diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml index bf0bd48403dc..c359d10a7564 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml @@ -58,7 +58,6 @@ references: stigid@ol7: OL07-00-030410 stigid@ol8: OL08-00-030490 stigid@sle12: SLES-12-020460 - stigid@sle15: SLES-15-030290 ocil_clause: 'the system is not configured to audit permission changes' diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml index d25df1bbd7d3..71b8b9cd9a78 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml @@ -58,7 +58,6 @@ references: stigid@ol7: OL07-00-030370 stigid@ol8: OL08-00-030480 stigid@sle12: SLES-12-020420 - stigid@sle15: SLES-15-030250 {{{ complete_ocil_entry_audit_syscall(syscall="chown") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml index eaac617a07c7..96b83a58a929 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml 
@@ -56,7 +56,6 @@ references: stigid@ol7: OL07-00-030410 stigid@ol8: OL08-00-030490 stigid@sle12: SLES-12-020460 - stigid@sle15: SLES-15-030290 {{{ complete_ocil_entry_audit_syscall(syscall="fchmod") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml index e947bb93ef8d..a569528ec071 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml @@ -55,7 +55,6 @@ references: stigid@ol7: OL07-00-030410 stigid@ol8: OL08-00-030490 stigid@sle12: SLES-12-020460 - stigid@sle15: SLES-15-030290 {{{ complete_ocil_entry_audit_syscall(syscall="fchmodat") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml index 5f260a163ff8..1ad364fb717a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml @@ -58,7 +58,6 @@ references: stigid@ol7: OL07-00-030370 stigid@ol8: OL08-00-030480 stigid@sle12: SLES-12-020420 - stigid@sle15: SLES-15-030250 {{{ complete_ocil_entry_audit_syscall(syscall="fchown") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml index ced1e57df1d8..1361dbe3be5d 100644 
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml @@ -55,7 +55,6 @@ references: stigid@ol7: OL07-00-030370 stigid@ol8: OL08-00-030480 stigid@sle12: SLES-12-020420 - stigid@sle15: SLES-15-030250 {{{ complete_ocil_entry_audit_syscall(syscall="fchownat") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml index 9c142b436839..93d7698e8216 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml @@ -73,7 +73,6 @@ references: stigid@ol7: OL07-00-030440 stigid@ol8: OL08-00-030200 stigid@sle12: SLES-12-020370 - stigid@sle15: SLES-15-030190 {{{ complete_ocil_entry_audit_syscall(syscall="fremovexattr") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml index 2f8460a1475f..3ca88c4b2fd1 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml @@ -67,7 +67,6 @@ references: stigid@ol7: OL07-00-030440 stigid@ol8: OL08-00-030200 stigid@sle12: SLES-12-020370 - stigid@sle15: SLES-15-030190 {{{ complete_ocil_entry_audit_syscall(syscall="fsetxattr") }}} 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml index 71228638c5b7..1205fe57cb5c 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml @@ -59,7 +59,6 @@ references: stigid@ol7: OL07-00-030370 stigid@ol8: OL08-00-030480 stigid@sle12: SLES-12-020420 - stigid@sle15: SLES-15-030250 {{{ complete_ocil_entry_audit_syscall(syscall="lchown") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml index 74af5cb4a474..d4b352cc6c1b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml @@ -72,7 +72,6 @@ references: stigid@ol7: OL07-00-030440 stigid@ol8: OL08-00-030200 stigid@sle12: SLES-12-020370 - stigid@sle15: SLES-15-030190 {{{ complete_ocil_entry_audit_syscall(syscall="lremovexattr") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml index d1c6b36cfe18..9f606707d3d1 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml 
@@ -67,7 +67,6 @@ references: stigid@ol7: OL07-00-030440 stigid@ol8: OL08-00-030200 stigid@sle12: SLES-12-020370 - stigid@sle15: SLES-15-030190 {{{ complete_ocil_entry_audit_syscall(syscall="lsetxattr") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml index f66be4ce29f9..d28bce273e24 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml @@ -71,7 +71,6 @@ references: stigid@ol7: OL07-00-030440 stigid@ol8: OL08-00-030200 stigid@sle12: SLES-12-020370 - stigid@sle15: SLES-15-030190 {{{ complete_ocil_entry_audit_syscall(syscall="removexattr") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml index 24c5c5128f12..e9b0e54f6220 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml @@ -67,7 +67,6 @@ references: stigid@ol7: OL07-00-030440 stigid@ol8: OL08-00-030200 stigid@sle12: SLES-12-020370 - stigid@sle15: SLES-15-030190 {{{ complete_ocil_entry_audit_syscall(syscall="setxattr") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/rule.yml index 5615f21a3b85..d95c0e113e52 100644 
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/rule.yml @@ -35,7 +35,6 @@ references: nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a) srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235 stigid@sle12: SLES-12-020300 - stigid@sle15: SLES-15-030360 ocil_clause: '{{{ ocil_clause_audit() }}}' diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml index 6d3821a97db7..c9721e260a56 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml @@ -40,7 +40,6 @@ references: nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a) srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235 stigid@sle12: SLES-12-020300 - stigid@sle15: SLES-15-030360 {{{ complete_ocil_entry_audit_syscall(syscall="umount2") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml index 2d545e951385..46c16dfd003f 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml 
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml @@ -30,7 +30,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255 stigid@ol8: OL08-00-030570 stigid@sle12: SLES-12-020620 - stigid@sle15: SLES-15-030440 {{{ ocil_fix_srg_privileged_command("chacl", "/usr/bin/", "perm_mod") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml index d1291a88c512..8fe1302e271b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml @@ -27,7 +27,6 @@ references: nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a) srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 stigid@sle12: SLES-12-020600 - stigid@sle15: SLES-15-030420 ocil: |- To verify that execution of the command is being audited, run the following command: diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml index 56b841cb2fcb..c9a7cd950019 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml 
@@ -29,7 +29,6 @@ references: srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235 stigid@ol8: OL08-00-030330 stigid@sle12: SLES-12-020610 - stigid@sle15: SLES-15-030430 {{{ ocil_fix_srg_privileged_command("setfacl", "/usr/bin/", "perm_mod") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml index 46c526ac68f7..9ba329f94c42 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml @@ -46,7 +46,6 @@ references: stigid@ol7: OL07-00-030580 stigid@ol8: OL08-00-030260 stigid@sle12: SLES-12-020630 - stigid@sle15: SLES-15-030450 {{{ ocil_fix_srg_privileged_command("chcon", "/usr/bin/", "perm_mod") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml index f44a5385e761..d4b221cfa8a2 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml 
@@ -27,7 +27,6 @@ references: nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a) srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215 stigid@sle12: SLES-12-020640 - stigid@sle15: SLES-15-030460 ocil: |- To verify that execution of the command is being audited, run the following command: diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml index 24bbb5c20e6a..c563651b4d4e 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -62,7 +62,6 @@ references: stigid@ol7: OL07-00-030510 stigid@ol8: OL08-00-030420 stigid@sle12: SLES-12-020490 - stigid@sle15: SLES-15-030150 ocil: |- {{{ ocil_audit_rules_unsuccessful_file_modification("creat", "access") | indent(4) }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml index 2028094a96f3..c3df4964cb97 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml 
@@ -62,7 +62,6 @@ references: stigid@ol7: OL07-00-030510 stigid@ol8: OL08-00-030420 stigid@sle12: SLES-12-020490 - stigid@sle15: SLES-15-030150 ocil: |- {{{ ocil_audit_rules_unsuccessful_file_modification("ftruncate", "access") | indent(4) }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml index fe58f9ccd263..15861002b09b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml @@ -66,7 +66,6 @@ references: stigid@ol7: OL07-00-030510 stigid@ol8: OL08-00-030420 stigid@sle12: SLES-12-020490 - stigid@sle15: SLES-15-030150 ocil: |- {{{ ocil_audit_rules_unsuccessful_file_modification("open", "access") | indent(4) }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml index 71a6883e4cd1..0f2584da7c21 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml @@ -56,7 +56,6 @@ references: stigid@ol7: OL07-00-030510 stigid@ol8: OL08-00-030420 stigid@sle12: SLES-12-020490 - stigid@sle15: SLES-15-030150 ocil: |- {{{ ocil_audit_rules_unsuccessful_file_modification("open_by_handle_at", "access") | indent(4) }}} 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml index 60f10c9d79ba..1fb647e1a7db 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml @@ -62,7 +62,6 @@ references: stigid@ol7: OL07-00-030510 stigid@ol8: OL08-00-030420 stigid@sle12: SLES-12-020490 - stigid@sle15: SLES-15-030150 ocil: |- {{{ ocil_audit_rules_unsuccessful_file_modification("openat", "access") | indent(4) }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml index a8fa3b592b4b..f6979d523457 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml @@ -53,7 +53,6 @@ references: pcidss: Req-10.2.4,Req-10.2.1 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270 stigid@sle12: SLES-12-020411 - stigid@sle15: SLES-15-030740 ocil: |- {{{ ocil_audit_rules_unsuccessful_file_modification("rename", "unsuccessful-delete") | indent(4) }}} 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml index e1aafd60d663..ed1576ab8dc9 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml @@ -59,7 +59,6 @@ references: pcidss: Req-10.2.4,Req-10.2.1 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270 stigid@sle12: SLES-12-020411 - stigid@sle15: SLES-15-030740 ocil: |- {{{ ocil_audit_rules_unsuccessful_file_modification("renameat", "unsuccessful-delete") | indent(4) }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml index 8597ce55eec9..1baaf6ce2999 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml 
@@ -5,11 +5,11 @@ title: 'Record Unsuccessful Delete Attempts to Files - renameat2' description: |- The operating system must generate audit records for all uses of the renameat2 system call. - Without generating audit records specific to the security and mission needs of the organization, it would be + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - Add or update the following lines to /etc/audit/rules.d/audit.rules to configure the operating system to generate - an audit record for all uses of the renameat2 system call: + Add or update the following lines to /etc/audit/rules.d/audit.rules to configure the operating system to generate + an audit record for all uses of the renameat2 system call:
     -a always,exit -F arch=b32 -S renameat2 -F auid>={{{ uid_min }}} -F auid!=-1 -k perm_mod
     -a always,exit -F arch=b64 -S renameat2 -F auid>={{{ uid_min }}} -F auid!=-1 -k perm_mod
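Review bot: The two sample rules that close this description hunk audit every `renameat2` call and tag it `-k perm_mod`, but the rule is titled "Record Unsuccessful Delete Attempts to Files - renameat2" and the following hunk shows its OCIL comes from `complete_ocil_entry_audit_unsuccessful_syscall(syscall="renameat2")`. Since the commit already touches these description lines for whitespace, the text could be aligned with the title by showing failure-filtered rules, for example adding `-F exit=-EACCES` and `-F exit=-EPERM` variants of each line. The key could then match the sibling rename/renameat/unlink rules, which pass `"unsuccessful-delete"` to their OCIL macro (presumably the audit key). Alternatively, retitle the rule so it says it records all uses. As written, an administrator who follows the description gets far noisier records than the title suggests, and a reviewer who trusts the title may assume a failure filter that is not there. The description block may continue past the end of this hunk and the check/remediation templates are not visible here, so confirm what they enforce before rewording.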
@@ -26,7 +26,6 @@ identifiers: references: nist@sle15: AU-12(c),AU-12.1(iv) srg: SRG-OS-000468-GPOS-00212 - stigid@sle15: SLES-15-030740 {{{ complete_ocil_entry_audit_unsuccessful_syscall(syscall="renameat2") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml index 7f24feabc8e3..4dd4e9aa01df 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml @@ -61,7 +61,6 @@ references: stigid@ol7: OL07-00-030510 stigid@ol8: OL08-00-030420 stigid@sle12: SLES-12-020490 - stigid@sle15: SLES-15-030150 ocil: |- {{{ ocil_audit_rules_unsuccessful_file_modification("truncate", "access") | indent(4) }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml index bfb9b645fd48..b8a8bde22990 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml 
@@ -65,7 +65,6 @@ references: pcidss: Req-10.2.4,Req-10.2.1 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270 stigid@sle12: SLES-12-020411 - stigid@sle15: SLES-15-030740 ocil: |- {{{ ocil_audit_rules_unsuccessful_file_modification("unlink", "unsuccessful-delete") | indent(4) }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml index 1511b5a81fe8..242daceadf10 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml @@ -62,7 +62,6 @@ references: pcidss: Req-10.2.4,Req-10.2.1 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270 stigid@sle12: SLES-12-020411 - stigid@sle15: SLES-15-030740 ocil: |- {{{ ocil_audit_rules_unsuccessful_file_modification("unlinkat", "unsuccessful-delete") | indent(4) }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml index 25f668b942e6..532b63321448 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml 
@@ -42,7 +42,6 @@ references: stigid@ol7: OL07-00-030830 stigid@ol8: OL08-00-030390 stigid@sle12: SLES-12-020730 - stigid@sle15: SLES-15-030520 {{{ complete_ocil_entry_audit_syscall(syscall="delete_module") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml index 4117218a3287..46880f6833fd 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml @@ -40,7 +40,6 @@ references: stigid@ol7: OL07-00-030820 stigid@ol8: OL08-00-030360 stigid@sle12: SLES-12-020740 - stigid@sle15: SLES-15-030530 {{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml index 2947c3fe297e..b6eefe06ed29 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml @@ -41,7 +41,6 @@ references: stigid@ol7: OL07-00-030820 stigid@ol8: OL08-00-030360 stigid@sle12: SLES-12-020740 - stigid@sle15: SLES-15-030530 {{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}} 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml index 6fb6c3cca539..2e1a28d286a8 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml @@ -42,7 +42,6 @@ references: stigid@ol7: OL07-00-030620 stigid@ol8: OL08-00-030600 stigid@sle12: SLES-12-020660 - stigid@sle15: SLES-15-030480 ocil_clause: 'the command does not return a line, or the line is commented out' diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml index b4f178c19111..07fdf2a2e701 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml @@ -39,7 +39,6 @@ references: pcidss: Req-10.2.3 srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218,SRG-APP-000503-CTR-001275 stigid@sle12: SLES-12-020650 - stigid@sle15: SLES-15-030470 ocil_clause: 'the command does not return a line, or the line is commented out' diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml index cf71821e6937..89ede770ae94 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml 
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml @@ -45,7 +45,6 @@ references: stigid@ol7: OL07-00-030660 stigid@ol8: OL08-00-030250 stigid@sle12: SLES-12-020690 - stigid@sle15: SLES-15-030120 {{{ ocil_fix_srg_privileged_command("chage") }}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chfn/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chfn/rule.yml index 7bb2ee7bf5e5..1aedae1806c3 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chfn/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chfn/rule.yml @@ -26,7 +26,6 @@ identifiers: references: nist: AU-3,AU-12(a),AU-12(c),MA-4(1)(a) stigid@sle12: SLES-12-020280 - stigid@sle15: SLES-15-030340 ocil_clause: '{{{ ocil_clause_audit() }}}' diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml index db76114e7c52..685d4fde3fa3 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml @@ -45,7 +45,6 @@ references: stigid@ol7: OL07-00-030720 stigid@ol8: OL08-00-030410 stigid@sle12: SLES-12-020580 - stigid@sle15: SLES-15-030100 {{{ ocil_fix_srg_privileged_command("chsh") }}} 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
index bed9679415a5..990a6f0a037c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-030800
 stigid@ol8: OL08-00-030400
 stigid@sle12: SLES-12-020710
- stigid@sle15: SLES-15-030130
 {{{ ocil_fix_srg_privileged_command("crontab") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
index 3e6b252e92c8..aded41a6b1ca 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
@@ -45,7 +45,6 @@ references:
 stigid@ol7: OL07-00-030650
 stigid@ol8: OL08-00-030370
 stigid@sle12: SLES-12-020560
- stigid@sle15: SLES-15-030080
 {{{ ocil_fix_srg_privileged_command("gpasswd") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
index 6b2f502687d1..a4bcb4689174 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
@@ -39,7 +39,6 @@ references:
 cis@sle15: 4.1.16
 nist: AU-12(c),AU-12.1(iv),AU-3,AU-3.1,AU-12(a),AU-12.1(ii),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
- stigid@sle15: SLES-15-030380
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index 4d321ba3a10a..78aad6361769 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -32,7 +32,6 @@ references:
 stigid@ol7: OL07-00-030840
 stigid@ol8: OL08-00-030580
 stigid@sle12: SLES-12-020360
- stigid@sle15: SLES-15-030410
 {{{ ocil_fix_srg_privileged_command("kmod") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
index 4ccc58df4968..d01767bbd54d 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
@@ -43,7 +43,6 @@ references:
 cis@sle15: 4.1.16
 nist: AU-12(a),AU-12.1(ii),AU-3,AU-3.1,AU-12(c),AU-12.1(iv),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
- stigid@sle15: SLES-15-030400
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
index 2c62fc261037..b1754b93d7df 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
@@ -45,7 +45,6 @@ references:
 stigid@ol7: OL07-00-030710
 stigid@ol8: OL08-00-030350
 stigid@sle12: SLES-12-020570
- stigid@sle15: SLES-15-030090
 {{{ ocil_fix_srg_privileged_command("newgrp") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
index 1d5bc10c572b..078aeb86a920 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
@@ -50,7 +50,6 @@ references:
 stigid@ol7: OL07-00-030810
 stigid@ol8: OL08-00-030340
 stigid@sle12: SLES-12-020720
- stigid@sle15: SLES-15-030510
 {{% if product not in ["sle12", "sle15", "slmicro5", "slmicro6"] %}}
 {{{ ocil_fix_srg_privileged_command("pam_timestamp_check", "/usr/sbin/") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passmass/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passmass/rule.yml
index 34d8c9bc20d4..183af2589520 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passmass/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passmass/rule.yml
@@ -27,7 +27,6 @@ references:
 nist@sle12: AU-3,AU-12(a),AU-12(c),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015
 stigid@sle12: SLES-12-020670
- stigid@sle15: SLES-15-030490
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
index 641ae6b92b5f..4acca3afa661 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
@@ -45,7 +45,6 @@ references:
 stigid@ol7: OL07-00-030630
 stigid@ol8: OL08-00-030290
 stigid@sle12: SLES-12-020550
- stigid@sle15: SLES-15-030070
 {{{ ocil_fix_srg_privileged_command("passwd") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
index 40f76e0fcbea..70a02c49991a 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
@@ -39,7 +39,6 @@ references:
 cis@sle15: 4.1.16
 nist@sle15: AU-12(c),AU-12.1(iv),AU-3,AU-3.1,AU-12(a),AU-12.1(ii),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
- stigid@sle15: SLES-15-030390
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
index c837ce565cfb..556889ead2a9 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
@@ -31,7 +31,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
 stigid@ol8: OL08-00-030280
 stigid@sle12: SLES-12-020310
- stigid@sle15: SLES-15-030370
 {{{ ocil_fix_srg_privileged_command("ssh-agent") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index 1272c7f12834..9dd913d31d2f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -55,7 +55,6 @@ references:
 stigid@ol7: OL07-00-030780
 stigid@ol8: OL08-00-030320
 stigid@sle12: SLES-12-020320
- stigid@sle15: SLES-15-030060
 {{{ ocil_fix_srg_privileged_command("ssh-keysign", ssh_keysign_path) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
index b06051b91eb8..23ef16dd74e4 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol7: OL07-00-030680
 stigid@ol8: OL08-00-030190
 stigid@sle12: SLES-12-020250
- stigid@sle15: SLES-15-030550
 {{{ ocil_fix_srg_privileged_command("su") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index f6ff8c742532..eb0dbd52a02e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol7: OL07-00-030690
 stigid@ol8: OL08-00-030550
 stigid@sle12: SLES-12-020260
- stigid@sle15: SLES-15-030560
 {{{ ocil_fix_srg_privileged_command("sudo") }}}
 template:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
index b759481795fa..cad432585f78 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
@@ -41,7 +41,6 @@ references:
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235,SRG-OS-000755-GPOS-00220
- stigid@sle15: SLES-15-030330
 {{{ ocil_fix_srg_privileged_command("sudoedit") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml
index 79d46e355833..daf3ab9d1524 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml
@@ -40,7 +40,6 @@ references:
 nist: AC-2(4),AU-2(d),AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(ii),AU-12.1(iv),AC-6(9),CM-6(a),MA-4(1)(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215,SRG-OS-000037-GPOS-00015
- stigid@sle15: SLES-15-030110
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
index e6232d15e0ec..7ea79357ec34 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
@@ -52,7 +52,6 @@ references:
 stigid@ol7: OL07-00-030640
 stigid@ol8: OL08-00-030317
 stigid@sle12: SLES-12-020680
- stigid@sle15: SLES-15-030110
 {{{ ocil_fix_srg_privileged_command("unix_chkpwd") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index a11911aa46bb..5e5db6abfde2 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -34,7 +34,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol8: OL08-00-030560
 stigid@sle12: SLES-12-020700
- stigid@sle15: SLES-15-030500
 {{{ ocil_fix_srg_privileged_command("usermod") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
index 73892895915f..f166c2ac0612 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
@@ -27,7 +27,6 @@ references:
 nist@sle15: CM-6(b),CM-6.1(iv)
 srg: SRG-OS-000480-GPOS-00227
 stigid@sle12: SLES-12-020199
- stigid@sle15: SLES-15-030820
 ocil_clause: 'syscall auditing is still disabled'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_etc_cron_d/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_etc_cron_d/rule.yml
index ee6310e4b4ac..a99495e5f445 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_etc_cron_d/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_etc_cron_d/rule.yml
@@ -25,7 +25,6 @@ identifiers:
 references:
 srg: SRG-OS-000471-GPOS-00215
 stigid@ol8: OL08-00-030645
- stigid@sle15: SLES-15-030015
 ocil_clause: 'the command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
index 34878e01a7eb..26d66e2637a5 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
@@ -55,7 +55,6 @@ references:
 stigid@ol7: OL07-00-030740
 stigid@ol8: OL08-00-030302
 stigid@sle12: SLES-12-020290
- stigid@sle15: SLES-15-030350
 {{{ complete_ocil_entry_audit_syscall(syscall="mount") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/rule.yml
index 0abf1d04bff6..83bfc83dfa07 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/rule.yml
@@ -27,7 +27,6 @@ references:
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 nist: AU-12(c),AU-12.1(iv)
 srg: SRG-OS-000472-GPOS-00217
- stigid@sle15: SLES-15-030780
 ocil_clause: 'Audit rule is not present'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml
index 9b6006221f70..700af289abff 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml
@@ -27,7 +27,6 @@ references:
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 nist: AU-12(c),AU-12.1(iv)
 srg: SRG-OS-000472-GPOS-00217
- stigid@sle15: SLES-15-030760
 ocil_clause: 'Audit rule is not present'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml
index 8123c1cf0486..37c025ce1f0c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml
@@ -27,7 +27,6 @@ references:
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 nist: AU-12(c),AU-12.1(iv)
 srg: SRG-OS-000472-GPOS-00217
- stigid@sle15: SLES-15-030770
 ocil_clause: 'Audit rule is not present'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
index 6c5ecb7c051b..dbb71bf09081 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
@@ -55,7 +55,6 @@ references:
 stigid@ol7: OL07-00-030360
 stigid@ol8: OL08-00-030000
 stigid@sle12: SLES-12-020240
- stigid@sle15: SLES-15-030640
 warnings:
 - general: |-
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
index afbf92bad9f3..dd5d67cccb85 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
@@ -40,7 +40,6 @@ references:
 pcidss: Req-10.2.2,Req-10.2.5.b
 srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-APP-000026-CTR-000070,SRG-APP-000027-CTR-000075,SRG-APP-000028-CTR-000080,SRG-APP-000291-CTR-000675,SRG-APP-000292-CTR-000680,SRG-APP-000293-CTR-000685,SRG-APP-000294-CTR-000690,SRG-APP-000319-CTR-000745,SRG-APP-000320-CTR-000750,SRG-APP-000509-CTR-001305
 stigid@ol7: OL07-00-030700
- stigid@sle15: SLES-15-030140
 ocil_clause: 'there is not output'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index 2cb871c443a5..e0fdb636d9d0 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-030871
 stigid@ol8: OL08-00-030170
 stigid@sle12: SLES-12-020210
- stigid@sle15: SLES-15-030010
 ocil_clause: 'the command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
index 8a516287c055..a2a90e4ef448 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
@@ -42,7 +42,6 @@ references:
 stigid@ol7: OL07-00-030872
 stigid@ol8: OL08-00-030160
 stigid@sle12: SLES-12-020590
- stigid@sle15: SLES-15-030040
 ocil_clause: 'the system is not configured to audit account changes'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index fefa3e9986db..0220ee822f6e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol7: OL07-00-030874
 stigid@ol8: OL08-00-030140
 stigid@sle12: SLES-12-020230
- stigid@sle15: SLES-15-030030
 ocil_clause: 'the command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
index 6ce2b2440e2d..fbc56cd1e9d3 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-030870
 stigid@ol8: OL08-00-030150
 stigid@sle12: SLES-12-020200
- stigid@sle15: SLES-15-030000
 ocil_clause: 'the command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index f2d70b0ad6db..c2635f61b69b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-030873
 stigid@ol8: OL08-00-030130
 stigid@sle12: SLES-12-020220
- stigid@sle15: SLES-15-030020
 ocil_clause: 'command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_var_spool_cron/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_var_spool_cron/rule.yml
index 52ea2600f43d..256de8d5e40f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_var_spool_cron/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_var_spool_cron/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 references:
 srg: SRG-OS-000363-GPOS-00150,SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201
 stigid@ol8: OL08-00-030645
- stigid@sle15: SLES-15-030015
 ocil_clause: 'command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
index 75fa45032f97..96377ee9f4fd 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
@@ -36,7 +36,6 @@ references:
 srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
 stigid@ol7: OL07-00-030300
 stigid@sle12: SLES-12-020090
- stigid@sle15: SLES-15-030690
 ocil_clause: 'audispd is not sending logs to a remote system'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml
index a1de9a5f04ec..ac6a3f8b1d46 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml
@@ -49,7 +49,6 @@ references:
 srg: SRG-OS-000341-GPOS-00132,SRG-OS-000342-GPOS-00133
 stigid@ol8: OL08-00-030660
 stigid@sle12: SLES-12-020020
- stigid@sle15: SLES-15-030660
 ocil_clause: 'audispd is not sending logs to a remote system and the local partition has inadequate space'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
index d6550b17d4dc..0450e1257133 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
@@ -32,7 +32,6 @@ references:
 srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
 stigid@ol7: OL07-00-030320
 stigid@sle12: SLES-12-020110
- stigid@sle15: SLES-15-030800
 ocil_clause: 'the system is not configured to switch to single user mode for corrective action'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
index 392f1d108eca..e58ffbc190cc 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml
@@ -36,7 +36,6 @@ references:
 srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
 stigid@ol7: OL07-00-030310
 stigid@sle12: SLES-12-020080
- stigid@sle15: SLES-15-030680
 ocil_clause: 'audispd is not encrypting audit records when sent over the network'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
index a0b72828507b..9699111745fa 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
@@ -34,7 +34,6 @@ references:
 srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
 stigid@ol7: OL07-00-030321
 stigid@sle12: SLES-12-020100
- stigid@sle15: SLES-15-030790
 ocil_clause: 'the system is not configured to switch to single user mode for corrective action'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
index 1a082a24dd21..474732a91f3e 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml
@@ -50,7 +50,6 @@ references:
 srg: SRG-OS-000047-GPOS-00023
 stigid@ol8: OL08-00-030060
 stigid@sle12: SLES-12-020060
- stigid@sle15: SLES-15-030590
 ocil_clause: there is no evidence of appropriate action
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
index 89d28223895a..0ad31052f022 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
@@ -46,7 +46,6 @@ references:
 stigid@ol7: OL07-00-030350
 stigid@ol8: OL08-00-030020
 stigid@sle12: SLES-12-020040
- stigid@sle15: SLES-15-030570
 ocil_clause: 'the value of the "action_mail_acct" keyword is not set to "{{{ xccdf_value("var_auditd_action_mail_acct") }}}" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
index b0142a0ae32f..14c366e67f49 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml
@@ -39,7 +39,6 @@ references: pcidss: Req-10.7 srg: SRG-OS-000343-GPOS-00134 stigid@sle12: SLES-12-020030 - stigid@sle15: SLES-15-030700 ocil_clause: 'the system is not configured a specific size in MB to notify administrators of an issue' diff --git a/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml b/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml index 7cce12f50fee..b2e539a90b9c 100644 --- a/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml +++ b/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml @@ -25,7 +25,6 @@ references: pcidss: Req-10.5.3 srg: SRG-OS-000342-GPOS-00133 stigid@sle12: SLES-12-020070 - stigid@sle15: SLES-15-030670 template: name: package_installed diff --git a/linux_os/guide/auditing/package_audit_installed/rule.yml b/linux_os/guide/auditing/package_audit_installed/rule.yml index 47f71637a7a2..99a5b4b50ead 100644 --- a/linux_os/guide/auditing/package_audit_installed/rule.yml +++ b/linux_os/guide/auditing/package_audit_installed/rule.yml @@ -31,7 +31,6 @@ references: srg: SRG-OS-000062-GPOS-00031,SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000475-GPOS-00220 stigid@ol8: OL08-00-030180 stigid@sle12: SLES-12-020000 - stigid@sle15: SLES-15-030650 {{{ complete_ocil_entry_package_installed("audit") }}} 
diff --git a/linux_os/guide/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/auditing/service_auditd_enabled/rule.yml index eed3adb9361c..9e2d7467b6d5 100644 --- a/linux_os/guide/auditing/service_auditd_enabled/rule.yml +++ b/linux_os/guide/auditing/service_auditd_enabled/rule.yml @@ -55,7 +55,6 @@ references: stigid@ol7: OL07-00-030000 stigid@ol8: OL08-00-030181 stigid@sle12: SLES-12-020010 - stigid@sle15: SLES-15-030050 ocil_clause: 'the auditd service is not running' diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml index 4ec2e5eb9b1d..03d292d7af66 100644 --- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml +++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml @@ -31,7 +31,7 @@ identifiers: cce@sle15: CCE-85638-5 cce@sle16: CCE-96052-6 cce@slmicro5: CCE-93773-0 - cce@slmicro6: CCE-95065-9 + cce@slmicro6: CCE-95065-9 references: cis-csc: 11,12,14,15,3,8,9 @@ -47,7 +47,6 @@ references: stigid@ol7: OL07-00-021300 stigid@ol8: OL08-00-010670 stigid@sle12: SLES-12-010840 - stigid@sle15: SLES-15-040190 ocil_clause: |- {{{ ocil_clause_service_disabled(service=kdump_service) }}} diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml index 783ab5e16d83..b317e42603e5 100644 --- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml +++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml @@ -34,7 +34,6 @@ references: stigid@ol7: OL07-00-040690 stigid@ol8: OL08-00-040360 stigid@sle12: SLES-12-030011 - stigid@sle15: SLES-15-010030 {{{ complete_ocil_entry_package_removed("vsftpd") }}} diff --git a/linux_os/guide/services/mail/package_mailx_installed/rule.yml b/linux_os/guide/services/mail/package_mailx_installed/rule.yml index b61f166bb54b..53f880436871 100644 
--- a/linux_os/guide/services/mail/package_mailx_installed/rule.yml +++ b/linux_os/guide/services/mail/package_mailx_installed/rule.yml @@ -24,7 +24,6 @@ references: stigid@ol7: OL07-00-020028 stigid@ol8: OL08-00-010358 stigid@sle12: SLES-12-010498 - stigid@sle15: SLES-15-010418 {{{ complete_ocil_entry_package_installed("mailx") }}} diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml index 721e16e03d13..dc6b5f92b1ae 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml @@ -33,7 +33,6 @@ references: nist@sle12: AU-5(a),AU-5.1(ii) srg: SRG-OS-000046-GPOS-00022 stigid@sle12: SLES-12-020050 - stigid@sle15: SLES-15-030580 ocil_clause: 'the alias is not set' diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml index c40c189335a9..969fe8297b17 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml @@ -33,7 +33,6 @@ references: stigid@ol7: OL07-00-021021 stigid@ol8: OL08-00-010630 stigid@sle12: SLES-12-010820 - stigid@sle15: SLES-15-040170 ocil_clause: 'the setting does not show' 
diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml index 38f6ec6e3b96..127a8a6bd73c 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml @@ -31,7 +31,6 @@ references: stigid@ol7: OL07-00-021020 stigid@ol8: OL08-00-010650 stigid@sle12: SLES-12-010810 - stigid@sle15: SLES-15-040160 ocil_clause: 'the setting does not show' diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml index 44ddd9bffe6c..127107dd6931 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml @@ -93,7 +93,6 @@ references: stigid@ol7: OL07-00-040500 stigid@ol8: OL08-00-030740 stigid@sle12: SLES-12-030300 - stigid@sle15: SLES-15-010400 ocil_clause: '"maxpoll" has not been set to the value of "{{{ xccdf_value("var_time_service_set_maxpoll") }}}", is commented out, or is missing' diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml index 8ce212e83bd9..0549fcb89280 100644 --- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml 
@@ -23,14 +23,13 @@ identifiers: cce@sle12: CCE-83022-4 cce@sle15: CCE-85622-9 cce@slmicro5: CCE-93741-7 - cce@slmicro6: CCE-95051-9 + cce@slmicro6: CCE-95051-9 references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040550 stigid@ol8: OL08-00-010460 stigid@sle12: SLES-12-010410 - stigid@sle15: SLES-15-040030 ocil_clause: 'shosts.equiv files exist' diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml index 4006cb47e6b3..c2086e2e7b26 100644 --- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml @@ -26,14 +26,13 @@ identifiers: cce@sle12: CCE-83021-6 cce@sle15: CCE-85621-1 cce@slmicro5: CCE-93740-9 - cce@slmicro6: CCE-95049-3 + cce@slmicro6: CCE-95049-3 references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040540 stigid@ol8: OL08-00-010470 stigid@sle12: SLES-12-010400 - stigid@sle15: SLES-15-040020 ocil_clause: '.shosts files exist' diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml index e561d5b0e872..cf53228d3f0d 100644 --- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml @@ -49,7 +49,6 @@ references: stigid@ol7: OL07-00-021710 stigid@ol8: OL08-00-040000 stigid@sle12: SLES-12-030000 - stigid@sle15: SLES-15-010180 {{{ complete_ocil_entry_package_removed("telnet-server") }}} diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml index 12abf9b815e0..91bb0fd02834 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml 
+++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml @@ -34,7 +34,7 @@ identifiers: cce@sle15: CCE-85644-3 cce@sle16: CCE-96360-3 cce@slmicro5: CCE-93751-6 - cce@slmicro6: CCE-95070-9 + cce@slmicro6: CCE-95070-9 references: cis-csc: 12,13,14,15,16,18,3,5 @@ -53,7 +53,6 @@ references: stigid@ol7: OL07-00-040420 stigid@ol8: OL08-00-010490 stigid@sle12: SLES-12-030220 - stigid@sle15: SLES-15-040250 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms=perms) }}}' diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml index 3b9cbd89a694..0655c270a5d3 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml @@ -18,7 +18,7 @@ identifiers: cce@sle15: CCE-85643-5 cce@sle16: CCE-95850-4 cce@slmicro5: CCE-93663-3 - cce@slmicro6: CCE-95069-1 + cce@slmicro6: CCE-95069-1 references: cis-csc: 12,13,14,15,16,18,3,5 @@ -37,7 +37,6 @@ references: stigid@ol7: OL07-00-040410 stigid@ol8: OL08-00-010480 stigid@sle12: SLES-12-030210 - stigid@sle15: SLES-15-040240 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}' diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml index 413c576c4c4e..d8db9865785a 100644 --- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml +++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml @@ -41,7 +41,6 @@ references: stigid@ol7: OL07-00-040310 stigid@ol8: OL08-00-040160 stigid@sle12: SLES-12-030100 - stigid@sle15: SLES-15-010530 ocil: |- {{{ ocil_service_enabled(service="sshd") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml index bf30c05996fd..608f5e6c169b 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml @@ -30,7 +30,7 @@ identifiers: cce@sle15: CCE-85667-4 cce@sle16: CCE-95818-1 cce@slmicro5: CCE-93650-0 - cce@slmicro6: CCE-95091-5 + cce@slmicro6: CCE-95091-5 references: cis-csc: 11,12,13,14,15,16,18,3,5,9 @@ -52,7 +52,6 @@ references: stigid@ol7: OL07-00-010300 stigid@ol8: OL08-00-020330 stigid@sle12: SLES-12-030150 - stigid@sle15: SLES-15-040440 {{{ complete_ocil_entry_sshd_option(default="yes", option="PermitEmptyPasswords", value="no") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml index 1ef15a5e2329..9611b90f49d6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml @@ -49,7 +49,6 @@ references: stigid@ol7: OL07-00-040370 stigid@ol8: OL08-00-010550 stigid@sle12: SLES-12-030140 - stigid@sle15: SLES-15-020040 {{{ complete_ocil_entry_sshd_option(default="no", option="PermitRootLogin", value="no") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml index d4abee5dde5a..7d5ddadb36ba 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml @@ -25,7 +25,7 @@ identifiers: cce@sle15: CCE-85642-7 cce@sle16: CCE-96499-9 cce@slmicro5: CCE-93646-8 - cce@slmicro6: CCE-95068-3 + cce@slmicro6: CCE-95068-3 references: cis-csc: 11,3,9 
@@ -41,7 +41,6 @@ references: stigid@ol7: OL07-00-040380 stigid@ol8: OL08-00-010520 stigid@sle12: SLES-12-030200 - stigid@sle15: SLES-15-040230 {{{ complete_ocil_entry_sshd_option(default="no", option="IgnoreUserKnownHosts", value="yes") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index 1d33a6010b04..96d9fc4bf522 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -32,7 +32,7 @@ identifiers: cce@sle15: CCE-85707-8 cce@sle16: CCE-96661-4 cce@slmicro5: CCE-93648-4 - cce@slmicro6: CCE-95072-5 + cce@slmicro6: CCE-95072-5 references: cis@sle12: 5.2.6 @@ -42,7 +42,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040710 stigid@ol8: OL08-00-040340 - stigid@sle15: SLES-15-040290 {{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml index b750d64addb7..2f56ad890353 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml @@ -26,7 +26,7 @@ identifiers: cce@sle15: CCE-85666-6 cce@sle16: CCE-95825-6 cce@slmicro5: CCE-93649-2 - cce@slmicro6: CCE-95090-7 + cce@slmicro6: CCE-95090-7 references: cis-csc: 11,3,9 @@ -47,7 +47,6 @@ references: stigid@ol7: OL07-00-010460 stigid@ol8: OL08-00-010830 stigid@sle12: SLES-12-030151 - stigid@sle15: SLES-15-040440 {{{ complete_ocil_entry_sshd_option(default="yes", option="PermitUserEnvironment", value="no") }}} 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml index f5c61c48fb5a..b9daf1136609 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml @@ -28,7 +28,7 @@ identifiers: cce@sle15: CCE-85645-0 cce@sle16: CCE-95844-7 cce@slmicro5: CCE-93647-6 - cce@slmicro6: CCE-95071-7 + cce@slmicro6: CCE-95071-7 references: cis-csc: 12,13,14,15,16,18,3,5 @@ -45,7 +45,6 @@ references: stigid@ol7: OL07-00-040450 stigid@ol8: OL08-00-010500 stigid@sle12: SLES-12-030230 - stigid@sle15: SLES-15-040260 {{{ complete_ocil_entry_sshd_option(default="yes", option="StrictModes", value="yes") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml index 97a343d7f47d..6edaa7cb018f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml @@ -47,7 +47,6 @@ references: stigid@ol7: OL07-00-040170 stigid@ol8: OL08-00-010040 stigid@sle12: SLES-12-030050 - stigid@sle15: SLES-15-010040 {{{ complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml index 8f73ef35dde4..b28bb1c307ee 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml @@ -25,7 +25,7 @@ identifiers: cce@sle12: CCE-83083-6 cce@sle15: CCE-85563-5 cce@slmicro5: CCE-93645-0 - cce@slmicro6: CCE-95045-1 + cce@slmicro6: CCE-95045-1 references: cis-csc: 1,12,15,16 
@@ -39,7 +39,6 @@ references: stigid@ol7: OL07-00-040360 stigid@ol8: OL08-00-020350 stigid@sle12: SLES-12-030130 - stigid@sle15: SLES-15-020120 {{{ complete_ocil_entry_sshd_option(default="yes", option="PrintLastLog", value="yes") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml index 544ce16bf731..b3129efba1b9 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml @@ -53,7 +53,6 @@ references: stigid@ol7: OL07-00-040320 stigid@ol8: OL08-00-010201 stigid@sle12: SLES-12-030190 - stigid@sle15: SLES-15-010280 requires: - sshd_set_keepalive diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml index 64c59df51a54..efb4f21ef565 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml @@ -52,7 +52,6 @@ references: srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109 stigid@ol8: OL08-00-010200 stigid@sle12: SLES-12-030191 - stigid@sle15: SLES-15-010320 requires: - sshd_set_idle_timeout diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml index 54b1c2a29e84..28615f381a19 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml @@ -48,7 +48,6 @@ references: srg: SRG-OS-000126-GPOS-00066,SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109 stigid@ol7: OL07-00-040340 stigid@sle12: SLES-12-030191 - stigid@sle15: SLES-15-010320 requires: - sshd_set_idle_timeout 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml index 43da92e7c0b8..0578a2c6e32c 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml @@ -38,7 +38,6 @@ references: pcidss: Req-2.2.4 srg: SRG-OS-000032-GPOS-00013 stigid@sle12: SLES-12-030110 - stigid@sle15: SLES-15-010150 {{{ complete_ocil_entry_sshd_option(default="no", option="LogLevel", value="VERBOSE") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml index cd40734f9337..1df6bc5c0b54 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml @@ -69,7 +69,6 @@ references: nist-csf: PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-1,PR.PT-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 stigid@sle12: SLES-12-030170 - stigid@sle15: SLES-15-010160 ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml index b4be9801bb8c..cf22ac9ea35e 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml 
@@ -42,7 +42,6 @@ identifiers: references: srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 stigid@ol7: OL07-00-040110 - stigid@sle15: SLES-15-010160 ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml index 7277f511fce2..06de73351bf6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml @@ -47,7 +47,6 @@ references: srg: SRG-OS-000250-GPOS-00093 stigid@ol7: OL07-00-040712 stigid@sle12: SLES-12-030270 - stigid@sle15: SLES-15-040450 ocil_clause: 'KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml index 3bbdfb623b90..ffd406360c26 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml @@ -60,7 +60,6 @@ references: nist-csf: PR.AC-1,PR.AC-3,PR.DS-5,PR.PT-4 srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174 stigid@sle12: SLES-12-030180 - stigid@sle15: SLES-15-010270 ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml index 0f64f3deec7b..777525e2e876 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml @@ -35,7 +35,6 @@ identifiers: references: srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174 stigid@ol7: OL07-00-040400 - stigid@sle15: SLES-15-010270 ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml index 3925f749f3cb..4da0f9102b5a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml @@ -37,7 +37,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040460 stigid@sle12: SLES-12-030240 - stigid@sle15: SLES-15-040270 + ocil_clause: 'it is commented out or is not enabled' diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml index 7d9555ff3306..8cfc3de81746 100644 --- a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml +++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml @@ -38,7 +38,6 @@ references: nist-csf: PR.AC-1,PR.AC-6,PR.AC-7 srg: SRG-OS-000383-GPOS-00166 stigid@sle12: SLES-12-010670 - stigid@sle15: SLES-15-010490 ocil_clause: 'it does not exist or is not configured properly' diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml index 8acb5361f37f..2d10b6536726 100644 --- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml +++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml 
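Review bot: The `stigid@sle15` line under `references:` in sshd_use_priv_separation/rule.yml is replaced rather than deleted: the hunk header is `-37,7 +37,7` and a `+` line with no visible content stands where the reference was, while the sibling hunks simply shrink by one line. That added line appears to be empty or whitespace-only, which would leave a doubled blank line or trailing whitespace before `ocil_clause:`; dropping it would make this hunk a plain deletion like the others. The same pattern shows in display_login_attempts/rule.yml (`-60,7 +60,7`, before `platform:`). Whitespace is collapsed in this view, so this is inferred from the line counts and should be checked against the raw patch.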
@@ -46,7 +46,6 @@ references: srg: SRG-OS-000383-GPOS-00166 stigid@ol8: OL08-00-020290 stigid@sle12: SLES-12-010680 - stigid@sle15: SLES-15-010500 ocil_clause: 'it does not exist or is not configured properly' diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml index cde6be2b7342..fab7fe742a8e 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml @@ -119,7 +119,6 @@ references: stigid@ol7: OL07-00-010050 stigid@ol8: OL08-00-010060 stigid@sle12: SLES-12-010030 - stigid@sle15: SLES-15-010020 platform: system_with_kernel diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml index 9cce04ec9ae5..fce9aa9352c1 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml @@ -54,7 +54,6 @@ identifiers: references: nist: AC-8(b) stigid@sle12: SLES-12-030020 - stigid@sle15: SLES-15-010060 ocil_clause: 'it does not display the required banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml index 8bcc7bc8f8ca..8c8d5b4a5827 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml 
@@ -51,7 +51,6 @@ references: stigid@ol7: OL07-00-010030 stigid@ol8: OL08-00-010049 stigid@sle12: SLES-12-010040 - stigid@sle15: SLES-15-010080 ocil_clause: 'it is not' diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml index 38877d7ec66e..93aa7c489403 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml @@ -55,7 +55,6 @@ references: stigid@ol7: OL07-00-010040 stigid@ol8: OL08-00-010050 stigid@sle12: SLES-12-010050 - stigid@sle15: SLES-15-010090 ocil_clause: 'it does not' diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gui_login_dod_acknowledgement/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gui_login_dod_acknowledgement/rule.yml index ca4ae3b37f54..f686afc0aeb2 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gui_login_dod_acknowledgement/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gui_login_dod_acknowledgement/rule.yml @@ -59,7 +59,6 @@ references: nist: AC-8 a,AC-8.1 (ii),AC-8 b,AC-8.1 (iii) srg: SRG-OS-000023-GPOS-00006 stigid@sle12: SLES-12-010020 - stigid@sle15: SLES-15-010050 ocil_clause: 'the GNOME environment does not display the standard mandatory DoD notice and consent banner' diff --git a/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml b/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml index af715fd37ae7..ac5060bb0a26 100644 --- a/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml 
@@ -29,7 +29,6 @@ references: stigid@ol7: OL07-00-010344 stigid@ol8: OL08-00-010385 stigid@sle12: SLES-12-010114 - stigid@sle15: SLES-15-020104 ocil_clause: |- system is configured to bypass password requirements for privilege escalation diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml index 535d7f30c19c..9721547f0512 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml @@ -60,7 +60,7 @@ references: stigid@ol7: OL07-00-040530 stigid@ol8: OL08-00-020340 stigid@sle12: SLES-12-010390 - stigid@sle15: SLES-15-020080 + platform: package[pam] and system_with_kernel diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml index 8555409a4c7b..6d4c44e265fc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml @@ -26,7 +26,6 @@ references: nist@sle12: CM-6(b),CM-6.1(iv) srg: SRG-OS-000480-GPOS-00226 stigid@sle12: SLES-12-010370 - stigid@sle15: SLES-15-040010 ocil_clause: 'the value of delay is not set properly or the line is commented or missing' diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/rule.yml index a535d2645ea6..205f54d2f633 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/rule.yml @@ -47,7 +47,6 @@ references: pcidss: Req-8.1.6 srg: SRG-OS-000021-GPOS-00005 stigid@sle12: SLES-12-010130 - stigid@sle15: SLES-15-020010 ocil_clause: 'the account option is missing or commented out' diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml index 0c2f23c62d71..6749f438f535 100644 --- a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml @@ -26,7 +26,6 @@ references: nist@sle12: CM-6(b),CM-6.1(iv) srg: SRG-OS-000480-GPOS-00227 stigid@sle12: SLES-12-010910 - stigid@sle15: SLES-15-040220 ocil_clause: 'there is output' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml index 3a3d8a90382b..9d1339074db9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml @@ -31,7 +31,6 @@ references: pcidss: Req-8.2.3 srg: SRG-OS-000071-GPOS-00039 stigid@sle12: SLES-12-010170 - stigid@sle15: SLES-15-020150 ocil_clause: 'dcredit is not found or not set to the required value' 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml index f7ce3211bbca..8979c17c24c5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml @@ -32,7 +32,6 @@ references: nist@sle15: IA-5(1).1(v),IA-5(1)(b) srg: SRG-OS-000072-GPOS-00040 stigid@sle12: SLES-12-010190 - stigid@sle15: SLES-15-020160 ocil_clause: 'difok is not found or not set to the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml index ba21d26c306c..cec08d97d8c2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml @@ -33,7 +33,6 @@ references: pcidss: Req-8.2.3 srg: SRG-OS-000070-GPOS-00038 stigid@sle12: SLES-12-010160 - stigid@sle15: SLES-15-020140 ocil_clause: 'lcredit is not found or not set to the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml index 9dcca5707ea8..df034053a731 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml @@ -30,7 +30,6 @@ references: pcidss: Req-8.2.3 srg: SRG-OS-000078-GPOS-00046 stigid@sle12: SLES-12-010250 - stigid@sle15: SLES-15-020260 ocil_clause: 'minlen is not found or not set to the required value (or higher)' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml index 06794ce968d2..f8c2b0195cb2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml @@ -32,7 +32,6 @@ references: pcidss: Req-8.2.3 srg: SRG-OS-000266-GPOS-00101 stigid@sle12: SLES-12-010180 - stigid@sle15: SLES-15-020270 ocil_clause: 'ocredit is not found or not set to the required value' diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml index f0c3ceeafffb..dfd6923ddd5f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml 
@@ -28,7 +28,6 @@ references:
 pcidss: Req-8.1.6,Req-8.1.7
 srg: SRG-OS-000480-GPOS-00225
 stigid@sle12: SLES-12-010320
- stigid@sle15: SLES-15-020290
 ocil_clause: 'retry is not found or not set to the required value (or lower)'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml
index f480c5d0113f..b757fc8f6b11 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml
@@ -33,7 +33,6 @@ references:
 pcidss: Req-8.2.3
 srg: SRG-OS-000069-GPOS-00037
 stigid@sle12: SLES-12-010150
- stigid@sle15: SLES-15-020130
 ocil_clause: 'ucredit is not found or not set to the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
index ba6db029b603..8e2b38dac3bf 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-010210
 stigid@ol8: OL08-00-010110
 stigid@sle12: SLES-12-010210
- stigid@sle15: SLES-15-010260
 ocil_clause: 'ENCRYPT_METHOD is not set to {{{ xccdf_value("var_password_hashing_algorithm") }}}'
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index 8d6623d17811..61800d37c1b6 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -66,7 +66,6 @@ references:
 stigid@ol7: OL07-00-010200
 stigid@ol8: OL08-00-010159
 stigid@sle12: SLES-12-010230
- stigid@sle15: SLES-15-020170
 ocil_clause: '"{{{ xccdf_value("var_password_hashing_algorithm_pam") }}}" is missing, or is commented out'
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml
index 6c728f535085..fea6421daef7 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml
@@ -38,7 +38,6 @@ references:
 srg: SRG-OS-000073-GPOS-00041,SRG-OS-000120-GPOS-00061
 stigid@ol8: OL08-00-010130
 stigid@sle12: SLES-12-010240
- stigid@sle15: SLES-15-020190
 ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
index 66c9bd659b04..d0c80daa536a 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
@@ -71,7 +71,6 @@ references:
 ospp: FAU_GEN.1.2
 srg: SRG-OS-000324-GPOS-00125,SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-040172
- stigid@sle15: SLES-15-040062
 ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.'
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
index bd8d28cd1e6c..d2d0e71b558d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
@@ -60,7 +60,7 @@ identifiers:
 cce@sle15: CCE-85625-2
 cce@sle16: CCE-96667-1
 cce@slmicro5: CCE-93744-1
- cce@slmicro6: CCE-95054-3
+ cce@slmicro6: CCE-95054-3
 references:
 cis-csc: 12,13,14,15,16,18,3,5
@@ -78,7 +78,6 @@ references:
 stigid@ol7: OL07-00-020230
 stigid@ol8: OL08-00-040170
 stigid@sle12: SLES-12-010610
- stigid@sle15: SLES-15-040060
 {{% if pkg_system == "dpkg" %}}
 platform: not container
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml
index 847d74aedec5..51d7c49af4c9 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml
@@ -41,7 +41,6 @@ references:
 srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
 stigid@ol8: OL08-00-020043
 stigid@sle12: SLES-12-010070
- stigid@sle15: SLES-15-010110
 {{{ complete_ocil_entry_package_installed(package) }}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
index cd2393b0c761..1b850e2167b1 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
@@ -55,7 +55,6 @@ references:
 stigid@ol7: OL07-00-041001
 stigid@ol8: OL08-00-010390
 stigid@sle12: SLES-12-030500
- stigid@sle15: SLES-15-010460
 ocil_clause: 'smartcard software is not installed'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_ca/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_ca/rule.yml
index 2d2231f7a7dc..b366b958ed9c 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_ca/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_ca/rule.yml
@@ -32,7 +32,6 @@ references:
 nist@sle12: IA-5 (2),IA-5(2)(a),IA-5 (2).1,IA-5(2)(d)
 srg: SRG-OS-000066-GPOS-00034,SRG-OS-000384-GPOS-00167
 stigid@sle12: SLES-12-030530
- stigid@sle15: SLES-15-010170
 ocil_clause: 'ca is not configured'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
index d81afeb2601d..3ddaaf4141fb 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
@@ -36,7 +36,6 @@ references:
 srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162,SRG-OS-000384-GPOS-00167
 stigid@ol7: OL07-00-041003
 stigid@sle12: SLES-12-030510
- stigid@sle15: SLES-15-010470
 ocil_clause: 'ocsp_on is not configured'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml
index 5e7b27deaa46..2e588ecac7d8 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml
@@ -61,7 +61,6 @@ references:
 nist@sle12: IA-2(1),IA-2(1).1,IA-2(2),IA-2(2).1,IA-2(3),IA-2(3).1,IA-2(4),IA-2(4).1,IA-5(2),IA-5(2).1,IA-5(2)(c),IA-2(11),IA-2(12)
 srg: SRG-OS-000068-GPOS-00036,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162
 stigid@sle12: SLES-12-030520
- stigid@sle15: SLES-15-020030
 ocil_clause: 'non-exempt accounts are not using CAC authentication'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
index 25e02f369671..178aa93473c1 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
@@ -52,7 +52,6 @@ references:
 stigid@ol7: OL07-00-010310
 stigid@ol8: OL08-00-020260
 stigid@sle12: SLES-12-010340
- stigid@sle15: SLES-15-020050
 ocil_clause: 'the value of INACTIVE is greater than the expected value or is -1'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_admin/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_admin/rule.yml
index 3a6a09dc1967..79553b52f773 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_admin/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_admin/rule.yml
@@ -47,7 +47,6 @@ references:
 nist@sle12: AC-2(2),AC-2(2).1(ii)
 srg: SRG-OS-000123-GPOS-00064
 stigid@sle12: SLES-12-010330
- stigid@sle15: SLES-15-020060
 ocil_clause: 'any emergency administrator account or account password has an expiration date set'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
index b18ceb489871..d938157ec508 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
@@ -46,7 +46,6 @@ references:
 stigid@ol7: OL07-00-010271
 stigid@ol8: OL08-00-020000,OL08-00-020270
 stigid@sle12: SLES-12-010331
- stigid@sle15: SLES-15-020061
 ocil_clause: 'any temporary accounts have no expiration date set or do not expire within 72 hours'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
index 72635c289207..ca5bdbc43213 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
@@ -27,7 +27,6 @@ references:
 srg: SRG-OS-000104-GPOS-00051,SRG-OS-000121-GPOS-00062
 stigid@ol8: OL08-00-020240
 stigid@sle12: SLES-12-010640
- stigid@sle15: SLES-15-010230
 # The rule check uses password probe, which doesn't support offline mode
 platform: system_with_kernel
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
index d5ef8e9d5908..0093273c6ee9 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
@@ -32,7 +32,7 @@ identifiers:
 cce@sle12: CCE-83195-8
 cce@sle15: CCE-85561-9
 cce@slmicro5: CCE-93731-8
- cce@slmicro6: CCE-95038-6
+ cce@slmicro6: CCE-95038-6
 references:
 nist@sle12: CM-6(b),CM-6.1(iv)
@@ -40,7 +40,6 @@ references:
 stigid@ol7: OL07-00-020270
 stigid@ol8: OL08-00-020320
 stigid@sle12: SLES-12-010630
- stigid@sle15: SLES-15-020090
 ocil_clause: 'there are unauthorized local user accounts on the system'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
index 638bb17ea5c8..fddbdb3844f1 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -49,7 +49,6 @@ references:
 stigid@ol7: OL07-00-010250
 stigid@ol8: OL08-00-020200
 stigid@sle12: SLES-12-010280
- stigid@sle15: SLES-15-020220
 ocil_clause: 'the "PASS_MAX_DAYS" parameter value is greater than "{{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}", or commented out'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
index 942c30a87863..3c7cb3be412c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
@@ -49,7 +49,6 @@ references:
 stigid@ol7: OL07-00-010230
 stigid@ol8: OL08-00-020190
 stigid@sle12: SLES-12-010260
- stigid@sle15: SLES-15-020200
 ocil_clause: 'the "PASS_MIN_DAYS" parameter value is not "{{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}" or greater, or is commented out'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
index d7d3318a2c51..e8459f0eb311 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
@@ -39,7 +39,6 @@ references:
 stigid@ol7: OL07-00-010260
 stigid@ol8: OL08-00-020210
 stigid@sle12: SLES-12-010290
- stigid@sle15: SLES-15-020230
 ocil_clause: 'any results are returned that are not associated with a system account'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
index 3967d6123bdf..6589ae29b325 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
@@ -35,7 +35,6 @@ references:
 stigid@ol7: OL07-00-010240
 stigid@ol8: OL08-00-020180
 stigid@sle12: SLES-12-010270
- stigid@sle15: SLES-15-020210
 ocil_clause: 'any results are returned that are not associated with a system account'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml
index f6d7d43f7c6d..b191a83151b7 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml
@@ -39,7 +39,6 @@ references:
 srg: SRG-OS-000073-GPOS-00041,SRG-OS-000120-GPOS-00061
 stigid@ol8: OL08-00-010120
 stigid@sle12: SLES-12-010220
- stigid@sle15: SLES-15-020180
 ocil_clause: 'any interactive user password hash does not begin with "$6"'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
index b88e482f57ca..cb75ad37779d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
@@ -54,7 +54,6 @@ references:
 stigid@ol7: OL07-00-010290
 stigid@ol8: OL08-00-020331,OL08-00-020332
 stigid@sle12: SLES-12-010231
- stigid@sle15: SLES-15-020300
 ocil_clause: 'NULL passwords can be used'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
index c6801ba6a896..dfbedd28d14e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
@@ -31,7 +31,7 @@ identifiers:
 cce@sle15: CCE-91155-2
 cce@sle16: CCE-96014-6
 cce@slmicro5: CCE-93737-5
- cce@slmicro6: CCE-95046-9
+ cce@slmicro6: CCE-95046-9
 references:
 nist: CM-6(b),CM-6.1(iv)
@@ -39,7 +39,6 @@ references:
 stigid@ol7: OL07-00-010291
 stigid@ol8: OL08-00-010121
 stigid@sle12: SLES-12-010221
- stigid@sle15: SLES-15-020181
 ocil_clause: 'Blank or NULL passwords can be used'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
index 5293b2a6695f..121128b66212 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
@@ -30,7 +30,7 @@ identifiers:
 cce@sle15: CCE-85664-1
 cce@sle16: CCE-96388-4
 cce@slmicro5: CCE-93734-2
- cce@slmicro6: CCE-95041-0
+ cce@slmicro6: CCE-95041-0
 references:
 cis-csc: 1,12,13,14,15,16,18,3,5
@@ -51,7 +51,6 @@ references:
 stigid@ol7: OL07-00-020310
 stigid@ol8: OL08-00-040200
 stigid@sle12: SLES-12-010650
- stigid@sle15: SLES-15-020100
 ocil_clause: 'any accounts other than "root" have a UID of "0"'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
index 47d8886b01a1..f16dbf64f861 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
@@ -29,7 +29,7 @@ identifiers:
 cce@sle15: CCE-85672-4
 cce@sle16: CCE-95711-8
 cce@slmicro5: CCE-93732-6
- cce@slmicro6: CCE-95039-4
+ cce@slmicro6: CCE-95039-4
 references:
 cis-csc: 1,12,13,14,15,16,18,3,5,7,8
@@ -43,7 +43,6 @@ references:
 nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6
 srg: SRG-OS-000480-GPOS-00227
 stigid@sle12: SLES-12-010631
- stigid@sle15: SLES-15-020091
 ocil_clause: 'any system account other than root has a login shell'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
index f794fe8ac0f3..06b0de56471e 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
@@ -31,7 +31,6 @@ references:
 stigid@ol7: OL07-00-020610
 stigid@ol8: OL08-00-010760
 stigid@sle12: SLES-12-010720
- stigid@sle15: SLES-15-020110
 ocil_clause: 'the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
index 771b65d58cd3..f56d49c0e422 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
@@ -40,7 +40,6 @@ references:
 stigid@ol7: OL07-00-040000
 stigid@ol8: OL08-00-020024
 stigid@sle12: SLES-12-010120
- stigid@sle15: SLES-15-020020
 ocil_clause: |-
 the "maxlogins" item is missing, commented out, or the value is set greater
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index 99464727bf99..234fa57c274c 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -64,7 +64,6 @@ references:
 srg: SRG-OS-000163-GPOS-00072,SRG-OS-000029-GPOS-00010
 stigid@ol7: OL07-00-040160
 stigid@sle12: SLES-12-010090
- stigid@sle15: SLES-15-010130
 ocil_clause: 'the TMOUT value is not configured, is set to 0, or is not less than or equal to the expected setting'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
index cc67d332fa5b..43669409233b 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
@@ -24,7 +24,7 @@ identifiers:
 cce@sle12: CCE-83099-2
 cce@sle15: CCE-85632-8
 cce@slmicro5: CCE-93790-4
- cce@slmicro6: CCE-95061-8
+ cce@slmicro6: CCE-95061-8
 references:
 cis@sle12: 6.2.8
@@ -33,7 +33,6 @@ references:
 stigid@ol7: OL07-00-020730
 stigid@ol8: OL08-00-010660
 stigid@sle12: SLES-12-010780
- stigid@sle15: SLES-15-040130
 ocil_clause: 'any local initialization files are found to reference world-writable files'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
index c2d22a1d002e..7d6b969cda02 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
@@ -28,14 +28,13 @@ identifiers:
 cce@sle12: CCE-83098-4
 cce@sle15: CCE-85631-0
 cce@slmicro5: CCE-93789-6
- cce@slmicro6: CCE-95060-0
+ cce@slmicro6: CCE-95060-0
 references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020720
 stigid@ol8: OL08-00-010690
 stigid@sle12: SLES-12-010770
- stigid@sle15: SLES-15-040120
 ocil_clause: 'any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
index 152a206f9719..7db29ab81ff6 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
@@ -25,13 +25,12 @@ identifiers:
 cce@sle12: CCE-83075-2
 cce@sle15: CCE-85627-8
 cce@slmicro5: CCE-93745-8
- cce@slmicro6: CCE-95055-0
+ cce@slmicro6: CCE-95055-0
 references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-010720
 stigid@sle12: SLES-12-010710
- stigid@sle15: SLES-15-040070
 ocil_clause: 'users home directory is not defined'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index 14fc7d40a7be..b6e9057edae9 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -25,7 +25,7 @@ identifiers:
 cce@sle12: CCE-83074-5
 cce@sle15: CCE-85628-6
 cce@slmicro5: CCE-93746-6
- cce@slmicro6: CCE-95056-8
+ cce@slmicro6: CCE-95056-8
 references:
 cis@sle12: 6.2.5
@@ -34,7 +34,6 @@ references:
 stigid@ol7: OL07-00-020620
 stigid@ol8: OL08-00-010750
 stigid@sle12: SLES-12-010730
- stigid@sle15: SLES-15-040080
 ocil_clause: 'users home directory does not exist'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 46c14a7f18e4..9fff2eddbf2a 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -28,7 +28,7 @@ identifiers:
 cce@sle12: CCE-83096-8
 cce@sle15: CCE-85711-0
 cce@slmicro5: CCE-93748-2
- cce@slmicro6: CCE-95058-4
+ cce@slmicro6: CCE-95058-4
 references:
 cis@sle12: 6.2.7
@@ -38,7 +38,6 @@ references:
 stigid@ol7: OL07-00-020650
 stigid@ol8: OL08-00-010740
 stigid@sle12: SLES-12-010750
- stigid@sle15: SLES-15-040100
 ocil_clause: 'the group ownership is incorrect'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
index aa4101b1bb1a..7698dd4e60ec 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -23,14 +23,13 @@ identifiers:
 cce@sle15: CCE-85630-2
 cce@sle16: CCE-96448-6
 cce@slmicro5: CCE-93749-0
- cce@slmicro6: CCE-95059-2
+ cce@slmicro6: CCE-95059-2
 references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-020710
 stigid@ol8: OL08-00-010770
 stigid@sle12: SLES-12-010760
- stigid@sle15: SLES-15-040110
 ocil_clause: 'they are not 0740 or more permissive'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
index 7dddff5ce8b2..811f063c65e7 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
@@ -22,7 +22,7 @@ identifiers:
 cce@sle12: CCE-83076-0
 cce@sle15: CCE-85629-4
 cce@slmicro5: CCE-93747-4
- cce@slmicro6: CCE-95057-6
+ cce@slmicro6: CCE-95057-6
 references:
 cis@sle12: 6.2.6
@@ -31,7 +31,6 @@ references:
 stigid@ol7: OL07-00-020630
 stigid@ol8: OL08-00-010730
 stigid@sle12: SLES-12-010740
- stigid@sle15: SLES-15-040090
 ocil_clause: 'they are more permissive'
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index d58c68770f4a..4ba21c40c14d 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -39,7 +39,6 @@ references:
 stigid@ol7: OL07-00-020240
 stigid@ol8: OL08-00-020351
 stigid@sle12: SLES-12-010620
- stigid@sle15: SLES-15-040420
 ocil_clause: 'the value for the "UMASK" parameter is not "{{{ xccdf_value("var_accounts_user_umask") }}}", or the "UMASK" parameter is missing or is commented out'
diff --git a/linux_os/guide/system/apparmor/apparmor_configured/rule.yml b/linux_os/guide/system/apparmor/apparmor_configured/rule.yml
index cb2776276677..e11ec847afc4 100644
--- a/linux_os/guide/system/apparmor/apparmor_configured/rule.yml
+++ b/linux_os/guide/system/apparmor/apparmor_configured/rule.yml
@@ -44,7 +44,6 @@ references:
 nist: AC-3(4),AC-6(8),AC-6(10),CM-7(5)(b),CM-7(2),SC-7(21),CM-6(a)
 srg: SRG-OS-000312-GPOS-00122,SRG-OS-000312-GPOS-00123,SRG-OS-000312-GPOS-00124,SRG-OS-000324-GPOS-00125,SRG-OS-000326-GPOS-00126,SRG-OS-000370-GPOS-00155,SRG-OS-000480-GPOS-00230,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232
 stigid@sle12: SLES-12-010600
- stigid@sle15: SLES-15-010390
 ocil_clause: 'it is not'
diff --git a/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml b/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml
index e5bbb94e024c..84d243a3084c 100644
--- a/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml
+++ b/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml
@@ -23,7 +23,6 @@ references:
 nist: AC-3(4),AC-6(8),AC-6(10),CM-7(5)(b),CM-7(2),SC-7(21),CM-6(a)
 srg: SRG-OS-000312-GPOS-00122,SRG-OS-000312-GPOS-00123,SRG-OS-000312-GPOS-00124,SRG-OS-000324-GPOS-00125,SRG-OS-000326-GPOS-00126,SRG-OS-000370-GPOS-00155,SRG-OS-000480-GPOS-00230,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232
 stigid@sle12: SLES-12-010600
- stigid@sle15: SLES-15-010390
 {{{ complete_ocil_entry_package_installed("pam_apparmor") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index c1f8cd5e485f..d1014f68475e 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -69,7 +69,6 @@ references:
 stigid@ol7: OL07-00-010482
 stigid@ol8: OL08-00-010150
 stigid@sle12: SLES-12-010430
- stigid@sle15: SLES-15-010190
 ocil_clause: 'it does not produce any output'
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 6af1a9a3cefb..e500f3aefed2 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -70,7 +70,6 @@ references:
 stigid@ol7: OL07-00-010491
 stigid@ol8: OL08-00-010140
 stigid@sle12: SLES-12-010440
- stigid@sle15: SLES-15-010200
 ocil_clause: 'no password is set'
diff --git a/linux_os/guide/system/logging/ensure_rtc_utc_configuration/rule.yml b/linux_os/guide/system/logging/ensure_rtc_utc_configuration/rule.yml
index 8b1c52aeb909..5c81f4e2dfb6 100644
--- a/linux_os/guide/system/logging/ensure_rtc_utc_configuration/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rtc_utc_configuration/rule.yml
@@ -24,7 +24,6 @@ references:
 nist@sle15: AU-8(b)
 srg: SRG-OS-000359-GPOS-00146
 stigid@sle12: SLES-12-030310
- stigid@sle15: SLES-15-010410
 ocil_clause: 'the system real-time clock is not configured to use UTC as its time base'
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 0dad6580056c..1a87564649f4 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -68,7 +68,6 @@ references:
 stigid@ol7: OL07-00-031000
 stigid@ol8: OL08-00-030690
 stigid@sle12: SLES-12-030340
- stigid@sle15: SLES-15-010580
 ocil_clause: 'no evidence that the audit logs are being off-loaded to another system or media'
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
index 64e521807275..66d8a5629ec5 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -36,7 +36,6 @@ references:
 srg: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000298-GPOS-00116,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00232
 stigid@ol7: OL07-00-040520
 stigid@ol8: OL08-00-040100
- stigid@sle15: SLES-15-010220
 {{{ complete_ocil_entry_package_installed("firewalld") }}}
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
index 2ae1eb0991d0..060e04ac813f 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
@@ -42,7 +42,6 @@ references:
 srg: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232
 stigid@ol7: OL07-00-040520
 stigid@ol8: OL08-00-040101
- stigid@sle15: SLES-15-010220
 ocil_clause: '{{{ ocil_clause_service_enabled("firewalld") }}}'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index 027e308f53db..2ff272cd0b97 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -18,7 +18,7 @@ identifiers:
 cce@sle15: CCE-85708-6
 cce@sle16: CCE-96632-5
 cce@slmicro5: CCE-93635-1
- cce@slmicro6: CCE-95079-0
+ cce@slmicro6: CCE-95079-0
 references:
 cis-csc: 11,14,3,9
@@ -34,7 +34,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-040280
 stigid@sle12: SLES-12-030363
- stigid@sle15: SLES-15-040341
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index a96d1af2a24b..75a244b9b930 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 cce@sle15: CCE-85649-2
 cce@sle16: CCE-96132-6
 cce@slmicro5: CCE-93630-2
- cce@slmicro6: CCE-95074-1
+ cce@slmicro6: CCE-95074-1
 references:
 cis-csc: 1,12,13,14,15,16,18,4,6,8,9
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-040830
 stigid@ol8: OL08-00-040240
 stigid@sle12: SLES-12-030361
- stigid@sle15: SLES-15-040310
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
index 3bd288088266..83193a6fe999 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
@@ -19,7 +19,7 @@ identifiers:
 cce@sle12: CCE-83247-7
 cce@sle15: CCE-85713-6
 cce@slmicro5: CCE-93640-1
- cce@slmicro6: CCE-95084-0
+ cce@slmicro6: CCE-95084-0
 references:
 cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
@@ -34,7 +34,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-040260
 stigid@sle12: SLES-12-030364
- stigid@sle15: SLES-15-040381
 ocil_clause: 'IP forwarding value is "1" and the system is not router'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index 8f8f0be40d5b..7e807d0f5916 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -18,7 +18,7 @@ identifiers:
 cce@sle15: CCE-85722-7
 cce@sle16: CCE-96192-0
 cce@slmicro5: CCE-93636-9
- cce@slmicro6: CCE-95080-8
+ cce@slmicro6: CCE-95080-8
 references:
 cis-csc: 11,14,3,9
@@ -37,7 +37,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-040210
 stigid@sle12: SLES-12-030401
- stigid@sle15: SLES-15-040350
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
index d85dc0121fc2..257db00d523f 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 cce@sle15: CCE-85653-4
 cce@sle16: CCE-96234-0
 cce@slmicro5: CCE-93632-8
- cce@slmicro6: CCE-95076-6
+ cce@slmicro6: CCE-95076-6
 references:
 cis-csc: 1,12,13,14,15,16,18,4,6,8,9
@@ -43,7 +43,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-040250
 stigid@sle12: SLES-12-030362
- stigid@sle15: SLES-15-040321
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
index 0325334a4d14..5320fadffcb7 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
@@ -24,7 +24,6 @@ references:
 nist: CM-6(b),CM-6.1(iv)
 srg: SRG-OS-000480-GPOS-00227
 stigid@sle12: SLES-12-030365
- stigid@sle15: SLES-15-040382
 ocil_clause: 'IPv6 Forwarding is not disabled'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
index 654a99a37f0d..efe089ffe128 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
@@ -25,7 +25,7 @@ identifiers:
 cce@sle15: CCE-85651-8
 cce@sle16: CCE-96527-7
 cce@slmicro5: CCE-93633-6
- cce@slmicro6: CCE-95077-4
+ cce@slmicro6: CCE-95077-4
 references:
 cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-040641
 stigid@ol8: OL08-00-040279
 stigid@sle12: SLES-12-030390
- stigid@sle15: SLES-15-040330
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 9bd302a891fb..7e66f2528502 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 cce@sle15: CCE-85648-4
 cce@sle16: CCE-96355-3
 cce@slmicro5: CCE-93629-4
- cce@slmicro6: CCE-95073-3
+ cce@slmicro6: CCE-95073-3
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
@@ -44,7 +44,6 @@ references:
 stigid@ol7: OL07-00-040610
 stigid@ol8: OL08-00-040239
 stigid@sle12: SLES-12-030360
- stigid@sle15: SLES-15-040300
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
index ab07f2c78520..d196735894da 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
@@ -24,7 +24,7 @@ identifiers:
 cce@sle15: CCE-85652-6
 cce@sle16: CCE-96155-7
 cce@slmicro5: CCE-93634-4
- cce@slmicro6: CCE-95078-2
+ cce@slmicro6: CCE-95078-2
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-040640
 stigid@ol8: OL08-00-040209
 stigid@sle12: SLES-12-030400
- stigid@sle15: SLES-15-040340
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index 8658fc9a8c75..30e61cd34ed5 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 cce@sle15: CCE-85650-0
 cce@sle16: CCE-96076-5
 cce@slmicro5: CCE-93631-0
- cce@slmicro6: CCE-95075-8
+ cce@slmicro6: CCE-95075-8
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
@@ -45,7 +45,6 @@ references:
 stigid@ol7: OL07-00-040620
 stigid@ol8: OL08-00-040249
 stigid@sle12: SLES-12-030370
- stigid@sle15: SLES-15-040320
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
index 762c418e453b..f18a6daf2ced 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
@@ -41,7 +41,6 @@ references:
 pcidss: Req-1.4.1
 srg: SRG-OS-000480-GPOS-00227,SRG-OS-000420-GPOS-00186,SRG-OS-000142-GPOS-00071
 stigid@sle12: SLES-12-030350
- stigid@sle15: SLES-15-010310
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.tcp_syncookies", value="1") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
index ac926343a9f9..90fc843bd69e 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
@@ -23,7 +23,7 @@ identifiers:
 cce@sle15: CCE-85655-9
 cce@sle16: CCE-95931-2
 cce@slmicro5: CCE-93638-5
- cce@slmicro6: CCE-95082-4
+ cce@slmicro6: CCE-95082-4
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
@@ -42,7 +42,6 @@ references:
 stigid@ol7: OL07-00-040660
 stigid@ol8: OL08-00-040220
 stigid@sle12: SLES-12-030420
- stigid@sle15: SLES-15-040370
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.send_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index 30280a66307a..d434006caf2c 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -23,7 +23,7 @@ identifiers:
 cce@sle15: CCE-85654-2
 cce@sle16: CCE-96422-1
 cce@slmicro5: CCE-93637-7
- cce@slmicro6: CCE-95081-6
+ cce@slmicro6: CCE-95081-6
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
@@ -42,7 +42,6 @@ references:
 stigid@ol7: OL07-00-040650
 stigid@ol8: OL08-00-040270
 stigid@sle12: SLES-12-030410
- stigid@sle15: SLES-15-040360
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.send_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index 240192691c53..b060456d2410 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -21,7 +21,7 @@ identifiers:
 cce@sle15: CCE-85709-4
 cce@sle16: CCE-95846-2
 cce@slmicro5: CCE-93639-3
- cce@slmicro6: CCE-95083-2
+ cce@slmicro6: CCE-95083-2
 references:
 cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
@@ -41,7 +41,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-040740
 stigid@sle12: SLES-12-030430
- stigid@sle15: SLES-15-040380
 ocil_clause: "the correct value is not returned"
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index ae3153889f0d..473d41c5da24 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -62,7 +62,6 @@ references:
 stigid@ol7: OL07-00-041010
 stigid@ol8: OL08-00-040110
 stigid@sle12: SLES-12-030450
- stigid@sle15: SLES-15-010380
 ocil_clause: 'a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)'
diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
index 02203bf1fc40..c248d60eeb79 100644
--- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
+++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
@@ -48,7 +48,6 @@ references:
 stigid@ol7: OL07-00-040670
 stigid@ol8: OL08-00-040330
 stigid@sle12: SLES-12-030440
- stigid@sle15: SLES-15-040390
 ocil_clause: 'any network device is in promiscuous mode'
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
index 975a75074f48..a738d1684bb3 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
@@ -50,7 +50,6 @@ references:
 srg: SRG-OS-000138-GPOS-00069
 stigid@ol8: OL08-00-010190
 stigid@sle12: SLES-12-010460
- stigid@sle15: SLES-15-010300
 ocil_clause: 'any world-writable directories are missing the sticky bit'
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
index 0baffa7ac782..190f4a659746 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
@@ -24,7 +24,7 @@ identifiers:
 cce@sle12: CCE-83104-0
 cce@sle15: CCE-85637-7
 cce@slmicro5: CCE-93795-3
- cce@slmicro6: CCE-95064-2
+ cce@slmicro6: CCE-95064-2
 references:
 cis-csc: 12,13,14,15,16,18,3,5
@@ -39,7 +39,6 @@ references:
 stigid@ol7: OL07-00-021030
 stigid@ol8: OL08-00-010710
 stigid@sle12: SLES-12-010830
- stigid@sle15: SLES-15-040180
 ocil_clause: 'there is output'
diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
index 4a300fcd8a49..aa2eea35b789 100644
--- a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
@@ -7,29 +7,29 @@ title: 'Verify that system commands directories have root as a group owner' description: |- System commands are stored in the following directories: by default: -
/bin 
-    /sbin 
-    /usr/bin 
-    /usr/sbin 
-    /usr/local/bin 
+    
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
     /usr/local/sbin
     
- All these directories should have root user as a group owner. - If any system command directory is not group owned by a user other than root + All these directories should have root user as a group owner. + If any system command directory is not group owned by a user other than root correct its ownership with the following command:
$ sudo chgrp root DIR
rationale: |- - If the operating system were to allow any user to make changes to - software libraries, then those changes might be implemented without - undergoing the appropriate testing and approvals that are part of a + If the operating system were to allow any user to make changes to + software libraries, then those changes might be implemented without + undergoing the appropriate testing and approvals that are part of a robust change management process. - + This requirement applies to operating systems with software libraries - that are accessible and configurable, as in the case of interpreted languages. - Software libraries also include privileged programs which execute with escalated - privileges. Only qualified and authorized individuals must be allowed to obtain - access to information system components for purposes of initiating changes, + that are accessible and configurable, as in the case of interpreted languages. + Software libraries also include privileged programs which execute with escalated + privileges. Only qualified and authorized individuals must be allowed to obtain + access to information system components for purposes of initiating changes, including upgrades and modifications. severity: medium @@ -46,20 +46,19 @@ identifiers: references: nist: CM-5(6),CM-5(6).1 - srg: SRG-OS-000259-GPOS-00100 + srg: SRG-OS-000259-GPOS-00100 stigid@sle12: SLES-12-010883 - stigid@sle15: SLES-15-010362 ocil_clause: 'any of these directories are not group owned by root' ocil: |- System commands are stored in the following directories: -
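Review bot: The description line this hunk rewrites, `If any system command directory is not group owned by a user other than root`, is a double negative: read literally it tells the administrator to run `chgrp` on directories that are already group-owned by root. Since the line is being touched anyway for trailing whitespace, I would reword it to `If any system command directory is group-owned by a group other than root,`. The first hunk of dir_system_commands_root_owned/rule.yml carries the same sentence (`is not owned by a user other than root`) and needs the matching fix, `is owned by a user other than root,`.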
/bin 
-    /sbin 
-    /usr/bin 
-    /usr/sbin 
-    /usr/local/bin 
+    
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
     /usr/local/sbin
For each of these directories, run the following command to find directories not owned by root: diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml index 12dc621b7fde..4f242dd6ad5f 100644 --- a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml @@ -5,29 +5,29 @@ title: 'Verify that system commands directories have root ownership' description: |- System commands are stored in the following directories by default: -
/bin 
-    /sbin 
-    /usr/bin 
-    /usr/sbin 
-    /usr/local/bin 
+    
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
     /usr/local/sbin
     
- All these directories should be owned by the root user. - If any system command directory is not owned by a user other than root + All these directories should be owned by the root user. + If any system command directory is not owned by a user other than root correct its ownership with the following command:
$ sudo chown root DIR
rationale: |- - If the operating system were to allow any user to make changes to - software libraries, then those changes might be implemented without - undergoing the appropriate testing and approvals that are part of a + If the operating system were to allow any user to make changes to + software libraries, then those changes might be implemented without + undergoing the appropriate testing and approvals that are part of a robust change management process. - + This requirement applies to operating systems with software libraries - that are accessible and configurable, as in the case of interpreted languages. - Software libraries also include privileged programs which execute with escalated - privileges. Only qualified and authorized individuals must be allowed to obtain - access to information system components for purposes of initiating changes, + that are accessible and configurable, as in the case of interpreted languages. + Software libraries also include privileged programs which execute with escalated + privileges. Only qualified and authorized individuals must be allowed to obtain + access to information system components for purposes of initiating changes, including upgrades and modifications. severity: medium @@ -46,17 +46,16 @@ references: nist: CM-5(6),CM-5(6).1 srg: SRG-OS-000259-GPOS-00100 stigid@sle12: SLES-12-010881 - stigid@sle15: SLES-15-010360 ocil_clause: 'any of these directories are not owned by root' ocil: |- System commands are stored in the following directories: -
/bin 
-    /sbin 
-    /usr/bin 
-    /usr/sbin 
-    /usr/local/bin 
+    
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
     /usr/local/sbin
For each of these directories, run the following command to find directories not owned by root: diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml index f04a923cd2c1..8124e4b90123 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml @@ -34,7 +34,7 @@ identifiers: cce@sle15: CCE-85658-3 cce@sle16: CCE-95705-0 cce@slmicro5: CCE-93799-5 - cce@slmicro6: CCE-95088-1 + cce@slmicro6: CCE-95088-1 references: cis-csc: 1,11,12,13,14,15,16,18,3,5 @@ -50,7 +50,6 @@ references: stigid@ol7: OL07-00-020330 stigid@ol8: OL08-00-010790 stigid@sle12: SLES-12-010700 - stigid@sle15: SLES-15-040410 ocil_clause: 'there is output' diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml index bae321639396..9bcd740e26c5 100644 --- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml @@ -31,7 +31,7 @@ identifiers: cce@sle15: CCE-85657-5 cce@sle16: CCE-95710-0 cce@slmicro5: CCE-93798-7 - cce@slmicro6: CCE-95087-3 + cce@slmicro6: CCE-95087-3 references: cis-csc: 11,12,13,14,15,16,18,3,5,9 @@ -47,7 +47,6 @@ references: stigid@ol7: OL07-00-020320 stigid@ol8: OL08-00-010780 stigid@sle12: SLES-12-010690 - stigid@sle15: SLES-15-040400 # The rule check uses password probe, which doesn't support offline mode platform: system_with_kernel diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml index 192383d53e40..daae0440207a 100644 --- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml 
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
@@ -38,7 +38,6 @@ references:
 nist: SI-11(a),SI-11(b),SI-11.1(iii)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000205-GPOS-00083
- stigid@sle15: SLES-15-010340
 ocil_clause: 'not all log files have permission 640 or stricter'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
index e1780a7da884..a8b3b56d187e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
@@ -45,7 +45,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010351
 stigid@sle12: SLES-12-010876
- stigid@sle15: SLES-15-010356
 ocil_clause: any system-wide shared library directory is returned and is not group-owned by a required system account
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
index 83037dba7333..8679ea58a561 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
@@ -44,7 +44,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010341
 stigid@sle12: SLES-12-010874
- stigid@sle15: SLES-15-010354
 ocil_clause: any system-wide shared library directory is not owned by root
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
index 2236a9f16be3..4821a4f8c58d 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
@@ -51,7 +51,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010331
 stigid@sle12: SLES-12-010872
- stigid@sle15: SLES-15-010352
 ocil_clause: 'any of these files are group-writable or world-writable'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
index 950ff7cc9d11..33ee24fb56c6 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
@@ -51,7 +51,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010320
 stigid@sle12: SLES-12-010882
- stigid@sle15: SLES-15-010361
 ocil_clause: 'any system commands are returned and is not group-owned by a required system account'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
index fade0c0a085e..8635ed911c34 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
@@ -46,7 +46,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010310
 stigid@sle12: SLES-12-010879
- stigid@sle15: SLES-15-010359
 ocil_clause: 'any system commands are found to not be owned by root'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
index 609309761ae5..074c54158a8b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -50,7 +50,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010340
 stigid@sle12: SLES-12-010873
- stigid@sle15: SLES-15-010353
 ocil_clause: 'any system wide shared library file is not owned by root'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
index 5cd917fc6c08..548b22059e11 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
@@ -46,7 +46,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010300
 stigid@sle12: SLES-12-010878
- stigid@sle15: SLES-15-010358
 ocil_clause: any system commands are found to be group-writable or world-writable
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index 3361cf819a9f..82a6c1fd55ca 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -50,7 +50,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010330
 stigid@sle12: SLES-12-010871
- stigid@sle15: SLES-15-010351
 ocil_clause: any system-wide shared library file is found to be group-writable or world-writable
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_system_commands_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_system_commands_dirs/rule.yml
index d404048840be..67499085dc0c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_system_commands_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_system_commands_dirs/rule.yml
@@ -32,7 +32,6 @@ references:
 nist: CM-5(6),CM-5(6).1
 srg: SRG-OS-000259-GPOS-00100
 stigid@sle12: SLES-12-010877
- stigid@sle15: SLES-15-010357
 ocil_clause: 'any system commands are found to be group or world writable'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
index 91ea1c5933f6..3dd6e903985e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
@@ -44,7 +44,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010350
 stigid@sle12: SLES-12-010875
- stigid@sle15: SLES-15-010355
 ocil_clause: any system wide shared library file is returned and is not group-owned by root
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index 082a67cf3ed5..4bdc36e8a7b9 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol7: OL07-00-020100
 stigid@ol8: OL08-00-040080
 stigid@sle12: SLES-12-010580
- stigid@sle15: SLES-15-010480
 {{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
index 6a7de2130bde..6280ab63b03d 100644
--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
@@ -49,7 +49,6 @@ references:
 stigid@ol7: OL07-00-020110
 stigid@ol8: OL08-00-040070
 stigid@sle12: SLES-12-010590
- stigid@sle15: SLES-15-010240
 ocil_clause: |-
 {{{ ocil_clause_service_disabled(service="autofs") }}}
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
index ccb05ba12ef7..bfc934af81b1 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -38,7 +38,6 @@ references: stigid@ol7: OL07-00-021000 stigid@ol8: OL08-00-010570 stigid@sle12: SLES-12-010790 - stigid@sle15: SLES-15-040140 {{{ complete_ocil_entry_mount_option("/home", "nosuid") }}} diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml index 3ca9021f3182..9172941470f8 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml @@ -26,7 +26,7 @@ identifiers: cce@sle12: CCE-83101-6 cce@sle15: CCE-85634-4 cce@slmicro5: CCE-93792-0 - cce@slmicro6: CCE-95063-4 + cce@slmicro6: CCE-95063-4 references: cis-csc: 11,12,13,14,15,16,18,3,5,8,9 @@ -43,7 +43,6 @@ references: stigid@ol7: OL07-00-021010 stigid@ol8: OL08-00-010620 stigid@sle12: SLES-12-010800 - stigid@sle15: SLES-15-040150 ocil_clause: 'file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set' diff --git a/linux_os/guide/system/permissions/permissions_local/file_permissions_local_var_log_messages/rule.yml b/linux_os/guide/system/permissions/permissions_local/file_permissions_local_var_log_messages/rule.yml index 65494238b9d5..45d10c721109 100644 --- a/linux_os/guide/system/permissions/permissions_local/file_permissions_local_var_log_messages/rule.yml +++ b/linux_os/guide/system/permissions/permissions_local/file_permissions_local_var_log_messages/rule.yml @@ -34,7 +34,6 @@ references: nist@sle12: SI-11(c) srg: SRG-OS-000206-GPOS-00084 stigid@sle12: SLES-12-010890 - stigid@sle15: SLES-15-010350 ocil_clause: 'Make sure /var/log/messages is not world-readable' 
diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml index 4adf4c7a838d..9f7fd99c59f0 100644 --- a/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml +++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml @@ -48,7 +48,6 @@ references: nist@sle12: AU-9 srg: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099 stigid@sle12: SLES-12-020130 - stigid@sle15: SLES-15-030620 ocil: |- Check that permissions.local file contains the correct permissions diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml index 4dfe55312fbe..0684547c060f 100644 --- a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml +++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml @@ -45,7 +45,6 @@ references: nist: AU-9 srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029 stigid@sle12: SLES-12-020120 - stigid@sle15: SLES-15-030600 ocil: |- {{% if product in slmicro %}} diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml index 1f235a2e6506..03d0b130d556 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml 
@@ -31,7 +31,6 @@ references: srg: SRG-OS-000132-GPOS-00067,SRG-OS-000433-GPOS-00192,SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-040283 stigid@sle12: SLES-12-030320 - stigid@sle15: SLES-15-010540 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml index 74ee0861e9a2..b9d14f920126 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml @@ -37,7 +37,6 @@ references: stigid@ol7: OL07-00-040201 stigid@ol8: OL08-00-010430 stigid@sle12: SLES-12-030330 - stigid@sle15: SLES-15-010550 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.randomize_va_space", value="2") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml index 98e18049e172..04645fe52e46 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml @@ -31,7 +31,6 @@ references: stigid@ol7: OL07-00-010375 stigid@ol8: OL08-00-010375 stigid@sle12: SLES-12-010375 - stigid@sle15: SLES-15-010375 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml index 7d0c8aa188f6..f96fc012c368 100644 --- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml 
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml @@ -87,7 +87,6 @@ references: srg: SRG-OS-000405-GPOS-00184,SRG-OS-000185-GPOS-00079,SRG-OS-000404-GPOS-00183 stigid@ol8: OL08-00-010030 stigid@sle12: SLES-12-010450 - stigid@sle15: SLES-15-010330 ocil_clause: 'partitions do not have a type of crypto_LUKS' @@ -112,9 +111,9 @@ fixtext: |- To encrypt an entire partition, dedicate a partition for encryption in the partition layout. {{% if "slmicro" in product %}} - The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted + The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted partition by default. Add it manually in the partitioning dialog. - + The following set of commands will switch {{{ full_name }}} to work in FIPS mode:
$ sudo transactional-update pkg install -t pattern microos-fips
$ sudo reboot
@@ -144,19 +143,19 @@ checktext: |- /dev/sda2: "UUID=f5b8a790-14cb-4b82-882d-707d52f27765" TYPE="crypto_LUKS" /dev/sda3: "UUID=f2d86128-f975-478d-a5b0-25806c900eac" TYPE="crypto_LUKS" - Every persistent disk partition present must be of type "crypto_LUKS". - If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) - are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. + Every persistent disk partition present must be of type "crypto_LUKS". + If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) + are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.
$ sudo more /etc/cryptab


- Output will be similar to: + Output will be similar to: cr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64 cr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765 - cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac - - Every persistent disk partition present on the system must have an entry in the /etc/crypttab file. + cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac + + Every persistent disk partition present on the system must have an entry in the /etc/crypttab file. If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding. Verify the system works in FIPS mode with the following command: diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml index 9ea58be5c905..a139de0753ed 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml @@ -25,7 +25,7 @@ identifiers: cce@sle15: CCE-85639-3 cce@sle16: CCE-95729-0 cce@slmicro5: CCE-93796-1 - cce@slmicro6: CCE-95066-7 + cce@slmicro6: CCE-95066-7 references: cis-csc: 12,15,8 @@ -40,7 +40,6 @@ references: stigid@ol7: OL07-00-021310 stigid@ol8: OL08-00-010800 stigid@sle12: SLES-12-010850 - stigid@sle15: SLES-15-040200 {{{ complete_ocil_entry_separate_partition(part="/home") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml index 0c9ca10087f2..4083b6c8060a 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml 
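Review bot: In the `checktext` of encrypt_partitions/rule.yml (hunk `@@ -144,19 +143,19 @@`), the command given to the assessor is `$ sudo more /etc/cryptab`, but the sentences after it require entries in `/etc/crypttab`. The hunk only strips trailing whitespace around that line and keeps the misspelled path. An assessor who copies the command gets a file-not-found error instead of the mapping list, which is easy to misread as the '"/etc/crypttab" does not exist' finding condition. Change the line to `$ sudo more /etc/crypttab`. The `checktext` block starts before this hunk and continues past it.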
@@ -24,7 +24,7 @@ identifiers: cce@sle15: CCE-85640-1 cce@sle16: CCE-95761-3 cce@slmicro5: CCE-93797-9 - cce@slmicro6: CCE-95067-5 + cce@slmicro6: CCE-95067-5 references: cis-csc: 12,15,8 @@ -39,7 +39,6 @@ references: stigid@ol7: OL07-00-021320 stigid@ol8: OL08-00-010540 stigid@sle12: SLES-12-010860 - stigid@sle15: SLES-15-040210 {{{ complete_ocil_entry_separate_partition(part="/var") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml index bf3efecdf5c4..96f7a75e22f5 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml @@ -26,7 +26,7 @@ identifiers: cce@sle15: CCE-85618-7 cce@sle16: CCE-96283-7 cce@slmicro5: CCE-93787-0 - cce@slmicro6: CCE-95048-5 + cce@slmicro6: CCE-95048-5 references: cis-csc: 1,12,13,14,15,16,2,3,5,6,8 @@ -45,7 +45,6 @@ references: stigid@ol7: OL07-00-021330 stigid@ol8: OL08-00-010542 stigid@sle12: SLES-12-010870 - stigid@sle15: SLES-15-030810 {{{ complete_ocil_entry_separate_partition(part="/var/log/audit") }}} diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml index 1e4ea5eeff96..f04ec5d4a586 100644 --- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml +++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml @@ -34,7 +34,6 @@ references: pcidss: Req-6.2 srg: SRG-OS-000480-GPOS-00227 stigid@sle12: SLES-12-010040 - stigid@sle15: SLES-15-010090 ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles' diff --git a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml index a6e661bccf2d..db9198b5c2c7 100644 
--- a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml +++ b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml @@ -51,7 +51,6 @@ references: cis@sle12: '1.10' cis@sle15: '1.10' stigid@sle12: SLES-12-010611 - stigid@sle15: SLES-15-040061 ocil_clause: 'DConf User profile does not exist or is not configured correctly' diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml index bab08ccef959..d00237db83d4 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml @@ -29,7 +29,6 @@ references: nist: CM-6(b),CM-6.1(iv) srg: SRG-OS-000480-GPOS-00229 stigid@sle12: SLES-12-010380 - stigid@sle15: SLES-15-040430 ocil_clause: 'GDM allows users to automatically login or unattended login' diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml index 6689d0bd7a5a..43409171aa20 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml @@ -47,7 +47,6 @@ references: stigid@ol7: OL07-00-010070 stigid@ol8: OL08-00-020060 stigid@sle12: SLES-12-010080 - stigid@sle15: SLES-15-010120 ocil_clause: 'idle-delay is set to 0 or a value greater than {{{ xccdf_value("inactivity_timeout_value") }}}' 
diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml index 52cd9f02e1d1..32be53c6324c 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml @@ -54,7 +54,6 @@ references: stigid@ol7: OL07-00-010060 stigid@ol8: OL08-00-020030,OL08-00-020082 stigid@sle12: SLES-12-010060 - stigid@sle15: SLES-15-010100 ocil_clause: 'screensaver locking is not enabled and/or has not been set or configured correctly' diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml index d333b030f189..cfdfde610685 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml @@ -66,7 +66,6 @@ references: pcidss: Req-8.1.8 srg: SRG-OS-000031-GPOS-00012 stigid@sle12: SLES-12-010100 - stigid@sle15: SLES-15-010140 ocil_clause: 'it is not set or configured properly' diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml index 8660efc708bf..d431bf75be20 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml 
@@ -42,7 +42,6 @@ references: stigid@ol7: OL07-00-010082 stigid@ol8: OL08-00-020081 stigid@sle12: SLES-12-010080 - stigid@sle15: SLES-15-010120 ocil_clause: 'idle-delay is not locked' diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml index 35e234c7d031..1a86b3a7a036 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml @@ -53,7 +53,6 @@ references: stigid@ol7: OL07-00-020250 stigid@ol8: OL08-00-010000 stigid@sle12: SLES-12-010000 - stigid@sle15: SLES-15-010000 ocil_clause: 'the installed operating system is not supported' diff --git a/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml index bc62444573da..8a57c3bfcb6a 100644 --- a/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml @@ -26,7 +26,6 @@ references: nist: SC-12(2),SC-12(3),SC-13 srg: SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223 stigid@sle12: SLES-12-010420 - stigid@sle15: SLES-15-010510 ocil_clause: the command 'cat /proc/sys/crypto/fips_enabled' returns nothing or '0' or the file does not exist diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml index cdf4ae2f1477..0bed1fdd1d2d 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml 
@@ -72,7 +72,6 @@ references: stigid@ol7: OL07-00-020029 stigid@ol8: OL08-00-010359 stigid@sle12: SLES-12-010499 - stigid@sle15: SLES-15-010419 ocil_clause: 'there is no database file' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml index 71f2c91aad5e..6b88ab8de378 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml @@ -43,7 +43,6 @@ references: srg: SRG-OS-000278-GPOS-00108 stigid@ol8: OL08-00-030650 stigid@sle12: SLES-12-010540 - stigid@sle15: SLES-15-030630 ocil_clause: 'integrity checks of the audit tools are missing or incomplete' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml index c8bbd12a0744..96146c62a683 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml @@ -39,7 +39,6 @@ references: pcidss: Req-11.5 srg: SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201 stigid@ol7: OL07-00-020030 - stigid@sle15: SLES-15-010570 platform: package[aide] and package[systemd] diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml index 6d56cfe2f76b..73916c24a211 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml 
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml @@ -58,7 +58,6 @@ references: srg: SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201 stigid@ol7: OL07-00-020030 stigid@sle12: SLES-12-010500 - stigid@sle15: SLES-15-010420 ocil_clause: 'AIDE is not configured to scan periodically' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml index 1b959ae04a4a..5788f259eac1 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml @@ -49,7 +49,6 @@ references: stigid@ol7: OL07-00-020040 stigid@ol8: OL08-00-010360 stigid@sle12: SLES-12-010510 - stigid@sle15: SLES-15-010570 ocil_clause: 'AIDE has not been configured or has not been configured to notify personnel of scan details' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml index 6563fe6a637b..b3733db43bac 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml @@ -19,7 +19,7 @@ description: |- The remediation provided with this rule adds acl to all rule sets available in {{{ aide_conf_path }}} {{% endif %}} - + rationale: |- ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. @@ -34,7 +34,7 @@ identifiers: cce@sle15: CCE-85623-7 cce@sle16: CCE-96372-8 cce@slmicro5: CCE-93742-5 - cce@slmicro6: CCE-95052-7 + cce@slmicro6: CCE-95052-7 references: cis-csc: 2,3 
@@ -48,7 +48,6 @@ references: stigid@ol7: OL07-00-021600 stigid@ol8: OL08-00-040310 stigid@sle12: SLES-12-010520 - stigid@sle15: SLES-15-040040 ocil_clause: 'the acl option is missing or not added to the correct ruleset' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml index 35ed5b595891..c0e28032c928 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml @@ -19,7 +19,7 @@ description: |- The remediation provided with this rule adds xattrs to all rule sets available in {{{ aide_conf_path }}} {{% endif %}} - + rationale: |- Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. @@ -34,7 +34,7 @@ identifiers: cce@sle15: CCE-85624-5 cce@sle16: CCE-96620-0 cce@slmicro5: CCE-93743-3 - cce@slmicro6: CCE-95053-5 + cce@slmicro6: CCE-95053-5 references: cis-csc: 2,3 @@ -48,7 +48,6 @@ references: stigid@ol7: OL07-00-021610 stigid@ol8: OL08-00-040300 stigid@sle12: SLES-12-010530 - stigid@sle15: SLES-15-040050 ocil_clause: 'the xattrs option is missing or not added to the correct ruleset' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml index dc497c0c7b9a..8ccf88085ed3 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml 
@@ -36,7 +36,6 @@ references: stigid@ol7: OL07-00-020029 stigid@ol8: OL08-00-010359 stigid@sle12: SLES-12-010499 - stigid@sle15: SLES-15-010419 {{{ complete_ocil_entry_package_installed("aide") }}} diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml index 7a41b181031c..09d6dfbc0656 100644 --- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml @@ -38,7 +38,6 @@ references: stigid@ol7: OL07-00-010350 stigid@ol8: OL08-00-010381 stigid@sle12: SLES-12-010110 - stigid@sle15: SLES-15-010450 ocil_clause: "!authenticate is specified in the sudo config files" diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml index 9d78c69d2dc6..981527510a80 100644 --- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml @@ -39,7 +39,6 @@ references: stigid@ol7: OL07-00-010340 stigid@ol8: OL08-00-010380 stigid@sle12: SLES-12-010110 - stigid@sle15: SLES-15-010450 ocil_clause: 'nopasswd is specified in the sudo config files' diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml index 9fb1274aa2b6..4fd56cc5beab 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml @@ -37,7 +37,6 @@ references: nist: IA-11,CM-6(a) nist-csf: PR.AC-1,PR.AC-7 srg: SRG-OS-000373-GPOS-00156 - stigid@sle15: SLES-15-010450 ocil_clause: 'nopasswd and/or !authenticate is enabled in sudo' 
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml index 3584ee4f2b91..7552734cfef8 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml @@ -38,7 +38,6 @@ references: stigid@ol7: OL07-00-010343 stigid@ol8: OL08-00-010384 stigid@sle12: SLES-12-010113 - stigid@sle15: SLES-15-020102 ocil_clause: 'timestamp_timeout is not set with the appropriate value for sudo' diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml index 1ca4cdf4a962..b1ac1d164fb1 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml @@ -25,7 +25,7 @@ identifiers: cce@sle12: CCE-83229-5 cce@sle15: CCE-85712-8 cce@slmicro5: CCE-93786-2 - cce@slmicro6: CCE-95042-8 + cce@slmicro6: CCE-95042-8 references: nist: CM-6(b),CM-6(iv) @@ -33,7 +33,6 @@ references: stigid@ol7: OL07-00-010341 stigid@ol8: OL08-00-010382 stigid@sle12: SLES-12-010111 - stigid@sle15: SLES-15-020101 ocil_clause: 'either of the commands returned a line' diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml index 901058ee9d96..9703534af617 100644 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml 
@@ -28,14 +28,13 @@ identifiers: cce@sle12: CCE-83255-0 cce@sle15: CCE-91151-1 cce@slmicro5: CCE-93733-4 - cce@slmicro6: CCE-95040-2 + cce@slmicro6: CCE-95040-2 references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-010339 stigid@ol8: OL08-00-010379 stigid@sle12: SLES-12-010109 - stigid@sle15: SLES-15-020099 ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?" diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml index f25049786e28..b05f548b78a7 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml @@ -30,7 +30,7 @@ identifiers: cce@sle12: CCE-83230-3 cce@sle15: CCE-85747-4 cce@slmicro5: CCE-93735-9 - cce@slmicro6: CCE-95043-6 + cce@slmicro6: CCE-95043-6 references: nist: CM-6(b),CM-6.1(iv) @@ -38,7 +38,6 @@ references: stigid@ol7: OL07-00-010342 stigid@ol8: OL08-00-010383 stigid@sle12: SLES-12-010112 - stigid@sle15: SLES-15-020103 ocil_clause: 'invoke user passwd when using sudo' diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml index 34e82036e14b..d497c1d15e91 100644 --- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml +++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml @@ -47,7 +47,6 @@ references: stigid@ol7: OL07-00-020200 stigid@ol8: OL08-00-010440 stigid@sle12: SLES-12-010570 - stigid@sle15: SLES-15-010560 ocil_clause: |- {{%- if 'sle' in product or 'slmicro' in product %}} diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml index b1d83b25cc89..ff8ad9b43613 100644 
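Review bot: The `ocil_clause` kept as context in sudoers_default_includedir/rule.yml (hunk `@@ -28,14 +28,13 @@`) misspells the directory as `/etc/sudores.d`, so the finding condition shown to an assessor names a path that does not match the `/etc/sudoers.d` include this rule is about. The clause also ends in a question mark, which probably doubles up if the clause is embedded in a generated question. Since the hunk already edits the lines directly above it, correct the clause to `ocil_clause: "the /etc/sudoers doesn't include /etc/sudoers.d or includes other directories"`.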
--- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml @@ -57,7 +57,6 @@ references: srg: SRG-OS-000366-GPOS-00153 stigid@ol7: OL07-00-020050 stigid@sle12: SLES-12-010550 - stigid@sle15: SLES-15-010430 ocil_clause: 'there is no process to validate certificates that is approved by the organization' diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml index 609e377fdf8f..72bae3451b10 100644 --- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml @@ -67,7 +67,6 @@ references: stigid@ol7: OL07-00-020260 stigid@ol8: OL08-00-010010 stigid@sle12: SLES-12-010010 - stigid@sle15: SLES-15-010010 # SCAP 1.3 content should reference flat non compressed xml files {{% if oval_feed_url %}} diff --git a/products/sle15/controls/stig_sle15.yml b/products/sle15/controls/stig_sle15.yml new file mode 100644 index 000000000000..8a8d9f6e62cd --- /dev/null +++ b/products/sle15/controls/stig_sle15.yml 
@@ -0,0 +1,1780 @@
+policy: SUSE Linux Enterprise Server 15 Security Technical Implementation Guide
+title: SUSE Linux Enterprise Server 15 Security Technical Implementation Guide
+id: stig_sle15
+version: V2R7
+source: https://www.cyber.mil/stigs/downloads/
+reference_type: stigid
+product: sle15
+
+levels:
+ - id: high
+ - id: medium
+ - id: low
+
+controls:
+- id: SLES-15-010000
+ levels:
+ - high
+ title: The SUSE operating system must be a vendor-supported release.
+ rules:
+ - installed_OS_is_vendor_supported
+ status: automated
+- id: SLES-15-010010
+ levels:
+ - medium
+ title: Vendor-packaged SUSE operating system security patches and updates must be
+ installed and up to date.
+ rules:
+ - security_patches_up_to_date
+ status: automated
+- id: SLES-15-010020
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DOD Notice
+ and Consent Banner before granting access via local console.
+ rules:
+ - banner_etc_issue
+ - login_banner_text=dod_banners
+ - login_banner_contents=dod_default
+ status: automated
+- id: SLES-15-010030
+ levels:
+ - high
+ title: The SUSE operating system must not have the vsftpd package installed if not
+ required for operational support.
+ rules:
+ - package_vsftpd_removed
+ status: automated
+- id: SLES-15-010040
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DOD Notice
+ and Consent Banner before granting access via SSH.
+ rules:
+ - sshd_enable_warning_banner
+ status: automated
+- id: SLES-15-010050
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DoD Notice
+ and Consent Banner until users acknowledge the usage conditions and take explicit
+ actions to log on for further access to the local graphical user interface (GUI).
+ rules:
+ - gui_login_dod_acknowledgement
+ status: automated
+- id: SLES-15-010060
+ levels:
+ - medium
+ title: The SUSE operating system file /etc/gdm/banner must contain the Standard
+ Mandatory DoD Notice and Consent banner text.
+ rules:
+ - banner_etc_gdm_banner
+ status: automated
+- id: SLES-15-010080
+ levels:
+ - medium
+ title: The SUSE operating system must display a banner before granting local or
+ remote access to the system via a graphical user logon.
+ rules:
+ - dconf_gnome_banner_enabled
+ status: automated
+- id: SLES-15-010090
+ levels:
+ - medium
+ title: The SUSE operating system must display the approved Standard Mandatory DoD
+ Notice before granting local or remote access to the system via a graphical user
+ logon.
+ rules:
+ - dconf_db_up_to_date
+ - dconf_gnome_login_banner_text
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
+ status: automated
+- id: SLES-15-010100
+ levels:
+ - medium
+ title: The SUSE operating system must be able to lock the graphical user interface
+ (GUI).
+ rules:
+ - dconf_gnome_screensaver_lock_enabled
+ status: automated
+- id: SLES-15-010110
+ levels:
+ - low
+ title: The SUSE operating system must utilize vlock to allow for session locking.
+ rules:
+ - vlock_installed
+ status: automated
+- id: SLES-15-010120
+ levels:
+ - medium
+ title: The SUSE operating system must initiate a session lock after a 15-minute
+ period of inactivity for the graphical user interface (GUI).
+ rules:
+ - dconf_gnome_screensaver_idle_delay
+ - inactivity_timeout_value=15_minutes
+ - dconf_gnome_session_idle_user_locks
+ status: automated
+- id: SLES-15-010130
+ levels:
+ - medium
+ title: The SUSE operating system must initiate a session lock after a 10-minute
+ period of inactivity.
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=10_min
+ status: automated
+- id: SLES-15-010140
+ levels:
+ - low
+ title: The SUSE operating system must conceal, via the session lock, information
+ previously visible on the display with a publicly viewable image in the graphical
+ user interface (GUI).
+ rules:
+ - dconf_gnome_screensaver_mode_blank
+ status: automated
+- id: SLES-15-010150
+ levels:
+ - medium
+ title: The SUSE operating system must log SSH connection attempts and failures to
+ the server.
+ rules:
+ - sshd_set_loglevel_verbose
+ status: automated
+- id: SLES-15-010160
+ levels:
+ - medium
+ title: The SUSE operating system must implement DOD-approved encryption to protect
+ the confidentiality of SSH remote connections.
+ rules:
+ - sshd_use_approved_ciphers
+ - sshd_use_approved_ciphers_ordered_stig
+ status: automated
+- id: SLES-15-010170
+ levels:
+ - medium
+ title: The SUSE operating system, for PKI-based authentication, must validate certificates
+ by constructing a certification path (which includes status information) to an
+ accepted trust anchor.
+ rules:
+ - smartcard_configure_ca
+ status: automated
+- id: SLES-15-010180
+ levels:
+ - high
+ title: The SUSE operating system must not have the telnet-server package installed.
+ rules:
+ - package_telnet-server_removed
+ status: automated
+- id: SLES-15-010190
+ levels:
+ - high
+ title: SUSE operating systems with a basic input/output system (BIOS) must require
+ authentication upon booting into single-user and maintenance modes.
+ rules:
+ - grub2_password
+ status: automated
+- id: SLES-15-010200
+ levels:
+ - high
+ title: SUSE operating systems with Unified Extensible Firmware Interface (UEFI)
+ implemented must require authentication upon booting into single-user mode and
+ maintenance.
+ rules:
+ - grub2_uefi_password
+ status: automated
+- id: SLES-15-010220
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to prohibit or restrict the
+ use of functions, ports, protocols, and/or services as defined in the Ports, Protocols,
+ and Services Management (PPSM) Category Assignments List (CAL) and vulnerability
+ assessments.
+ rules:
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ status: automated
+- id: SLES-15-010230
+ levels:
+ - medium
+ title: The SUSE operating system must not have duplicate User IDs (UIDs) for interactive
+ users.
+ rules:
+ - account_unique_id
+ status: automated
+- id: SLES-15-010240
+ levels:
+ - medium
+ title: The SUSE operating system must disable the file system automounter.
+ rules:
+ - service_autofs_disabled
+ status: automated
+- id: SLES-15-010260
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing
+ algorithm for system authentication (login.defs).
+ rules:
+ - set_password_hashing_algorithm_logindefs
+ status: automated
+- id: SLES-15-010270
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must be configured to only use Message
+ Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
+ rules:
+ - sshd_use_approved_macs
+ - sshd_use_approved_macs_ordered_stig
+ status: automated
+- id: SLES-15-010280
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must be configured with a timeout interval.
+ rules:
+ - sshd_set_idle_timeout
+ - sshd_idle_timeout_value=10_minutes
+ status: automated
+- id: SLES-15-010300
+ levels:
+ - medium
+ title: The sticky bit must be set on all SUSE operating system world-writable directories.
+ rules:
+ - dir_perms_world_writable_sticky_bits
+ status: automated
+- id: SLES-15-010310
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to use TCP syncookies.
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: SLES-15-010320
+ levels:
+ - medium
+ title: The SUSE operating system, for all network connections associated with SSH
+ traffic, must immediately terminate at the end of the session or after 10 minutes
+ of inactivity.
+ rules:
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=1
+ - sshd_set_keepalive_0
+ status: automated
+- id: SLES-15-010330
+ levels:
+ - high
+ title: All SUSE operating system persistent disk partitions must implement cryptographic
+ mechanisms to prevent unauthorized disclosure or modification of all information
+ that requires at-rest protection.
+ rules:
+ - encrypt_partitions
+ status: automated
+- id: SLES-15-010340
+ levels:
+ - medium
+ title: The SUSE operating system must generate error messages that provide information
+ necessary for corrective actions without revealing information that could be exploited
+ by adversaries.
+ rules:
+ - permissions_local_var_log
+ status: automated
+- id: SLES-15-010350
+ levels:
+ - medium
+ title: The SUSE operating system must prevent unauthorized users from accessing
+ system error messages.
+ rules:
+ - file_permissions_local_var_log_messages
+ status: automated
+- id: SLES-15-010351
+ levels:
+ - medium
+ title: The SUSE operating system library files must have mode 0755 or less permissive.
+ rules:
+ - file_permissions_library_dirs
+ status: automated
+- id: SLES-15-010352
+ levels:
+ - medium
+ title: The SUSE operating system library directories must have mode 0755 or less
+ permissive.
+ rules:
+ - dir_permissions_library_dirs
+ status: automated
+- id: SLES-15-010353
+ levels:
+ - medium
+ title: The SUSE operating system library files must be owned by root.
+ rules:
+ - file_ownership_library_dirs
+ status: automated
+- id: SLES-15-010354
+ levels:
+ - medium
+ title: The SUSE operating system library directories must be owned by root.
+ rules:
+ - dir_ownership_library_dirs
+ status: automated
+- id: SLES-15-010355
+ levels:
+ - medium
+ title: The SUSE operating system library files must be group-owned by root.
+ rules:
+ - root_permissions_syslibrary_files
+ status: automated
+- id: SLES-15-010356
+ levels:
+ - medium
+ title: The SUSE operating system library directories must be group-owned by root.
+ rules:
+ - dir_group_ownership_library_dirs
+ status: automated
+- id: SLES-15-010357
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands set to a mode of 0755
+ or less permissive.
+ rules:
+ - file_permissions_system_commands_dirs
+ status: automated
+- id: SLES-15-010358
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ set to a mode of 0755 or less permissive.
+ rules:
+ - file_permissions_binary_dirs
+ status: automated
+- id: SLES-15-010359
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands owned by root.
+ rules:
+ - file_ownership_binary_dirs
+ status: automated
+- id: SLES-15-010360
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ owned by root.
+ rules:
+ - dir_system_commands_root_owned
+ status: automated
+- id: SLES-15-010361
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands group-owned by root or
+ a system account.
+ rules:
+ - file_groupownership_system_commands_dirs
+ status: automated
+- id: SLES-15-010362
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ group-owned by root.
+ rules:
+ - dir_system_commands_group_root_owned
+ status: automated
+- id: SLES-15-010370
+ levels:
+ - medium
+ title: The SUSE operating system must have a firewall system installed to immediately
+ disconnect or disable remote access to the whole operating system.
+ rules: []
+ status: pending
+- id: SLES-15-010380
+ levels:
+ - medium
+ title: The SUSE operating system wireless network adapters must be disabled unless
+ approved and documented.
+ rules:
+ - wireless_disable_interfaces
+ status: automated
+- id: SLES-15-010390
+ levels:
+ - medium
+ title: SUSE operating system AppArmor tool must be configured to control whitelisted
+ applications and user home directory access control.
+ rules:
+ - apparmor_configured
+ - package_pam_apparmor_installed
+ status: automated
+- id: SLES-15-010400
+ levels:
+ - medium
+ title: The SUSE operating system clock must, for networked systems, be synchronized
+ to an authoritative DOD time source at least every 24 hours.
+ rules:
+ - chronyd_or_ntpd_set_maxpoll
+ - var_time_service_set_maxpoll=18_hours
+ status: automated
+- id: SLES-15-010410
+ levels:
+ - low
+ title: The SUSE operating system must be configured to use Coordinated Universal
+ Time (UTC) or Greenwich Mean Time (GMT).
+ rules:
+ - ensure_rtc_utc_configuration
+ status: automated
+- id: SLES-15-010420
+ levels:
+ - medium
+ title: Advanced Intrusion Detection Environment (AIDE) must verify the baseline
+ SUSE operating system configuration at least weekly.
+ rules:
+ - aide_periodic_cron_checking
+ status: automated
+- id: SLES-15-010430
+ levels:
+ - high
+ title: The SUSE operating system tool zypper must have gpgcheck enabled.
+ rules:
+ - ensure_gpgcheck_globally_activated
+ status: automated
+- id: SLES-15-010450
+ levels:
+ - high
+ title: The SUSE operating system must reauthenticate users when changing authenticators,
+ roles, or escalating privileges.
+ rules:
+ - sudo_remove_no_authenticate
+ - sudo_remove_nopasswd
+ - sudo_require_authentication
+ status: automated
+- id: SLES-15-010460
+ levels:
+ - medium
+ title: The SUSE operating system must have the packages required for multifactor
+ authentication to be installed.
+ rules:
+ - install_smartcard_packages
+ status: automated
+- id: SLES-15-010470
+ levels:
+ - medium
+ title: The SUSE operating system must implement certificate status checking for
+ multifactor authentication.
+ rules:
+ - smartcard_configure_cert_checking
+ status: automated
+- id: SLES-15-010480
+ levels:
+ - medium
+ title: The SUSE operating system must disable the USB mass storage kernel module.
+ rules:
+ - kernel_module_usb-storage_disabled
+ status: automated
+- id: SLES-15-010490
+ levels:
+ - medium
+ title: If Network Security Services (NSS) is being used by the SUSE operating system
+ it must prohibit the use of cached authentications after one day.
+ rules:
+ - sssd_memcache_timeout
+ - var_sssd_memcache_timeout=1_day
+ status: automated
+- id: SLES-15-010500
+ levels:
+ - medium
+ title: The SUSE operating system must configure the Linux Pluggable Authentication
+ Modules (PAM) to prohibit the use of cached offline authentications after one
+ day.
+ rules:
+ - sssd_offline_cred_expiration
+ status: automated
+- id: SLES-15-010510
+ levels:
+ - high
+ title: FIPS 140-2 mode must be enabled on the SUSE operating system.
+ rules:
+ - is_fips_mode_enabled
+ status: automated
+- id: SLES-15-010530
+ levels:
+ - high
+ title: All networked SUSE operating systems must have and implement SSH to protect
+ the confidentiality and integrity of transmitted and received information, as
+ well as information during preparation for transmission.
+ rules:
+ - service_sshd_enabled
+ status: automated
+- id: SLES-15-010540
+ levels:
+ - medium
+ title: The SUSE operating system must implement kptr-restrict to prevent the leaking
+ of internal kernel addresses.
+ rules:
+ - sysctl_kernel_kptr_restrict
+ status: automated
+- id: SLES-15-010550
+ levels:
+ - medium
+ title: Address space layout randomization (ASLR) must be implemented by the SUSE
+ operating system to protect memory from unauthorized code execution.
+ rules:
+ - sysctl_kernel_randomize_va_space
+ status: automated
+- id: SLES-15-010560
+ levels:
+ - medium
+ title: The SUSE operating system must remove all outdated software components after
+ updated versions have been installed.
+ rules:
+ - clean_components_post_updating
+ status: automated
+- id: SLES-15-010570
+ levels:
+ - medium
+ title: The SUSE operating system must notify the System Administrator (SA) when
+ Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation
+ of any security functions.
+ rules:
+ - aide_periodic_checking_systemd_timer
+ - aide_scan_notification
+ status: automated
+- id: SLES-15-010580
+ levels:
+ - medium
+ title: The SUSE operating system must off-load rsyslog messages for networked systems
+ in real time and off-load standalone systems at least weekly.
+ rules:
+ - rsyslog_remote_loghost
+ status: automated
+- id: SLES-15-020000
+ levels:
+ - medium
+ title: The SUSE operating system must provision temporary accounts with an expiration
+ date for 72 hours.
+ rules: []
+ status: pending
+- id: SLES-15-020010
+ levels:
+ - medium
+ title: The SUSE operating system must lock an account after three consecutive invalid
+ access attempts.
+ rules:
+ - accounts_passwords_pam_tally2
+ - var_password_pam_tally2=3
+ status: automated
+- id: SLES-15-020020
+ levels:
+ - low
+ title: The SUSE operating system must limit the number of concurrent sessions to
+ 10 for all accounts and/or account types.
+ rules:
+ - accounts_max_concurrent_login_sessions
+ - var_accounts_max_concurrent_login_sessions=10
+ status: automated
+- id: SLES-15-020030
+ levels:
+ - medium
+ title: The SUSE operating system must implement multifactor authentication for access
+ to privileged accounts via pluggable authentication modules (PAM).
+ rules:
+ - smartcard_pam_enabled
+ status: automated
+- id: SLES-15-020040
+ levels:
+ - medium
+ title: The SUSE operating system must deny direct logons to the root account using
+ remote access via SSH.
+ rules:
+ - sshd_disable_root_login
+ status: automated
+- id: SLES-15-020050
+ levels:
+ - medium
+ title: The SUSE operating system must disable account identifiers (individuals,
+ groups, roles, and devices) after 35 days of inactivity after password expiration.
+ rules:
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=35
+ status: automated
+- id: SLES-15-020060
+ levels:
+ - medium
+ title: The SUSE operating system must never automatically remove or disable emergency
+ administrator accounts.
+ rules:
+ - account_emergency_admin
+ status: manual
+- id: SLES-15-020090
+ levels:
+ - medium
+ title: The SUSE operating system must not have unnecessary accounts.
+ rules:
+ - accounts_authorized_local_users
+ # NOTE: must configure "var_accounts_authorized_local_users_regex"
+ # when the rule "accounts_authorized_local_users" is enabled
+ # - var_accounts_authorized_local_users_regex=
+ - var_accounts_authorized_local_users_regex=sle15
+ status: automated
+- id: SLES-15-020091
+ levels:
+ - medium
+ title: The SUSE operating system must not have unnecessary account capabilities.
+ rules:
+ - no_shelllogin_for_systemaccounts
+ status: automated
+- id: SLES-15-020100
+ levels:
+ - high
+ title: The SUSE operating system root account must be the only account with unrestricted
+ access to the system.
+ rules:
+ - accounts_no_uid_except_zero
+ status: automated
+- id: SLES-15-020101
+ levels:
+ - medium
+ title: The SUSE operating system must restrict privilege elevation to authorized
+ personnel.
+ rules:
+ - sudo_restrict_privilege_elevation_to_authorized
+ status: automated
+- id: SLES-15-020102
+ levels:
+ - medium
+ title: The SUSE operating system must require reauthentication when using the "sudo"
+ command.
+ rules:
+ - sudo_require_reauthentication
+ - var_sudo_timestamp_timeout=always_prompt
+ status: automated
+- id: SLES-15-020103
+ levels:
+ - medium
+ title: The SUSE operating system must use the invoking user's password for privilege
+ escalation when using "sudo".
+ rules:
+ - sudoers_validate_passwd
+ status: automated
+- id: SLES-15-020110
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user accounts, upon creation,
+ must be assigned a home directory.
+ rules:
+ - accounts_have_homedir_login_defs
+ status: automated
+- id: SLES-15-020120
+ levels:
+ - medium
+ title: The SUSE operating system must display the date and time of the last successful
+ account logon upon an SSH logon.
+ rules:
+ - sshd_print_last_log
+ status: automated
+- id: SLES-15-020130
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ uppercase character.
+ rules:
+ - cracklib_accounts_password_pam_ucredit
+ - var_password_pam_ucredit=1
+ status: automated
+- id: SLES-15-020140
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ lowercase character.
+ rules:
+ - cracklib_accounts_password_pam_lcredit
+ - var_password_pam_lcredit=1
+ status: automated
+- id: SLES-15-020150
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ numeric character.
+ rules:
+ - cracklib_accounts_password_pam_dcredit
+ - var_password_pam_dcredit=1
+ status: automated
+- id: SLES-15-020160
+ levels:
+ - medium
+ title: The SUSE operating system must require the change of at least eight of the
+ total number of characters when passwords are changed.
+ rules:
+ - cracklib_accounts_password_pam_difok
+ status: automated
+- id: SLES-15-020170
+ levels:
+ - medium
+ title: The SUSE operating system must configure the Linux Pluggable Authentication
+ Modules (PAM) to only store encrypted representations of passwords.
+ rules:
+ - set_password_hashing_algorithm_systemauth
+ status: automated
+- id: SLES-15-020180
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing
+ algorithms for all stored passwords.
+ rules:
+ - accounts_password_all_shadowed_sha512
+ status: automated
+- id: SLES-15-020190
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing
+ algorithms for all stored passwords.
+ rules:
+ - set_password_hashing_min_rounds_logindefs
+ - var_password_hashing_min_rounds_login_defs=100000
+ status: automated
+- id: SLES-15-020200
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to create or update passwords
+ with a minimum lifetime of 24 hours (one day).
+ rules:
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=7
+ status: automated
+- id: SLES-15-020210
+ levels:
+ - medium
+ title: The SUSE operating system must employ user passwords with a minimum lifetime
+ of 24 hours (one day).
+ rules:
+ - accounts_password_set_min_life_existing
+ status: automated
+- id: SLES-15-020220
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to create or update passwords
+ with a maximum lifetime of 60 days.
+ rules:
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=60
+ status: automated
+- id: SLES-15-020230
+ levels:
+ - medium
+ title: The SUSE operating system must employ user passwords with a maximum lifetime
+ of 60 days.
+ rules:
+ - accounts_password_set_max_life_existing
+ status: automated
+- id: SLES-15-020260
+ levels:
+ - medium
+ title: The SUSE operating system must employ passwords with a minimum of 15 characters.
+ rules:
+ - cracklib_accounts_password_pam_minlen
+ - var_password_pam_minlen=15
+ status: automated
+- id: SLES-15-020270
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ special character.
+ rules:
+ - cracklib_accounts_password_pam_ocredit
+ - var_password_pam_ocredit=1
+ status: automated
+- id: SLES-15-020290
+ levels:
+ - medium
+ title: The SUSE operating system must prevent the use of dictionary words for passwords.
+ rules:
+ - cracklib_accounts_password_pam_retry
+ status: automated
+- id: SLES-15-020300
+ levels:
+ - high
+ title: The SUSE operating system must not be configured to allow blank or null passwords.
+ rules:
+ - no_empty_passwords
+ status: automated
+- id: SLES-15-030000
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/passwd.
+ rules:
+ - audit_rules_usergroup_modification_passwd
+ status: automated
+- id: SLES-15-030010
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/group.
+ rules:
+ - audit_rules_usergroup_modification_group
+ status: automated
+- id: SLES-15-030020
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/shadow.
+ rules:
+ - audit_rules_usergroup_modification_shadow
+ status: automated
+- id: SLES-15-030030
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/security/opasswd.
+ rules:
+ - audit_rules_usergroup_modification_opasswd
+ status: automated
+- id: SLES-15-030040
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/gshadow.
+ rules:
+ - audit_rules_usergroup_modification_gshadow
+ status: automated
+- id: SLES-15-030050
+ levels:
+ - medium
+ title: SUSE operating system audit records must contain information to establish
+ what type of events occurred, the source of events, where events occurred, and
+ the outcome of events.
+ rules:
+ - service_auditd_enabled
+ status: automated
+- id: SLES-15-030060
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ ssh-keysign command.
+ rules:
+ - audit_rules_privileged_commands_ssh_keysign
+ status: automated
+- id: SLES-15-030070
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ passwd command.
+ rules:
+ - audit_rules_privileged_commands_passwd
+ status: automated
+- id: SLES-15-030080
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ gpasswd command.
+ rules:
+ - audit_rules_privileged_commands_gpasswd
+ status: automated
+- id: SLES-15-030090
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ newgrp command.
+ rules:
+ - audit_rules_privileged_commands_newgrp
+ status: automated
+- id: SLES-15-030100
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for a uses of the chsh
+ command.
+ rules:
+ - audit_rules_privileged_commands_chsh
+ status: automated
+- id: SLES-15-030110
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ unix_chkpwd or unix2_chkpwd commands.
+ rules:
+ - audit_rules_privileged_commands_unix2_chkpwd
+ - audit_rules_privileged_commands_unix_chkpwd
+ status: automated
+- id: SLES-15-030120
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chage command.
+ rules:
+ - audit_rules_privileged_commands_chage
+ status: automated
+- id: SLES-15-030130
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ crontab command.
+ rules:
+ - audit_rules_privileged_commands_crontab
+ status: automated
+- id: SLES-15-030140
+ levels:
+ - medium
+ title: The SUSE operating system must audit all uses of the sudoers file and all
+ files in the /etc/sudoers.d/ directory.
+ rules:
+ - audit_rules_sysadmin_actions
+ status: automated
+- id: SLES-15-030150
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.
+ rules:
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ status: automated
+- id: SLES-15-030190
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system
+ calls.
+ rules:
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ status: automated
+- id: SLES-15-030250
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chown, fchown, fchownat, and lchown system calls.
+ rules:
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_lchown
+ status: automated
+- id: SLES-15-030290
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chmod, fchmod, and fchmodat system calls.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ status: automated
+- id: SLES-15-030330
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ sudoedit command.
+ rules:
+ - audit_rules_privileged_commands_sudoedit
+ status: automated
+- id: SLES-15-030340
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ chfn command.
+ rules:
+ - audit_rules_privileged_commands_chfn
+ status: automated
+- id: SLES-15-030350
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ mount system call.
+ rules:
+ - audit_rules_media_export
+ status: automated
+- id: SLES-15-030360
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ umount system call.
+ rules:
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ status: automated
+- id: SLES-15-030370
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ ssh-agent command.
+ rules:
+ - audit_rules_privileged_commands_ssh_agent
+ status: automated
+- id: SLES-15-030380
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ insmod command.
+ rules:
+ - audit_rules_privileged_commands_insmod
+ status: automated
+- id: SLES-15-030390
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ rmmod command.
+ rules:
+ - audit_rules_privileged_commands_rmmod
+ status: automated
+- id: SLES-15-030400
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ modprobe command.
+ rules:
+ - audit_rules_privileged_commands_modprobe
+ status: automated
+- id: SLES-15-030410
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ kmod command.
+ rules:
+ - audit_rules_privileged_commands_kmod
+ status: automated
+- id: SLES-15-030420
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chmod command.
+ rules:
+ - audit_rules_execution_chmod
+ status: automated
+- id: SLES-15-030430
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ setfacl command.
+ rules:
+ - audit_rules_execution_setfacl
+ status: automated
+- id: SLES-15-030440
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chacl command.
+ rules:
+ - audit_rules_execution_chacl
+ status: automated
+- id: SLES-15-030450
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chcon command.
+ rules:
+ - audit_rules_execution_chcon
+ status: automated
+- id: SLES-15-030460
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ rm command.
+ rules:
+ - audit_rules_execution_rm
+ status: automated
+- id: SLES-15-030470
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all modifications
+ to the tallylog file must generate an audit record.
+ rules:
+ - audit_rules_login_events_tallylog
+ status: automated
+- id: SLES-15-030480
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all modifications
+ to the lastlog file.
+ rules: + - audit_rules_login_events_lastlog + status: automated +- id: SLES-15-030490 + levels: + - medium + title: The SUSE operating system must generate audit records for all uses of the + passmass command. + rules: + - audit_rules_privileged_commands_passmass + status: automated +- id: SLES-15-030500 + levels: + - medium + title: The SUSE operating system must generate audit records for all uses of the + usermod command. + rules: + - audit_rules_privileged_commands_usermod + status: automated +- id: SLES-15-030510 + levels: + - medium + title: The SUSE operating system must generate audit records for all uses of the + pam_timestamp_check command. + rules: + - audit_rules_privileged_commands_pam_timestamp_check + status: automated +- id: SLES-15-030520 + levels: + - medium + title: The SUSE operating system must generate audit records for all uses of the + delete_module system call. + rules: + - audit_rules_kernel_module_loading_delete + status: automated +- id: SLES-15-030530 + levels: + - medium + title: The SUSE operating system must generate audit records for all uses of the + init_module and finit_module system calls. + rules: + - audit_rules_kernel_module_loading_finit + - audit_rules_kernel_module_loading_init + status: automated +- id: SLES-15-030550 + levels: + - medium + title: The SUSE operating system must generate audit records for all uses of the + su command. + rules: + - audit_rules_privileged_commands_su + status: automated +- id: SLES-15-030560 + levels: + - low + title: The SUSE operating system must generate audit records for all uses of the + sudo command. + rules: + - audit_rules_privileged_commands_sudo + status: automated +- id: SLES-15-030570 + levels: + - medium + title: The Information System Security Officer (ISSO) and System Administrator (SA), + at a minimum, must be alerted of a SUSE operating system audit processing failure + event. 
+ rules: + - auditd_data_retention_action_mail_acct + status: automated +- id: SLES-15-030580 + levels: + - medium + title: The Information System Security Officer (ISSO) and System Administrator (SA), + at a minimum, must have mail aliases to be notified of a SUSE operating system + audit processing failure. + rules: + - postfix_client_configure_mail_alias + status: automated +- id: SLES-15-030590 + levels: + - medium + title: The SUSE operating system audit system must take appropriate action when + the audit storage volume is full. + rules: + - auditd_data_disk_full_action + - var_auditd_disk_full_action=syslog + status: automated +- id: SLES-15-030600 + levels: + - medium + title: The SUSE operating system must protect audit rules from unauthorized modification. + rules: + - permissions_local_var_log_audit + status: automated +- id: SLES-15-030620 + levels: + - medium + title: The SUSE operating system audit tools must have the proper permissions configured + to protect against unauthorized access. + rules: + - permissions_local_audit_binaries + status: automated +- id: SLES-15-030630 + levels: + - medium + title: The SUSE operating system file integrity tool must be configured to protect + the integrity of the audit tools. + rules: + - aide_check_audit_tools + status: automated +- id: SLES-15-030640 + levels: + - low + title: The SUSE operating system must generate audit records for all uses of the + privileged functions. + rules: + - audit_rules_suid_privilege_function + status: automated +- id: SLES-15-030650 + levels: + - medium + title: The SUSE operating system must have the auditing package installed. + rules: + - package_audit_installed + status: automated +- id: SLES-15-030660 + levels: + - medium + title: The SUSE operating system must allocate audit record storage capacity to + store at least one week of audit records when audit records are not immediately + sent to a central audit record storage facility. 
+ rules: + - auditd_audispd_configure_sufficiently_large_partition + status: manual +- id: SLES-15-030670 + levels: + - medium + title: The audit-audispd-plugins must be installed on the SUSE operating system. + rules: + - package_audit-audispd-plugins_installed + status: automated +- id: SLES-15-030680 + levels: + - low + title: The SUSE operating system audit event multiplexor must be configured to use + Kerberos. + rules: + - auditd_audispd_encrypt_sent_records + status: automated +- id: SLES-15-030690 + levels: + - low + title: Audispd must off-load audit records onto a different system or media from + the SUSE operating system being audited. + rules: + - auditd_audispd_configure_remote_server + # NOTE: must configure "var_audispd_remote_server" when the + # rule "auditd_audispd_configure_remote_server" is enabled + # - var_audispd_remote_server= + status: automated +- id: SLES-15-030700 + levels: + - medium + title: The SUSE operating system auditd service must notify the System Administrator + (SA) and Information System Security Officer (ISSO) immediately when audit storage + capacity is 75 percent full. + rules: + - auditd_data_retention_space_left + status: automated +- id: SLES-15-030740 + levels: + - medium + title: The SUSE operating system must generate audit records for all uses of the + unlink, unlinkat, rename, renameat, and rmdir system calls. + rules: + - audit_rules_unsuccessful_file_modification_rename + - audit_rules_unsuccessful_file_modification_renameat + - audit_rules_unsuccessful_file_modification_renameat2 + - audit_rules_unsuccessful_file_modification_unlink + - audit_rules_unsuccessful_file_modification_unlinkat + status: automated +- id: SLES-15-030760 + levels: + - medium + title: The SUSE operating system must generate audit records for the /run/utmp file. 
+ rules: + - audit_rules_session_events_utmp + status: automated +- id: SLES-15-030770 + levels: + - medium + title: The SUSE operating system must generate audit records for the /var/log/wtmp + file. + rules: + - audit_rules_session_events_wtmp + status: automated +- id: SLES-15-030780 + levels: + - medium + title: The SUSE operating system must generate audit records for the /var/log/btmp + file. + rules: + - audit_rules_session_events_btmp + status: automated +- id: SLES-15-030790 + levels: + - medium + title: The SUSE operating system must off-load audit records onto a different system + or media from the system being audited. + rules: + - auditd_audispd_network_failure_action + status: automated +- id: SLES-15-030800 + levels: + - medium + title: Audispd must take appropriate action when the SUSE operating system audit + storage is full. + rules: + - auditd_audispd_disk_full_action + status: automated +- id: SLES-15-030810 + levels: + - low + title: The SUSE operating system must use a separate file system for the system + audit data path. + rules: + - partition_for_var_log_audit + status: automated +- id: SLES-15-030820 + levels: + - medium + title: The SUSE operating system must not disable syscall auditing. + rules: + - audit_rules_enable_syscall_auditing + status: automated +- id: SLES-15-040000 + levels: + - medium + title: The SUSE operating system must enforce a delay of at least four seconds between + logon prompts following a failed logon attempt. + rules: [] + status: pending +- id: SLES-15-040010 + levels: + - medium + title: The SUSE operating system must enforce a delay of at least four seconds between + logon prompts following a failed logon attempt. + rules: + - accounts_passwords_pam_faildelay_delay + - var_accounts_fail_delay=4 + - var_password_pam_delay=4000000 + status: automated +- id: SLES-15-040020 + levels: + - high + title: There must be no .shosts files on the SUSE operating system. 
+ rules: + - no_user_host_based_files + status: automated +- id: SLES-15-040030 + levels: + - high + title: There must be no shosts.equiv files on the SUSE operating system. + rules: + - no_host_based_files + status: automated +- id: SLES-15-040040 + levels: + - low + title: The SUSE operating system file integrity tool must be configured to verify + Access Control Lists (ACLs). + rules: + - aide_verify_acls + status: automated +- id: SLES-15-040050 + levels: + - low + title: The SUSE operating system file integrity tool must be configured to verify + extended attributes. + rules: + - aide_verify_ext_attributes + status: automated +- id: SLES-15-040060 + levels: + - high + title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence. + rules: + - disable_ctrlaltdel_reboot + status: automated +- id: SLES-15-040061 + levels: + - high + title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence + for Graphical User Interfaces. + rules: + - enable_dconf_user_profile + status: automated +- id: SLES-15-040062 + levels: + - high + title: The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst + key sequence. + rules: + - disable_ctrlaltdel_burstaction + status: automated +- id: SLES-15-040070 + levels: + - medium + title: All SUSE operating system local interactive users must have a home directory + assigned in the /etc/passwd file. + rules: + - accounts_user_interactive_home_directory_defined + status: automated +- id: SLES-15-040080 + levels: + - medium + title: All SUSE operating system local interactive user home directories defined + in the /etc/passwd file must exist. + rules: + - accounts_user_interactive_home_directory_exists + status: automated +- id: SLES-15-040090 + levels: + - medium + title: All SUSE operating system local interactive user home directories must have + mode 0750 or less permissive. 
+ rules: + - file_permissions_home_directories + status: automated +- id: SLES-15-040100 + levels: + - medium + title: All SUSE operating system local interactive user home directories must be + group-owned by the home directory owner's primary group. + rules: + - file_groupownership_home_directories + status: automated +- id: SLES-15-040110 + levels: + - medium + title: All SUSE operating system local initialization files must have mode 0740 + or less permissive. + rules: + - file_permission_user_init_files + status: automated +- id: SLES-15-040120 + levels: + - medium + title: All SUSE operating system local interactive user initialization files executable + search paths must contain only paths that resolve to the users home directory. + rules: + - accounts_user_home_paths_only + status: manual +- id: SLES-15-040130 + levels: + - medium + title: All SUSE operating system local initialization files must not execute world-writable + programs. + rules: + - accounts_user_dot_no_world_writable_programs + status: automated +- id: SLES-15-040140 + levels: + - medium + title: SUSE operating system file systems that contain user home directories must + be mounted to prevent files with the setuid and setgid bit set from being executed. + rules: + - mount_option_home_nosuid + status: automated +- id: SLES-15-040150 + levels: + - medium + title: SUSE operating system file systems that are used with removable media must + be mounted to prevent files with the setuid and setgid bit set from being executed. + rules: + - mount_option_nosuid_removable_partitions + - var_removable_partition=dev_cdrom + status: automated +- id: SLES-15-040160 + levels: + - medium + title: SUSE operating system file systems that are being imported via Network File + System (NFS) must be mounted to prevent files with the setuid and setgid bit set + from being executed. 
+ rules: + - mount_option_nosuid_remote_filesystems + status: automated +- id: SLES-15-040170 + levels: + - medium + title: SUSE operating system file systems that are being imported via Network File + System (NFS) must be mounted to prevent binary files from being executed. + rules: + - mount_option_noexec_remote_filesystems + status: automated +- id: SLES-15-040180 + levels: + - medium + title: All SUSE operating system world-writable directories must be group-owned + by root, sys, bin, or an application group. + rules: + - dir_perms_world_writable_system_owned_group + status: automated +- id: SLES-15-040190 + levels: + - medium + title: SUSE operating system kernel core dumps must be disabled unless needed. + rules: + - service_kdump_disabled + status: automated +- id: SLES-15-040200 + levels: + - low + title: A separate file system must be used for SUSE operating system user home directories + (such as /home or an equivalent). + rules: + - partition_for_home + status: automated +- id: SLES-15-040210 + levels: + - low + title: The SUSE operating system must use a separate file system for /var. + rules: + - partition_for_var + status: automated +- id: SLES-15-040220 + levels: + - medium + title: The SUSE operating system must be configured to not overwrite Pluggable Authentication + Modules (PAM) configuration on package changes. + rules: + - pam_disable_automatic_configuration + status: automated +- id: SLES-15-040230 + levels: + - medium + title: The SUSE operating system SSH daemon must be configured to not allow authentication + using known hosts authentication. + rules: + - sshd_disable_user_known_hosts + status: automated +- id: SLES-15-040240 + levels: + - medium + title: The SUSE operating system SSH daemon public host key files must have mode + 0644 or less permissive. 
+ rules: + - file_permissions_sshd_pub_key + status: automated +- id: SLES-15-040250 + levels: + - medium + title: The SUSE operating system SSH daemon private host key files must have mode + 0640 or less permissive. + rules: + - file_permissions_sshd_private_key + status: automated +- id: SLES-15-040260 + levels: + - medium + title: The SUSE operating system SSH daemon must perform strict mode checking of + home directory configuration files. + rules: + - sshd_enable_strictmodes + status: automated +- id: SLES-15-040290 + levels: + - medium + title: The SUSE operating system SSH daemon must disable forwarded remote X connections + for interactive users, unless to fulfill documented and validated mission requirements. + rules: + - sshd_disable_x11_forwarding + status: automated +- id: SLES-15-040300 + levels: + - medium + title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4) + source-routed packets. + rules: + - sysctl_net_ipv4_conf_all_accept_source_route + status: automated +- id: SLES-15-040310 + levels: + - medium + title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6) + source-routed packets. + rules: + - sysctl_net_ipv6_conf_all_accept_source_route + status: automated +- id: SLES-15-040320 + levels: + - medium + title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4) + source-routed packets by default. + rules: + - sysctl_net_ipv4_conf_default_accept_source_route + status: automated +- id: SLES-15-040321 + levels: + - medium + title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6) + source-routed packets by default. + rules: + - sysctl_net_ipv6_conf_default_accept_source_route + status: automated +- id: SLES-15-040330 + levels: + - medium + title: The SUSE operating system must prevent Internet Protocol version 4 (IPv4) + Internet Control Message Protocol (ICMP) redirect messages from being accepted. 
+ rules: + - sysctl_net_ipv4_conf_all_accept_redirects + status: automated +- id: SLES-15-040340 + levels: + - medium + title: The SUSE operating system must not allow interfaces to accept Internet Protocol + version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by + default. + rules: + - sysctl_net_ipv4_conf_default_accept_redirects + status: automated +- id: SLES-15-040341 + levels: + - medium + title: The SUSE operating system must prevent Internet Protocol version 6 (IPv6) + Internet Control Message Protocol (ICMP) redirect messages from being accepted. + rules: + - sysctl_net_ipv6_conf_all_accept_redirects + status: automated +- id: SLES-15-040350 + levels: + - medium + title: The SUSE operating system must not allow interfaces to accept Internet Protocol + version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by + default. + rules: + - sysctl_net_ipv6_conf_default_accept_redirects + status: automated +- id: SLES-15-040360 + levels: + - medium + title: The SUSE operating system must not allow interfaces to send Internet Protocol + version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by + default. + rules: + - sysctl_net_ipv4_conf_default_send_redirects + status: automated +- id: SLES-15-040370 + levels: + - medium + title: The SUSE operating system must not send Internet Protocol version 4 (IPv4) + Internet Control Message Protocol (ICMP) redirects. + rules: + - sysctl_net_ipv4_conf_all_send_redirects + status: automated +- id: SLES-15-040380 + levels: + - medium + title: The SUSE operating system must not be performing Internet Protocol version + 4 (IPv4) packet forwarding unless the system is a router. + rules: + - sysctl_net_ipv4_ip_forward + status: automated +- id: SLES-15-040381 + levels: + - medium + title: The SUSE operating system must not be performing Internet Protocol version + 6 (IPv6) packet forwarding unless the system is a router. 
+ rules: + - sysctl_net_ipv6_conf_all_forwarding + status: automated +- id: SLES-15-040382 + levels: + - medium + title: The SUSE operating system must not be performing Internet Protocol version + 6 (IPv6) packet forwarding by default unless the system is a router. + rules: + - sysctl_net_ipv6_conf_default_forwarding + status: automated +- id: SLES-15-040390 + levels: + - medium + title: The SUSE operating system must not have network interfaces in promiscuous + mode unless approved and documented. + rules: + - network_sniffer_disabled + status: automated +- id: SLES-15-040400 + levels: + - medium + title: All SUSE operating system files and directories must have a valid owner. + rules: + - no_files_unowned_by_user + status: automated +- id: SLES-15-040410 + levels: + - medium + title: All SUSE operating system files and directories must have a valid group owner. + rules: + - file_permissions_ungroupowned + status: automated +- id: SLES-15-040420 + levels: + - medium + title: The SUSE operating system default permissions must be defined in such a way + that all authenticated users can only read and modify their own files. + rules: + - accounts_umask_etc_login_defs + status: automated +- id: SLES-15-040430 + levels: + - high + title: The SUSE operating system must not allow unattended or automatic logon via + the graphical user interface (GUI). + rules: + - gnome_gdm_disable_unattended_automatic_login + status: automated +- id: SLES-15-040440 + levels: + - high + title: The SUSE operating system must not allow unattended or automatic logon via + SSH. + rules: + - sshd_disable_empty_passwords + - sshd_do_not_permit_user_env + status: automated +- id: SLES-15-020099 + levels: + - medium + title: The SUSE operating system must specify the default "include" directory for + the /etc/sudoers file. 
+ rules:
+ - sudoers_default_includedir
+ status: automated
+- id: SLES-15-020104
+ levels:
+ - medium
+ title: The SUSE operating system must not be configured to bypass password requirements
+ for privilege escalation.
+ rules:
+ - disallow_bypass_password_sudo
+ status: automated
+- id: SLES-15-020181
+ levels:
+ - high
+ title: The SUSE operating system must not have accounts configured with blank or
+ null passwords.
+ rules:
+ - no_empty_passwords_etc_shadow
+ status: automated
+- id: SLES-15-040450
+ levels:
+ - medium
+ title: The SUSE operating system SSH server must be configured to use only FIPS-validated
+ key exchange algorithms.
+ rules:
+ - sshd_use_approved_kex_ordered_stig
+ status: automated
+- id: SLES-15-010375
+ levels:
+ - low
+ title: The SUSE operating system must restrict access to the kernel message buffer.
+ rules:
+ - sysctl_kernel_dmesg_restrict
+ status: automated
+- id: SLES-15-010419
+ levels:
+ - medium
+ title: The SUSE operating system must use a file integrity tool to verify correct
+ operation of all security functions.
+ rules:
+ - aide_build_database
+ - package_aide_installed
+ status: automated
+- id: SLES-15-010418
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to allow sending email notifications
+ of unauthorized configuration changes to designated personnel.
+ rules:
+ - package_mailx_installed
+ status: automated
+- id: SLES-15-030015
+ levels:
+ - medium
+ title: The SUSE operating system must audit any script or executable called by cron
+ as root or by any privileged user.
+ rules:
+ - audit_rules_etc_cron_d
+ - audit_rules_var_spool_cron
+ status: automated
diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile
index a4c36dd810bb..e19bb5fc9344 100644
--- a/products/sle15/profiles/stig.profile
+++ b/products/sle15/profiles/stig.profile
@@ -17,289 +17,4 @@ description: |- selections: - - var_account_disable_post_pw_expiration=35 - - var_accounts_fail_delay=4 - - var_accounts_tmout=10_min - - inactivity_timeout_value=15_minutes - - var_password_pam_dcredit=1 - - var_password_pam_lcredit=1 - - var_password_pam_minlen=15 - - var_password_pam_ocredit=1 - - var_password_pam_ucredit=1 - - var_sudo_timestamp_timeout=always_prompt - - var_password_pam_unix_remember=5 - - var_accounts_maximum_age_login_defs=60 - - var_password_pam_delay=4000000 - - login_banner_text=dod_banners - - login_banner_contents=dod_default - - dconf_login_banner_text=dod_banners - - dconf_login_banner_contents=dod_default - # - # Note: must configure "var_accounts_authorized_local_users_regex" when - # "accounts_authorized_local_users" rule is enabled - # - var_accounts_authorized_local_users_regex= - # - # NOTE: must configure "var_audispd_remote_server" when - # "auditd_audispd_configure_remote_server" rule is enabled - # - # - var_audispd_remote_server= - - var_removable_partition=dev_cdrom - - var_sssd_memcache_timeout=1_day - - var_time_service_set_maxpoll=18_hours - - var_accounts_minimum_age_login_defs=7 - - account_disable_post_pw_expiration - - account_emergency_admin - - account_disable_post_pw_expiration - - account_emergency_admin - - var_accounts_authorized_local_users_regex=sle15 - - accounts_authorized_local_users - - accounts_have_homedir_login_defs - - var_accounts_max_concurrent_login_sessions=10 - - accounts_max_concurrent_login_sessions - - accounts_maximum_age_login_defs - - accounts_no_uid_except_zero - - accounts_password_all_shadowed_sha512 - - accounts_password_set_max_life_existing - - accounts_password_set_min_life_existing - - accounts_passwords_pam_faildelay_delay - - accounts_passwords_pam_tally2 - - var_password_pam_tally2=3 - - accounts_tmout - - accounts_umask_etc_login_defs - - accounts_user_dot_no_world_writable_programs - - accounts_user_home_paths_only - - 
accounts_user_interactive_home_directory_defined - - accounts_user_interactive_home_directory_exists - - account_unique_id - - aide_build_database - - aide_check_audit_tools - - aide_periodic_cron_checking - - aide_scan_notification - - aide_verify_acls - - aide_verify_ext_attributes - - aide_periodic_checking_systemd_timer - - apparmor_configured - # - # NOTE: must configure "var_audispd_remote_server" when - # "auditd_audispd_configure_remote_server" rule is enabled - # - # - auditd_audispd_configure_remote_server - - auditd_audispd_configure_sufficiently_large_partition - - auditd_audispd_disk_full_action - - auditd_audispd_encrypt_sent_records - - auditd_audispd_network_failure_action - - var_auditd_disk_full_action=syslog - - auditd_data_disk_full_action - - auditd_data_retention_action_mail_acct - - auditd_data_retention_space_left - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_enable_syscall_auditing - - audit_rules_etc_cron_d - - audit_rules_execution_chacl - - audit_rules_execution_chmod - - audit_rules_execution_chcon - - audit_rules_execution_rm - - audit_rules_execution_setfacl - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - 
audit_rules_privileged_commands_chfn - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passmass - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_insmod - - audit_rules_privileged_commands_rmmod - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix2_chkpwd - - audit_rules_privileged_commands_usermod - - audit_rules_privileged_commands_sudoedit - - audit_rules_session_events_utmp - - audit_rules_session_events_wtmp - - audit_rules_suid_privilege_function - - audit_rules_sysadmin_actions - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_session_events_btmp - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_renameat2 - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - audit_rules_var_spool_cron - - banner_etc_gdm_banner - - banner_etc_issue - - 
chronyd_or_ntpd_set_maxpoll - - clean_components_post_updating - - cracklib_accounts_password_pam_dcredit - - cracklib_accounts_password_pam_difok - - cracklib_accounts_password_pam_lcredit - - cracklib_accounts_password_pam_minlen - - cracklib_accounts_password_pam_ocredit - - cracklib_accounts_password_pam_retry - - cracklib_accounts_password_pam_ucredit - - dconf_db_up_to_date - - dconf_gnome_banner_enabled - - dconf_gnome_login_banner_text - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_session_idle_user_locks - - dconf_gnome_screensaver_mode_blank - - dir_group_ownership_library_dirs - - dir_ownership_library_dirs - - dir_permissions_library_dirs - - dconf_gnome_screensaver_lock_enabled - - dir_perms_world_writable_sticky_bits - - dir_system_commands_group_root_owned - - dir_system_commands_root_owned - - dir_perms_world_writable_system_owned_group - - disable_ctrlaltdel_burstaction - - disable_ctrlaltdel_reboot - - disable_ctrlaltdel_reboot - - disallow_bypass_password_sudo - - enable_dconf_user_profile - - encrypt_partitions - - ensure_gpgcheck_globally_activated - - ensure_rtc_utc_configuration - - file_groupownership_home_directories - - file_groupownership_system_commands_dirs - - file_ownership_binary_dirs - - file_permissions_binary_dirs - - file_ownership_library_dirs - - file_permissions_home_directories - - file_permissions_library_dirs - - file_permissions_sshd_private_key - - file_permissions_sshd_pub_key - - file_permissions_system_commands_dirs - - file_permissions_ungroupowned - - file_permissions_local_var_log_messages - - file_permission_user_init_files - - gnome_gdm_disable_unattended_automatic_login - - grub2_password - - grub2_uefi_password - - gui_login_dod_acknowledgement - - installed_OS_is_vendor_supported - - install_smartcard_packages - - is_fips_mode_enabled - - kernel_module_usb-storage_disabled - - mount_option_home_nosuid - - mount_option_noexec_remote_filesystems - - mount_option_nosuid_remote_filesystems - - 
mount_option_nosuid_removable_partitions - - network_sniffer_disabled - - no_empty_passwords - - no_empty_passwords_etc_shadow - - no_files_unowned_by_user - - no_host_based_files - - no_shelllogin_for_systemaccounts - - no_user_host_based_files - - package_aide_installed - - package_audit-audispd-plugins_installed - - package_audit_installed - - package_mailx_installed - - package_pam_apparmor_installed - - package_telnet-server_removed - - package_firewalld_installed - - package_vsftpd_removed - - pam_disable_automatic_configuration - - partition_for_home - - partition_for_var - - partition_for_var_log_audit - - permissions_local_audit_binaries - - permissions_local_var_log_audit - - permissions_local_var_log - - postfix_client_configure_mail_alias - - rsyslog_remote_loghost - - root_permissions_syslibrary_files - - security_patches_up_to_date - - service_auditd_enabled - - service_autofs_disabled - - service_firewalld_enabled - - service_kdump_disabled - - service_sshd_enabled - - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_systemauth - - var_password_hashing_min_rounds_login_defs=100000 - - set_password_hashing_min_rounds_logindefs - - smartcard_configure_ca - - smartcard_configure_cert_checking - - smartcard_pam_enabled - - sshd_disable_empty_passwords - - sshd_disable_root_login - - sshd_disable_user_known_hosts - - sshd_disable_x11_forwarding - - sshd_do_not_permit_user_env - - sshd_enable_strictmodes - - sshd_enable_warning_banner - - sshd_print_last_log - - sshd_idle_timeout_value=10_minutes - - sshd_set_idle_timeout - - var_sshd_set_keepalive=1 - - sshd_set_keepalive - - sshd_set_loglevel_verbose - - sshd_use_approved_ciphers_ordered_stig - - sshd_use_approved_kex_ordered_stig - - sshd_use_approved_macs_ordered_stig - - sssd_memcache_timeout - - sssd_offline_cred_expiration - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_restrict_privilege_elevation_to_authorized - - sudo_require_authentication - - 
sudo_require_reauthentication - - sudoers_default_includedir - - sudoers_validate_passwd - - sysctl_kernel_dmesg_restrict - - sysctl_kernel_kptr_restrict - - sysctl_kernel_randomize_va_space - - sysctl_net_ipv4_conf_all_accept_redirects - - sysctl_net_ipv4_conf_all_accept_source_route - - sysctl_net_ipv4_conf_all_send_redirects - - sysctl_net_ipv4_conf_default_accept_redirects - - sysctl_net_ipv4_conf_default_accept_source_route - - sysctl_net_ipv4_conf_default_send_redirects - - sysctl_net_ipv4_ip_forward - - sysctl_net_ipv4_tcp_syncookies - - sysctl_net_ipv6_conf_all_forwarding - - sysctl_net_ipv6_conf_all_accept_redirects - - sysctl_net_ipv6_conf_all_accept_source_route - - sysctl_net_ipv6_conf_default_accept_redirects - - sysctl_net_ipv6_conf_default_accept_source_route - - sysctl_net_ipv6_conf_default_forwarding - - vlock_installed - - wireless_disable_interfaces + - stig_sle15:all
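Review bot: The new `- stig_sle15:all` selection turns on `auditd_audispd_configure_remote_server`, which the removed list kept commented out (`# - auditd_audispd_configure_remote_server`): control SLES-15-030690 lists the rule as active while `# - var_audispd_remote_server=` stays commented, so the profile would evaluate and remediate audit off-loading with whatever default that variable carries rather than a site-specific server. Either keep the rule commented in the control as the old profile did, `# - auditd_audispd_configure_remote_server`, or state in the profile description that the variable must be set before remediation is run. Control SLES-15-040000 is also pulled in with `rules: []` and `status: pending` under the same title as SLES-15-040010, which looks like a leftover and is worth confirming. The control file's hunk starts outside the part of the diff visible here, so other removed selections (for example `var_accounts_authorized_local_users_regex=sle15` and `rsyslog_remote_loghost`) could not be checked against it; comparing the resolved rule and variable list of the built profile before and after this change would confirm nothing else moved.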