Merge pull request #12364 from svet-se/slmicro5-stig-add-accounts-and…

…-software-rules-support

Slmicro5 stig add accounts and software rules support

controls/stig_slmicro5.yml

@@ -1256,8 +1256,9 @@ controls:
       title:
           SLEM 5 must implement multifactor authentication for access to privileged
           accounts via pluggable authentication modules (PAM).
-      rules: []
-      status: pending
+      rules:
+          - smartcard_pam_enabled
+      status: automated
 
     - id: SLEM-05-612020
       levels:
@@ -1355,7 +1356,7 @@ controls:
           Advanced Intrusion Detection Environment (AIDE) must verify the baseline
           SLEM 5 configuration at least weekly.
       rules:
-          - aide_periodic_cron_checking
+          - aide_periodic_checking_systemd_timer
       status: automated
 
     - id: SLEM-05-651035
@@ -1365,8 +1366,9 @@ controls:
           SLEM 5 must notify the system administrator (SA) when Advanced Intrusion
           Detection Environment (AIDE) discovers anomalies in the operation of any security
           functions.
-      rules: []
-      status: pending
+      rules:
+          - aide_scan_notification
+      status: automated
 
     - id: SLEM-05-652010
       levels:
@@ -1399,8 +1401,9 @@ controls:
       levels:
           - medium
       title: The audit-audispd-plugins package must be installed on SLEM 5.
-      rules: []
-      status: pending
+      rules:
+          - package_audit-audispd-plugins_installed
+      status: automated
 
     - id: SLEM-05-653025
       levels:
@@ -1410,7 +1413,6 @@ controls:
           week of audit records when audit records are not immediately sent to a central
           audit record storage facility.
       rules:
-        - package_audit-audispd-plugins_installed
         - auditd_audispd_configure_sufficiently_large_partition
       status: automated
 

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/ansible/shared.yml

@@ -1,18 +1,14 @@
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle,multi_platform_slmicro,Ubuntu 20.04
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
 
-{{%- if 'sle' in product %}}
+{{%- if 'sle' in product or 'slmicro' in product %}}
   {{%- set pam_package = "pam_pkcs11" %}}
-{{%- else %}}
-  {{%- set pam_package = "libpam-pkcs11" %}}
-{{% endif %}}
-
-{{%- if 'sle' in product %}}
   {{%- set pam_pkcs11_control_flag = "sufficient" %}}
 {{%- else %}}
+  {{%- set pam_package = "libpam-pkcs11" %}}
   {{%- set pam_pkcs11_control_flag = "\u005Bsuccess=2 default=ignore\u005D" %}}
 {{% endif %}}
 

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Ubuntu 20.04
+# platform = multi_platform_sle,multi_platform_slmicro,Ubuntu 20.04
 {{% if 'ubuntu' in product %}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/common-auth', 'auth', '[success=2 default=ignore]', 'pam_pkcs11.so', '', '', '# here are the per-package modules') }}}
 {{% else %}}

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml

@@ -53,6 +53,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-83208-9
     cce@sle15: CCE-85556-9
+    cce@slmicro5: CCE-93800-1
 
 references:
     disa: CCI-000765,CCI-000766,CCI-000767,CCI-000768,CCI-000187,CCI-001948,CCI-001953,CCI-001954,CCI-004047

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/commented.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # packages = libpam-pkcs11
 {{% if 'ubuntu' in product %}}
 sed -i '/^auth.*pam_unix.so/i # auth [success=2 default=ignore] pam_pkcs11.so' /etc/pam.d/common-auth

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/correct.pass.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # packages = libpam-pkcs11
 
 {{% if 'ubuntu' in product %}}

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/nothing.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # packages = libpam-pkcs11
 
 echo "auth	[success=1 default=ignore]	pam_unix.so nullok" > /etc/pam.d/common-auth

linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/tests/substring.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # packages = libpam-pkcs11
 
 {{% if 'ubuntu' in product %}}

linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml

@@ -22,6 +22,7 @@ severity: medium
 identifiers:
     cce@sle12: CCE-92366-4
     cce@sle15: CCE-92516-4
+    cce@slmicro5: CCE-93721-9
 
 references:
     cis-csc: 1,11,12,13,14,15,16,2,3,5,7,8,9

linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/bash/shared.sh

@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
 
 {{{ bash_package_install("aide") }}}
 

linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/ansible/shared.yml

@@ -12,7 +12,7 @@
   with_items:
     - aide
 
-{{% if product in ["sle15"] %}}
+{{% if product in ["sle15", "slmicro5"] %}}
 - name: "{{{ rule_title }}} check service"
   ansible.builtin.blockinfile:
       create: yes

linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/bash/shared.sh

@@ -3,7 +3,7 @@
 {{{ bash_package_install("aide") }}}
 {{{ bash_instantiate_variables("var_aide_scan_notification_email") }}}
 
-{{% if product in ["sle15"] %}}
+{{% if product in ["sle15", "slmicro5"] %}}
 # create unit file for periodic aide database check
 cat > /etc/systemd/system/aidecheck.service <<CHECKEOF
 [Unit]

linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml

@@ -11,7 +11,7 @@
           test_ref="test_aide_var_cron_notification" />
         <criterion comment="notify personnel when aide completes in cron.(d|daily|weekly|monthly)"
           test_ref="test_aide_crontabs_notification" />
-{{% if product in ["sle15"] %}}
+{{% if product in ["sle15", "slmicro5"] %}}
         <criteria operator="AND">
           <criterion comment="notification started after check"
             test_ref="test_aidecheck_systemd_scan_before_notification"/>
@@ -52,7 +52,7 @@
     <ind:pattern operation="pattern match">^.*{{{ aide_bin_path }}}[\s]*\-\-check.*\|.*/bin/mail[\s]*-s[\s]*".*"[\s]*.+@.+$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
-{{% if product in ["sle15"] %}}
+{{% if product in ["sle15", "slmicro5"] %}}
   <ind:textfilecontent54_test check="all" check_existence="all_exist"
     id="test_aidecheck_systemd_scan_report" version="1"
     comment="report results of aide check, when started by systemd">
@@ -61,7 +61,7 @@
   <ind:textfilecontent54_object id="obj_aidecheck_systemd_report" version="1"
     comment="run aide check with output to a report file">
     <ind:filepath>/etc/systemd/system/aidecheck.service</ind:filepath>
-    <ind:pattern operation="pattern match">^ExecStart\=.*/usr/bin/aide[\s]*\-\-check.*\-r\s*file:\/w*.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*ExecStart\=.*/usr/bin/aide[\s]*\-\-check.*\-r\s*file:\/w*.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
   <ind:textfilecontent54_test check="all" check_existence="all_exist"
@@ -72,7 +72,7 @@
   <ind:textfilecontent54_object id="obj_aidecheck_systemd_before_notification" version="1"
     comment="run aide check before notification">
     <ind:filepath>/etc/systemd/system/aidecheck.service</ind:filepath>
-    <ind:pattern operation="pattern match">^Before\=.*aidecheck-notify.service$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*Before\=.*aidecheck-notify.service.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
   <ind:textfilecontent54_test check="all" check_existence="any_exist"
@@ -83,7 +83,7 @@
   <ind:textfilecontent54_object id="object_aidecheck_for_notification_enabled" version="1"
     comment="list of dependencies should include aidecheck.service">
     <ind:filepath>/etc/systemd/system/aidecheck.service</ind:filepath>
-    <ind:pattern operation="pattern match">^Wants\=.*aidecheck-notify.service.*$</ind:pattern>
+    <ind:pattern operation="pattern match">^.*Wants\=.*aidecheck-notify.service.*$</ind:pattern>
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
   </ind:textfilecontent54_object>
 {{% endif %}}

linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml

@@ -32,6 +32,7 @@ identifiers:
     cce@rhel10: CCE-90177-7
     cce@sle12: CCE-83048-9
     cce@sle15: CCE-91214-7
+    cce@slmicro5: CCE-93722-7
 
 references:
     cis-csc: 1,11,12,13,15,16,2,3,5,7,8,9
@@ -54,7 +55,7 @@ ocil_clause: 'AIDE has not been configured or has not been configured to notify
 
 ocil: |-
     To determine that periodic AIDE execution has been scheduled, run the following command:
-{{% if product in ["sle15"] %}}
+{{% if product in ["sle15", "slmicro5"] %}}
     <pre>$ sudo systemctl status  aidecheck-notify|grep loaded</pre>
     The output should return that the service is loaded.
     Also we should make sure that notification service is started by the check:
@@ -73,7 +74,7 @@ fixtext: |-
     The AIDE tool can be configured to email designated personnel with the use of the cron system.
 
     The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis.
-{{% if product in ["sle15"] %}}
+{{% if product in ["sle15", "slmicro5"] %}}
     $ cat > /etc/systemd/system/aidecheck-notify.service <<NOTIFYEOF
     [Unit]
         Description=Status email for AIDE check result

shared/references/cce-slmicro5-avail.txt

@@ -9,14 +9,11 @@ CCE-93709-4
 CCE-93713-6
 CCE-93711-0
 CCE-93712-8
-CCE-93721-9
-CCE-93722-7
 CCE-93726-8
 CCE-93743-3
 CCE-93757-3
 CCE-93777-1
 CCE-93783-9
-CCE-93800-1
 CCE-93801-9
 CCE-93802-7
 CCE-93803-5