forked from ComplianceAsCode/content
Commit
Enable checks and remediations for the following SLES-12 STIGs:

- SLES-12-010890 'file_permissions_var_log_messages'
- SLES-12-010910 'pam_disable_automatic_configuration'
- SLES-12-020020 'auditd_audispd_configure_sufficiently_large_partition'
- SLES-12-020100 'auditd_audispd_network_failure_action'
- SLES-12-020110 'auditd_audispd_disk_full_action'
- SLES-12-020120 'permissions_local_var_log_audit'
- SLES-12-020130 'permissions_local_audit_binaries'
- SLES-12-020199 'audit_rules_enable_syscall_auditing'
- SLES-12-020200 'audit_rules_usergroup_modification_passwd'
- SLES-12-020210 'audit_rules_usergroup_modification_group'
- SLES-12-020220 'audit_rules_usergroup_modification_shadow'
- SLES-12-020230 'audit_rules_usergroup_modification_opasswd'
- SLES-12-020250 'audit_rules_privileged_commands_su'
- SLES-12-020260 'audit_rules_privileged_commands_sudo'
- SLES-12-020290 'audit_rules_privileged_commands_mount'
- SLES-12-020300 'audit_rules_privileged_commands_umount'
- SLES-12-020370 'audit_rules_dac_modification_setxattr'
- SLES-12-020380 'audit_rules_dac_modification_fsetxattr'
- SLES-12-020390 'audit_rules_dac_modification_removexattr'
- SLES-12-020400 'audit_rules_dac_modification_lremovexattr'
- SLES-12-020410 'audit_rules_dac_modification_fremovexattr'
- SLES-12-020430 'audit_rules_dac_modification_fchown'
- SLES-12-020440 'audit_rules_dac_modification_lchown'
- SLES-12-020450 'audit_rules_dac_modification_fchownat'
- SLES-12-020460 'audit_rules_dac_modification_chown'
- SLES-12-020470 'audit_rules_dac_modification_fchmod'
- SLES-12-020480 'audit_rules_dac_modification_fchmodat'
- SLES-12-020490 'audit_rules_unsuccessful_file_modification_open'
- SLES-12-020710 'audit_rules_privileged_commands_crontab'
- SLES-12-020720 'audit_rules_privileged_commands_pam_timestamp_check'
- SLES-12-020730 'audit_rules_kernel_module_loading_delete'
- SLES-12-020740 'audit_rules_kernel_module_loading_finit'
- SLES-12-020750 'audit_rules_kernel_module_loading_init'
- SLES-12-030300 'chronyd_or_ntpd_set_maxpoll'

Corrections:

- The STIG ID for audit_rules_dac_modification_chmod was incorrect. It should've been SLES-12-020460 instead of SLES-12-020600.
- The STIG ID for sshd_do_not_permit_user_env was incorrect. It should've been SLES-12-030151 instead of SLES-12-030150.
Showing 51 changed files with 766 additions and 20 deletions.
linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/ansible/shared.yml
49 changes: 49 additions & 0 deletions
@@ -0,0 +1,49 @@ | ||
# platform = multi_platform_sle | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
|
||
{{{ ansible_instantiate_variables('var_time_service_set_maxpoll') }}} | ||
|
||
- name: Check that /etc/ntp.conf exist | ||
stat: | ||
path: /etc/ntp.conf | ||
register: ntp_conf_exist_result | ||
|
||
- name: Check that /etc/chrony.conf exist | ||
stat: | ||
path: /etc/chrony.conf | ||
register: chrony_conf_exist_result | ||
|
||
- name: Update the maxpoll values in /etc/ntp.conf | ||
lineinfile: | ||
path: /etc/ntp.conf | ||
regex: '^(server.*maxpoll) [0-9]+(\s+.*)$' | ||
line: '\1 {{ var_time_service_set_maxpoll }}\2' | ||
backrefs: yes | ||
when: ntp_conf_exist_result.stat.exists | ||
|
||
- name: Update the maxpoll values in /etc/chrony.conf | ||
lineinfile: | ||
path: /etc/chrony.conf | ||
regex: '^(server.*maxpoll) [0-9]+(\s+.*)$' | ||
line: '\1 {{ var_time_service_set_maxpoll }}\2' | ||
backrefs: yes | ||
when: chrony_conf_exist_result.stat.exists | ||
|
||
- name: Set the maxpoll values in /etc/ntp.conf | ||
lineinfile: | ||
path: /etc/ntp.conf | ||
regex: '(^server\s+((?!maxpoll).)*)$' | ||
line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n' | ||
backrefs: yes | ||
when: ntp_conf_exist_result.stat.exists | ||
|
||
- name: Set the maxpoll values in /etc/chrony.conf | ||
lineinfile: | ||
path: /etc/chrony.conf | ||
regex: '(^server\s+((?!maxpoll).)*)$' | ||
line: '\1 maxpoll {{ var_time_service_set_maxpoll }}\n' | ||
backrefs: yes | ||
when: chrony_conf_exist_result.stat.exists |
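Review bot: the regex in both "Update the maxpoll values" tasks, `'^(server.*maxpoll) [0-9]+(\s+.*)$'`, requires at least one whitespace character after the numeric value, so a `server` line that ends in e.g. `maxpoll 12` is not rewritten; and because that line already contains `maxpoll`, the "Set the maxpoll values" tasks skip it as well (`(?!maxpoll)`), leaving the old value in place. Make the trailing group optional, e.g. `regex: '^(server.*maxpoll) [0-9]+(\s.*)?$'`. The trailing `\n` in the `line:` of the two "Set" tasks is unnecessary, lineinfile supplies the line terminator itself. Finally, only `server` directives are matched; `pool` entries (and, in ntp.conf, `peer`) also accept `maxpoll` and would be left at their default poll interval, so the remediation can report success while the check still fails on such hosts.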
...guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/ansible/shared.yml
19 changes: 19 additions & 0 deletions
@@ -0,0 +1,19 @@ | ||
# platform = multi_platform_sle | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
|
||
- name: Find soft links /etc/pam.d/ | ||
find: | ||
paths: /etc/pam.d | ||
file_type: link | ||
patterns: common-.* | ||
use_regex: yes | ||
register: find_pam_soft_links_result | ||
|
||
- name: Remove soft links in /etc/pam.d/ | ||
shell: | | ||
target=$(readlink -f "{{ item.path }}") | ||
cp -p --remove-destination "$target" "{{ item.path }}" | ||
with_items: "{{ find_pam_soft_links_result.files }}" |
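Review bot: the "Remove soft links in /etc/pam.d/" task aborts the play if one of the `common-*` links is dangling: `readlink -f` still prints a path for a missing target, and `cp -p --remove-destination` then fails on the nonexistent source. Either `stat` the resolved target first and skip the item, or add a `failed_when` that tolerates that case. The `shell` task also reports `changed` on every run it executes; that is acceptable here because `find` only returns links that still need replacing, but an explicit `changed_when` (or `loop` instead of the older `with_items`) would make the intent clearer. Note also that the task name "Find soft links /etc/pam.d/" is missing "in".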
..._os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/bash/shared.sh
6 changes: 6 additions & 0 deletions
@@ -0,0 +1,6 @@ | ||
# platform = multi_platform_sle | ||
|
||
for link in $(find /etc/pam.d/ -type l -iname "common-*") ; do | ||
target=$(readlink -f "$link") | ||
cp -p --remove-destination "$target" "$link" | ||
done |
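Review bot: `for link in $(find /etc/pam.d/ -type l -iname "common-*")` word-splits the output of `find`; harmless for the current `common-*` names, but the robust idiom is `find /etc/pam.d/ -type l -name "common-*" -print0 | while IFS= read -r -d '' link; do ...; done` (or `-exec`). `-iname` matches case-insensitively, while the OVAL check only collects names matching `^common-.*$`, so check and remediation can disagree on oddly cased entries; use `-name`. Unlike the Ansible counterpart, this file carries only `# platform` and no `# reboot`, `# strategy`, `# complexity`, `# disruption` header lines.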
...os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/oval/shared.xml
29 changes: 29 additions & 0 deletions
@@ -0,0 +1,29 @@ | ||
<def-group> | ||
<definition class="compliance" id="pam_disable_automatic_configuration" version="1"> | ||
<metadata> | ||
<title>The PAM configuration should not be changed automatically</title> | ||
<affected family="unix"> | ||
<platform>multi_platform_sle</platform> | ||
</affected> | ||
<description>Verify the SUSE operating system is configured to not overwrite Pluggable | ||
Authentication Modules (PAM) configuration on package changes.</description> | ||
</metadata> | ||
<criteria> | ||
<criterion comment="/etc/pam.d/common-* are not symbolic links" test_ref="test_pam_disable_automatic_configuration" /> | ||
</criteria> | ||
</definition> | ||
|
||
<unix:file_test check="all" check_existence="all_exist" comment="/etc/pam.d/common-* are not symbolic links" id="test_pam_disable_automatic_configuration" version="1"> | ||
<unix:object object_ref="obj_pam_disable_automatic_configuration" /> | ||
<unix:state state_ref="state_pam_disable_automatic_configuration_no_symlink" /> | ||
</unix:file_test> | ||
|
||
<unix:file_object comment="/etc/pam.d/common-* files" id="obj_pam_disable_automatic_configuration" version="1"> | ||
<unix:path operation="equals">/etc/pam.d</unix:path> | ||
<unix:filename operation="pattern match">^common-.*$</unix:filename> | ||
</unix:file_object> | ||
|
||
<unix:file_state id="state_pam_disable_automatic_configuration_no_symlink" version="1"> | ||
<unix:type>regular</unix:type> | ||
</unix:file_state> | ||
</def-group> |
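Review bot: `check_existence="all_exist"` on `test_pam_disable_automatic_configuration` makes the test evaluate to false when `/etc/pam.d` contains no `common-*` entries at all, even though there is nothing for the remediation to fix in that state; `check_existence="any_exist"` together with the existing `check="all"` (every collected item must satisfy the `regular` state) expresses the intent better and still fails as soon as a single symbolic link is present. The `description` also reuses the "Verify the SUSE operating system ..." wording from rule.yml, which reads as a check procedure rather than as a description of the compliant configuration.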
linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml
37 changes: 37 additions & 0 deletions
@@ -0,0 +1,37 @@ | ||
documentation_complete: true | ||
|
||
prodtype: sle12 | ||
|
||
title: 'The PAM configuration should not be changed automatically' | ||
|
||
description: |- | ||
Verify the SUSE operating system is configured to not overwrite Pluggable | ||
Authentication Modules (PAM) configuration on package changes. | ||
rationale: |- | ||
<tt>pam-config</tt> is a command line utility that automatically generates | ||
a system PAM configuration as packages are installed, updated or removed | ||
from the system. <tt>pam-config</tt> removes configurations for PAM modules | ||
and parameters that it does not know about. It may render ineffective PAM | ||
configuration by the system administrator and thus impact system security. | ||
severity: medium | ||
|
||
identifiers: | ||
cce@sle12: CCE-83113-1 | ||
|
||
references: | ||
stigid@sle12: SLES-12-010910 | ||
disa@sle12: CCI-000366 | ||
srg@sle12: SRG-OS-000480-GPOS-00227 | ||
nist@sle12: CM-6(b),CM-6.1(iv) | ||
|
||
ocil_clause: 'that is not the case' | ||
|
||
ocil: |- | ||
Check that soft links between PAM configuration files are removed with the following command: | ||
<pre># find /etc/pam.d/ -type l -iname "common-*"</pre> | ||
If any results are returned, this is a finding. |
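Review bot: `ocil_clause: 'that is not the case'` is too vague to produce a useful OCIL question; it should name the failing condition, e.g. `ocil_clause: 'any /etc/pam.d/common-* file is a symbolic link'`. The `description` opens with "Verify the SUSE operating system is configured ...", which is STIG check wording; the description should state the required configuration itself (the `common-*` files under `/etc/pam.d` are regular files rather than symbolic links to the pam-config generated ones), and leave verification to the `ocil` section. The `ocil` text says links "are removed" while the remediation replaces them with copies; "replaced by regular files" would match what the bash and Ansible remediations actually do.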