Merge pull request #12524 from svet-se/slmicro5-stig-add-rule-account…

…s_tmout

Add rule accounts_tmout to SLE Micro 5 STIG profile

controls/stig_slmicro5.yml

@@ -23,8 +23,8 @@ controls:
           - medium
       title: SLEM 5 must implement an endpoint security tool.
       rules: []
-      status: pending
-
+      status: manual
+    
     - id: SLEM-05-211020
       levels:
           - medium
@@ -948,8 +948,10 @@ controls:
       levels:
           - medium
       title: SLEM 5 must initiate a session lock after a 15-minute period of inactivity.
-      rules: []
-      status: pending
+      rules:
+          - accounts_tmout
+          - var_accounts_tmout=15_min
+      status: automated
 
     - id: SLEM-05-412020
       levels:
@@ -1498,8 +1500,8 @@ controls:
           SLEM 5 audit tools must have the proper permissions applied to protect against
           unauthorized access.
       rules: []
-      status: pending
-
+      status: manual
+    
     - id: SLEM-05-653065
       levels:
           - low

linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/slmicro5.yml

@@ -0,0 +1,16 @@
+# platform = multi_platform_slmicro
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_accounts_tmout") }}}
+
+{{{ ansible_set_config_file(file='/etc/profile.d/autologout.sh', parameter='TMOUT', separator='=', separator_regex='=', value='{{ var_accounts_tmout }}', create='yes') }}}
+{{{ ansible_set_config_file(file='/etc/profile.d/autologout.sh', parameter='readonly', separator=' ', value='TMOUT', create='yes') }}}
+{{{ ansible_set_config_file(file='/etc/profile.d/autologout.sh', parameter='export', separator=' ', value='TMOUT', create='yes') }}}
+
+- name: Set the permission for /etc/profile.d/autologout.sh
+  file:
+    path: /etc/profile.d/autologout.sh
+    mode: '0755'
+  when: lookup('ansible.builtin.file', '/etc/profile.d/autologout.sh', errors='warn')

linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/slmicro5.sh

@@ -0,0 +1,20 @@
+# platform = multi_platform_slmicro
+
+{{{ bash_instantiate_variables("var_accounts_tmout") }}}
+
+if [ -f /etc/profile.d/autologout.sh ]; then
+    if grep --silent '^\s*TMOUT' /etc/profile.d/autologout.sh ; then
+        sed -i -E "s/^(\s*)TMOUT\s*=\s*(\w|\$)*(.*)$/\1TMOUT=$var_accounts_tmout\3/g" /etc/profile.d/autologout.sh
+    fi
+else
+    echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/autologout.sh
+    echo "TMOUT=$var_accounts_tmout" >> /etc/profile.d/autologout.sh
+fi
+if ! grep --silent '^\s*readonly TMOUT' /etc/profile.d/autologout.sh ; then
+    echo "readonly TMOUT" >> /etc/profile.d/autologout.sh
+fi
+
+if ! grep --silent '^\s*export TMOUT' /etc/profile.d/autologout.sh ; then
+    echo "export TMOUT" >> /etc/profile.d/autologout.sh
+fi
+chmod +x /etc/profile.d/autologout.sh

linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml

@@ -37,7 +37,7 @@
     {{% if filepath %}}
     <ind:filepath>{{{ filepath }}}</ind:filepath>
     {{% endif %}}
-    {{% if product in ['sle12', 'sle15'] or "ubuntu" in product %}}
+    {{% if product in ["sle12", "sle15", "slmicro5"] or "ubuntu" in product %}}
     <ind:pattern operation="pattern match">^[\s]*TMOUT=([\w$]+)[\s]*readonly TMOUT[\s]*export TMOUT$</ind:pattern>
     {{% else %}}
     <ind:pattern operation="pattern match">^[\s]*(?:typeset|declare)[\s]+-xr[\s]+TMOUT=([\w$]+).*$</ind:pattern>

linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml

@@ -8,7 +8,7 @@ description: |-
     all user sessions will terminate based on inactivity.
     The value of TMOUT should be exported and read only.
     The <tt>TMOUT</tt>
-    {{% if product in ["sle12", "sle15"] %}}
+    {{% if product in ["sle12", "sle15", "slmicro5"] %}}
     setting in <tt>/etc/profile.d/autologout.sh</tt> should read as follows:
     <pre>TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
     readonly TMOUT
@@ -43,6 +43,7 @@ identifiers:
     cce@rhel10: CCE-88163-1
     cce@sle12: CCE-83011-7
     cce@sle15: CCE-83269-1
+    cce@slmicro5: CCE-93805-0
 
 references:
     cis-csc: 1,12,15,16
@@ -72,7 +73,7 @@ ocil_clause: 'value of TMOUT is not less than or equal to expected setting'
 ocil: |-
     Run the following command to ensure the <tt>TMOUT</tt> value is configured for all users
     on the system:
-    {{% if product in ["sle12", "sle15"] %}}
+    {{% if product in ["sle12", "sle15", "slmicro5"] %}}
     <pre>$ sudo grep TMOUT /etc/profile.d/autologout.sh</pre>
     {{% elif "ubuntu" in product %}}
     <pre>$ sudo grep TMOUT /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh</pre>
@@ -81,7 +82,7 @@ ocil: |-
     {{% endif %}}
     The output should return the following:
     <pre>TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
-    {{% if product in ["sle12", "sle15",  "ubuntu2004", "ubuntu2204"] %}}
+    {{% if product in ["sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
     readonly TMOUT
     export TMOUT
     {{% endif %}}

shared/applicability/system_with_kernel.yml

@@ -16,8 +16,16 @@ title: Bare-metal systems, virtual machines, bootc container images, running boo
 # was set in past.
 check_id: system_with_kernel
 {{% if pkg_system == "rpm" %}}
+{{% if "sle" in product or "slmicro" in product %}}
+bash_conditional: "rpm --quiet -q kernel-default"
+{{% else %}}
 bash_conditional: "rpm --quiet -q kernel"
+{{% endif %}}
 {{% else %}}
 bash_conditional: "dpkg-query --show --showformat='${db:Status-Status}\n' 'kernel' 2>/dev/null | grep -q installed"
 {{% endif %}}
+{{% if "sle" in product or "slmicro" in product %}}
+ansible_conditional: '"kernel-default" in ansible_facts.packages'
+{{% else %}}
 ansible_conditional: '"kernel" in ansible_facts.packages'
+{{% endif %}}

shared/references/cce-slmicro5-avail.txt

@@ -13,7 +13,6 @@ CCE-93743-3
 CCE-93757-3
 CCE-93777-1
 CCE-93783-9
-CCE-93805-0
 CCE-93806-8
 CCE-93807-6
 CCE-93808-4