From c4374e3c3d6532c92df672901a20dae0f7faba6f Mon Sep 17 00:00:00 2001
From: rchikov
Date: Fri, 23 Aug 2024 10:23:31 +0200
Subject: [PATCH 1/3] Updated 6 rules to support SLE Micro

---
 controls/stig_slmicro5.yml | 27 +++++++++++--------
 .../ansible/shared.yml | 2 +-
 .../bash/shared.sh | 2 +-
 .../rule.yml | 1 +
 .../ansible/shared.yml | 2 +-
 .../bash/shared.sh | 2 +-
 .../auditd_audispd_disk_full_action/rule.yml | 1 +
 .../ansible/shared.yml | 2 +-
 .../bash/shared.sh | 2 +-
 .../rule.yml | 1 +
 ...disp_network_failure_action_absent.fail.sh | 2 +-
 .../audisp_network_failure_action_set.pass.sh | 2 +-
 .../no_empty_passwords/bash/shared.sh | 4 +--
 .../no_empty_passwords/oval/shared.xml | 2 +-
 .../no_empty_passwords/rule.yml | 5 ++--
 .../no_empty_passwords_etc_shadow/rule.yml | 1 +
 .../accounts_have_homedir_login_defs/rule.yml | 1 +
 17 files changed, 35 insertions(+), 24 deletions(-)

diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index ae7e5897552..13ca65b0385 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -802,8 +802,9 @@ controls:
 title: All SLEM 5 local interactive user accounts, upon creation, must be assigned a home directory.
- rules: []
- status: pending
+ rules:
+ - accounts_have_homedir_login_defs
+ status: automated

 - id: SLEM-05-411015
 levels:
@@ -1154,15 +1155,16 @@ controls:
 - high
 title: SLEM 5 must not be configured to allow blank or null passwords.
 rules:
- sshd_disable_empty_passwords
+ - no_empty_passwords
 status: automated

 - id: SLEM-05-611060
 levels:
 - high
 title: SLEM 5 must not have accounts configured with blank or null passwords.
- rules: []
- status: pending
+ rules:
+ - no_empty_passwords_etc_shadow
+ status: automated

 - id: SLEM-05-611065
 levels:
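Review bot: In the SLEM-05-611055 hunk (`@@ -1154`), `sshd_disable_empty_passwords` is replaced by `no_empty_passwords` instead of being listed next to it, so the control's automated coverage of `PermitEmptyPasswords` in sshd_config is dropped in exchange for the PAM `nullok` check. The control title ("must not be configured to allow blank or null passwords") reads as a system-wide requirement, so if its check procedure covers both PAM and sshd the rules list should keep both entries: `- no_empty_passwords` and `- sshd_disable_empty_passwords`. If the swap is deliberate because the STIG check is PAM-only, a one-line comment on the control saying so would keep the next reviewer from reading it as a coverage regression.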
@@ -1449,15 +1451,17 @@ controls:
 title: SLEM 5 must offload audit records onto a different system or media from the system being audited.
- rules: []
- status: pending
+ rules:
+ - auditd_audispd_network_failure_action
+ status: automated

 - id: SLEM-05-653045
 levels:
 - medium
 title: Audispd must take appropriate action when SLEM 5 audit storage is full.
- rules: []
- status: pending
+ rules:
+ - auditd_audispd_disk_full_action
+ status: automated

 - id: SLEM-05-653050
 levels:
@@ -1944,8 +1948,9 @@ controls:
 levels:
 - medium
 title: SLEM 5 must not disable syscall auditing.
- rules: []
- status: pending
+ rules:
+ - audit_rules_enable_syscall_auditing
+ status: automated

 - id: SLEM-05-671010
 levels:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml
index 4933805f33f..6cf1b549f56 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh
index 82ebf19876d..c0de3a9272d 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro

 if [ -f "/usr/lib/systemd/system/auditd.service" ] ; then
 IS_AUGENRULES=$(grep -E "^(ExecStartPost=|Requires=augenrules\.service)" /usr/lib/systemd/system/auditd.service)
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
index 10b41ec36b6..1490b9c6a9f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
@@ -20,6 +20,7 @@ severity: medium
 identifiers:
 cce@sle12: CCE-83119-8
 cce@sle15: CCE-85706-0
+ cce@slmicro5: CCE-93739-1

 references:
 disa: CCI-000366
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/ansible/shared.yml
index 942cd0f5d00..d4ba66ac7bb 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/ansible/shared.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = configure
 # complexity = low
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
index 36e7f8cda05..76c1ad18350 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu

 {{{ bash_instantiate_variables("var_audispd_disk_full_action") }}}

diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
index 73bd3511b35..6e3b4e67d77 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 cce@rhel9: CCE-88477-5
 cce@sle12: CCE-83116-4
 cce@sle15: CCE-85617-9
+ cce@slmicro5: CCE-93728-4

 references:
 disa: CCI-001851
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/ansible/shared.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/ansible/shared.yml
index 71fc81683f7..d238e7277b6 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/ansible/shared.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = configure
 # complexity = low
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/bash/shared.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/bash/shared.sh
index d1a51360052..90f6fbc93d0 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/bash/shared.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu

 {{{ bash_instantiate_variables("var_audispd_network_failure_action") }}}

diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
index dda6f34d0cc..111834b5b44 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
@@ -25,6 +25,7 @@ identifiers:
 cce@rhel9: CCE-90187-6
 cce@sle12: CCE-83115-6
 cce@sle15: CCE-85705-2
+ cce@slmicro5: CCE-93727-6

 references:
 disa: CCI-001851
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_absent.fail.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_absent.fail.sh
index d244d4bd0e0..28d00f26e2d 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_absent.fail.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_absent.fail.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro

 . $SHARED/auditd_utils.sh
 prepare_auditd_test_enviroment
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_set.pass.sh b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_set.pass.sh
index af96da871cc..fea488a3e9b 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_set.pass.sh
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/tests/audisp_network_failure_action_set.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro

 . $SHARED/auditd_utils.sh
 prepare_auditd_test_enviroment
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
index 9878acd1ae2..29ecc1b43dc 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
@@ -1,10 +1,10 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # reboot = false
 # strategy = configure
 # complexity = low
 # disruption = medium

-{{% if 'sle' in product %}}
+{{% if 'sle' or 'slmicro' in product %}}
 PAM_PATH="/etc/pam.d/"
 NULLOK_FILES=$(grep -rl ".*pam_unix\\.so.*nullok.*" ${PAM_PATH})
 for FILE in ${NULLOK_FILES}; do
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
index 33a4d585aa3..8d670982225 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
@@ -12,7 +12,7 @@
-{{% if product in ['sle12', 'sle15'] %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] %}}
 ^/etc/pam.d/.*$
 {{% elif 'ubuntu' in product %}}
 ^/etc/pam.d/common-password
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
index 146d5983875..6b7e29f2652 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
@@ -7,7 +7,7 @@ description: |-
 but does not have an assigned password, it may be possible to log into the account without authentication.
 Remove any instances of the nullok in
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] %}}
 password authentication configurations in /etc/pam.d/
 {{% elif 'ubuntu' in product %}}
 /etc/pam.d/common-password
@@ -33,6 +33,7 @@ identifiers:
 cce@rhel10: CCE-86640-0
 cce@sle12: CCE-83039-8
 cce@sle15: CCE-85576-7
+ cce@slmicro5: CCE-93738-3

 references:
 cis-csc: 1,12,13,14,15,16,18,3,5
@@ -62,7 +63,7 @@ ocil_clause: 'NULL passwords can be used'
 ocil: |-
 To verify that null passwords cannot be used, run the following command:
-{{% if product in ["sle12", "sle15"] %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] %}}
$ grep pam_unix.so /etc/pam.d/* | grep nullok
{{% elif 'ubuntu' in product %}}
grep nullok /etc/pam.d/common-password
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
index 1a64a9d5605..5eca22667fd 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
@@ -29,6 +29,7 @@ identifiers:
 cce@rhel10: CCE-90491-2
 cce@sle12: CCE-83249-3
 cce@sle15: CCE-91155-2
+ cce@slmicro5: CCE-93737-5

 references:
 cis@ubuntu2204: 6.2.2
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
index 6da117a36b6..1c0e2ca284c 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
@@ -23,6 +23,7 @@ identifiers:
 cce@rhel10: CCE-88604-4
 cce@sle12: CCE-83053-9
 cce@sle15: CCE-85562-7
+ cce@slmicro5: CCE-93736-7

 references:
 disa: CCI-000366

From 1eac5b03c77eeceb22317f8f7f63ef05bc0556a0 Mon Sep 17 00:00:00 2001
From: rchikov
Date: Fri, 23 Aug 2024 10:26:20 +0200
Subject: [PATCH 2/3] Added a file to support SLE Micro

---
 .../no_empty_passwords/ansible/slmicro5.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/slmicro5.yml

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/slmicro5.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/slmicro5.yml
new file mode 100644
index 00000000000..28416e10f6b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/slmicro5.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_slmicro
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+- name: Find files in /etc/pam.d/ with password auth
+ find:
+ paths: /etc/pam.d
+ contains: ".*pam_unix\\.so.*nullok.*"
+ recurse: yes
+ register: find_pam_conf_files_result
+
+- name: Prevent Log In to Accounts with Empty Password
+ replace:
+ dest: "{{ item.path }}"
+ regexp: nullok
+ with_items: "{{ find_pam_conf_files_result.files }}"

From 8237441aca439936cc09f9abdeecdf2bd7639b1b Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 26 Sep 2024 07:35:39 +0300
Subject: [PATCH 3/3] Rework jinja condition in bash script

---
 .../password_storage/no_empty_passwords/bash/shared.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
index 29ecc1b43dc..88999830909 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
@@ -4,7 +4,7 @@
 # complexity = low
 # disruption = medium

-{{% if 'sle' or 'slmicro' in product %}}
+{{% if 'sle' in product or 'slmicro' in product %}}
 PAM_PATH="/etc/pam.d/"
 NULLOK_FILES=$(grep -rl ".*pam_unix\\.so.*nullok.*" ${PAM_PATH})
 for FILE in ${NULLOK_FILES}; do
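Review bot: In the new slmicro5.yml, the `replace` task's `regexp: nullok` is an unanchored substring match over the whole file, while the preceding `find` task only selected files by a `pam_unix\.so.*nullok` line, so every other occurrence of that substring in a selected file (a commented-out line, or a longer option name that contains it) is rewritten too. Bounding the token, `regexp: '\bnullok\b'`, stops the task from truncating longer option names, and restricting the match to lines that also contain `pam_unix.so` would align it with the `find` filter; the bash remediation for this rule selects files with the same grep but its loop body is outside this series' hunks, so the two should be checked for consistency. Where `with_items:` is used, `loop:` is the current Ansible idiom; an empty `files` list simply yields zero iterations, so no `when` guard is needed.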