diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml
index afeea9dbe62..45c87652446 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember/rule.yml
@@ -30,7 +30,6 @@ references:
 disa: CCI-000200
 nist@sle12: IA-5(1)(e),IA-5 (1).1(v)
 srg: SRG-OS-000077-GPOS-00045
- stigid@sle12: SLES-12-010310
 ocil_clause: |-
 the value of remember is not set equal to or greater than {{{ xccdf_value("var_password_pam_remember") }}}
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml
index 1fc282c25f0..dd9cfafb912 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_slmicro
+# platform = multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh
index 7e69037f7e9..bba05385826 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh
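Review bot: Dropping `multi_platform_sle` from the `# platform =` header removes this Ansible remediation for every SLE product rather than only for SLE 12, and the bash remediation in the next file section gets the same edit. Everything else in the commit is scoped to SLE 12 (the `stigid@sle12` references and `products/sle12/profiles/stig.profile`), so if an SLE 15 profile or a non-STIG SLE 12 profile still selects `file_etc_security_opasswd` (not visible here), those builds would keep the check on /etc/security/opasswd but lose the fix for its owner, group and 0600 mode. If that is not intended, keep the other SLE product listed, for example `# platform = SUSE Linux Enterprise 15,multi_platform_slmicro`; if it is intended, the commit message should say the remediation is retired for SLE as a whole. The rest of both remediation files lies outside the hunks.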
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_slmicro
+# platform = multi_platform_slmicro
 # Create /etc/security/opasswd if needed
 # Owner group mode root.root 0600
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
index a17c9dd6299..19afb581a93 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_etc_security_opasswd/rule.yml
@@ -25,7 +25,6 @@ references:
 disa: CCI-000200
 nist@sle12: IA-5(1)(e),IA-5(1).1(v)
 srg: SRG-OS-000077-GPOS-00045
- stigid@sle12: SLES-12-010300
 ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/security/opasswd", owner="root") }}} and {{{ ocil_clause_file_group_owner(file="/etc/security/opasswd", group="root") }}} and {{{ ocil_clause_file_permissions(file="/etc/security/opasswd", perms="0600") }}}'
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
index ff5efb08097..1ebc05209cd 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/agent_mfetpd_running/rule.yml
@@ -24,7 +24,6 @@ references:
 disa: CCI-001263,CCI-000366
 nist: SI-2(2)
 srg: SRG-OS-000191-GPOS-00080
- stigid@sle12: SLES-12-010599
 ocil_clause: 'virus scanning software is not running'
diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
index fb75fca7711..88d8a4312bc 100644
--- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_endpoint_security_software/package_mcafeetp_installed/rule.yml
@@ -34,7 +34,6 @@ references:
 nist: SI-2(2)
 srg: SRG-OS-000191-GPOS-00080
 stigid@rhel8: RHEL-08-010001
- stigid@sle12: SLES-12-010599
 stigid@ubuntu2004: UBTU-20-010415
 ocil_clause: 'the package is not installed'
diff --git a/products/sle12/profiles/stig.profile b/products/sle12/profiles/stig.profile
index 2471dcbb6c8..882fd1a16a9 100644
--- a/products/sle12/profiles/stig.profile
+++ b/products/sle12/profiles/stig.profile
@@ -1,7 +1,7 @@
 documentation_complete: true
 metadata:
- version: V2R13
+ version: V3R1
 SMEs:
 - abergmann
@@ -11,14 +11,14 @@ title: 'DISA STIG for SUSE Linux Enterprise 12'
 description: |-
 This profile contains configuration checks that align to the
- DISA STIG for SUSE Linux Enterprise 12 V2R13.
+ DISA STIG for SUSE Linux Enterprise 12 V3R1.
 selections:
 - sshd_approved_macs=stig
 - sshd_approved_ciphers=stig
 - var_account_disable_post_pw_expiration=35
 - var_accounts_fail_delay=4
- - var_accounts_tmout=15_min
+ - var_accounts_tmout=10_min
 - inactivity_timeout_value=15_minutes
 - var_password_pam_dcredit=1
 - var_password_pam_delay=4000000
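Review bot: After this hunk `var_accounts_tmout=10_min` sits directly above `inactivity_timeout_value=15_minutes`, so the profile now carries two different idle limits and nothing in the commit says whether the second value was checked against V3R1. The two variables appear to feed different rules (shell TMOUT versus the session-lock idle delay), so differing values can be correct, but anyone comparing the profile with the benchmark will read it as a possible omission. I would confirm the 15-minute value against the V3R1 XCCDF and add a comment above the pair such as `# shell TMOUT and session-lock idle delay are set separately on purpose`. The `selections:` list continues outside this hunk.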
@@ -26,7 +26,6 @@ selections:
 - var_password_pam_lcredit=1
 - var_password_pam_minlen=15
 - var_password_pam_ocredit=1
- - var_password_pam_remember=5
 - var_password_pam_retry=3
 - var_password_pam_ucredit=1
 - var_accounts_maximum_age_login_defs=60
@@ -59,7 +58,6 @@ selections:
 - accounts_password_all_shadowed_sha512
 - accounts_passwords_pam_faildelay_delay
 - accounts_passwords_pam_tally2
- - accounts_password_pam_pwhistory_remember
 - accounts_password_set_max_life_existing
 - accounts_password_set_min_life_existing
 - accounts_tmout
@@ -70,7 +68,6 @@ selections:
 - accounts_user_interactive_home_directory_defined
 - accounts_user_interactive_home_directory_exists
 - account_temp_expire_date
- - agent_mfetpd_running
 - aide_build_database
 - aide_check_audit_tools
 - aide_periodic_cron_checking
@@ -182,7 +179,6 @@ selections:
 - encrypt_partitions
 - ensure_gpgcheck_globally_activated
 - ensure_rtc_utc_configuration
- - file_etc_security_opasswd
 - file_groupownership_home_directories
 - file_groupownership_system_commands_dirs
 - file_ownership_binary_dirs
@@ -223,7 +219,6 @@ selections:
 - package_audit-audispd-plugins_installed
 - package_audit_installed
 - package_mailx_installed
- - package_mcafeetp_installed
 - package_pam_apparmor_installed
 - package_SuSEfirewall2_installed
 - package_telnet-server_removed
diff --git a/shared/references/disa-stig-sle12-v2r13-xccdf-manual.xml b/shared/references/disa-stig-sle12-v3r1-xccdf-manual.xml
similarity index 82%
rename from shared/references/disa-stig-sle12-v2r13-xccdf-manual.xml
rename to shared/references/disa-stig-sle12-v3r1-xccdf-manual.xml
index 3985b3361bd..2af7feb6982 100644
--- a/shared/references/disa-stig-sle12-v2r13-xccdf-manual.xml
+++ b/shared/references/disa-stig-sle12-v3r1-xccdf-manual.xml
@@ -1,4 +1,4 @@ -acceptedSLES 12 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 13 Benchmark Date: 24 Jan 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>SLES-12-010000The SUSE operating system must be a vendor-supported release.<VulnDiscussion>A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. 
With an unsupported release, it will not be possible to resolve security issues discovered in the system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target SUSE Linux Enterprise Server 12DISADPMS TargetSUSE Linux Enterprise Server 124033V-77045SV-91741CCI-001230Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. +acceptedSLES 12 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 24 Oct 20243.51.10.03I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>