Add skeleton for product support SLE Micro OS

ComplianceAsCode · May 28, 2024 · 42af8d2 · 42af8d2
1 parent a2f912a
commit 42af8d2
Show file tree

Hide file tree

Showing 11 changed files with 151 additions and 1 deletion.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -104,6 +104,7 @@ option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" ${
 option(SSG_PRODUCT_RHV4 "If enabled, the RHV4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE12 "If enabled, the SLE12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE15 "If enabled, the SLE15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_SLEMICRO "If enabled, the SLEMICRO SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU1604 "If enabled, the Ubuntu 16.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -333,6 +334,7 @@ message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}")
 message(STATUS "RHV 4: ${SSG_PRODUCT_RHV4}")
 message(STATUS "SUSE 12: ${SSG_PRODUCT_SLE12}")
 message(STATUS "SUSE 15: ${SSG_PRODUCT_SLE15}")
+message(STATUS "SUSE Micro: ${SSG_PRODUCT_SLEMICRO}")
 message(STATUS "Ubuntu 16.04: ${SSG_PRODUCT_UBUNTU1604}")
 message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
 message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
@@ -454,6 +456,9 @@ endif()
 if(SSG_PRODUCT_SLE15)
     add_subdirectory("products/sle15" "sle15")
 endif()
+if(SSG_PRODUCT_SLEMICRO)
+    add_subdirectory("products/slemicro" "slemicro")
+endif()
 if(SSG_PRODUCT_UBUNTU1604)
     add_subdirectory("products/ubuntu1604" "ubuntu1604")
 endif()

diff --git a/build_product b/build_product
@@ -370,6 +370,7 @@ all_cmake_products=(
 	RHV4
 	SLE12
 	SLE15
+        SLEMICRO
 	UBUNTU1604
 	UBUNTU1804
 	UBUNTU2004

diff --git a/products/slemicro/CMakeLists.txt b/products/slemicro/CMakeLists.txt
@@ -0,0 +1,14 @@
+# Sometimes our users will try to do: "cd slemicro; cmake ." That needs to error in a nice way.
+if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
+    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
+endif()
+
+set(PRODUCT "slemicro")
+ssg_build_product("slemicro")
+
+ssg_build_html_profile_table("table-${PRODUCT}-nistrefs-standard" "${PRODUCT}" "standard" "nist")
+
+ssg_build_html_cce_table(${PRODUCT})
+
+ssg_build_html_stig_tables(${PRODUCT})
+ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig")
diff --git a/products/slemicro/product.yml b/products/slemicro/product.yml
@@ -0,0 +1,32 @@
+product: slemicro
+full_name: SUSE Linux Enterprise Micro OS
+type: platform
+
+benchmark_id: SLEMICRO
+benchmark_root: "../../linux_os/guide"
+
+profiles_root: "./profiles"
+
+init_system: "systemd"
+
+pkg_manager: "zypper"
+pkg_manager_config_file: "/etc/zypp/zypp.conf"
+
+
+aide_bin_path: "/usr/bin/aide"
+
+cpes_root: "../../shared/applicability"
+cpes:
+  - slemicro-5.5:
+      name: "cpe:/o:suse:sle-micro:5.5"
+      title: "SLE Micro 5.5"
+      check_id: installed_OS_is_slemicro
+
+platform_package_overrides:
+  login_defs: "shadow"
+  grub2: "grub2"
+  sssd: "sssd"
+  passwd: "shadow"
+
+sysctl_remediate_drop_in_file: "true"
+journald_conf_dir_path: /etc/systemd/journal.conf.d
diff --git a/products/slemicro/profiles/stig.profile b/products/slemicro/profiles/stig.profile
@@ -0,0 +1,51 @@
+documentation_complete: true
+
+metadata:
+    version: V1R1
+    SMEs:
+        - abergmann
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'DISA STIG for SUSE Linux Enterprise Micro OS'
+
+description: |-
+    This profile contains configuration checks that align to the
+    DISA STIG for SUSE Linux Enterprise Micro OS.
+
+
+selections:
+    - var_account_disable_post_pw_expiration=35
+    - var_accounts_fail_delay=4
+    - var_accounts_tmout=15_min
+    - inactivity_timeout_value=15_minutes
+    - var_password_pam_dcredit=1
+    - var_password_pam_lcredit=1
+    - var_password_pam_minlen=15
+    - var_password_pam_ocredit=1
+    - var_password_pam_ucredit=1
+    - var_sudo_timestamp_timeout=always_prompt
+    - var_password_pam_unix_remember=5
+    - var_accounts_maximum_age_login_defs=60
+    - var_password_pam_delay=4000000
+    - login_banner_text=dod_banners
+    #
+    # Note: must configure "var_accounts_authorized_local_users_regex" when
+    # "accounts_authorized_local_users" rule is enabled
+    # - var_accounts_authorized_local_users_regex=<authorized local user accounts>
+    #
+    # NOTE: must configure "var_audispd_remote_server" when
+    # "auditd_audispd_configure_remote_server" rule is enabled
+    #
+    # - var_audispd_remote_server=<remote audit server name/IP>
+    - var_removable_partition=dev_cdrom
+    - var_sssd_memcache_timeout=1_day
+    - var_time_service_set_maxpoll=18_hours
+    - var_accounts_minimum_age_login_defs=7
+    - var_accounts_authorized_local_users_regex=sle15
+    - var_accounts_max_concurrent_login_sessions=10
+    - var_password_pam_tally2=3
+    - var_auditd_disk_full_action=syslog
+    - sshd_idle_timeout_value=10_minutes
+    - var_sshd_set_keepalive=0
+
diff --git a/products/slemicro/transforms/constants.xslt b/products/slemicro/transforms/constants.xslt
@@ -0,0 +1,13 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
+
+<xsl:variable name="product_long_name">SUSE Linux Enterprise Micro OS</xsl:variable>
+<xsl:variable name="product_short_name">SLE Micro</xsl:variable>
+<xsl:variable name="product_stig_id_name">SUSE_Linux_Enterprise_Micro_OS_STIG</xsl:variable>
+<xsl:variable name="prod_type">slemicro</xsl:variable>
+
+<!-- Define URI of official Center for Internet Security Benchmark for SUSE Linux Enterprise Micro OS -->
+<xsl:variable name="cisuri">https://www.cisecurity.org/benchmark/suse_linux/</xsl:variable>
+
+</xsl:stylesheet>
diff --git a/products/slemicro/transforms/table-style.xslt b/products/slemicro/transforms/table-style.xslt
@@ -0,0 +1,5 @@
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:import href="../../../shared/transforms/shared_table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/slemicro/transforms/xccdf-apply-overlay-stig.xslt b/products/slemicro/transforms/xccdf-apply-overlay-stig.xslt
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
+
+<xsl:include href="../../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
+<xsl:include href="constants.xslt"/>
+<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
+
+</xsl:stylesheet>
diff --git a/products/slemicro/transforms/xccdf2table-cce.xslt b/products/slemicro/transforms/xccdf2table-cce.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-cce.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/products/slemicro/transforms/xccdf2table-profileccirefs.xslt b/products/slemicro/transforms/xccdf2table-profileccirefs.xslt
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+
+<xsl:import href="../../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
+
+<xsl:include href="constants.xslt"/>
+<xsl:include href="table-style.xslt"/>
+
+</xsl:stylesheet>
diff --git a/ssg/constants.py b/ssg/constants.py
@@ -57,7 +57,7 @@
     'openembedded',
     'rhel7', 'rhel8', 'rhel9', 'rhel10',
     'rhv4',
-    'sle12', 'sle15',
+    'sle12', 'sle15', 'slemicro',
     'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'ubuntu2204',
     'uos20',
 ]
@@ -223,6 +223,7 @@
     "Red Hat Virtualization 4": "rhv4",
     "SUSE Linux Enterprise 12": "sle12",
     "SUSE Linux Enterprise 15": "sle15",
+    "SUSE Linux Enterprise Micro OS": "slemicro",
     "Ubuntu 16.04": "ubuntu1604",
     "Ubuntu 18.04": "ubuntu1804",
     "Ubuntu 20.04": "ubuntu2004",
@@ -298,6 +299,7 @@
     "multi_platform_rhel": ["rhel7", "rhel8", "rhel9", "rhel10"],
     "multi_platform_rhv": ["rhv4"],
     "multi_platform_sle": ["sle12", "sle15"],
+    "multi_platform_sle_micro": ["slemicro"],
     "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
     "multi_platform_uos": ["uos20"],
     "multi_platform_openembedded": ["openembedded"],
@@ -467,6 +469,7 @@
     'openeuler': 'openEuler',
     'opensuse': 'openSUSE',
     'sle': 'SUSE Linux Enterprise',
+    'slemicro': 'SUSE Linux Enterprise Micro OS',
     'example': 'Example',
     'ol': 'Oracle Linux',
     'ocp': 'Red Hat OpenShift Container Platform',