitions do not have a type of crypto_LUKS' diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml index f96cfc925b..c0bf1ee908 100644 --- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml @@ -18,6 +18,7 @@ severity: medium identifiers: cce@rhel7: CCE-80368-4 + cce@sle12: CCE-83071-1 references: disa: CCI-000366,CCI-001263 
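Review bot: The new `{{% elif product == "sle12" %}}` branch of the encrypt_partitions description links `https://www.suse.com/documentation/sled-12/book_security/...`, a SLED (desktop) book path, while the product being enabled is SLES 12; worth confirming that this is the intended reference for a server STIG rather than the SLES 12 security guide chapter on encrypted file systems. The sle12 weblink line also lacks the trailing period the ol and rhel branches have, so the rendered sentence ends differently per product. Hiding the Kickstart/Anaconda paragraph with `{{% if product != "sle12" %}}` leaves sle12 readers with no unattended-install guidance at all; a one-sentence pointer to the SUSE equivalent (AutoYaST, if it offers partition encryption for SLE 12 — not verifiable from here) inside an `{{% else %}}` of that same block would keep the description complete.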
@@ -31,6 +32,7 @@ references: iso27001-2013: 'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.3,A.12.5.1,A.12.6.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.7,A.14.2.8,A.15.2.1,A.16.1.1,A.16.1.2,A.16.1.3,A.16.1.4,A.16.1.5,A.16.1.6,A.16.1.7,A.18.1.4,A.18.2.2,A.18.2.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,Clause 16.1.2,Clause 7.4' cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9 stigid@rhel7: RHEL-07-020019 + stigid@sle12: SLES-12-010599 ocil_clause: 'the HBSS HIPS module is not installed' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml index 699992b48c..23e939bbec 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml @@ -14,6 +14,7 @@ severity: medium identifiers: cce@rhel7: CCE-27096-7 cce@rhel8: CCE-80844-4 + cce@sle12: CCE-83048-9 references: cis@rhel8: 1.4.1 @@ -30,6 +31,8 @@ references: srg: SRG-OS-000363-GPOS-00150 cis@sle15: 1.4.1 ism: 1034,1288,1341,1417 + stigid@sle12: SLES-12-010500 + disa@sle12: CCI-002699 ocil_clause: 'the package is not installed' diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml new file mode 100644 index 0000000000..6fca48166a --- /dev/null +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/ansible/sle12.yml 
@@ -0,0 +1,13 @@ +# platform = multi_platform_sle +# reboot = false +# strategy = unknown +# complexity = low +# disruption = medium +- name: Ensure GPG check is globally activated (zypper) + ini_file: + dest: /etc/zypp/zypp.conf + section: main + option: gpgcheck + value: 1 + no_extra_spaces: yes + create: False diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml index 24cef5499c..1f86aff1e9 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml @@ -1,6 +1,6 @@ documentation_complete: true -prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle15 +prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,sle12,sle15 title: 'Ensure gpgcheck Enabled In Main {{{ pkg_manager }}} Configuration' @@ -33,6 +33,7 @@ severity: high identifiers: cce@rhel7: CCE-26989-4 cce@rhel8: CCE-80790-9 + cce@sle12: CCE-83068-7 references: stigid@ol7: OL07-00-020050 @@ -54,6 +55,7 @@ references: iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4 cis-csc: 11,2,3,9 anssi: BP28(R15) + stigid@sle12: SLES-12-010550 ocil_clause: 'GPG checking is not enabled' @@ -66,4 +68,8 @@ ocil: |- gpgcheck line or a setting of 0 indicates that it is disabled. +{{% if product == 'sle12' %}} +platform: zypper +{{% else %}} platform: yum +{{% endif %}} diff --git a/shared/applicability/general.yml b/shared/applicability/general.yml index a6581fd713..7382b7dd30 100644 --- a/shared/applicability/general.yml +++ b/shared/applicability/general.yml @@ -74,3 +74,7 @@ cpes: title: "Package yum is installed" check_id: installed_env_has_yum_package + - zypper: + name: "cpe:/a:zypper" + title: "Package zypper is installed" + check_id: installed_env_has_zypper_package 
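Review bot: The new ansible/sle12.yml hard-codes `dest: /etc/zypp/zypp.conf` even though this same commit adds `pkg_manager_config_file: "/etc/zypp/zypp.conf"` to sle12/product.yml; `dest: {{{ pkg_manager_config_file }}}` keeps the two in step and lets the playbook be reused by other zypper-based products. The task writes `gpgcheck=1`, whereas zypp.conf's own commented defaults use the `on`/`off` spelling; libzypp's boolean parsing accepts both forms as far as I know, but the OVAL check for this rule is not part of the diff, so whether it recognises `1` cannot be confirmed here and should be checked. `strategy = unknown` in the header also reads like a placeholder for what is a plain configuration edit (`strategy = configure` is the value the project uses for those, if I recall the convention correctly).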
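Review bot: The new platform switch at the end of ensure_gpgcheck_globally_activated/rule.yml keys on `product == 'sle12'`, but the prodtype line changed in the same file already lists sle15 as well, so sle15 keeps `platform: yum` and the rule would be evaluated against a yum CPE on a zypper system (presumably never applicable there). Keying on the product variable this commit already relies on in sle12/product.yml avoids enumerating products: `{{% if pkg_manager == "zypper" %}}` / `platform: zypper` / `{{% else %}}` / `platform: yum` / `{{% endif %}}`. Whether sle15's product.yml sets pkg_manager to zypper is not visible in this diff, so confirm that before relying on it.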
diff --git a/shared/checks/oval/installed_env_has_zypper_package.xml b/shared/checks/oval/installed_env_has_zypper_package.xml new file mode 100644 index 0000000000..cf14e6af3c --- /dev/null +++ b/shared/checks/oval/installed_env_has_zypper_package.xml @@ -0,0 +1,25 @@ + + + + Package zypper is installed + + multi_platform_sle + + Checks if package zypper is installed. + + + + + + + + + + + + zypper + + diff --git a/shared/templates/kernel_module_disabled/ansible.template b/shared/templates/kernel_module_disabled/ansible.template index 47deee6e54..c4a83ad325 100644 --- a/shared/templates/kernel_module_disabled/ansible.template +++ b/shared/templates/kernel_module_disabled/ansible.template @@ -1,12 +1,20 @@ -# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu +# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle # reboot = true # strategy = disable # complexity = low # disruption = medium +{{% if product == "sle12" %}} +- name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled + lineinfile: + create: yes + dest: "/etc/modprobe.d/50-blacklist.conf" + regexp: '^blacklist {{{ KERNMODULE }}}$' + line: "blacklist {{{ KERNMODULE }}}" +{{% else %}} - name: Ensure kernel module '{{{ KERNMODULE }}}' is disabled lineinfile: create: yes dest: "/etc/modprobe.d/{{{ KERNMODULE }}}.conf" regexp: '{{{ KERNMODULE }}}' line: "install {{{ KERNMODULE }}} /bin/true" - +{{% endif %}} diff --git a/shared/templates/kernel_module_disabled/bash.template b/shared/templates/kernel_module_disabled/bash.template index 42c0830b5f..f70a9925cd 100644 --- a/shared/templates/kernel_module_disabled/bash.template +++ b/shared/templates/kernel_module_disabled/bash.template 
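Review bot: The sle12 branch added to kernel_module_disabled/ansible.template writes only `blacklist MODULE` to /etc/modprobe.d/50-blacklist.conf, and the bash and oval templates in this commit follow the same pattern; a blacklist entry stops alias-based autoloading but not an explicit load request or a dependency pull-in, which is exactly what the `install MODULE /bin/true` line on the other branch prevents. If the SLES 12 STIG check text only looks for the blacklist line this matches it, but the rule title is still "Disable Modprobe Loading", so consider emitting the install line as well (and having the OVAL accept either) so the sle12 remediation is no weaker than the others. A smaller point: the ansible regexp `^blacklist {{{ KERNMODULE }}}$` requires a single space while the OVAL accepts `\s+`, so a pre-existing tab-separated entry passes the check yet makes lineinfile append a duplicate; `regexp: '^blacklist\s+{{{ KERNMODULE }}}$'` aligns the two.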
@@ -1,11 +1,18 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle
 # reboot = true
 # strategy = disable
 # complexity = low
 # disruption = medium
+{{% if product == "sle12" %}}
+if ! LC_ALL=C grep -q -m 1 "^blacklist {{{ KERNMODULE }}}$" /etc/modprobe.d/50-blacklist.conf ; then
+ echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/50-blacklist.conf
+ echo "blacklist {{{ KERNMODULE }}}" >> /etc/modprobe.d/50-blacklist.conf
+fi
+{{% else %}}
 if LC_ALL=C grep -q -m 1 "^install {{{ KERNMODULE }}}" /etc/modprobe.d/{{{ KERNMODULE }}}.conf ; then
 sed -i 's/^install {{{ KERNMODULE }}}.*/install {{{ KERNMODULE }}} /bin/true/g' /etc/modprobe.d/{{{ KERNMODULE }}}.conf
 else
 echo -e "\n# Disable per security requirements" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
 echo "install {{{ KERNMODULE }}} /bin/true" >> /etc/modprobe.d/{{{ KERNMODULE }}}.conf
 fi
+{{% endif %}}
diff --git a/shared/templates/kernel_module_disabled/oval.template b/shared/templates/kernel_module_disabled/oval.template
index e5a7aaa8b4..737ae3c796 100644
--- a/shared/templates/kernel_module_disabled/oval.template
+++ b/shared/templates/kernel_module_disabled/oval.template
@@ -54,9 +54,14 @@ + {{% if product == "sle12" %}} + /etc/modprobe.d/50-blacklist.conf + ^blacklist\s+{{{ KERNMODULE }}}$ + {{% else %}} /etc/modprobe.d ^.*\.conf$ ^\s*install\s+{{{ KERNMODULE }}}\s+(/bin/false|/bin/true)$ + {{% endif %}} 1
diff --git a/sle12/product.yml b/sle12/product.yml
index e465a6d687..d83ad88c21 100644
--- a/sle12/product.yml
+++ b/sle12/product.yml
@@ -9,6 +9,7 @@ profiles_root: "./profiles"
 init_system: "systemd"
 pkg_manager: "zypper"
+pkg_manager_config_file: "/etc/zypp/zypp.conf"
 oval_feed_url: "https://support.novell.com/security/oval/suse.linux.enterprise.12.xml"
 cpes_root: "../shared/applicability"
diff --git a/sle12/profiles/stig.profile b/sle12/profiles/stig.profile
index 6cf3339569..15c4f70336 100644
--- a/sle12/profiles/stig.profile
+++ b/sle12/profiles/stig.profile
@@ -12,34 +12,59 @@ selections:
 - account_temp_expire_date
 - accounts_have_homedir_login_defs
 - accounts_logon_fail_delay
+ - accounts_max_concurrent_login_sessions
 - accounts_maximum_age_login_defs
+ - accounts_minimum_age_login_defs
 - accounts_no_uid_except_zero
 - accounts_password_set_max_life_existing
 - accounts_password_set_min_life_existing
 - accounts_umask_etc_login_defs
+ - auditd_audispd_encrypt_sent_records
 - auditd_data_disk_full_action
 - auditd_data_retention_action_mail_acct
 - auditd_data_retention_space_left
+ - banner_etc_issue
 - banner_etc_motd
+ - dir_perms_world_writable_sticky_bits
 - disable_ctrlaltdel_reboot
+ - encrypt_partitions
+ - ensure_gpgcheck_globally_activated
+ - file_permissions_sshd_private_key
+ - file_permissions_sshd_pub_key
+ - ftp_present_banner
 - gnome_gdm_disable_automatic_login
 - grub2_password
 - grub2_uefi_password
 - installed_OS_is_vendor_supported
+ - kernel_module_usb-storage_disabled
 - no_empty_passwords
+ - no_files_unowned_by_user
 - no_host_based_files
 - no_user_host_based_files
+ - package_MFEhiplsm_installed
+ - package_aide_installed
 - package_audit-audispd-plugins_installed
 - package_audit_installed
+ - package_telnet-server_removed
 - postfix_client_configure_mail_alias
 - security_patches_up_to_date
 - service_auditd_enabled
 - set_password_hashing_algorithm_logindefs
+ - sshd_disable_compression
 - sshd_disable_empty_passwords
 - sshd_disable_user_known_hosts
 - sshd_do_not_permit_user_env
+ - sshd_enable_strictmodes
+ - sshd_enable_warning_banner
 - sshd_enable_x11_forwarding
+ - sshd_print_last_log
 - sshd_set_idle_timeout
 - sshd_set_keepalive
+ - sshd_set_loglevel_verbose
+ - sshd_use_priv_separation
 - sudo_remove_no_authenticate
 - sudo_remove_nopasswd
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ - sysctl_net_ipv4_conf_default_send_redirects
+ - sysctl_net_ipv6_conf_all_accept_source_route