From c58524117bb49aba6133041bf76ae672e1f67b27 Mon Sep 17 00:00:00 2001 From: svet-se Date: Tue, 22 Oct 2024 14:49:35 +0300 Subject: [PATCH 1/5] Add rule accounts_tmout to sle micro 5 stig profile --- controls/stig_slmicro5.yml | 6 ++++-- .../accounts_tmout/ansible/slmicro5.yml | 16 +++++++++++++++ .../accounts_tmout/bash/slmicro5.sh | 20 +++++++++++++++++++ .../accounts_tmout/oval/shared.xml | 2 +- .../accounts-session/accounts_tmout/rule.yml | 7 ++++--- shared/references/cce-slmicro5-avail.txt | 1 - 6 files changed, 45 insertions(+), 7 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/slmicro5.yml create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/slmicro5.sh diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml index 4b02a96c192..187370c1e75 100644 --- a/controls/stig_slmicro5.yml +++ b/controls/stig_slmicro5.yml @@ -948,8 +948,10 @@ controls: levels: - medium title: SLEM 5 must initiate a session lock after a 15-minute period of inactivity. - rules: [] - status: pending + rules: + - accounts_tmout + - var_accounts_tmout=15_min + status: automated - id: SLEM-05-412020 levels: diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/slmicro5.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/slmicro5.yml new file mode 100644 index 00000000000..7350f44deb3 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/slmicro5.yml 
@@ -0,0 +1,16 @@
+# platform = multi_platform_slmicro
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{ ansible_instantiate_variables("var_accounts_tmout") }}}
+
+{{{ ansible_set_config_file(file='/etc/profile.d/autologout.sh', parameter='TMOUT', separator='=', separator_regex='=', value='{{ var_accounts_tmout }}', create='yes') }}}
+{{{ ansible_set_config_file(file='/etc/profile.d/autologout.sh', parameter='readonly', separator=' ', value='TMOUT', create='yes') }}}
+{{{ ansible_set_config_file(file='/etc/profile.d/autologout.sh', parameter='export', separator=' ', value='TMOUT', create='yes') }}}
+
+- name: Set the permission for /etc/profile.d/autologout.sh
+ file:
+ path: /etc/profile.d/autologout.sh
+ mode: '0755'
+ when: lookup('ansible.builtin.file', '/etc/profile.d/autologout.sh', errors='warn')
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/slmicro5.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/slmicro5.sh
new file mode 100644
index 00000000000..19aba33e6eb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/slmicro5.sh
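Review bot: In ansible/slmicro5.yml the `when:` on the permission task calls `lookup('ansible.builtin.file', ...)`, and lookup plugins are evaluated on the control node, so the condition reads /etc/profile.d/autologout.sh from the machine running the playbook rather than from the host being hardened. With `errors='warn'` a missing controller-side file yields an empty result, so the mode is silently left unset on the target. The three `ansible_set_config_file` calls above already pass `create='yes'`, so the file should exist on the target by the time this task runs and the `when:` line can be dropped. If a guard is still wanted, register an `ansible.builtin.stat` result for the path and test `.stat.exists` instead.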
@@ -0,0 +1,20 @@
+# platform = multi_platform_slmicro
+
+{{{ bash_instantiate_variables("var_accounts_tmout") }}}
+
+if [ -f /etc/profile.d/autologout.sh ]; then
+ if grep --silent '^\s*TMOUT' /etc/profile.d/autologout.sh ; then
+ sed -i -E "s/^(\s*)TMOUT\s*=\s*(\w|\$)*(.*)$/\1TMOUT=$var_accounts_tmout\3/g" /etc/profile.d/autologout.sh
+ fi
+else
+ echo -e "\n# Set TMOUT to $var_accounts_tmout per security requirements" >> /etc/profile.d/autologout.sh
+ echo "TMOUT=$var_accounts_tmout" >> /etc/profile.d/autologout.sh
+fi
+if ! grep --silent '^\s*readonly TMOUT' /etc/profile.d/autologout.sh ; then
+ echo "readonly TMOUT" >> /etc/profile.d/autologout.sh
+fi
+
+if ! grep --silent '^\s*export TMOUT' /etc/profile.d/autologout.sh ; then
+ echo "export TMOUT" >> /etc/profile.d/autologout.sh
+fi
+chmod +x /etc/profile.d/autologout.sh
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml
index e74106fe722..d2caa3c2ce2 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/oval/shared.xml
@@ -37,7 +37,7 @@
 {{% if filepath %}}
 {{{ filepath }}}
 {{% endif %}}
- {{% if product in ['sle12', 'sle15'] or "ubuntu" in product %}}
+ {{% if product in ["sle12", "sle15", "slmicro5"] or "ubuntu" in product %}}
 ^[\s]*TMOUT=([\w$]+)[\s]*readonly TMOUT[\s]*export TMOUT$
 {{% else %}}
 ^[\s]*(?:typeset|declare)[\s]+-xr[\s]+TMOUT=([\w$]+).*$
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index 619c20f78b6..bc729ba5eb0 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
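Review bot: In bash/slmicro5.sh, when /etc/profile.d/autologout.sh already exists but contains no TMOUT line, the inner `if grep --silent '^\s*TMOUT'` has no `else`, so no `TMOUT=` assignment is written while `readonly TMOUT` and `export TMOUT` are still appended. That leaves an unset variable marked read-only: idle shells get no timeout and nothing sourced later can set one, yet the remediation finishes without error. Adding `else` followed by `echo "TMOUT=$var_accounts_tmout" >> /etc/profile.d/autologout.sh` to the inner branch closes the gap. The grep also matches any name that merely starts with TMOUT while the sed requires `TMOUT\s*=`, so tightening the grep to `'^\s*TMOUT\s*='` would keep the two in step.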
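Review bot: In oval/shared.xml, selecting the first pattern for slmicro5 makes the check require `TMOUT=`, `readonly TMOUT` and `export TMOUT` to appear back to back in that order, as far as the visible regex shows, and neither new remediation guarantees that layout on a file that already exists. The bash script rewrites `TMOUT=` in place and appends the other two statements at the end of the file, and the Ansible content sets the three lines independently, so a pre-existing autologout.sh with other content between them could presumably still fail the scan after remediation. Either have the remediations rewrite the three statements as one block, or record the constraint next to the pattern with a comment such as `<!-- the three TMOUT statements must be contiguous and in this order -->`. The surrounding XML elements are not visible in this hunk.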
@@ -8,7 +8,7 @@ description: |- all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The TMOUT - {{% if product in ["sle12", "sle15"] %}} + {{% if product in ["sle12", "sle15", "slmicro5"] %}} setting in /etc/profile.d/autologout.sh should read as follows:
TMOUT={{{ xccdf_value("var_accounts_tmout") }}}
readonly TMOUT @@ -43,6 +43,7 @@ identifiers: cce@rhel10: CCE-88163-1 cce@sle12: CCE-83011-7 cce@sle15: CCE-83269-1 + cce@slmicro5: CCE-93805-0 references: cis-csc: 1,12,15,16 @@ -72,7 +73,7 @@ ocil_clause: 'value of TMOUT is not less than or equal to expected setting' ocil: |- Run the following command to ensure the TMOUT value is configured for all users on the system: - {{% if product in ["sle12", "sle15"] %}} + {{% if product in ["sle12", "sle15", "slmicro5"] %}}
$ sudo grep TMOUT /etc/profile.d/autologout.sh
{{% elif "ubuntu" in product %}}
$ sudo grep TMOUT /etc/bash.bashrc /etc/profile /etc/profile.d/*.sh
@@ -81,7 +82,7 @@ ocil: |- {{% endif %}} The output should return the following:
TMOUT={{{ xccdf_value("var_accounts_tmout") }}}
- {{% if product in ["sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}} + {{% if product in ["sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}} readonly TMOUT export TMOUT {{% endif %}} diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt index 4bc2b69a1b9..deed11db8c6 100644 --- a/shared/references/cce-slmicro5-avail.txt +++ b/shared/references/cce-slmicro5-avail.txt @@ -13,7 +13,6 @@ CCE-93743-3 CCE-93757-3 CCE-93777-1 CCE-93783-9 -CCE-93805-0 CCE-93806-8 CCE-93807-6 CCE-93808-4 From b0e3295d0b00cc6f629c9a1fdffbbc5912d99a34 Mon Sep 17 00:00:00 2001 From: svet-se Date: Tue, 22 Oct 2024 14:57:00 +0300 Subject: [PATCH 2/5] Fix check_id: system_with_kernel to support SLE --- shared/applicability/system_with_kernel.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/shared/applicability/system_with_kernel.yml b/shared/applicability/system_with_kernel.yml index cfa666611be..d19350a6b50 100644 --- a/shared/applicability/system_with_kernel.yml +++ b/shared/applicability/system_with_kernel.yml @@ -16,8 +16,16 @@ title: Bare-metal systems, virtual machines, bootc container images, running boo # was set in past. check_id: system_with_kernel {{% if pkg_system == "rpm" %}} +{{% if "sle" in product or "slmicro" in product %}} +bash_conditional: "rpm --quiet -q kernel-default" +{{% else %}} bash_conditional: "rpm --quiet -q kernel" +{{% endif %}} {{% else %}} bash_conditional: "dpkg-query --show --showformat='${db:Status-Status}\n' 'kernel' 2>/dev/null | grep -q installed" {{% endif %}} +{{% if "sle" in product or "slmicro" in product %}} +ansible_conditional: '"kernel-default" in ansible_facts.packages' +{{% else %}} ansible_conditional: '"kernel" in ansible_facts.packages' +{{% endif %}} \ No newline at end of file From 4b30432134b6b7631b3363167998c28997e55784 Mon Sep 17 00:00:00 2001 
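Review bot: In shared/applicability/system_with_kernel.yml the SLE / SLE Micro branch treats a host as having a kernel only when the `kernel-default` package is installed, in both `bash_conditional` and `ansible_conditional`. SUSE also ships the kernel under other package names (for example `kernel-default-base`, `kernel-rt` or `kernel-azure`), and on such a host this check would presumably evaluate false, so every rule gated on system_with_kernel would be skipped as not applicable rather than evaluated. If restricting to `kernel-default` is intentional, a comment above the branch such as `# only the kernel-default flavour is recognised on SLE; hosts with another kernel package are treated as having no kernel` would make the limitation visible. Otherwise the condition should accept the other flavours as well.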
From: svet-se Date: Tue, 22 Oct 2024 14:58:17 +0300 Subject: [PATCH 3/5] Update status of SLEM-05-211015 to manual --- controls/stig_slmicro5.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml index 187370c1e75..8724a325ae9 100644 --- a/controls/stig_slmicro5.yml +++ b/controls/stig_slmicro5.yml @@ -23,8 +23,8 @@ controls: - medium title: SLEM 5 must implement an endpoint security tool. rules: [] - status: pending - + status: manual + - id: SLEM-05-211020 levels: - medium From a98ca5c0806ff04be74c07297863dc7d8971214e Mon Sep 17 00:00:00 2001 From: svet-se Date: Tue, 22 Oct 2024 14:59:01 +0300 Subject: [PATCH 4/5] Update status of SLEM-05-653060 to manual --- controls/stig_slmicro5.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml index 8724a325ae9..185497bf52b 100644 --- a/controls/stig_slmicro5.yml +++ b/controls/stig_slmicro5.yml @@ -1500,8 +1500,8 @@ controls: SLEM 5 audit tools must have the proper permissions applied to protect against unauthorized access. rules: [] - status: pending - + status: manual + - id: SLEM-05-653065 levels: - low From 412220f3b0b45fe75facc7352c3c3441ef347b2d Mon Sep 17 00:00:00 2001 From: svet-se Date: Tue, 22 Oct 2024 15:48:00 +0300 Subject: [PATCH 5/5] Fix system_with_kernel.yml ending --- shared/applicability/system_with_kernel.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/applicability/system_with_kernel.yml b/shared/applicability/system_with_kernel.yml index d19350a6b50..1ea9313ed3b 100644 --- a/shared/applicability/system_with_kernel.yml +++ b/shared/applicability/system_with_kernel.yml 
@@ -28,4 +28,4 @@ bash_conditional: "dpkg-query --show --showformat='${db:Status-Status}\n' 'kerne
 ansible_conditional: '"kernel-default" in ansible_facts.packages'
 {{% else %}}
 ansible_conditional: '"kernel" in ansible_facts.packages'
-{{% endif %}}
\ No newline at end of file
+{{% endif %}}