From d232f4a49f363dac7544d3f059d0e8b8e5890bf2 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Tue, 28 May 2024 10:52:47 +0300 Subject: [PATCH 1/8] Add skeleton for product support SLE Micro OS --- CMakeLists.txt | 5 ++ build_product | 1 + products/slemicro/CMakeLists.txt | 13 +++++ products/slemicro/product.yml | 47 +++++++++++++++++ products/slemicro/profiles/stig.profile | 51 +++++++++++++++++++ products/slemicro/transforms/constants.xslt | 13 +++++ products/slemicro/transforms/table-style.xslt | 5 ++ .../transforms/xccdf-apply-overlay-stig.xslt | 8 +++ .../slemicro/transforms/xccdf2table-cce.xslt | 9 ++++ .../xccdf2table-profileccirefs.xslt | 9 ++++ ssg/constants.py | 5 +- 11 files changed, 165 insertions(+), 1 deletion(-) create mode 100644 products/slemicro/CMakeLists.txt create mode 100644 products/slemicro/product.yml create mode 100644 products/slemicro/profiles/stig.profile create mode 100644 products/slemicro/transforms/constants.xslt create mode 100644 products/slemicro/transforms/table-style.xslt create mode 100644 products/slemicro/transforms/xccdf-apply-overlay-stig.xslt create mode 100644 products/slemicro/transforms/xccdf2table-cce.xslt create mode 100644 products/slemicro/transforms/xccdf2table-profileccirefs.xslt diff --git a/CMakeLists.txt b/CMakeLists.txt index 9e385a23bdb..463cb01b8bd 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -110,6 +110,7 @@ option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" ${
 option(SSG_PRODUCT_RHV4 "If enabled, the RHV4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE12 "If enabled, the SLE12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE15 "If enabled, the SLE15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_SLEMICRO "If enabled, the SLEMICRO SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU1604 "If enabled, the Ubuntu 16.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -337,6 +338,7 @@ message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}")
 message(STATUS "RHV 4: ${SSG_PRODUCT_RHV4}")
 message(STATUS "SUSE 12: ${SSG_PRODUCT_SLE12}")
 message(STATUS "SUSE 15: ${SSG_PRODUCT_SLE15}")
+message(STATUS "SUSE Micro: ${SSG_PRODUCT_SLEMICRO}")
 message(STATUS "Ubuntu 16.04: ${SSG_PRODUCT_UBUNTU1604}")
 message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
 message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
@@ -450,6 +452,9 @@ endif()
 if(SSG_PRODUCT_SLE15)
 add_subdirectory("products/sle15" "sle15")
 endif()
+if(SSG_PRODUCT_SLEMICRO)
+ add_subdirectory("products/slemicro" "slemicro")
+endif()
 if(SSG_PRODUCT_UBUNTU1604)
 add_subdirectory("products/ubuntu1604" "ubuntu1604")
 endif()
diff --git a/build_product b/build_product
index 686e80764aa..88035ae86ad 100755
--- a/build_product
+++ b/build_product
@@ -373,6 +373,7 @@ all_cmake_products=(
 RHV4
 SLE12
 SLE15
+ SLEMICRO
 UBUNTU1604
 UBUNTU1804
 UBUNTU2004
diff --git a/products/slemicro/CMakeLists.txt b/products/slemicro/CMakeLists.txt
new file mode 100644
index 00000000000..520746e0422
--- /dev/null
+++ b/products/slemicro/CMakeLists.txt
@@ -0,0 +1,13 @@ +# Sometimes our users will try to do: "cd slemicro; cmake ." That needs to error in a nice way. +if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") + message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") +endif() + +set(PRODUCT "slemicro") +ssg_build_product("slemicro") + + +ssg_build_html_cce_table(${PRODUCT}) + +ssg_build_html_stig_tables(${PRODUCT}) +ssg_build_html_stig_tables_per_profile(${PRODUCT} "stig") diff --git a/products/slemicro/product.yml b/products/slemicro/product.yml new file mode 100644 index 00000000000..d3d36519034 --- /dev/null +++ b/products/slemicro/product.yml @@ -0,0 +1,47 @@ +product: slemicro +full_name: SUSE Linux Enterprise Micro OS +type: platform + +benchmark_id: SLEMICRO +benchmark_root: "../../linux_os/guide" + +profiles_root: "./profiles" + +init_system: "systemd" + +pkg_manager: "zypper" +pkg_manager_config_file: "/etc/zypp/zypp.conf" + + +aide_bin_path: "/usr/bin/aide" + +cpes_root: "../../shared/applicability" +cpes: + - slemicro-5.2: + name: "cpe:/o:suse:sle-microos:5.2" + title: "SLE MicroOS 5.2" + check_id: installed_OS_is_slemicro + + - slemicro-5.3: + name: "cpe:/o:suse:sle-microos:5.3" + title: "SLE MicroOS 5.3" + check_id: installed_OS_is_slemicro + + - slemicro-5.4: + name: "cpe:/o:suse:sle-microos:5.4" + title: "SLE Micro 5.5" + check_id: installed_OS_is_slemicro + + - slemicro-5.5: + name: "cpe:/o:suse:sle-microos:5.5" + title: "SLE Micro 5.5" + check_id: installed_OS_is_slemicro + +platform_package_overrides: + login_defs: "shadow" + grub2: "grub2" + sssd: "sssd" + passwd: "shadow" + +sysctl_remediate_drop_in_file: "true" +journald_conf_dir_path: /etc/systemd/journal.conf.d diff --git a/products/slemicro/profiles/stig.profile b/products/slemicro/profiles/stig.profile new file mode 100644 index 00000000000..5e116661102 --- /dev/null +++ b/products/slemicro/profiles/stig.profile 
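Review bot: `ssg_build_product("slemicro")` repeats the literal that `set(PRODUCT "slemicro")` defines on the line before it, so a rename of the product has to be made in two places, while the three `ssg_build_html_*` calls below already go through the variable; `ssg_build_product(${PRODUCT})` keeps the name in one spot. The two consecutive blank lines before `ssg_build_html_cce_table` look like a leftover and could be collapsed to one.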
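Review bot: The `slemicro-5.4` CPE entry is titled `SLE Micro 5.5`, which reads like a copy-paste slip from the 5.5 entry below it and should presumably be `title: "SLE Micro 5.4"`. All four CPEs also resolve to the same `check_id: installed_OS_is_slemicro`, so a rule or platform scoped to one minor release would apparently apply to any install that check accepts; if that is intended, a short comment above `cpes:` saying so would save the next reader the question. The 5.2/5.3 entries use `SLE MicroOS` while 5.4/5.5 use `SLE Micro`; unless the vendor name really changed between those releases, one spelling should be used throughout.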
@@ -0,0 +1,51 @@ +documentation_complete: true + +metadata: + version: V1R1 + SMEs: + - abergmann + +reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux + +title: 'DISA STIG for SUSE Linux Enterprise Micro OS' + +description: |- + This profile contains configuration checks that align to the + DISA STIG for SUSE Linux Enterprise Micro OS. + + +selections: + - var_account_disable_post_pw_expiration=35 + - var_accounts_fail_delay=4 + - var_accounts_tmout=15_min + - inactivity_timeout_value=15_minutes + - var_password_pam_dcredit=1 + - var_password_pam_lcredit=1 + - var_password_pam_minlen=15 + - var_password_pam_ocredit=1 + - var_password_pam_ucredit=1 + - var_sudo_timestamp_timeout=always_prompt + - var_password_pam_unix_remember=5 + - var_accounts_maximum_age_login_defs=60 + - var_password_pam_delay=4000000 + - login_banner_text=dod_banners + # + # Note: must configure "var_accounts_authorized_local_users_regex" when + # "accounts_authorized_local_users" rule is enabled + # - var_accounts_authorized_local_users_regex= + # + # NOTE: must configure "var_audispd_remote_server" when + # "auditd_audispd_configure_remote_server" rule is enabled + # + # - var_audispd_remote_server= + - var_removable_partition=dev_cdrom + - var_sssd_memcache_timeout=1_day + - var_time_service_set_maxpoll=18_hours + - var_accounts_minimum_age_login_defs=7 + - var_accounts_authorized_local_users_regex=sle15 + - var_accounts_max_concurrent_login_sessions=10 + - var_password_pam_tally2=3 + - var_auditd_disk_full_action=syslog + - sshd_idle_timeout_value=10_minutes + - var_sshd_set_keepalive=0 + \ No newline at end of file diff --git a/products/slemicro/transforms/constants.xslt b/products/slemicro/transforms/constants.xslt new file mode 100644 index 00000000000..49b354073c6 --- /dev/null +++ b/products/slemicro/transforms/constants.xslt 
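Review bot: `var_sshd_set_keepalive=0` next to `sshd_idle_timeout_value=10_minutes` deserves a second look: if that variable drives OpenSSH's `ClientAliveCountMax`, a value of 0 disables termination of unresponsive sessions on current OpenSSH releases, which would defeat the 10-minute idle timeout the SSH controls in this series ask for, so confirm the intended semantics before leaving it at 0. `var_accounts_authorized_local_users_regex=sle15` is set a few lines below the comment block that still says the regex must be configured when the rule is enabled, so either drop the stale comment or add a note explaining why the sle15 value is reused for this product. The file is also missing its trailing newline.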
@@ -0,0 +1,13 @@ + + + + +SUSE Linux Enterprise Micro OS +SLE Micro +SUSE_Linux_Enterprise_Micro_OS_STIG +slemicro + + +https://www.cisecurity.org/benchmark/suse_linux/ + + diff --git a/products/slemicro/transforms/table-style.xslt b/products/slemicro/transforms/table-style.xslt new file mode 100644 index 00000000000..8b6caeab8cd --- /dev/null +++ b/products/slemicro/transforms/table-style.xslt @@ -0,0 +1,5 @@ + + + + + diff --git a/products/slemicro/transforms/xccdf-apply-overlay-stig.xslt b/products/slemicro/transforms/xccdf-apply-overlay-stig.xslt new file mode 100644 index 00000000000..4789419b80a --- /dev/null +++ b/products/slemicro/transforms/xccdf-apply-overlay-stig.xslt @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/products/slemicro/transforms/xccdf2table-cce.xslt b/products/slemicro/transforms/xccdf2table-cce.xslt new file mode 100644 index 00000000000..f156a669566 --- /dev/null +++ b/products/slemicro/transforms/xccdf2table-cce.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/products/slemicro/transforms/xccdf2table-profileccirefs.xslt b/products/slemicro/transforms/xccdf2table-profileccirefs.xslt new file mode 100644 index 00000000000..30419e92b28 --- /dev/null +++ b/products/slemicro/transforms/xccdf2table-profileccirefs.xslt @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/ssg/constants.py b/ssg/constants.py index 1d690e19f0f..4f89fc14478 100644 --- a/ssg/constants.py +++ b/ssg/constants.py @@ -58,7 +58,7 @@ 'openembedded', 'rhel8', 'rhel9', 'rhel10', 'rhv4', - 'sle12', 'sle15', + 'sle12', 'sle15', 'slemicro', 'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'ubuntu2204', 'uos20', ] @@ -224,6 +224,7 @@ "Red Hat Virtualization 4": "rhv4", "SUSE Linux Enterprise 12": "sle12", "SUSE Linux Enterprise 15": "sle15", + "SUSE Linux Enterprise Micro OS": "slemicro", "Ubuntu 16.04": "ubuntu1604", "Ubuntu 18.04": "ubuntu1804", "Ubuntu 20.04": "ubuntu2004", 
@@ -299,6 +300,7 @@ "multi_platform_rhel": ["rhel8", "rhel9", "rhel10"], "multi_platform_rhv": ["rhv4"], "multi_platform_sle": ["sle12", "sle15"], + "multi_platform_sle_micro": ["slemicro"], "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"], "multi_platform_uos": ["uos20"], "multi_platform_openembedded": ["openembedded"], @@ -424,6 +426,7 @@ 'openeuler': 'openEuler', 'opensuse': 'openSUSE', 'sle': 'SUSE Linux Enterprise', + 'slemicro': 'SUSE Linux Enterprise Micro OS', 'example': 'Example', 'ol': 'Oracle Linux', 'ocp': 'Red Hat OpenShift Container Platform', From 9da0137b9b1e43830c5525ae77241f03a2f000b9 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Mon, 1 Jul 2024 06:21:55 +0300 Subject: [PATCH 2/8] Add rule installed_OS_is_vendor_supported --- .../oval/shared.xml | 1 + .../installed_OS_is_vendor_supported/rule.yml | 6 ++- products/slemicro/profiles/stig.profile | 3 +- .../checks/oval/installed_OS_is_slemicro.xml | 45 +++++++++++++++++++ 4 files changed, 52 insertions(+), 3 deletions(-) create mode 100644 shared/checks/oval/installed_OS_is_slemicro.xml diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml index a1925ac3b99..22b9342ab57 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml @@ -10,6 +10,7 @@ + diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml index 76c35c3ad64..c43290a1085 100644 
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml @@ -8,7 +8,7 @@ description: |- {{% if 'ol' in product %}} Oracle Linux is supported by Oracle Corporation. As the Oracle Linux vendor, Oracle Corporation is responsible for providing security patches. -{{% elif product in ["sle12", "sle15"] %}} +{{% elif product in ["sle12", "sle15", "slemicro"] %}} SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise vendor, SUSE is responsible for providing security patches. {{% else %}} @@ -34,6 +34,7 @@ identifiers: cce@rhel9: CCE-83453-1 cce@sle12: CCE-83001-8 cce@sle15: CCE-83260-0 + cce@slemicro: CCE-93601-3 references: cis-csc: 18,20,4 @@ -49,6 +50,7 @@ references: stigid@rhel8: RHEL-08-010000 stigid@sle12: SLES-12-010000 stigid@sle15: SLES-15-010000 + stigid@slemicro: SLEM-05-211010 ocil_clause: 'the installed operating system is not supported' @@ -59,7 +61,7 @@ ocil: |-
$ grep -i "red hat" /etc/redhat-release
{{% elif 'ol' in product %}}
$ grep -i "oracle" /etc/oracle-release
-{{% elif product in ["sle12", "sle15"] %}} +{{% elif product in ["sle12", "sle15", "slemicro"] %}}
$ grep -i "suse" /etc/os-release
{{% endif %}}
{{{ full_name }}}
diff --git a/products/slemicro/profiles/stig.profile b/products/slemicro/profiles/stig.profile index 5e116661102..a9f30631090 100644 --- a/products/slemicro/profiles/stig.profile +++ b/products/slemicro/profiles/stig.profile @@ -48,4 +48,5 @@ selections: - var_auditd_disk_full_action=syslog - sshd_idle_timeout_value=10_minutes - var_sshd_set_keepalive=0 - \ No newline at end of file + + - installed_OS_is_vendor_supported diff --git a/shared/checks/oval/installed_OS_is_slemicro.xml b/shared/checks/oval/installed_OS_is_slemicro.xml new file mode 100644 index 00000000000..213694f4c2b --- /dev/null +++ b/shared/checks/oval/installed_OS_is_slemicro.xml @@ -0,0 +1,45 @@ + + + + SUSE Linux Enterprise MicroOS + + multi_platform_all + + + + The operating system installed on the system is + SUSE Linux Enterprise MicroOS. + + + + + + + + + + + + + + + unix + + + + + + + + + ^5.*$ + + + SUSE-MicroOS-release + + + From f50b52ce6d1d4e2945be6ebc236191bb0a06f75a Mon Sep 17 00:00:00 2001 
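Review bot: The version pattern `^5.*$` in the new `installed_OS_is_slemicro` check anchors only the leading digit, so any value beginning with `5` matches (a hypothetical `50.0` included) and the check cannot distinguish 5.2 from 5.5, even though product.yml in the first patch declares one CPE per minor release that all point at this check. If the intent is "any 5.x release", `^5\.` states that precisely, and a per-release pattern would be needed for the individual CPEs to mean anything. The surrounding XML markup is stripped in this rendering, so which object the pattern is applied to (presumably the version of the `SUSE-MicroOS-release` package) could not be confirmed from here.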
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Mon, 1 Jul 2024 14:33:36 +0200 Subject: [PATCH 3/8] Rename slemicro to susemicro5 Thus achieving several goals: - Avoid checks in jinja if *sle* in platform, when assuming sle12 or sle15 - Current SUSE Linux Enterprise MicroOS support targets only major version 5 of the platform, so SLE MicroOS v6 and above is a target for future development - Due to confusion in platform multi_platform checks the installed_OS_is check was failing to compile fully --- CMakeLists.txt | 8 +- build_product | 2 +- controls/stig_susemicro5.yml | 1403 +++++++++++++++++ .../oval/shared.xml | 2 +- .../installed_OS_is_vendor_supported/rule.yml | 7 +- products/slemicro/profiles/stig.profile | 52 - .../{slemicro => susemicro5}/CMakeLists.txt | 6 +- products/{slemicro => susemicro5}/product.yml | 24 +- products/susemicro5/profiles/stig.profile | 17 + .../transforms/constants.xslt | 10 +- .../transforms/table-style.xslt | 0 .../transforms/xccdf-apply-overlay-stig.xslt | 0 .../transforms/xccdf2table-cce.xslt | 0 .../xccdf2table-profileccirefs.xslt | 0 ...cro.xml => installed_OS_is_susemicro5.xml} | 30 +- ssg/constants.py | 10 +- 16 files changed, 1472 insertions(+), 99 deletions(-) create mode 100644 controls/stig_susemicro5.yml delete mode 100644 products/slemicro/profiles/stig.profile rename products/{slemicro => susemicro5}/CMakeLists.txt (69%) rename products/{slemicro => susemicro5}/product.yml (67%) create mode 100644 products/susemicro5/profiles/stig.profile rename products/{slemicro => susemicro5}/transforms/constants.xslt (66%) rename products/{slemicro => susemicro5}/transforms/table-style.xslt (100%) rename products/{slemicro => susemicro5}/transforms/xccdf-apply-overlay-stig.xslt (100%) rename products/{slemicro => susemicro5}/transforms/xccdf2table-cce.xslt (100%) rename products/{slemicro => susemicro5}/transforms/xccdf2table-profileccirefs.xslt (100%) rename 
shared/checks/oval/{installed_OS_is_slemicro.xml => installed_OS_is_susemicro5.xml} (55%)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 463cb01b8bd..5e0f4d3ca09 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -110,7 +110,7 @@ option(SSG_PRODUCT_RHEL10 "If enabled, the RHEL10 SCAP content will be built" ${
 option(SSG_PRODUCT_RHV4 "If enabled, the RHV4 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE12 "If enabled, the SLE12 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_SLE15 "If enabled, the SLE15 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-option(SSG_PRODUCT_SLEMICRO "If enabled, the SLEMICRO SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+option(SSG_PRODUCT_SUSEMICRO5 "If enabled, the SUSEMICRO5 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU1604 "If enabled, the Ubuntu 16.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
 option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
@@ -338,7 +338,7 @@ message(STATUS "RHEL 10: ${SSG_PRODUCT_RHEL10}")
 message(STATUS "RHV 4: ${SSG_PRODUCT_RHV4}")
 message(STATUS "SUSE 12: ${SSG_PRODUCT_SLE12}")
 message(STATUS "SUSE 15: ${SSG_PRODUCT_SLE15}")
-message(STATUS "SUSE Micro: ${SSG_PRODUCT_SLEMICRO}")
+message(STATUS "SLE MicroOS 5: ${SSG_PRODUCT_SUSEMICRO5}")
 message(STATUS "Ubuntu 16.04: ${SSG_PRODUCT_UBUNTU1604}")
 message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
 message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
@@ -452,8 +452,8 @@ endif()
 if(SSG_PRODUCT_SLE15)
 add_subdirectory("products/sle15" "sle15")
 endif()
-if(SSG_PRODUCT_SLEMICRO)
- add_subdirectory("products/slemicro" "slemicro")
+if(SSG_PRODUCT_SUSEMICRO5)
+ add_subdirectory("products/susemicro5" "susemicro5")
 endif()
 if(SSG_PRODUCT_UBUNTU1604)
 add_subdirectory("products/ubuntu1604" "ubuntu1604")
diff --git a/build_product b/build_product
index 88035ae86ad..26f89b72520 100755
--- a/build_product
+++ b/build_product
@@ -373,7 +373,7 @@ all_cmake_products=(
 RHV4
 SLE12
 SLE15
- SLEMICRO
+ SUSEMICRO5
 UBUNTU1604
 UBUNTU1804
 UBUNTU2004
diff --git a/controls/stig_susemicro5.yml b/controls/stig_susemicro5.yml
new file mode 100644
index 00000000000..bb5a8a22e4c
--- /dev/null
+++ b/controls/stig_susemicro5.yml
@@ -0,0 +1,1403 @@ +policy: SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide +title: SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide +id: stig_susemicro5 +version: V1R1 +source: https://public.cyber.mil/stigs/downloads/ +reference_type: stigid +product: susemicro5 +levels: +- id: high +- id: medium +- id: low +controls: +- id: SLEM-05-211010 + levels: + - high + title: SLEM 5 must be a vendor-supported release. + rules: + - installed_OS_is_vendor_supported + status: automated +- id: SLEM-05-211015 + levels: + - medium + title: SLEM 5 must implement an endpoint security tool. + rules: [] + status: pending +- id: SLEM-05-211020 + levels: + - medium + title: SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner + before granting any local or remote connection to the system. + rules: [] + status: pending +- id: SLEM-05-211025 + levels: + - high + title: SLEM 5 must disable the x86 Ctrl-Alt-Delete key sequence. + rules: [] + status: pending +- id: SLEM-05-212010 + levels: + - high + title: SLEM 5 with a basic input/output system (BIOS) must require authentication + upon booting into single-user and maintenance modes. + rules: [] + status: pending +- id: SLEM-05-212015 + levels: + - high + title: SLEM 5 with Unified Extensible Firmware Interface (UEFI) implemented must + require authentication upon booting into single-user mode and maintenance. + rules: [] + status: pending +- id: SLEM-05-213010 + levels: + - medium + title: SLEM 5 must restrict access to the kernel message buffer. + rules: [] + status: pending +- id: SLEM-05-213015 + levels: + - medium + title: SLEM 5 kernel core dumps must be disabled unless needed. + rules: [] + status: pending +- id: SLEM-05-213020 + levels: + - medium + title: Address space layout randomization (ASLR) must be implemented by SLEM 5 to + protect memory from unauthorized code execution. 
+ rules: [] + status: pending +- id: SLEM-05-213025 + levels: + - medium + title: SLEM 5 must implement kptr-restrict to prevent the leaking of internal kernel + addresses. + rules: [] + status: pending +- id: SLEM-05-214010 + levels: + - medium + title: Vendor-packaged SLEM 5 security patches and updates must be installed and + up to date. + rules: [] + status: pending +- id: SLEM-05-214015 + levels: + - high + title: The SLEM 5 tool zypper must have gpgcheck enabled. + rules: [] + status: pending +- id: SLEM-05-214020 + levels: + - medium + title: SLEM 5 must remove all outdated software components after updated versions + have been installed. + rules: [] + status: pending +- id: SLEM-05-215010 + levels: + - medium + title: SLEM 5 must use vlock to allow for session locking. + rules: [] + status: pending +- id: SLEM-05-215015 + levels: + - high + title: SLEM 5 must not have the telnet-server package installed. + rules: [] + status: pending +- id: SLEM-05-231010 + levels: + - medium + title: A separate file system must be used for SLEM 5 user home directories (such + as /home or an equivalent). + rules: [] + status: pending +- id: SLEM-05-231015 + levels: + - medium + title: SLEM 5 must use a separate file system for /var. + rules: [] + status: pending +- id: SLEM-05-231020 + levels: + - medium + title: SLEM 5 must use a separate file system for the system audit data path. + rules: [] + status: pending +- id: SLEM-05-231025 + levels: + - medium + title: SLEM 5 file systems that are being imported via Network File System (NFS) + must be mounted to prevent files with the setuid and setgid bit set from being + executed. + rules: [] + status: pending +- id: SLEM-05-231030 + levels: + - medium + title: SLEM 5 file systems that are being imported via Network File System (NFS) + must be mounted to prevent binary files from being executed. 
+ rules: [] + status: pending +- id: SLEM-05-231035 + levels: + - medium + title: SLEM 5 file systems that are used with removable media must be mounted to + prevent files with the setuid and setgid bit set from being executed. + rules: [] + status: pending +- id: SLEM-05-231040 + levels: + - high + title: All SLEM 5 persistent disk partitions must implement cryptographic mechanisms + to prevent unauthorized disclosure or modification of all information that requires + at-rest protection. + rules: [] + status: pending +- id: SLEM-05-231045 + levels: + - medium + title: SLEM 5 file systems that contain user home directories must be mounted to + prevent files with the setuid and setgid bit set from being executed. + rules: [] + status: pending +- id: SLEM-05-231050 + levels: + - medium + title: SLEM 5 must disable the file system automounter unless required. + rules: [] + status: pending +- id: SLEM-05-232010 + levels: + - medium + title: SLEM 5 must have directories that contain system commands set to a mode of + 755 or less permissive. + rules: [] + status: pending +- id: SLEM-05-232015 + levels: + - medium + title: SLEM 5 must have system commands set to a mode of 755 or less permissive. + rules: [] + status: pending +- id: SLEM-05-232020 + levels: + - medium + title: SLEM 5 library directories must have mode 755 or less permissive. + rules: [] + status: pending +- id: SLEM-05-232025 + levels: + - medium + title: SLEM 5 library files must have mode 755 or less permissive. + rules: [] + status: pending +- id: SLEM-05-232030 + levels: + - medium + title: All SLEM 5 local interactive user home directories must have mode 750 or + less permissive. + rules: [] + status: pending +- id: SLEM-05-232035 + levels: + - medium + title: All SLEM 5 local initialization files must have mode 740 or less permissive. + rules: [] + status: pending +- id: SLEM-05-232040 + levels: + - medium + title: SLEM 5 SSH daemon public host key files must have mode 644 or less permissive. 
+ rules: [] + status: pending +- id: SLEM-05-232045 + levels: + - medium + title: SLEM 5 SSH daemon private host key files must have mode 640 or less permissive. + rules: [] + status: pending +- id: SLEM-05-232050 + levels: + - medium + title: SLEM 5 library files must be owned by root. + rules: [] + status: pending +- id: SLEM-05-232055 + levels: + - medium + title: SLEM 5 library files must be group-owned by root. + rules: [] + status: pending +- id: SLEM-05-232060 + levels: + - medium + title: SLEM 5 library directories must be owned by root. + rules: [] + status: pending +- id: SLEM-05-232065 + levels: + - medium + title: SLEM 5 library directories must be group-owned by root. + rules: [] + status: pending +- id: SLEM-05-232070 + levels: + - medium + title: SLEM 5 must have system commands owned by root. + rules: [] + status: pending +- id: SLEM-05-232075 + levels: + - medium + title: SLEM 5 must have system commands group-owned by root or a system account. + rules: [] + status: pending +- id: SLEM-05-232080 + levels: + - medium + title: SLEM 5 must have directories that contain system commands owned by root. + rules: [] + status: pending +- id: SLEM-05-232085 + levels: + - medium + title: SLEM 5 must have directories that contain system commands group-owned by + root. + rules: [] + status: pending +- id: SLEM-05-232090 + levels: + - medium + title: All SLEM 5 files and directories must have a valid owner. + rules: [] + status: pending +- id: SLEM-05-232095 + levels: + - medium + title: All SLEM 5 files and directories must have a valid group owner. + rules: [] + status: pending +- id: SLEM-05-232100 + levels: + - medium + title: All SLEM 5 local interactive user home directories must be group-owned by + the home directory owner's primary group. + rules: [] + status: pending +- id: SLEM-05-232105 + levels: + - medium + title: All SLEM 5 world-writable directories must be group-owned by root, sys, bin, + or an application group. 
+ rules: [] + status: pending +- id: SLEM-05-232110 + levels: + - medium + title: The sticky bit must be set on all SLEM 5 world-writable directories. + rules: [] + status: pending +- id: SLEM-05-232115 + levels: + - medium + title: SLEM 5 must prevent unauthorized users from accessing system error messages. + rules: [] + status: pending +- id: SLEM-05-232120 + levels: + - medium + title: SLEM 5 must generate error messages that provide information necessary for + corrective actions without revealing information that could be exploited by adversaries. + rules: [] + status: pending +- id: SLEM-05-251010 + levels: + - medium + title: SLEM 5 must be configured to prohibit or restrict the use of functions, ports, + protocols, and/or services as defined in the Ports, Protocols, and Services Management + (PPSM) Category Assignments List (CAL) and vulnerability assessments. + rules: [] + status: pending +- id: SLEM-05-252010 + levels: + - medium + title: SLEM 5 clock must, for networked systems, be synchronized to an authoritative + DOD time source at least every 24 hours. + rules: [] + status: pending +- id: SLEM-05-252015 + levels: + - medium + title: SLEM 5 must not have network interfaces in promiscuous mode unless approved + and documented. + rules: [] + status: pending +- id: SLEM-05-253010 + levels: + - medium + title: SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed + packets. + rules: [] + status: pending +- id: SLEM-05-253015 + levels: + - medium + title: SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed + packets by default. + rules: [] + status: pending +- id: SLEM-05-253020 + levels: + - medium + title: SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message + Protocol (ICMP) redirect messages from being accepted. 
+ rules: [] + status: pending +- id: SLEM-05-253025 + levels: + - medium + title: SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4) + Internet Control Message Protocol (ICMP) redirect messages by default. + rules: [] + status: pending +- id: SLEM-05-253030 + levels: + - medium + title: SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control + Message Protocol (ICMP) redirects. + rules: [] + status: pending +- id: SLEM-05-253035 + levels: + - medium + title: SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) + Internet Control Message Protocol (ICMP) redirect messages by default. + rules: [] + status: pending +- id: SLEM-05-253040 + levels: + - medium + title: SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding + unless the system is a router. + rules: [] + status: pending +- id: SLEM-05-253045 + levels: + - medium + title: SLEM 5 must be configured to use TCP syncookies. + rules: [] + status: pending +- id: SLEM-05-254010 + levels: + - medium + title: SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed + packets. + rules: [] + status: pending +- id: SLEM-05-254015 + levels: + - medium + title: SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed + packets by default. + rules: [] + status: pending +- id: SLEM-05-254020 + levels: + - medium + title: SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message + Protocol (ICMP) redirect messages from being accepted. + rules: [] + status: pending +- id: SLEM-05-254025 + levels: + - medium + title: SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6) + Internet Control Message Protocol (ICMP) redirect messages by default. + rules: [] + status: pending +- id: SLEM-05-254030 + levels: + - medium + title: SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding + unless the system is a router. 
+ rules: [] + status: pending +- id: SLEM-05-254035 + levels: + - medium + title: SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding + by default unless the system is a router. + rules: [] + status: pending +- id: SLEM-05-255010 + levels: + - high + title: SLEM 5 must have SSH installed to protect the confidentiality and integrity + of transmitted information. + rules: [] + status: pending +- id: SLEM-05-255015 + levels: + - high + title: SLEM 5 must use SSH to protect the confidentiality and integrity of transmitted + information. + rules: [] + status: pending +- id: SLEM-05-255020 + levels: + - medium + title: SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner + before granting access via SSH. + rules: [] + status: pending +- id: SLEM-05-255025 + levels: + - high + title: SLEM 5 must not allow unattended or automatic logon via SSH. + rules: [] + status: pending +- id: SLEM-05-255030 + levels: + - medium + title: SLEM 5 must be configured so that all network connections associated with + SSH traffic terminate after becoming unresponsive. + rules: [] + status: pending +- id: SLEM-05-255035 + levels: + - medium + title: SLEM 5 must be configured so that all network connections associated with + SSH traffic are terminated after 10 minutes of becoming unresponsive. + rules: [] + status: pending +- id: SLEM-05-255040 + levels: + - medium + title: SLEM 5 SSH daemon must disable forwarded remote X connections for interactive + users, unless to fulfill documented and validated mission requirements. + rules: [] + status: pending +- id: SLEM-05-255045 + levels: + - high + title: SLEM 5 must implement DOD-approved encryption to protect the confidentiality + of SSH remote connections. + rules: [] + status: pending +- id: SLEM-05-255050 + levels: + - high + title: SLEM 5 SSH daemon must be configured to only use Message Authentication Codes + (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms. 
+ rules: [] + status: pending +- id: SLEM-05-255055 + levels: + - high + title: SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated + key exchange algorithms. + rules: [] + status: pending +- id: SLEM-05-255060 + levels: + - medium + title: SLEM 5 must deny direct logons to the root account using remote access via + SSH. + rules: [] + status: pending +- id: SLEM-05-255065 + levels: + - medium + title: SLEM 5 must log SSH connection attempts and failures to the server. + rules: [] + status: pending +- id: SLEM-05-255070 + levels: + - medium + title: SLEM 5 must display the date and time of the last successful account logon + upon an SSH logon. + rules: [] + status: pending +- id: SLEM-05-255075 + levels: + - medium + title: SLEM 5 SSH daemon must be configured to not allow authentication using known + hosts authentication. + rules: [] + status: pending +- id: SLEM-05-255080 + levels: + - medium + title: SLEM 5 SSH daemon must perform strict mode checking of home directory configuration + files. + rules: [] + status: pending +- id: SLEM-05-255085 + levels: + - medium + title: SLEM 5, for PKI-based authentication, must enforce authorized access to the + corresponding private key. + rules: [] + status: pending +- id: SLEM-05-255090 + levels: + - high + title: There must be no .shosts files on SLEM 5. + rules: [] + status: pending +- id: SLEM-05-255095 + levels: + - high + title: There must be no shosts.equiv files on SLEM 5. + rules: [] + status: pending +- id: SLEM-05-272010 + levels: + - high + title: SLEM 5 must not allow unattended or automatic logon via the graphical user + interface (GUI). + rules: [] + status: pending +- id: SLEM-05-291010 + levels: + - medium + title: SLEM 5 wireless network adapters must be disabled unless approved and documented. + rules: [] + status: pending +- id: SLEM-05-291015 + levels: + - medium + title: SLEM 5 must disable the USB mass storage kernel module. 
+  rules: []
+  status: pending
+- id: SLEM-05-411010
+  levels:
+  - medium
+  title: All SLEM 5 local interactive user accounts, upon creation, must be assigned
+    a home directory.
+  rules: []
+  status: pending
+- id: SLEM-05-411015
+  levels:
+  - medium
+  title: SLEM 5 default permissions must be defined in such a way that all authenticated
+    users can only read and modify their own files.
+  rules: []
+  status: pending
+- id: SLEM-05-411020
+  levels:
+  - medium
+  title: SLEM 5 shadow password suite must be configured to enforce a delay of at
+    least five seconds between logon prompts following a failed logon attempt.
+  rules: []
+  status: pending
+- id: SLEM-05-411025
+  levels:
+  - medium
+  title: All SLEM 5 local interactive users must have a home directory assigned in
+    the /etc/passwd file.
+  rules: []
+  status: pending
+- id: SLEM-05-411030
+  levels:
+  - medium
+  title: All SLEM 5 local interactive user home directories defined in the /etc/passwd
+    file must exist.
+  rules: []
+  status: pending
+- id: SLEM-05-411035
+  levels:
+  - medium
+  title: All SLEM 5 local interactive user initialization files executable search
+    paths must contain only paths that resolve to the users' home directory.
+  rules: []
+  status: pending
+- id: SLEM-05-411040
+  levels:
+  - medium
+  title: All SLEM 5 local initialization files must not execute world-writable programs.
+  rules: []
+  status: pending
+- id: SLEM-05-411045
+  levels:
+  - medium
+  title: SLEM 5 must automatically expire temporary accounts within 72 hours.
+  rules: []
+  status: pending
+- id: SLEM-05-411050
+  levels:
+  - medium
+  title: SLEM 5 must never automatically remove or disable emergency administrator
+    accounts.
+  rules: []
+  status: pending
+- id: SLEM-05-411055
+  levels:
+  - medium
+  title: SLEM 5 must not have unnecessary accounts.
+  rules: []
+  status: pending
+- id: SLEM-05-411060
+  levels:
+  - medium
+  title: SLEM 5 must not have unnecessary account capabilities.
+  rules: []
+  status: pending
+- id: SLEM-05-411065
+  levels:
+  - high
+  title: SLEM 5 root account must be the only account with unrestricted access to
+    the system.
+  rules: []
+  status: pending
+- id: SLEM-05-411070
+  levels:
+  - medium
+  title: SLEM 5 must disable account identifiers (individuals, groups, roles, and
+    devices) after 35 days of inactivity after password expiration.
+  rules: []
+  status: pending
+- id: SLEM-05-411075
+  levels:
+  - medium
+  title: SLEM 5 must not have duplicate User IDs (UIDs) for interactive users.
+  rules: []
+  status: pending
+- id: SLEM-05-412010
+  levels:
+  - medium
+  title: SLEM 5 must display the date and time of the last successful account logon
+    upon logon.
+  rules: []
+  status: pending
+- id: SLEM-05-412015
+  levels:
+  - medium
+  title: SLEM 5 must initiate a session lock after a 15-minute period of inactivity.
+  rules: []
+  status: pending
+- id: SLEM-05-412020
+  levels:
+  - medium
+  title: SLEM 5 must lock an account after three consecutive invalid access attempts.
+  rules: []
+  status: pending
+- id: SLEM-05-412025
+  levels:
+  - medium
+  title: SLEM 5 must enforce a delay of at least five seconds between logon prompts
+    following a failed logon attempt via pluggable authentication modules (PAM).
+  rules: []
+  status: pending
+- id: SLEM-05-412030
+  levels:
+  - medium
+  title: SLEM 5 must use the default pam_tally2 tally directory.
+  rules: []
+  status: pending
+- id: SLEM-05-412035
+  levels:
+  - low
+  title: SLEM 5 must limit the number of concurrent sessions to 10 for all accounts
+    and/or account types.
+  rules: []
+  status: pending
+- id: SLEM-05-431010
+  levels:
+  - low
+  title: SLEM 5 must have policycoreutils package installed.
+  rules: []
+  status: pending
+- id: SLEM-05-431015
+  levels:
+  - high
+  title: SLEM 5 must use a Linux Security Module configured to enforce limits on system
+    services.
+  rules: []
+  status: pending
+- id: SLEM-05-431020
+  levels:
+  - medium
+  title: SLEM 5 must enable the SELinux targeted policy.
+  rules: []
+  status: pending
+- id: SLEM-05-431025
+  levels:
+  - medium
+  title: SLEM 5 must prevent nonprivileged users from executing privileged functions,
+    including disabling, circumventing, or altering implemented security safeguards/countermeasures.
+  rules: []
+  status: pending
+- id: SLEM-05-432010
+  levels:
+  - medium
+  title: SLEM 5 must use the invoking user's password for privilege escalation when
+    using "sudo".
+  rules: []
+  status: pending
+- id: SLEM-05-432015
+  levels:
+  - medium
+  title: SLEM 5 must reauthenticate users when changing authenticators, roles, or
+    escalating privileges.
+  rules: []
+  status: pending
+- id: SLEM-05-432020
+  levels:
+  - medium
+  title: SLEM 5 must require reauthentication when using the "sudo" command.
+  rules: []
+  status: pending
+- id: SLEM-05-432025
+  levels:
+  - medium
+  title: SLEM 5 must restrict privilege elevation to authorized personnel.
+  rules: []
+  status: pending
+- id: SLEM-05-432030
+  levels:
+  - medium
+  title: SLEM 5 must specify the default "include" directory for the /etc/sudoers
+    file.
+  rules: []
+  status: pending
+- id: SLEM-05-611010
+  levels:
+  - medium
+  title: SLEM 5 must enforce passwords that contain at least one uppercase character.
+  rules: []
+  status: pending
+- id: SLEM-05-611015
+  levels:
+  - medium
+  title: SLEM 5 must enforce passwords that contain at least one lowercase character.
+  rules: []
+  status: pending
+- id: SLEM-05-611020
+  levels:
+  - medium
+  title: SLEM 5 must enforce passwords that contain at least one numeric character.
+  rules: []
+  status: pending
+- id: SLEM-05-611025
+  levels:
+  - medium
+  title: SLEM 5 must enforce passwords that contain at least one special character.
+  rules: []
+  status: pending
+- id: SLEM-05-611030
+  levels:
+  - medium
+  title: SLEM 5 must prevent the use of dictionary words for passwords.
+  rules: []
+  status: pending
+- id: SLEM-05-611035
+  levels:
+  - medium
+  title: SLEM 5 must employ passwords with a minimum of 15 characters.
+  rules: []
+  status: pending
+- id: SLEM-05-611040
+  levels:
+  - medium
+  title: SLEM 5 must require the change of at least eight of the total number of characters
+    when passwords are changed.
+  rules: []
+  status: pending
+- id: SLEM-05-611045
+  levels:
+  - medium
+  title: SLEM 5 must not allow passwords to be reused for a minimum of five generations.
+  rules: []
+  status: pending
+- id: SLEM-05-611050
+  levels:
+  - medium
+  title: SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to
+    only store encrypted representations of passwords.
+  rules: []
+  status: pending
+- id: SLEM-05-611055
+  levels:
+  - high
+  title: SLEM 5 must not be configured to allow blank or null passwords.
+  rules: []
+  status: pending
+- id: SLEM-05-611060
+  levels:
+  - high
+  title: SLEM 5 must not have accounts configured with blank or null passwords.
+  rules: []
+  status: pending
+- id: SLEM-05-611065
+  levels:
+  - medium
+  title: SLEM 5 must employ user passwords with a minimum lifetime of 24 hours (one
+    day).
+  rules: []
+  status: pending
+- id: SLEM-05-611070
+  levels:
+  - medium
+  title: SLEM 5 must employ user passwords with a maximum lifetime of 60 days.
+  rules: []
+  status: pending
+- id: SLEM-05-611075
+  levels:
+  - medium
+  title: SLEM 5 must employ a password history file.
+  rules: []
+  status: pending
+- id: SLEM-05-611080
+  levels:
+  - high
+  title: SLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms
+    for system authentication.
+  rules: []
+  status: pending
+- id: SLEM-05-611085
+  levels:
+  - high
+  title: SLEM 5 shadow password suite must be configured to use a sufficient number
+    of hashing rounds.
+  rules: []
+  status: pending
+- id: SLEM-05-611090
+  levels:
+  - medium
+  title: SLEM 5 must employ FIPS 140-2/140-3 approved cryptographic hashing algorithm
+    for system authentication (login.defs).
+  rules: []
+  status: pending
+- id: SLEM-05-611095
+  levels:
+  - medium
+  title: SLEM 5 must be configured to create or update passwords with a minimum lifetime
+    of 24 hours (one day).
+  rules: []
+  status: pending
+- id: SLEM-05-611100
+  levels:
+  - medium
+  title: SLEM 5 must be configured to create or update passwords with a maximum lifetime
+    of 60 days.
+  rules: []
+  status: pending
+- id: SLEM-05-612010
+  levels:
+  - medium
+  title: SLEM 5 must have the packages required for multifactor authentication to
+    be installed.
+  rules: []
+  status: pending
+- id: SLEM-05-612015
+  levels:
+  - medium
+  title: SLEM 5 must implement multifactor authentication for access to privileged
+    accounts via pluggable authentication modules (PAM).
+  rules: []
+  status: pending
+- id: SLEM-05-612020
+  levels:
+  - medium
+  title: SLEM 5 must implement certificate status checking for multifactor authentication.
+  rules: []
+  status: pending
+- id: SLEM-05-631010
+  levels:
+  - medium
+  title: If Network Security Services (NSS) is being used by SLEM 5 it must prohibit
+    the use of cached authentications after one day.
+  rules: []
+  status: pending
+- id: SLEM-05-631015
+  levels:
+  - medium
+  title: SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to
+    prohibit the use of cached offline authentications after one day.
+  rules: []
+  status: pending
+- id: SLEM-05-631020
+  levels:
+  - medium
+  title: SLEM 5, for PKI-based authentication, must validate certificates by constructing
+    a certification path (which includes status information) to an accepted trust
+    anchor.
+  rules: []
+  status: pending
+- id: SLEM-05-631025
+  levels:
+  - medium
+  title: SLEM 5 must be configured to not overwrite Pluggable Authentication Modules
+    (PAM) configuration on package changes.
+  rules: []
+  status: pending
+- id: SLEM-05-651010
+  levels:
+  - medium
+  title: SLEM 5 must use a file integrity tool to verify correct operation of all
+    security functions.
+  rules: []
+  status: pending
+- id: SLEM-05-651015
+  levels:
+  - medium
+  title: SLEM 5 file integrity tool must be configured to verify Access Control Lists
+    (ACLs).
+  rules: []
+  status: pending
+- id: SLEM-05-651020
+  levels:
+  - medium
+  title: SLEM 5 file integrity tool must be configured to verify extended attributes.
+  rules: []
+  status: pending
+- id: SLEM-05-651025
+  levels:
+  - medium
+  title: SLEM 5 file integrity tool must be configured to protect the integrity of
+    the audit tools.
+  rules: []
+  status: pending
+- id: SLEM-05-651030
+  levels:
+  - medium
+  title: Advanced Intrusion Detection Environment (AIDE) must verify the baseline
+    SLEM 5 configuration at least weekly.
+  rules: []
+  status: pending
+- id: SLEM-05-651035
+  levels:
+  - medium
+  title: SLEM 5 must notify the system administrator (SA) when Advanced Intrusion
+    Detection Environment (AIDE) discovers anomalies in the operation of any security
+    functions.
+  rules: []
+  status: pending
+- id: SLEM-05-652010
+  levels:
+  - medium
+  title: SLEM 5 must offload rsyslog messages for networked systems in real time and
+    offload standalone systems at least weekly.
+  rules: []
+  status: pending
+- id: SLEM-05-653010
+  levels:
+  - medium
+  title: SLEM 5 must have the auditing package installed.
+  rules: []
+  status: pending
+- id: SLEM-05-653015
+  levels:
+  - medium
+  title: SLEM 5 audit records must contain information to establish what type of events
+    occurred, the source of events, where events occurred, and the outcome of events.
+  rules: []
+  status: pending
+- id: SLEM-05-653020
+  levels:
+  - medium
+  title: The audit-audispd-plugins package must be installed on SLEM 5.
+  rules: []
+  status: pending
+- id: SLEM-05-653025
+  levels:
+  - medium
+  title: SLEM 5 must allocate audit record storage capacity to store at least one
+    week of audit records when audit records are not immediately sent to a central
+    audit record storage facility.
+  rules: []
+  status: pending
+- id: SLEM-05-653030
+  levels:
+  - medium
+  title: SLEM 5 auditd service must notify the system administrator (SA) and information
+    system security officer (ISSO) immediately when audit storage capacity is 75 percent
+    full.
+  rules: []
+  status: pending
+- id: SLEM-05-653035
+  levels:
+  - medium
+  title: SLEM 5 audit system must take appropriate action when the audit storage volume
+    is full.
+  rules: []
+  status: pending
+- id: SLEM-05-653040
+  levels:
+  - medium
+  title: SLEM 5 must offload audit records onto a different system or media from the
+    system being audited.
+  rules: []
+  status: pending
+- id: SLEM-05-653045
+  levels:
+  - medium
+  title: Audispd must take appropriate action when SLEM 5 audit storage is full.
+  rules: []
+  status: pending
+- id: SLEM-05-653050
+  levels:
+  - medium
+  title: SLEM 5 must protect audit rules from unauthorized modification.
+  rules: []
+  status: pending
+- id: SLEM-05-653055
+  levels:
+  - medium
+  title: SLEM 5 audit tools must have the proper permissions configured to protect
+    against unauthorized access.
+  rules: []
+  status: pending
+- id: SLEM-05-653060
+  levels:
+  - medium
+  title: SLEM 5 audit tools must have the proper permissions applied to protect against
+    unauthorized access.
+  rules: []
+  status: pending
+- id: SLEM-05-653065
+  levels:
+  - low
+  title: SLEM 5 audit event multiplexor must be configured to use Kerberos.
+  rules: []
+  status: pending
+- id: SLEM-05-653070
+  levels:
+  - medium
+  title: Audispd must offload audit records onto a different system or media from
+    SLEM 5 being audited.
+  rules: []
+  status: pending
+- id: SLEM-05-653075
+  levels:
+  - medium
+  title: The information system security officer (ISSO) and system administrator (SA),
+    at a minimum, must have mail aliases to be notified of a SLEM 5 audit processing
+    failure.
+  rules: []
+  status: pending
+- id: SLEM-05-653080
+  levels:
+  - medium
+  title: The information system security officer (ISSO) and system administrator (SA),
+    at a minimum, must be alerted of a SLEM 5 audit processing failure event.
+  rules: []
+  status: pending
+- id: SLEM-05-654010
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "chacl" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654015
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "chage" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654020
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "chcon" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654025
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "chfn" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654030
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "chmod" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654035
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for a uses of the "chsh" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654040
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "crontab" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654045
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "gpasswd" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654050
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "insmod" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654055
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "kmod" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654060
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "modprobe" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654065
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "newgrp" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654070
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "pam_timestamp_check"
+    command.
+  rules: []
+  status: pending
+- id: SLEM-05-654075
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "passwd" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654080
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "rm" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654085
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "rmmod" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654090
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "setfacl" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654095
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "ssh-agent" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654100
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "ssh-keysign" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654105
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "su" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654110
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "sudo" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654115
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "sudoedit" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654120
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "unix_chkpwd" or "unix2_chkpwd"
+    commands.
+  rules: []
+  status: pending
+- id: SLEM-05-654125
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "usermod" command.
+  rules: []
+  status: pending
+- id: SLEM-05-654130
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all account creations, modifications,
+    disabling, and termination events that affect /etc/group.
+  rules: []
+  status: pending
+- id: SLEM-05-654135
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all account creations, modifications,
+    disabling, and termination events that affect /etc/security/opasswd.
+  rules: []
+  status: pending
+- id: SLEM-05-654140
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all account creations, modifications,
+    disabling, and termination events that affect /etc/passwd.
+  rules: []
+  status: pending
+- id: SLEM-05-654145
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all account creations, modifications,
+    disabling, and termination events that affect /etc/shadow.
+  rules: []
+  status: pending
+- id: SLEM-05-654150
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "chmod", "fchmod"
+    and "fchmodat" system calls.
+  rules: []
+  status: pending
+- id: SLEM-05-654155
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "chown", "fchown",
+    "fchownat", and "lchown" system calls.
+  rules: []
+  status: pending
+- id: SLEM-05-654160
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "creat", "open", "openat",
+    "open_by_handle_at", "truncate", and "ftruncate" system calls.
+  rules: []
+  status: pending
+- id: SLEM-05-654165
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "delete_module" system
+    call.
+  rules: []
+  status: pending
+- id: SLEM-05-654170
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "init_module" and
+    "finit_module" system calls.
+  rules: []
+  status: pending
+- id: SLEM-05-654175
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "mount" system call.
+  rules: []
+  status: pending
+- id: SLEM-05-654180
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "setxattr", "fsetxattr",
+    "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
+  rules: []
+  status: pending
+- id: SLEM-05-654185
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "umount" system call.
+  rules: []
+  status: pending
+- id: SLEM-05-654190
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of the "unlink", "unlinkat",
+    "rename", "renameat", and "rmdir" system calls.
+  rules: []
+  status: pending
+- id: SLEM-05-654195
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all uses of privileged functions.
+  rules: []
+  status: pending
+- id: SLEM-05-654200
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all modifications to the "lastlog"
+    file.
+  rules: []
+  status: pending
+- id: SLEM-05-654205
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for all modifications to the "tallylog"
+    file must generate an audit record.
+  rules: []
+  status: pending
+- id: SLEM-05-654210
+  levels:
+  - medium
+  title: SLEM 5 must audit all uses of the sudoers file and all files in the "/etc/sudoers.d/"
+    directory.
+  rules: []
+  status: pending
+- id: SLEM-05-654215
+  levels:
+  - medium
+  title: Successful/unsuccessful uses of "setfiles" in SLEM 5 must generate an audit
+    record.
+  rules: []
+  status: pending
+- id: SLEM-05-654220
+  levels:
+  - medium
+  title: Successful/unsuccessful uses of "semanage" in SLEM 5 must generate an audit
+    record.
+  rules: []
+  status: pending
+- id: SLEM-05-654225
+  levels:
+  - medium
+  title: Successful/unsuccessful uses of "setsebool" in SLEM 5 must generate an audit
+    record.
+  rules: []
+  status: pending
+- id: SLEM-05-654230
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for the "/run/utmp file".
+  rules: []
+  status: pending
+- id: SLEM-05-654235
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for the "/var/log/btmp" file.
+  rules: []
+  status: pending
+- id: SLEM-05-654240
+  levels:
+  - medium
+  title: SLEM 5 must generate audit records for the "/var/log/wtmp" file.
+  rules: []
+  status: pending
+- id: SLEM-05-654245
+  levels:
+  - medium
+  title: SLEM 5 must not disable syscall auditing.
+  rules: []
+  status: pending
+- id: SLEM-05-671010
+  levels:
+  - high
+  title: FIPS 140-2/140-3 mode must be enabled on SLEM 5.
+  rules: []
+  status: pending
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
index 22b9342ab57..6a8240fff15 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
@@ -10,7 +10,7 @@
-
+
diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
index c43290a1085..d0eb4a4ccb2 100644
--- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml
+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml @@ -8,7 +8,7 @@ description: |- {{% if 'ol' in product %}} Oracle Linux is supported by Oracle Corporation. As the Oracle Linux vendor, Oracle Corporation is responsible for providing security patches. -{{% elif product in ["sle12", "sle15", "slemicro"] %}} +{{% elif product in ["sle12", "sle15", "susemicro5"] %}} SUSE Linux Enterprise is supported by SUSE. As the SUSE Linux Enterprise vendor, SUSE is responsible for providing security patches. {{% else %}} @@ -34,7 +34,7 @@ identifiers: cce@rhel9: CCE-83453-1 cce@sle12: CCE-83001-8 cce@sle15: CCE-83260-0 - cce@slemicro: CCE-93601-3 + cce@susemicro5: CCE-93601-3 references: cis-csc: 18,20,4 @@ -50,7 +50,6 @@ references: stigid@rhel8: RHEL-08-010000 stigid@sle12: SLES-12-010000 stigid@sle15: SLES-15-010000 - stigid@slemicro: SLEM-05-211010 ocil_clause: 'the installed operating system is not supported' @@ -61,7 +60,7 @@ ocil: |-
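Review bot: The `@@ -50,7 +50,6 @@` hunk deletes `stigid@slemicro: SLEM-05-211010` without adding a `stigid@susemicro5:` line, whereas the `@@ -34,7 +34,7 @@` hunk above it carries the CCE over as `cce@susemicro5` and the new profile in this series selects `stig_susemicro5:all`. If the `stigid@` reference is what ties this rule to SLEM-05-211010 in the generated XCCDF references and the STIG overlay, the renamed product loses that link; the one-line fix is `stigid@susemicro5: SLEM-05-211010`, unless the control file is meant to supply the mapping on its own. The `@@ -8,7 +8,7 @@` hunk and the `@@ -61,7 +60,7 @@` hunk below only rename the product id and need no further change.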
$ grep -i "red hat" /etc/redhat-release
{{% elif 'ol' in product %}}
$ grep -i "oracle" /etc/oracle-release
-{{% elif product in ["sle12", "sle15", "slemicro"] %}} +{{% elif product in ["sle12", "sle15", "susemicro5"] %}}
$ grep -i "suse" /etc/os-release
{{% endif %}}
{{{ full_name }}}
diff --git a/products/slemicro/profiles/stig.profile b/products/slemicro/profiles/stig.profile deleted file mode 100644 index a9f30631090..00000000000 --- a/products/slemicro/profiles/stig.profile +++ /dev/null @@ -1,52 +0,0 @@ -documentation_complete: true - -metadata: - version: V1R1 - SMEs: - - abergmann - -reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux - -title: 'DISA STIG for SUSE Linux Enterprise Micro OS' - -description: |- - This profile contains configuration checks that align to the - DISA STIG for SUSE Linux Enterprise Micro OS. - - -selections: - - var_account_disable_post_pw_expiration=35 - - var_accounts_fail_delay=4 - - var_accounts_tmout=15_min - - inactivity_timeout_value=15_minutes - - var_password_pam_dcredit=1 - - var_password_pam_lcredit=1 - - var_password_pam_minlen=15 - - var_password_pam_ocredit=1 - - var_password_pam_ucredit=1 - - var_sudo_timestamp_timeout=always_prompt - - var_password_pam_unix_remember=5 - - var_accounts_maximum_age_login_defs=60 - - var_password_pam_delay=4000000 - - login_banner_text=dod_banners - # - # Note: must configure "var_accounts_authorized_local_users_regex" when - # "accounts_authorized_local_users" rule is enabled - # - var_accounts_authorized_local_users_regex= - # - # NOTE: must configure "var_audispd_remote_server" when - # "auditd_audispd_configure_remote_server" rule is enabled - # - # - var_audispd_remote_server= - - var_removable_partition=dev_cdrom - - var_sssd_memcache_timeout=1_day - - var_time_service_set_maxpoll=18_hours - - var_accounts_minimum_age_login_defs=7 - - var_accounts_authorized_local_users_regex=sle15 - - var_accounts_max_concurrent_login_sessions=10 - - var_password_pam_tally2=3 - - var_auditd_disk_full_action=syslog - - sshd_idle_timeout_value=10_minutes - - var_sshd_set_keepalive=0 - - - installed_OS_is_vendor_supported 
diff --git a/products/slemicro/CMakeLists.txt b/products/susemicro5/CMakeLists.txt
similarity index 69%
rename from products/slemicro/CMakeLists.txt
rename to products/susemicro5/CMakeLists.txt
index 520746e0422..92397b9d811 100644
--- a/products/slemicro/CMakeLists.txt
+++ b/products/susemicro5/CMakeLists.txt
@@ -1,10 +1,10 @@
-# Sometimes our users will try to do: "cd slemicro; cmake ." That needs to error in a nice way.
+# Sometimes our users will try to do: "cd susemicro5; cmake ." That needs to error in a nice way.
 if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
     message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
 endif()
-set(PRODUCT "slemicro")
-ssg_build_product("slemicro")
+set(PRODUCT "susemicro5")
+ssg_build_product("susemicro5")
 ssg_build_html_cce_table(${PRODUCT})
diff --git a/products/slemicro/product.yml b/products/susemicro5/product.yml
similarity index 67%
rename from products/slemicro/product.yml
rename to products/susemicro5/product.yml
index d3d36519034..ce822169f40 100644
--- a/products/slemicro/product.yml
+++ b/products/susemicro5/product.yml
@@ -1,8 +1,10 @@
-product: slemicro
-full_name: SUSE Linux Enterprise Micro OS
+product: susemicro5
+full_name: SUSE Linux Enterprise Micro OS 5.x
 type: platform
-benchmark_id: SLEMICRO
+major_version_ordinal: 5
+
+benchmark_id: SUSEMICRO5
 benchmark_root: "../../linux_os/guide"
 profiles_root: "./profiles"
@@ -17,25 +19,25 @@ aide_bin_path: "/usr/bin/aide"
 cpes_root: "../../shared/applicability"
 cpes:
-  - slemicro-5.2:
+  - susemicro-5.2:
       name: "cpe:/o:suse:sle-microos:5.2"
       title: "SLE MicroOS 5.2"
-      check_id: installed_OS_is_slemicro
+      check_id: installed_OS_is_susemicro5
-  - slemicro-5.3:
+  - susemicro-5.3:
       name: "cpe:/o:suse:sle-microos:5.3"
       title: "SLE MicroOS 5.3"
-      check_id: installed_OS_is_slemicro
+      check_id: installed_OS_is_susemicro5
-  - slemicro-5.4:
+  - susemicro-5.4:
       name: "cpe:/o:suse:sle-microos:5.4"
       title: "SLE Micro 5.5"
-      check_id: installed_OS_is_slemicro
+      check_id: installed_OS_is_susemicro5
-  - slemicro-5.5:
+  - susemicro-5.5:
       name: "cpe:/o:suse:sle-microos:5.5"
       title: "SLE Micro 5.5"
-      check_id: installed_OS_is_slemicro
+      check_id: installed_OS_is_susemicro5
 platform_package_overrides:
   login_defs: "shadow"
diff --git a/products/susemicro5/profiles/stig.profile b/products/susemicro5/profiles/stig.profile
new file mode 100644
index 00000000000..4f0011af5c6
--- /dev/null
+++ b/products/susemicro5/profiles/stig.profile
@@ -0,0 +1,17 @@
+documentation_complete: true
+
+metadata:
+  version: V1R1
+  SMEs:
+    - teacup-on-rockingchair
+
+reference: https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux
+
+title: 'SUSE Linux Enterprise Micro (SLEM) 5'
+
+description: |-
+    This profile contains configuration checks that align to the
+    DISA STIG for SUSE Linux Enterprise Micro (SLEM) 5.
+
+selections:
+    - stig_susemicro5:all
diff --git a/products/slemicro/transforms/constants.xslt b/products/susemicro5/transforms/constants.xslt
similarity index 66%
rename from products/slemicro/transforms/constants.xslt
rename to products/susemicro5/transforms/constants.xslt
index 49b354073c6..12b64837fad 100644
--- a/products/slemicro/transforms/constants.xslt
+++ b/products/susemicro5/transforms/constants.xslt
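Review bot: The `susemicro-5.4` CPE entry in the `@@ -17,25 +19,25 @@` hunk still has `title: "SLE Micro 5.5"` — the same title as the 5.5 entry — although its `name` is `cpe:/o:suse:sle-microos:5.4`; the title is a context line, so the rename carried the copy-paste error over unchanged. If the title is what the generated CPE dictionary and applicability tables display, a 5.4 host will be labelled 5.5; change it to `title: "SLE Micro 5.4"`. The 5.2/5.3 entries say "SLE MicroOS" while 5.4/5.5 say "SLE Micro", which may be deliberate but deserves a one-line comment above `cpes:` so the next version bump does not "fix" it.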
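Review bot: The new `products/susemicro5/profiles/stig.profile` selects only `stig_susemicro5:all`, so the variable refinements the deleted slemicro profile carried (`var_password_pam_minlen=15`, `var_accounts_max_concurrent_login_sessions=10`, `var_sudo_timestamp_timeout=always_prompt`, `login_banner_text=dod_banners`, `var_accounts_fail_delay=4` and the rest) no longer appear anywhere in this patch, and every control entry visible in the series has `rules: []`. Unless the control file sets those values where rules are later attached, the rules will be evaluated with their defaults rather than the STIG thresholds, which is the kind of silent weakening that is hard to spot in a rename; a comment above `selections:` stating where the variable values are expected to live would make the intent explicit. Separately, the title drops the "DISA STIG for" prefix the old profile had while the description keeps it, so the two now read inconsistently.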
@@ -2,12 +2,12 @@ -SUSE Linux Enterprise Micro OS -SLE Micro -SUSE_Linux_Enterprise_Micro_OS_STIG -slemicro +SUSE Linux Enterprise Micro OS 5.x +SLE Micro OS 5 +SUSE_Linux_Enterprise_Micro_OS_5_STIG +susemicro5 - + https://www.cisecurity.org/benchmark/suse_linux/ diff --git a/products/slemicro/transforms/table-style.xslt b/products/susemicro5/transforms/table-style.xslt similarity index 100% rename from products/slemicro/transforms/table-style.xslt rename to products/susemicro5/transforms/table-style.xslt diff --git a/products/slemicro/transforms/xccdf-apply-overlay-stig.xslt b/products/susemicro5/transforms/xccdf-apply-overlay-stig.xslt similarity index 100% rename from products/slemicro/transforms/xccdf-apply-overlay-stig.xslt rename to products/susemicro5/transforms/xccdf-apply-overlay-stig.xslt diff --git a/products/slemicro/transforms/xccdf2table-cce.xslt b/products/susemicro5/transforms/xccdf2table-cce.xslt similarity index 100% rename from products/slemicro/transforms/xccdf2table-cce.xslt rename to products/susemicro5/transforms/xccdf2table-cce.xslt diff --git a/products/slemicro/transforms/xccdf2table-profileccirefs.xslt b/products/susemicro5/transforms/xccdf2table-profileccirefs.xslt similarity index 100% rename from products/slemicro/transforms/xccdf2table-profileccirefs.xslt rename to products/susemicro5/transforms/xccdf2table-profileccirefs.xslt diff --git a/shared/checks/oval/installed_OS_is_slemicro.xml b/shared/checks/oval/installed_OS_is_susemicro5.xml similarity index 55% rename from shared/checks/oval/installed_OS_is_slemicro.xml rename to shared/checks/oval/installed_OS_is_susemicro5.xml index 213694f4c2b..c3005e197fa 100644 --- a/shared/checks/oval/installed_OS_is_slemicro.xml +++ b/shared/checks/oval/installed_OS_is_susemicro5.xml @@ -1,6 +1,6 @@ + id="installed_OS_is_susemicro5" version="1"> SUSE Linux Enterprise MicroOS 
@@ -10,35 +10,39 @@ source="CPE" /> + + The operating system installed on the system is SUSE Linux Enterprise MicroOS. + test_ref="test_susemicro5_unix_family" /> - + - - - + + + - + unix - + - - - + + + - + ^5.*$ - + SUSE-MicroOS-release
diff --git a/ssg/constants.py b/ssg/constants.py
index 4f89fc14478..b54b185f459 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -58,7 +58,7 @@ 'openembedded', 'rhel8', 'rhel9', 'rhel10', 'rhv4',
- 'sle12', 'sle15', 'slemicro',
+ 'sle12', 'sle15', 'susemicro5', 'ubuntu1604', 'ubuntu1804', 'ubuntu2004', 'ubuntu2204', 'uos20', ]
@@ -224,7 +224,7 @@ "Red Hat Virtualization 4": "rhv4", "SUSE Linux Enterprise 12": "sle12", "SUSE Linux Enterprise 15": "sle15",
- "SUSE Linux Enterprise Micro OS": "slemicro",
+ "SUSE Linux Enterprise Micro OS 5.x": "susemicro5", "Ubuntu 16.04": "ubuntu1604", "Ubuntu 18.04": "ubuntu1804", "Ubuntu 20.04": "ubuntu2004",
@@ -283,7 +283,7 @@ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu", "openeuler", "opensuse", "sle", "ol", "ocp", "rhcos",
- "example", "eks", "alinux", "uos", "anolis", "openembedded", "al"]
+ "example", "eks", "alinux", "uos", "anolis", "openembedded", "al", "susemicro"] MULTI_PLATFORM_MAPPING = { "multi_platform_alinux": ["alinux2", "alinux3"],
@@ -300,7 +300,7 @@ "multi_platform_rhel": ["rhel8", "rhel9", "rhel10"], "multi_platform_rhv": ["rhv4"], "multi_platform_sle": ["sle12", "sle15"],
- "multi_platform_sle_micro": ["slemicro"],
+ "multi_platform_susemicro": ["susemicro5"], "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"], "multi_platform_uos": ["uos20"], "multi_platform_openembedded": ["openembedded"],
@@ -426,7 +426,7 @@ 'openeuler': 'openEuler', 'opensuse': 'openSUSE', 'sle': 'SUSE Linux Enterprise',
- 'slemicro': 'SUSE Linux Enterprise Micro OS',
+ 'susemicro': 'SUSE Linux Enterprise Micro OS', 'example': 'Example', 'ol': 'Oracle Linux', 'ocp': 'Red Hat OpenShift Container Platform',
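Review bot: The `-300,7` hunk renames the mapping key `multi_platform_sle_micro` to `multi_platform_susemicro`, and the `-426,7` hunk renames the family key `slemicro` to `susemicro`; any rule, remediation or template elsewhere in the tree whose `prodtype` or `platform` metadata still uses the old names would stop matching this product, and it is not clear from here whether an unknown platform name fails the build or is skipped silently, which for compliance content means checks quietly disappearing from the datastream. Please grep the tree for `multi_platform_sle_micro` and `slemicro` in the same series, or keep `"multi_platform_sle_micro": ["susemicro5"],` as a deprecated alias for one release so existing content keeps building. As a point of style, `"SUSE Linux Enterprise Micro OS 5.x": "susemicro5"` in the `-224,7` hunk is the only FULL_NAME_MAPPING key with a `5.x` suffix while the neighbouring SLE entries carry a plain major version; `"SUSE Linux Enterprise Micro OS 5"` would match them.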
From 7975614cd8148e1506ec36f3a7f374be893b7163 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Mon, 1 Jul 2024 14:37:00 +0200 Subject: [PATCH 4/8] Add manual DISA STIG for susemicro5 as reference --- ...disa-stig-susemicro5-v1r1-xccdf-manual.xml | 3511 +++++++++++++++++ 1 file changed, 3511 insertions(+) create mode 100644 shared/references/disa-stig-susemicro5-v1r1-xccdf-manual.xml diff --git a/shared/references/disa-stig-susemicro5-v1r1-xccdf-manual.xml b/shared/references/disa-stig-susemicro5-v1r1-xccdf-manual.xml new file mode 100644 index 00000000000..043e74e4d69 --- /dev/null +++ b/shared/references/disa-stig-susemicro5-v1r1-xccdf-manual.xml @@ -0,0 +1,3511 @@ +acceptedSUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 13 Jun 20243.51.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>
