From 975d05ff74affa199ee39d94e5b645a10df7c672 Mon Sep 17 00:00:00 2001 
From: rchikov Date: Fri, 12 Jun 2026 11:21:16 +0200 Subject: [PATCH 1/5] Created control file for SLES 15 DISA STIG profile --- .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../audit_rules_execution_chacl/rule.yml | 1 - .../audit_rules_execution_chmod/rule.yml | 1 - .../audit_rules_execution_setfacl/rule.yml | 1 - .../audit_rules_execution_chcon/rule.yml | 1 - .../audit_rules_execution_rm/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../audit_rules_login_events_lastlog/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../audit_rules_etc_cron_d/rule.yml | 1 - .../audit_rules_media_export/rule.yml | 1 - .../audit_rules_session_events_btmp/rule.yml | 1 - .../audit_rules_session_events_utmp/rule.yml | 1 - .../audit_rules_session_events_wtmp/rule.yml | 1 - .../rule.yml | 1 - .../audit_rules_sysadmin_actions/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../audit_rules_var_spool_cron/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../auditd_audispd_disk_full_action/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - 
.../auditd_data_disk_full_action/rule.yml | 1 - .../rule.yml | 1 - .../auditd_data_retention_space_left/rule.yml | 1 - .../rule.yml | 1 - .../auditing/package_audit_installed/rule.yml | 1 - .../auditing/service_auditd_enabled/rule.yml | 1 - .../base/service_kdump_disabled/rule.yml | 1 - .../package_vsftpd_removed/rule.yml | 1 - .../mail/package_mailx_installed/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml | 1 - .../r_services/no_host_based_files/rule.yml | 1 - .../no_user_host_based_files/rule.yml | 1 - .../package_telnet-server_removed/rule.yml | 1 - .../rule.yml | 1 - .../file_permissions_sshd_pub_key/rule.yml | 1 - .../ssh/service_sshd_enabled/rule.yml | 1 - .../sshd_disable_empty_passwords/rule.yml | 1 - .../sshd_disable_root_login/rule.yml | 1 - .../sshd_disable_user_known_hosts/rule.yml | 1 - .../sshd_disable_x11_forwarding/rule.yml | 1 - .../sshd_do_not_permit_user_env/rule.yml | 1 - .../sshd_enable_strictmodes/rule.yml | 1 - .../sshd_enable_warning_banner/rule.yml | 1 - .../ssh_server/sshd_print_last_log/rule.yml | 1 - .../ssh_server/sshd_set_idle_timeout/rule.yml | 1 - .../ssh_server/sshd_set_keepalive/rule.yml | 1 - .../ssh_server/sshd_set_keepalive_0/rule.yml | 1 - .../sshd_set_loglevel_verbose/rule.yml | 1 - .../sshd_use_approved_ciphers/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../sshd_use_approved_macs/rule.yml | 1 - .../rule.yml | 1 - .../sshd_use_priv_separation/rule.yml | 2 +- .../sssd/sssd_memcache_timeout/rule.yml | 1 - .../sssd_offline_cred_expiration/rule.yml | 1 - .../banner_etc_issue/rule.yml | 1 - .../banner_etc_gdm_banner/rule.yml | 1 - .../dconf_gnome_banner_enabled/rule.yml | 1 - .../dconf_gnome_login_banner_text/rule.yml | 1 - .../gui_login_dod_acknowledgement/rule.yml | 1 - .../disallow_bypass_password_sudo/rule.yml | 1 - .../display_login_attempts/rule.yml | 2 +- .../rule.yml | 1 - .../accounts_passwords_pam_tally2/rule.yml | 1 - .../rule.yml | 1 - 
.../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../disable_ctrlaltdel_burstaction/rule.yml | 1 - .../disable_ctrlaltdel_reboot/rule.yml | 1 - .../vlock_installed/rule.yml | 1 - .../install_smartcard_packages/rule.yml | 1 - .../smartcard_configure_ca/rule.yml | 1 - .../rule.yml | 1 - .../smartcard_pam_enabled/rule.yml | 1 - .../rule.yml | 1 - .../account_emergency_admin/rule.yml | 1 - .../account_temp_expire_date/rule.yml | 1 - .../account_unique_id/rule.yml | 1 - .../accounts_authorized_local_users/rule.yml | 1 - .../accounts_maximum_age_login_defs/rule.yml | 1 - .../accounts_minimum_age_login_defs/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../no_empty_passwords/rule.yml | 1 - .../no_empty_passwords_etc_shadow/rule.yml | 1 - .../accounts_no_uid_except_zero/rule.yml | 1 - .../no_shelllogin_for_systemaccounts/rule.yml | 1 - .../accounts_have_homedir_login_defs/rule.yml | 1 - .../rule.yml | 1 - .../accounts-session/accounts_tmout/rule.yml | 1 - .../rule.yml | 1 - .../accounts_user_home_paths_only/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../file_permission_user_init_files/rule.yml | 1 - .../rule.yml | 1 - .../accounts_umask_etc_login_defs/rule.yml | 1 - .../apparmor/apparmor_configured/rule.yml | 1 - .../package_pam_apparmor_installed/rule.yml | 1 - .../non-uefi/grub2_password/rule.yml | 1 - .../uefi/grub2_uefi_password/rule.yml | 1 - .../ensure_rtc_utc_configuration/rule.yml | 1 - .../rsyslog_remote_loghost/rule.yml | 1 - .../package_firewalld_installed/rule.yml | 1 - .../service_firewalld_enabled/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../sysctl_net_ipv4_tcp_syncookies/rule.yml | 1 - .../rule.yml | 1 - 
.../rule.yml | 1 - .../sysctl_net_ipv4_ip_forward/rule.yml | 1 - .../wireless_disable_interfaces/rule.yml | 1 - .../network/network_sniffer_disabled/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../dir_system_commands_root_owned/rule.yml | 1 - .../file_permissions_ungroupowned/rule.yml | 1 - .../files/no_files_unowned_by_user/rule.yml | 1 - .../files/permissions_local_var_log/rule.yml | 1 - .../dir_group_ownership_library_dirs/rule.yml | 1 - .../dir_ownership_library_dirs/rule.yml | 1 - .../dir_permissions_library_dirs/rule.yml | 1 - .../rule.yml | 1 - .../file_ownership_binary_dirs/rule.yml | 1 - .../file_ownership_library_dirs/rule.yml | 1 - .../file_permissions_binary_dirs/rule.yml | 1 - .../file_permissions_library_dirs/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../mounting/service_autofs_disabled/rule.yml | 1 - .../mount_option_home_nosuid/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../permissions_local_audit_binaries/rule.yml | 1 - .../permissions_local_var_log_audit/rule.yml | 1 - .../sysctl_kernel_kptr_restrict/rule.yml | 1 - .../sysctl_kernel_randomize_va_space/rule.yml | 1 - .../sysctl_kernel_dmesg_restrict/rule.yml | 1 - .../encrypt_partitions/rule.yml | 1 - .../partition_for_home/rule.yml | 1 - .../partition_for_var/rule.yml | 1 - .../partition_for_var_log_audit/rule.yml | 1 - .../gnome/dconf_db_up_to_date/rule.yml | 1 - .../gnome/enable_dconf_user_profile/rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../installed_OS_is_vendor_supported/rule.yml | 1 - .../fips/is_fips_mode_enabled/rule.yml | 1 - .../aide/aide_build_database/rule.yml | 1 - .../aide/aide_check_audit_tools/rule.yml | 1 - .../rule.yml | 1 - .../aide/aide_periodic_cron_checking/rule.yml | 1 - .../aide/aide_scan_notification/rule.yml | 1 - .../aide/aide_verify_acls/rule.yml | 1 - .../aide/aide_verify_ext_attributes/rule.yml | 1 - 
.../aide/package_aide_installed/rule.yml | 1 - .../sudo/sudo_remove_no_authenticate/rule.yml | 1 - .../sudo/sudo_remove_nopasswd/rule.yml | 1 - .../sudo/sudo_require_authentication/rule.yml | 1 - .../sudo_require_reauthentication/rule.yml | 1 - .../rule.yml | 1 - .../sudo/sudoers_default_includedir/rule.yml | 1 - .../sudo/sudoers_validate_passwd/rule.yml | 1 - .../clean_components_post_updating/rule.yml | 1 - .../rule.yml | 1 - .../security_patches_up_to_date/rule.yml | 1 - products/sle15/profiles/stig.profile | 287 +----------------- 250 files changed, 3 insertions(+), 535 deletions(-)
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
index bf0bd48403dc..c359d10a7564 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chmod/rule.yml
@@ -58,7 +58,6 @@ references:
 stigid@ol7: OL07-00-030410
 stigid@ol8: OL08-00-030490
 stigid@sle12: SLES-12-020460
- stigid@sle15: SLES-15-030290
 ocil_clause: 'the system is not configured to audit permission changes'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
index d25df1bbd7d3..71b8b9cd9a78 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_chown/rule.yml
@@ -58,7 +58,6 @@ references:
 stigid@ol7: OL07-00-030370
 stigid@ol8: OL08-00-030480
 stigid@sle12: SLES-12-020420
- stigid@sle15: SLES-15-030250
 {{{ complete_ocil_entry_audit_syscall(syscall="chown") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
index eaac617a07c7..96b83a58a929 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
@@ -56,7 +56,6 @@ references:
 stigid@ol7: OL07-00-030410
 stigid@ol8: OL08-00-030490
 stigid@sle12: SLES-12-020460
- stigid@sle15: SLES-15-030290
 {{{ complete_ocil_entry_audit_syscall(syscall="fchmod") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
index e947bb93ef8d..a569528ec071 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmodat/rule.yml
@@ -55,7 +55,6 @@ references:
 stigid@ol7: OL07-00-030410
 stigid@ol8: OL08-00-030490
 stigid@sle12: SLES-12-020460
- stigid@sle15: SLES-15-030290
 {{{ complete_ocil_entry_audit_syscall(syscall="fchmodat") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
index 5f260a163ff8..1ad364fb717a 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchown/rule.yml
@@ -58,7 +58,6 @@ references:
 stigid@ol7: OL07-00-030370
 stigid@ol8: OL08-00-030480
 stigid@sle12: SLES-12-020420
- stigid@sle15: SLES-15-030250
 {{{ complete_ocil_entry_audit_syscall(syscall="fchown") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
index ced1e57df1d8..1361dbe3be5d 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchownat/rule.yml
@@ -55,7 +55,6 @@ references:
 stigid@ol7: OL07-00-030370
 stigid@ol8: OL08-00-030480
 stigid@sle12: SLES-12-020420
- stigid@sle15: SLES-15-030250
 {{{ complete_ocil_entry_audit_syscall(syscall="fchownat") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index 9c142b436839..93d7698e8216 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -73,7 +73,6 @@ references:
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
 stigid@sle12: SLES-12-020370
- stigid@sle15: SLES-15-030190
 {{{ complete_ocil_entry_audit_syscall(syscall="fremovexattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
index 2f8460a1475f..3ca88c4b2fd1 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fsetxattr/rule.yml
@@ -67,7 +67,6 @@ references:
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
 stigid@sle12: SLES-12-020370
- stigid@sle15: SLES-15-030190
 {{{ complete_ocil_entry_audit_syscall(syscall="fsetxattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
index 71228638c5b7..1205fe57cb5c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
@@ -59,7 +59,6 @@ references:
 stigid@ol7: OL07-00-030370
 stigid@ol8: OL08-00-030480
 stigid@sle12: SLES-12-020420
- stigid@sle15: SLES-15-030250
 {{{ complete_ocil_entry_audit_syscall(syscall="lchown") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
index 74af5cb4a474..d4b352cc6c1b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lremovexattr/rule.yml
@@ -72,7 +72,6 @@ references:
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
 stigid@sle12: SLES-12-020370
- stigid@sle15: SLES-15-030190
 {{{ complete_ocil_entry_audit_syscall(syscall="lremovexattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
index d1c6b36cfe18..9f606707d3d1 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lsetxattr/rule.yml
@@ -67,7 +67,6 @@ references:
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
 stigid@sle12: SLES-12-020370
- stigid@sle15: SLES-15-030190
 {{{ complete_ocil_entry_audit_syscall(syscall="lsetxattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
index f66be4ce29f9..d28bce273e24 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_removexattr/rule.yml
@@ -71,7 +71,6 @@ references:
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
 stigid@sle12: SLES-12-020370
- stigid@sle15: SLES-15-030190
 {{{ complete_ocil_entry_audit_syscall(syscall="removexattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
index 24c5c5128f12..e9b0e54f6220 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_setxattr/rule.yml
@@ -67,7 +67,6 @@ references:
 stigid@ol7: OL07-00-030440
 stigid@ol8: OL08-00-030200
 stigid@sle12: SLES-12-020370
- stigid@sle15: SLES-15-030190
 {{{ complete_ocil_entry_audit_syscall(syscall="setxattr") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/rule.yml
index 5615f21a3b85..d95c0e113e52 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount/rule.yml
@@ -35,7 +35,6 @@ references:
 nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
 stigid@sle12: SLES-12-020300
- stigid@sle15: SLES-15-030360
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
index 6d3821a97db7..c9721e260a56 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
@@ -40,7 +40,6 @@ references:
 nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
 stigid@sle12: SLES-12-020300
- stigid@sle15: SLES-15-030360
 {{{ complete_ocil_entry_audit_syscall(syscall="umount2") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
index 2d545e951385..46c16dfd003f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chacl/rule.yml
@@ -30,7 +30,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol8: OL08-00-030570
 stigid@sle12: SLES-12-020620
- stigid@sle15: SLES-15-030440
 {{{ ocil_fix_srg_privileged_command("chacl", "/usr/bin/", "perm_mod") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml
index d1291a88c512..8fe1302e271b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml
@@ -27,7 +27,6 @@ references:
 nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@sle12: SLES-12-020600
- stigid@sle15: SLES-15-030420
 ocil: |-
 To verify that execution of the command is being audited, run the following command:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
index 56b841cb2fcb..c9a7cd950019 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_setfacl/rule.yml
@@ -29,7 +29,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
 stigid@ol8: OL08-00-030330
 stigid@sle12: SLES-12-020610
- stigid@sle15: SLES-15-030430
 {{{ ocil_fix_srg_privileged_command("setfacl", "/usr/bin/", "perm_mod") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
index 46c526ac68f7..9ba329f94c42 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_chcon/rule.yml
@@ -46,7 +46,6 @@ references:
 stigid@ol7: OL07-00-030580
 stigid@ol8: OL08-00-030260
 stigid@sle12: SLES-12-020630
- stigid@sle15: SLES-15-030450
 {{{ ocil_fix_srg_privileged_command("chcon", "/usr/bin/", "perm_mod") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml
index f44a5385e761..d4b221cfa8a2 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml
@@ -27,7 +27,6 @@ references:
 nist@sle12: AU-3,AU-3.1,AU-12.1(ii),AU-12(a),AU-12.1(iv),AU-12(c),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
 stigid@sle12: SLES-12-020640
- stigid@sle15: SLES-15-030460
 ocil: |-
 To verify that execution of the command is being audited, run the following command:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
index 24bbb5c20e6a..c563651b4d4e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml
@@ -62,7 +62,6 @@ references:
 stigid@ol7: OL07-00-030510
 stigid@ol8: OL08-00-030420
 stigid@sle12: SLES-12-020490
- stigid@sle15: SLES-15-030150
 ocil: |-
 {{{ ocil_audit_rules_unsuccessful_file_modification("creat", "access") | indent(4) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
index 2028094a96f3..c3df4964cb97 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml
@@ -62,7 +62,6 @@ references:
 stigid@ol7: OL07-00-030510
 stigid@ol8: OL08-00-030420
 stigid@sle12: SLES-12-020490
- stigid@sle15: SLES-15-030150
 ocil: |-
 {{{ ocil_audit_rules_unsuccessful_file_modification("ftruncate", "access") | indent(4) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
index fe58f9ccd263..15861002b09b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml
@@ -66,7 +66,6 @@ references:
 stigid@ol7: OL07-00-030510
 stigid@ol8: OL08-00-030420
 stigid@sle12: SLES-12-020490
- stigid@sle15: SLES-15-030150
 ocil: |-
 {{{ ocil_audit_rules_unsuccessful_file_modification("open", "access") | indent(4) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
index 71a6883e4cd1..0f2584da7c21 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml
@@ -56,7 +56,6 @@ references:
 stigid@ol7: OL07-00-030510
 stigid@ol8: OL08-00-030420
 stigid@sle12: SLES-12-020490
- stigid@sle15: SLES-15-030150
 ocil: |-
 {{{ ocil_audit_rules_unsuccessful_file_modification("open_by_handle_at", "access") | indent(4) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
index 60f10c9d79ba..1fb647e1a7db 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml
@@ -62,7 +62,6 @@ references:
 stigid@ol7: OL07-00-030510
 stigid@ol8: OL08-00-030420
 stigid@sle12: SLES-12-020490
- stigid@sle15: SLES-15-030150
 ocil: |-
 {{{ ocil_audit_rules_unsuccessful_file_modification("openat", "access") | indent(4) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml
index a8fa3b592b4b..f6979d523457 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml
@@ -53,7 +53,6 @@ references:
 pcidss: Req-10.2.4,Req-10.2.1
 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@sle12: SLES-12-020411
- stigid@sle15: SLES-15-030740
 ocil: |-
 {{{ ocil_audit_rules_unsuccessful_file_modification("rename", "unsuccessful-delete") | indent(4) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml
index e1aafd60d663..ed1576ab8dc9 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml
@@ -59,7 +59,6 @@ references:
 pcidss: Req-10.2.4,Req-10.2.1
 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@sle12: SLES-12-020411
- stigid@sle15: SLES-15-030740
 ocil: |-
 {{{ ocil_audit_rules_unsuccessful_file_modification("renameat", "unsuccessful-delete") | indent(4) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml
index 8597ce55eec9..6cae54d1c0d4 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml
@@ -26,7 +26,6 @@ identifiers:
 references:
 nist@sle15: AU-12(c),AU-12.1(iv)
 srg: SRG-OS-000468-GPOS-00212
- stigid@sle15: SLES-15-030740
 {{{ complete_ocil_entry_audit_unsuccessful_syscall(syscall="renameat2") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
index 7f24feabc8e3..4dd4e9aa01df 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml
@@ -61,7 +61,6 @@ references:
 stigid@ol7: OL07-00-030510
 stigid@ol8: OL08-00-030420
 stigid@sle12: SLES-12-020490
- stigid@sle15: SLES-15-030150
 ocil: |-
 {{{ ocil_audit_rules_unsuccessful_file_modification("truncate", "access") | indent(4) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml
index bfb9b645fd48..b8a8bde22990 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml
@@ -65,7 +65,6 @@ references:
 pcidss: Req-10.2.4,Req-10.2.1
 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@sle12: SLES-12-020411
- stigid@sle15: SLES-15-030740
 ocil: |-
 {{{ ocil_audit_rules_unsuccessful_file_modification("unlink", "unsuccessful-delete") | indent(4) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
index 1511b5a81fe8..242daceadf10 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml
@@ -62,7 +62,6 @@ references:
 pcidss: Req-10.2.4,Req-10.2.1
 srg: SRG-OS-000064-GPOS-00033,SRG-OS-000392-GPOS-00172,SRG-OS-000458-GPOS-00203,SRG-OS-000461-GPOS-00205,SRG-OS-000468-GPOS-00212,SRG-APP-000501-CTR-001265,SRG-APP-000502-CTR-001270
 stigid@sle12: SLES-12-020411
- stigid@sle15: SLES-15-030740
 ocil: |-
 {{{ ocil_audit_rules_unsuccessful_file_modification("unlinkat", "unsuccessful-delete") | indent(4) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
index 25f668b942e6..532b63321448 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/rule.yml
@@ -42,7 +42,6 @@ references:
 stigid@ol7: OL07-00-030830
 stigid@ol8: OL08-00-030390
 stigid@sle12: SLES-12-020730
- stigid@sle15: SLES-15-030520
 {{{ complete_ocil_entry_audit_syscall(syscall="delete_module") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
index 4117218a3287..46880f6833fd 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/rule.yml
@@ -40,7 +40,6 @@ references:
 stigid@ol7: OL07-00-030820
 stigid@ol8: OL08-00-030360
 stigid@sle12: SLES-12-020740
- stigid@sle15: SLES-15-030530
 {{{ complete_ocil_entry_audit_syscall(syscall="finit_module") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
index 2947c3fe297e..b6eefe06ed29 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/rule.yml
@@ -41,7 +41,6 @@ references:
 stigid@ol7: OL07-00-030820
 stigid@ol8: OL08-00-030360
 stigid@sle12: SLES-12-020740
- stigid@sle15: SLES-15-030530
 {{{ complete_ocil_entry_audit_syscall(syscall="init_module") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
index 6fb6c3cca539..2e1a28d286a8 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_lastlog/rule.yml
@@ -42,7 +42,6 @@ references:
 stigid@ol7: OL07-00-030620
 stigid@ol8: OL08-00-030600
 stigid@sle12: SLES-12-020660
- stigid@sle15: SLES-15-030480
 ocil_clause: 'the command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
index b4f178c19111..07fdf2a2e701 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
@@ -39,7 +39,6 @@ references:
 pcidss: Req-10.2.3
 srg: SRG-OS-000392-GPOS-00172,SRG-OS-000470-GPOS-00214,SRG-OS-000473-GPOS-00218,SRG-APP-000503-CTR-001275
 stigid@sle12: SLES-12-020650
- stigid@sle15: SLES-15-030470
 ocil_clause: 'the command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
index cf71821e6937..89ede770ae94 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml
@@ -45,7 +45,6 @@ references:
 stigid@ol7: OL07-00-030660
 stigid@ol8: OL08-00-030250
 stigid@sle12: SLES-12-020690
- stigid@sle15: SLES-15-030120
 {{{ ocil_fix_srg_privileged_command("chage") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chfn/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chfn/rule.yml
index 7bb2ee7bf5e5..1aedae1806c3 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chfn/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chfn/rule.yml
@@ -26,7 +26,6 @@ identifiers:
 references:
 nist: AU-3,AU-12(a),AU-12(c),MA-4(1)(a)
 stigid@sle12: SLES-12-020280
- stigid@sle15: SLES-15-030340
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
index db76114e7c52..685d4fde3fa3 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml
@@ -45,7 +45,6 @@ references:
 stigid@ol7: OL07-00-030720
 stigid@ol8: OL08-00-030410
 stigid@sle12: SLES-12-020580
- stigid@sle15: SLES-15-030100
 {{{ ocil_fix_srg_privileged_command("chsh") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
index bed9679415a5..990a6f0a037c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-030800
 stigid@ol8: OL08-00-030400
 stigid@sle12: SLES-12-020710
- stigid@sle15: SLES-15-030130
 {{{ ocil_fix_srg_privileged_command("crontab") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
index 3e6b252e92c8..aded41a6b1ca 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml
@@ -45,7 +45,6 @@ references:
 stigid@ol7: OL07-00-030650
 stigid@ol8: OL08-00-030370
 stigid@sle12: SLES-12-020560
- stigid@sle15: SLES-15-030080
 {{{ ocil_fix_srg_privileged_command("gpasswd") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
index 6b2f502687d1..a4bcb4689174 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_insmod/rule.yml
@@ -39,7 +39,6 @@ references:
 cis@sle15: 4.1.16
 nist: AU-12(c),AU-12.1(iv),AU-3,AU-3.1,AU-12(a),AU-12.1(ii),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
- stigid@sle15: SLES-15-030380
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
index 4d321ba3a10a..78aad6361769 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_kmod/rule.yml
@@ -32,7 +32,6 @@ references:
 stigid@ol7: OL07-00-030840
 stigid@ol8: OL08-00-030580
 stigid@sle12: SLES-12-020360
- stigid@sle15: SLES-15-030410
 {{{ ocil_fix_srg_privileged_command("kmod") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
index 4ccc58df4968..d01767bbd54d 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_modprobe/rule.yml
@@ -43,7 +43,6 @@ references:
 cis@sle15: 4.1.16
 nist: AU-12(a),AU-12.1(ii),AU-3,AU-3.1,AU-12(c),AU-12.1(iv),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
- stigid@sle15: SLES-15-030400
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
index 2c62fc261037..b1754b93d7df 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml
@@ -45,7 +45,6 @@ references:
 stigid@ol7: OL07-00-030710
 stigid@ol8: OL08-00-030350
 stigid@sle12: SLES-12-020570
- stigid@sle15: SLES-15-030090
 {{{ ocil_fix_srg_privileged_command("newgrp") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
index 1d5bc10c572b..078aeb86a920 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pam_timestamp_check/rule.yml
@@ -50,7 +50,6 @@ references:
 stigid@ol7: OL07-00-030810
 stigid@ol8: OL08-00-030340
 stigid@sle12: SLES-12-020720
- stigid@sle15: SLES-15-030510
 {{% if product not in ["sle12", "sle15", "slmicro5", "slmicro6"] %}}
 {{{ ocil_fix_srg_privileged_command("pam_timestamp_check", "/usr/sbin/") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passmass/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passmass/rule.yml
index 34d8c9bc20d4..183af2589520 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passmass/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passmass/rule.yml
@@ -27,7 +27,6 @@ references:
 nist@sle12: AU-3,AU-12(a),AU-12(c),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015
 stigid@sle12: SLES-12-020670
- stigid@sle15: SLES-15-030490
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
index 641ae6b92b5f..4acca3afa661 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml
@@ -45,7 +45,6 @@ references:
 stigid@ol7: OL07-00-030630
 stigid@ol8: OL08-00-030290
 stigid@sle12: SLES-12-020550
- stigid@sle15: SLES-15-030070
 {{{ ocil_fix_srg_privileged_command("passwd") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
index 40f76e0fcbea..70a02c49991a 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_rmmod/rule.yml
@@ -39,7 +39,6 @@ references:
 cis@sle15: 4.1.16
 nist@sle15: AU-12(c),AU-12.1(iv),AU-3,AU-3.1,AU-12(a),AU-12.1(ii),MA-4(1)(a)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215
- stigid@sle15: SLES-15-030390
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
index c837ce565cfb..556889ead2a9 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_agent/rule.yml
@@ -31,7 +31,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235
 stigid@ol8: OL08-00-030280
 stigid@sle12: SLES-12-020310
- stigid@sle15: SLES-15-030370
 {{{ ocil_fix_srg_privileged_command("ssh-agent") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
index 1272c7f12834..9dd913d31d2f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml
@@ -55,7 +55,6 @@ references:
 stigid@ol7: OL07-00-030780
 stigid@ol8: OL08-00-030320
 stigid@sle12: SLES-12-020320
- stigid@sle15: SLES-15-030060
 {{{ ocil_fix_srg_privileged_command("ssh-keysign", ssh_keysign_path) }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
index b06051b91eb8..23ef16dd74e4 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_su/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol7: OL07-00-030680
 stigid@ol8: OL08-00-030190
 stigid@sle12: SLES-12-020250
- stigid@sle15: SLES-15-030550
 {{{ ocil_fix_srg_privileged_command("su") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
index f6ff8c742532..eb0dbd52a02e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudo/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol7: OL07-00-030690
 stigid@ol8: OL08-00-030550
 stigid@sle12: SLES-12-020260
- stigid@sle15: SLES-15-030560
 {{{ ocil_fix_srg_privileged_command("sudo") }}}
 template:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
index b759481795fa..cad432585f78 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml
@@ -41,7 +41,6 @@ references:
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 nist@sle15: AU-3,AU-3.1,AU-12(a),AU-12.1(ii),AU-12.1(iv)
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-APP-000495-CTR-001235,SRG-OS-000755-GPOS-00220
- stigid@sle15: SLES-15-030330
 {{{ ocil_fix_srg_privileged_command("sudoedit") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml
index 79d46e355833..daf3ab9d1524 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix2_chkpwd/rule.yml
@@ -40,7 +40,6 @@ references:
 nist: AC-2(4),AU-2(d),AU-3,AU-3.1,AU-12(a),AU-12(c),AU-12.1(ii),AU-12.1(iv),AC-6(9),CM-6(a),MA-4(1)(a)
 nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
 srg: SRG-OS-000042-GPOS-00020,SRG-OS-000392-GPOS-00172,SRG-OS-000471-GPOS-00215,SRG-OS-000037-GPOS-00015
- stigid@sle15: SLES-15-030110
 ocil_clause: '{{{ ocil_clause_audit() }}}'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
index e6232d15e0ec..7ea79357ec34 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml
@@ -52,7 +52,6 @@ references:
 stigid@ol7: OL07-00-030640
 stigid@ol8: OL08-00-030317
 stigid@sle12: SLES-12-020680
- stigid@sle15: SLES-15-030110
 {{{ ocil_fix_srg_privileged_command("unix_chkpwd") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
index a11911aa46bb..5e5db6abfde2 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_usermod/rule.yml
@@ -34,7 +34,6 @@ references:
 srg: SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000471-GPOS-00215,SRG-OS-000466-GPOS-00210,SRG-APP-000495-CTR-001235,SRG-APP-000499-CTR-001255
 stigid@ol8: OL08-00-030560
 stigid@sle12: SLES-12-020700
- stigid@sle15: SLES-15-030500
 {{{ ocil_fix_srg_privileged_command("usermod") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
index 73892895915f..f166c2ac0612 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_enable_syscall_auditing/rule.yml
@@ -27,7 +27,6 @@ references:
 nist@sle15: CM-6(b),CM-6.1(iv)
 srg: SRG-OS-000480-GPOS-00227
 stigid@sle12: SLES-12-020199
- stigid@sle15: SLES-15-030820
 ocil_clause: 'syscall auditing is still disabled'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_etc_cron_d/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_etc_cron_d/rule.yml
index ee6310e4b4ac..a99495e5f445 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_etc_cron_d/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_etc_cron_d/rule.yml
@@ -25,7 +25,6 @@ identifiers:
 references:
 srg: SRG-OS-000471-GPOS-00215
 stigid@ol8: OL08-00-030645
- stigid@sle15: SLES-15-030015
 ocil_clause: 'the command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
index 34878e01a7eb..26d66e2637a5 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
@@ -55,7 +55,6 @@ references:
 stigid@ol7: OL07-00-030740
 stigid@ol8: OL08-00-030302
 stigid@sle12: SLES-12-020290
- stigid@sle15: SLES-15-030350
 {{{ complete_ocil_entry_audit_syscall(syscall="mount") }}}
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/rule.yml
index 0abf1d04bff6..83bfc83dfa07 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/rule.yml
@@ -27,7 +27,6 @@ references:
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 nist: AU-12(c),AU-12.1(iv)
 srg: SRG-OS-000472-GPOS-00217
- stigid@sle15: SLES-15-030780
 ocil_clause: 'Audit rule is not present'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml
index 9b6006221f70..700af289abff 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml
@@ -27,7 +27,6 @@ references:
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 nist: AU-12(c),AU-12.1(iv)
 srg: SRG-OS-000472-GPOS-00217
- stigid@sle15: SLES-15-030760
 ocil_clause: 'Audit rule is not present'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml
index 8123c1cf0486..37c025ce1f0c 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml
@@ -27,7 +27,6 @@ references:
 hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
 nist: AU-12(c),AU-12.1(iv)
 srg: SRG-OS-000472-GPOS-00217
- stigid@sle15: SLES-15-030770
 ocil_clause: 'Audit rule is not present'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
index 6c5ecb7c051b..dbb71bf09081 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_suid_privilege_function/rule.yml
@@ -55,7 +55,6 @@ references:
 stigid@ol7: OL07-00-030360
 stigid@ol8: OL08-00-030000
 stigid@sle12: SLES-12-020240
- stigid@sle15: SLES-15-030640
 warnings:
 - general: |-
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
index afbf92bad9f3..dd5d67cccb85 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/rule.yml
@@ -40,7 +40,6 @@ references:
 pcidss: Req-10.2.2,Req-10.2.5.b
 srg: SRG-OS-000004-GPOS-00004,SRG-OS-000037-GPOS-00015,SRG-OS-000042-GPOS-00020,SRG-OS-000062-GPOS-00031,SRG-OS-000304-GPOS-00121,SRG-OS-000392-GPOS-00172,SRG-OS-000462-GPOS-00206,SRG-OS-000470-GPOS-00214,SRG-OS-000471-GPOS-00215,SRG-OS-000239-GPOS-00089,SRG-OS-000240-GPOS-00090,SRG-OS-000241-GPOS-00091,SRG-OS-000303-GPOS-00120,SRG-OS-000304-GPOS-00121,SRG-OS-000466-GPOS-00210,SRG-OS-000476-GPOS-00221,SRG-APP-000026-CTR-000070,SRG-APP-000027-CTR-000075,SRG-APP-000028-CTR-000080,SRG-APP-000291-CTR-000675,SRG-APP-000292-CTR-000680,SRG-APP-000293-CTR-000685,SRG-APP-000294-CTR-000690,SRG-APP-000319-CTR-000745,SRG-APP-000320-CTR-000750,SRG-APP-000509-CTR-001305
 stigid@ol7: OL07-00-030700
- stigid@sle15: SLES-15-030140
 ocil_clause: 'there is not output'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index 2cb871c443a5..e0fdb636d9d0 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-030871
 stigid@ol8: OL08-00-030170
 stigid@sle12: SLES-12-020210
- stigid@sle15: SLES-15-030010
 ocil_clause: 'the command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
index 8a516287c055..a2a90e4ef448 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_gshadow/rule.yml
@@ -42,7 +42,6 @@ references:
 stigid@ol7: OL07-00-030872
 stigid@ol8: OL08-00-030160
 stigid@sle12: SLES-12-020590
- stigid@sle15: SLES-15-030040
 ocil_clause: 'the system is not configured to audit account changes'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index fefa3e9986db..0220ee822f6e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol7: OL07-00-030874
 stigid@ol8: OL08-00-030140
 stigid@sle12: SLES-12-020230
- stigid@sle15: SLES-15-030030
 ocil_clause: 'the command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
index 6ce2b2440e2d..fbc56cd1e9d3 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_passwd/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-030870
 stigid@ol8: OL08-00-030150
 stigid@sle12: SLES-12-020200
- stigid@sle15: SLES-15-030000
 ocil_clause: 'the command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index f2d70b0ad6db..c2635f61b69b 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-030873
 stigid@ol8: OL08-00-030130
 stigid@sle12: SLES-12-020220
- stigid@sle15: SLES-15-030020
 ocil_clause: 'command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_var_spool_cron/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_var_spool_cron/rule.yml
index 52ea2600f43d..256de8d5e40f 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_var_spool_cron/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_var_spool_cron/rule.yml
@@ -21,7 +21,6 @@ identifiers:
 references:
 srg: SRG-OS-000363-GPOS-00150,SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201
 stigid@ol8: OL08-00-030645
- stigid@sle15: SLES-15-030015
 ocil_clause: 'command does not return a line, or the line is commented out'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
index 75fa45032f97..96377ee9f4fd 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
@@ -36,7 +36,6 @@ references:
 srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
 stigid@ol7: OL07-00-030300
 stigid@sle12: SLES-12-020090
- stigid@sle15: SLES-15-030690
 ocil_clause: 'audispd is not sending logs to a remote system'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml
index a1de9a5f04ec..ac6a3f8b1d46 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml
@@ -49,7 +49,6 @@ references:
 srg: SRG-OS-000341-GPOS-00132,SRG-OS-000342-GPOS-00133
 stigid@ol8: OL08-00-030660
 stigid@sle12: SLES-12-020020
- stigid@sle15: SLES-15-030660
 ocil_clause: 'audispd is not sending logs to a remote system and the local partition has inadequate space'
diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
index d6550b17d4dc..0450e1257133 100644
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
+++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action/rule.yml
@@ -32,7 +32,6 @@ references: srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 stigid@ol7: OL07-00-030320 stigid@sle12: SLES-12-020110 - stigid@sle15: SLES-15-030800 ocil_clause: 'the system is not configured to switch to single user mode for corrective action' diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml index 392f1d108eca..e58ffbc190cc 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/rule.yml @@ -36,7 +36,6 @@ references: srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 stigid@ol7: OL07-00-030310 stigid@sle12: SLES-12-020080 - stigid@sle15: SLES-15-030680 ocil_clause: 'audispd is not encrypting audit records when sent over the network' diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml index a0b72828507b..9699111745fa 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml @@ -34,7 +34,6 @@ references: srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224 stigid@ol7: OL07-00-030321 stigid@sle12: SLES-12-020100 - stigid@sle15: SLES-15-030790 ocil_clause: 'the system is not configured to switch to single user mode for corrective action' diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml index 1a082a24dd21..474732a91f3e 100644 
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml @@ -50,7 +50,6 @@ references: srg: SRG-OS-000047-GPOS-00023 stigid@ol8: OL08-00-030060 stigid@sle12: SLES-12-020060 - stigid@sle15: SLES-15-030590 ocil_clause: there is no evidence of appropriate action diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml index 89d28223895a..0ad31052f022 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml @@ -46,7 +46,6 @@ references: stigid@ol7: OL07-00-030350 stigid@ol8: OL08-00-030020 stigid@sle12: SLES-12-020040 - stigid@sle15: SLES-15-030570 ocil_clause: 'the value of the "action_mail_acct" keyword is not set to "{{{ xccdf_value("var_auditd_action_mail_acct") }}}" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure' diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml index b0142a0ae32f..14c366e67f49 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/rule.yml 
@@ -39,7 +39,6 @@ references: pcidss: Req-10.7 srg: SRG-OS-000343-GPOS-00134 stigid@sle12: SLES-12-020030 - stigid@sle15: SLES-15-030700 ocil_clause: 'the system is not configured a specific size in MB to notify administrators of an issue' diff --git a/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml b/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml index 7cce12f50fee..b2e539a90b9c 100644 --- a/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml +++ b/linux_os/guide/auditing/package_audit-audispd-plugins_installed/rule.yml @@ -25,7 +25,6 @@ references: pcidss: Req-10.5.3 srg: SRG-OS-000342-GPOS-00133 stigid@sle12: SLES-12-020070 - stigid@sle15: SLES-15-030670 template: name: package_installed diff --git a/linux_os/guide/auditing/package_audit_installed/rule.yml b/linux_os/guide/auditing/package_audit_installed/rule.yml index 47f71637a7a2..99a5b4b50ead 100644 --- a/linux_os/guide/auditing/package_audit_installed/rule.yml +++ b/linux_os/guide/auditing/package_audit_installed/rule.yml @@ -31,7 +31,6 @@ references: srg: SRG-OS-000062-GPOS-00031,SRG-OS-000037-GPOS-00015,SRG-OS-000038-GPOS-00016,SRG-OS-000039-GPOS-00017,SRG-OS-000040-GPOS-00018,SRG-OS-000041-GPOS-00019,SRG-OS-000042-GPOS-00021,SRG-OS-000051-GPOS-00024,SRG-OS-000054-GPOS-00025,SRG-OS-000122-GPOS-00063,SRG-OS-000254-GPOS-00095,SRG-OS-000255-GPOS-00096,SRG-OS-000337-GPOS-00129,SRG-OS-000348-GPOS-00136,SRG-OS-000349-GPOS-00137,SRG-OS-000350-GPOS-00138,SRG-OS-000351-GPOS-00139,SRG-OS-000352-GPOS-00140,SRG-OS-000353-GPOS-00141,SRG-OS-000354-GPOS-00142,SRG-OS-000358-GPOS-00145,SRG-OS-000365-GPOS-00152,SRG-OS-000392-GPOS-00172,SRG-OS-000475-GPOS-00220 stigid@ol8: OL08-00-030180 stigid@sle12: SLES-12-020000 - stigid@sle15: SLES-15-030650 {{{ complete_ocil_entry_package_installed("audit") }}} 
diff --git a/linux_os/guide/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/auditing/service_auditd_enabled/rule.yml index eed3adb9361c..9e2d7467b6d5 100644 --- a/linux_os/guide/auditing/service_auditd_enabled/rule.yml +++ b/linux_os/guide/auditing/service_auditd_enabled/rule.yml @@ -55,7 +55,6 @@ references: stigid@ol7: OL07-00-030000 stigid@ol8: OL08-00-030181 stigid@sle12: SLES-12-020010 - stigid@sle15: SLES-15-030050 ocil_clause: 'the auditd service is not running' diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml index 4ec2e5eb9b1d..51f081c92928 100644 --- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml +++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml @@ -47,7 +47,6 @@ references: stigid@ol7: OL07-00-021300 stigid@ol8: OL08-00-010670 stigid@sle12: SLES-12-010840 - stigid@sle15: SLES-15-040190 ocil_clause: |- {{{ ocil_clause_service_disabled(service=kdump_service) }}} diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml index 783ab5e16d83..b317e42603e5 100644 --- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml +++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml @@ -34,7 +34,6 @@ references: stigid@ol7: OL07-00-040690 stigid@ol8: OL08-00-040360 stigid@sle12: SLES-12-030011 - stigid@sle15: SLES-15-010030 {{{ complete_ocil_entry_package_removed("vsftpd") }}} diff --git a/linux_os/guide/services/mail/package_mailx_installed/rule.yml b/linux_os/guide/services/mail/package_mailx_installed/rule.yml index b61f166bb54b..53f880436871 100644 --- a/linux_os/guide/services/mail/package_mailx_installed/rule.yml +++ b/linux_os/guide/services/mail/package_mailx_installed/rule.yml 
@@ -24,7 +24,6 @@ references: stigid@ol7: OL07-00-020028 stigid@ol8: OL08-00-010358 stigid@sle12: SLES-12-010498 - stigid@sle15: SLES-15-010418 {{{ complete_ocil_entry_package_installed("mailx") }}} diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml index 721e16e03d13..dc6b5f92b1ae 100644 --- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml +++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml @@ -33,7 +33,6 @@ references: nist@sle12: AU-5(a),AU-5.1(ii) srg: SRG-OS-000046-GPOS-00022 stigid@sle12: SLES-12-020050 - stigid@sle15: SLES-15-030580 ocil_clause: 'the alias is not set' diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml index c40c189335a9..969fe8297b17 100644 --- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_noexec_remote_filesystems/rule.yml @@ -33,7 +33,6 @@ references: stigid@ol7: OL07-00-021021 stigid@ol8: OL08-00-010630 stigid@sle12: SLES-12-010820 - stigid@sle15: SLES-15-040170 ocil_clause: 'the setting does not show' diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml index 38f6ec6e3b96..127a8a6bd73c 100644 
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml +++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_nosuid_remote_filesystems/rule.yml @@ -31,7 +31,6 @@ references: stigid@ol7: OL07-00-021020 stigid@ol8: OL08-00-010650 stigid@sle12: SLES-12-010810 - stigid@sle15: SLES-15-040160 ocil_clause: 'the setting does not show' diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml index 44ddd9bffe6c..127107dd6931 100644 --- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml +++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml @@ -93,7 +93,6 @@ references: stigid@ol7: OL07-00-040500 stigid@ol8: OL08-00-030740 stigid@sle12: SLES-12-030300 - stigid@sle15: SLES-15-010400 ocil_clause: '"maxpoll" has not been set to the value of "{{{ xccdf_value("var_time_service_set_maxpoll") }}}", is commented out, or is missing' diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml index 8ce212e83bd9..21f616906a23 100644 --- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml @@ -30,7 +30,6 @@ references: stigid@ol7: OL07-00-040550 stigid@ol8: OL08-00-010460 stigid@sle12: SLES-12-010410 - stigid@sle15: SLES-15-040030 ocil_clause: 'shosts.equiv files exist' diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml index 4006cb47e6b3..8f017817cb6c 100644 --- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml 
+++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml @@ -33,7 +33,6 @@ references: stigid@ol7: OL07-00-040540 stigid@ol8: OL08-00-010470 stigid@sle12: SLES-12-010400 - stigid@sle15: SLES-15-040020 ocil_clause: '.shosts files exist' diff --git a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml index e561d5b0e872..cf53228d3f0d 100644 --- a/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml +++ b/linux_os/guide/services/obsolete/telnet/package_telnet-server_removed/rule.yml @@ -49,7 +49,6 @@ references: stigid@ol7: OL07-00-021710 stigid@ol8: OL08-00-040000 stigid@sle12: SLES-12-030000 - stigid@sle15: SLES-15-010180 {{{ complete_ocil_entry_package_removed("telnet-server") }}} diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml index 12abf9b815e0..19e271aeb554 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml @@ -53,7 +53,6 @@ references: stigid@ol7: OL07-00-040420 stigid@ol8: OL08-00-010490 stigid@sle12: SLES-12-030220 - stigid@sle15: SLES-15-040250 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*_key", perms=perms) }}}' diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml index 3b9cbd89a694..ff67037f7504 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml 
@@ -37,7 +37,6 @@ references: stigid@ol7: OL07-00-040410 stigid@ol8: OL08-00-010480 stigid@sle12: SLES-12-030210 - stigid@sle15: SLES-15-040240 ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/ssh/*.pub", perms="-rw-r--r--") }}}' diff --git a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml index 413c576c4c4e..d8db9865785a 100644 --- a/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml +++ b/linux_os/guide/services/ssh/service_sshd_enabled/rule.yml @@ -41,7 +41,6 @@ references: stigid@ol7: OL07-00-040310 stigid@ol8: OL08-00-040160 stigid@sle12: SLES-12-030100 - stigid@sle15: SLES-15-010530 ocil: |- {{{ ocil_service_enabled(service="sshd") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml index bf30c05996fd..8fdba2019c41 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml @@ -52,7 +52,6 @@ references: stigid@ol7: OL07-00-010300 stigid@ol8: OL08-00-020330 stigid@sle12: SLES-12-030150 - stigid@sle15: SLES-15-040440 {{{ complete_ocil_entry_sshd_option(default="yes", option="PermitEmptyPasswords", value="no") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml index 1ef15a5e2329..9611b90f49d6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_root_login/rule.yml @@ -49,7 +49,6 @@ references: stigid@ol7: OL07-00-040370 stigid@ol8: OL08-00-010550 stigid@sle12: SLES-12-030140 - stigid@sle15: SLES-15-020040 {{{ complete_ocil_entry_sshd_option(default="no", option="PermitRootLogin", value="no") }}} 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml index d4abee5dde5a..12aaf6c0a1c6 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml @@ -41,7 +41,6 @@ references: stigid@ol7: OL07-00-040380 stigid@ol8: OL08-00-010520 stigid@sle12: SLES-12-030200 - stigid@sle15: SLES-15-040230 {{{ complete_ocil_entry_sshd_option(default="no", option="IgnoreUserKnownHosts", value="yes") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index 1d33a6010b04..7cb3e19bb25a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -42,7 +42,6 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040710 stigid@ol8: OL08-00-040340 - stigid@sle15: SLES-15-040290 {{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml index b750d64addb7..e7a296e61cd4 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml @@ -47,7 +47,6 @@ references: stigid@ol7: OL07-00-010460 stigid@ol8: OL08-00-010830 stigid@sle12: SLES-12-030151 - stigid@sle15: SLES-15-040440 {{{ complete_ocil_entry_sshd_option(default="yes", option="PermitUserEnvironment", value="no") }}} 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml index f5c61c48fb5a..36eba2f144da 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml @@ -45,7 +45,6 @@ references: stigid@ol7: OL07-00-040450 stigid@ol8: OL08-00-010500 stigid@sle12: SLES-12-030230 - stigid@sle15: SLES-15-040260 {{{ complete_ocil_entry_sshd_option(default="yes", option="StrictModes", value="yes") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml index 97a343d7f47d..6edaa7cb018f 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_warning_banner/rule.yml @@ -47,7 +47,6 @@ references: stigid@ol7: OL07-00-040170 stigid@ol8: OL08-00-010040 stigid@sle12: SLES-12-030050 - stigid@sle15: SLES-15-010040 {{{ complete_ocil_entry_sshd_option(default="no", option="Banner", value="/etc/issue") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml index 8f73ef35dde4..ab2ed4bfa1c0 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml @@ -39,7 +39,6 @@ references: stigid@ol7: OL07-00-040360 stigid@ol8: OL08-00-020350 stigid@sle12: SLES-12-030130 - stigid@sle15: SLES-15-020120 {{{ complete_ocil_entry_sshd_option(default="yes", option="PrintLastLog", value="yes") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml index 544ce16bf731..b3129efba1b9 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml @@ -53,7 +53,6 @@ references: stigid@ol7: OL07-00-040320 stigid@ol8: OL08-00-010201 stigid@sle12: SLES-12-030190 - stigid@sle15: SLES-15-010280 requires: - sshd_set_keepalive diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml index 64c59df51a54..efb4f21ef565 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml @@ -52,7 +52,6 @@ references: srg: SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109 stigid@ol8: OL08-00-010200 stigid@sle12: SLES-12-030191 - stigid@sle15: SLES-15-010320 requires: - sshd_set_idle_timeout diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml index 54b1c2a29e84..28615f381a19 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml @@ -48,7 +48,6 @@ references: srg: SRG-OS-000126-GPOS-00066,SRG-OS-000163-GPOS-00072,SRG-OS-000279-GPOS-00109 stigid@ol7: OL07-00-040340 stigid@sle12: SLES-12-030191 - stigid@sle15: SLES-15-010320 requires: - sshd_set_idle_timeout diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml index 43da92e7c0b8..0578a2c6e32c 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml 
@@ -38,7 +38,6 @@ references: pcidss: Req-2.2.4 srg: SRG-OS-000032-GPOS-00013 stigid@sle12: SLES-12-030110 - stigid@sle15: SLES-15-010150 {{{ complete_ocil_entry_sshd_option(default="no", option="LogLevel", value="VERBOSE") }}} diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml index cd40734f9337..1df6bc5c0b54 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml @@ -69,7 +69,6 @@ references: nist-csf: PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-1,PR.PT-1,PR.PT-3,PR.PT-4 srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 stigid@sle12: SLES-12-030170 - stigid@sle15: SLES-15-010160 ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml index b4be9801bb8c..cf22ac9ea35e 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml @@ -42,7 +42,6 @@ identifiers: references: srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174 stigid@ol7: OL07-00-040110 - stigid@sle15: SLES-15-010160 ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml index 7277f511fce2..06de73351bf6 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_kex_ordered_stig/rule.yml @@ -47,7 +47,6 @@ references: srg: SRG-OS-000250-GPOS-00093 stigid@ol7: OL07-00-040712 stigid@sle12: SLES-12-030270 - stigid@sle15: SLES-15-040450 ocil_clause: 'KexAlgorithms option is commented out, contains non-approved algorithms, or the FIPS-approved algorithms are not in the exact order' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml index 3bbdfb623b90..ffd406360c26 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml @@ -60,7 +60,6 @@ references: nist-csf: PR.AC-1,PR.AC-3,PR.DS-5,PR.PT-4 srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174 stigid@sle12: SLES-12-030180 - stigid@sle15: SLES-15-010270 ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml index 0f64f3deec7b..777525e2e876 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml @@ -35,7 +35,6 @@ identifiers: references: srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174 stigid@ol7: OL07-00-040400 - stigid@sle15: SLES-15-010270 ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms' diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml index 3925f749f3cb..151c3fc8178a 100644 
--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml @@ -37,7 +37,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040460 stigid@sle12: SLES-12-030240 - stigid@sle15: SLES-15-040270 + ocil_clause: 'it is commented out or is not enabled' diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml index 7d9555ff3306..8cfc3de81746 100644 --- a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml +++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml @@ -38,7 +38,6 @@ references: nist-csf: PR.AC-1,PR.AC-6,PR.AC-7 srg: SRG-OS-000383-GPOS-00166 stigid@sle12: SLES-12-010670 - stigid@sle15: SLES-15-010490 ocil_clause: 'it does not exist or is not configured properly' diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml index 8acb5361f37f..2d10b6536726 100644 --- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml +++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml @@ -46,7 +46,6 @@ references: srg: SRG-OS-000383-GPOS-00166 stigid@ol8: OL08-00-020290 stigid@sle12: SLES-12-010680 - stigid@sle15: SLES-15-010500 ocil_clause: 'it does not exist or is not configured properly' diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml index cde6be2b7342..fab7fe742a8e 100644 --- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml @@ -119,7 +119,6 @@ references: stigid@ol7: OL07-00-010050 stigid@ol8: OL08-00-010060 stigid@sle12: SLES-12-010030 - stigid@sle15: SLES-15-010020 platform: system_with_kernel 
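Review bot: In sshd_use_priv_separation/rule.yml the removed `stigid@sle15: SLES-15-040270` line is replaced by an added empty or whitespace-only `+` line, so the hunk is `@@ -37,7 +37,7 @@` while the sibling rule.yml hunks are plain one-line deletions (`+N,6`). Judging by the line counts, this leaves a second blank line (possibly with trailing whitespace, which this page does not show) between the last reference entry and `ocil_clause:`. Drop the added line so the hunk becomes `@@ -37,7 +37,6 @@` like the others. The display_login_attempts/rule.yml hunk (`@@ -60,7 +60,7 @@`) has the same stray line after `stigid@sle12: SLES-12-010390`, before `platform:`.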
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml index 9cce04ec9ae5..fce9aa9352c1 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/banner_etc_gdm_banner/rule.yml @@ -54,7 +54,6 @@ identifiers: references: nist: AC-8(b) stigid@sle12: SLES-12-030020 - stigid@sle15: SLES-15-010060 ocil_clause: 'it does not display the required banner' diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml index 8bcc7bc8f8ca..8c8d5b4a5827 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/rule.yml @@ -51,7 +51,6 @@ references: stigid@ol7: OL07-00-010030 stigid@ol8: OL08-00-010049 stigid@sle12: SLES-12-010040 - stigid@sle15: SLES-15-010080 ocil_clause: 'it is not' diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml index 38877d7ec66e..93aa7c489403 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/rule.yml @@ -55,7 +55,6 @@ references: stigid@ol7: OL07-00-010040 stigid@ol8: OL08-00-010050 stigid@sle12: SLES-12-010050 - stigid@sle15: SLES-15-010090 ocil_clause: 'it does not' 
diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gui_login_dod_acknowledgement/rule.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gui_login_dod_acknowledgement/rule.yml index ca4ae3b37f54..f686afc0aeb2 100644 --- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gui_login_dod_acknowledgement/rule.yml +++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gui_login_dod_acknowledgement/rule.yml @@ -59,7 +59,6 @@ references: nist: AC-8 a,AC-8.1 (ii),AC-8 b,AC-8.1 (iii) srg: SRG-OS-000023-GPOS-00006 stigid@sle12: SLES-12-010020 - stigid@sle15: SLES-15-010050 ocil_clause: 'the GNOME environment does not display the standard mandatory DoD notice and consent banner' diff --git a/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml b/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml index af715fd37ae7..ac5060bb0a26 100644 --- a/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml @@ -29,7 +29,6 @@ references: stigid@ol7: OL07-00-010344 stigid@ol8: OL08-00-010385 stigid@sle12: SLES-12-010114 - stigid@sle15: SLES-15-020104 ocil_clause: |- system is configured to bypass password requirements for privilege escalation diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml index 535d7f30c19c..9721547f0512 100644 --- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml @@ -60,7 +60,7 @@ references: stigid@ol7: OL07-00-040530 stigid@ol8: OL08-00-020340 stigid@sle12: SLES-12-010390 - stigid@sle15: SLES-15-020080 + platform: package[pam] and system_with_kernel 
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml index 8555409a4c7b..6d4c44e265fc 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml @@ -26,7 +26,6 @@ references: nist@sle12: CM-6(b),CM-6.1(iv) srg: SRG-OS-000480-GPOS-00226 stigid@sle12: SLES-12-010370 - stigid@sle15: SLES-15-040010 ocil_clause: 'the value of delay is not set properly or the line is commented or missing' diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/rule.yml index a535d2645ea6..205f54d2f633 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2/rule.yml @@ -47,7 +47,6 @@ references: pcidss: Req-8.1.6 srg: SRG-OS-000021-GPOS-00005 stigid@sle12: SLES-12-010130 - stigid@sle15: SLES-15-020010 ocil_clause: 'the account option is missing or commented out' diff --git a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml index 0c2f23c62d71..6749f438f535 100644 --- a/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/pam_disable_automatic_configuration/rule.yml 
@@ -26,7 +26,6 @@ references:
 nist@sle12: CM-6(b),CM-6.1(iv)
 srg: SRG-OS-000480-GPOS-00227
 stigid@sle12: SLES-12-010910
- stigid@sle15: SLES-15-040220
 ocil_clause: 'there is output'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml
index 3a3d8a90382b..9d1339074db9 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml
@@ -31,7 +31,6 @@ references:
 pcidss: Req-8.2.3
 srg: SRG-OS-000071-GPOS-00039
 stigid@sle12: SLES-12-010170
- stigid@sle15: SLES-15-020150
 ocil_clause: 'dcredit is not found or not set to the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml
index f7ce3211bbca..8979c17c24c5 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml
@@ -32,7 +32,6 @@ references:
 nist@sle15: IA-5(1).1(v),IA-5(1)(b)
 srg: SRG-OS-000072-GPOS-00040
 stigid@sle12: SLES-12-010190
- stigid@sle15: SLES-15-020160
 ocil_clause: 'difok is not found or not set to the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml
index ba21d26c306c..cec08d97d8c2 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml
@@ -33,7 +33,6 @@ references:
 pcidss: Req-8.2.3
 srg: SRG-OS-000070-GPOS-00038
 stigid@sle12: SLES-12-010160
- stigid@sle15: SLES-15-020140
 ocil_clause: 'lcredit is not found or not set to the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml
index 9dcca5707ea8..df034053a731 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml
@@ -30,7 +30,6 @@ references:
 pcidss: Req-8.2.3
 srg: SRG-OS-000078-GPOS-00046
 stigid@sle12: SLES-12-010250
- stigid@sle15: SLES-15-020260
 ocil_clause: 'minlen is not found or not set to the required value (or higher)'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
index 06794ce968d2..f8c2b0195cb2 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
@@ -32,7 +32,6 @@ references:
 pcidss: Req-8.2.3
 srg: SRG-OS-000266-GPOS-00101
 stigid@sle12: SLES-12-010180
- stigid@sle15: SLES-15-020270
 ocil_clause: 'ocredit is not found or not set to the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml
index f0c3ceeafffb..dfd6923ddd5f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml
@@ -28,7 +28,6 @@ references:
 pcidss: Req-8.1.6,Req-8.1.7
 srg: SRG-OS-000480-GPOS-00225
 stigid@sle12: SLES-12-010320
- stigid@sle15: SLES-15-020290
 ocil_clause: 'retry is not found or not set to the required value (or lower)'
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml
index f480c5d0113f..b757fc8f6b11 100644
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml
@@ -33,7 +33,6 @@ references:
 pcidss: Req-8.2.3
 srg: SRG-OS-000069-GPOS-00037
 stigid@sle12: SLES-12-010150
- stigid@sle15: SLES-15-020130
 ocil_clause: 'ucredit is not found or not set to the required value'
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
index ba6db029b603..8e2b38dac3bf 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-010210
 stigid@ol8: OL08-00-010110
 stigid@sle12: SLES-12-010210
- stigid@sle15: SLES-15-010260
 ocil_clause: 'ENCRYPT_METHOD is not set to {{{ xccdf_value("var_password_hashing_algorithm") }}}'
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
index 8d6623d17811..61800d37c1b6 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/rule.yml
@@ -66,7 +66,6 @@ references:
 stigid@ol7: OL07-00-010200
 stigid@ol8: OL08-00-010159
 stigid@sle12: SLES-12-010230
- stigid@sle15: SLES-15-020170
 ocil_clause: '"{{{ xccdf_value("var_password_hashing_algorithm_pam") }}}" is missing, or is commented out'
diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml
index 6c728f535085..fea6421daef7 100644
--- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_min_rounds_logindefs/rule.yml
@@ -38,7 +38,6 @@ references:
 srg: SRG-OS-000073-GPOS-00041,SRG-OS-000120-GPOS-00061
 stigid@ol8: OL08-00-010130
 stigid@sle12: SLES-12-010240
- stigid@sle15: SLES-15-020190
 ocil_clause: 'it does not'
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
index 66c9bd659b04..d0c80daa536a 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/rule.yml
@@ -71,7 +71,6 @@ references:
 ospp: FAU_GEN.1.2
 srg: SRG-OS-000324-GPOS-00125,SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-040172
- stigid@sle15: SLES-15-040062
 ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.'
diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
index bd8d28cd1e6c..65a97968651d 100644
--- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
@@ -78,7 +78,6 @@ references:
 stigid@ol7: OL07-00-020230
 stigid@ol8: OL08-00-040170
 stigid@sle12: SLES-12-010610
- stigid@sle15: SLES-15-040060
 {{% if pkg_system == "dpkg" %}}
 platform: not container
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml
index 847d74aedec5..51d7c49af4c9 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/vlock_installed/rule.yml
@@ -41,7 +41,6 @@ references:
 srg: SRG-OS-000028-GPOS-00009,SRG-OS-000030-GPOS-00011
 stigid@ol8: OL08-00-020043
 stigid@sle12: SLES-12-010070
- stigid@sle15: SLES-15-010110
 {{{ complete_ocil_entry_package_installed(package) }}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
index cd2393b0c761..1b850e2167b1 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
@@ -55,7 +55,6 @@ references:
 stigid@ol7: OL07-00-041001
 stigid@ol8: OL08-00-010390
 stigid@sle12: SLES-12-030500
- stigid@sle15: SLES-15-010460
 ocil_clause: 'smartcard software is not installed'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_ca/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_ca/rule.yml
index 2d2231f7a7dc..b366b958ed9c 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_ca/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_ca/rule.yml
@@ -32,7 +32,6 @@ references:
 nist@sle12: IA-5 (2),IA-5(2)(a),IA-5 (2).1,IA-5(2)(d)
 srg: SRG-OS-000066-GPOS-00034,SRG-OS-000384-GPOS-00167
 stigid@sle12: SLES-12-030530
- stigid@sle15: SLES-15-010170
 ocil_clause: 'ca is not configured'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
index d81afeb2601d..3ddaaf4141fb 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
@@ -36,7 +36,6 @@ references:
 srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162,SRG-OS-000384-GPOS-00167
 stigid@ol7: OL07-00-041003
 stigid@sle12: SLES-12-030510
- stigid@sle15: SLES-15-010470
 ocil_clause: 'ocsp_on is not configured'
diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml
index 5e7b27deaa46..2e588ecac7d8 100644
--- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml
@@ -61,7 +61,6 @@ references:
 nist@sle12: IA-2(1),IA-2(1).1,IA-2(2),IA-2(2).1,IA-2(3),IA-2(3).1,IA-2(4),IA-2(4).1,IA-5(2),IA-5(2).1,IA-5(2)(c),IA-2(11),IA-2(12)
 srg: SRG-OS-000068-GPOS-00036,SRG-OS-000105-GPOS-00052,SRG-OS-000106-GPOS-00053,SRG-OS-000107-GPOS-00054,SRG-OS-000108-GPOS-00055,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162
 stigid@sle12: SLES-12-030520
- stigid@sle15: SLES-15-020030
 ocil_clause: 'non-exempt accounts are not using CAC authentication'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
index 25e02f369671..178aa93473c1 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
@@ -52,7 +52,6 @@ references:
 stigid@ol7: OL07-00-010310
 stigid@ol8: OL08-00-020260
 stigid@sle12: SLES-12-010340
- stigid@sle15: SLES-15-020050
 ocil_clause: 'the value of INACTIVE is greater than the expected value or is -1'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_admin/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_admin/rule.yml
index 3a6a09dc1967..79553b52f773 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_admin/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_emergency_admin/rule.yml
@@ -47,7 +47,6 @@ references:
 nist@sle12: AC-2(2),AC-2(2).1(ii)
 srg: SRG-OS-000123-GPOS-00064
 stigid@sle12: SLES-12-010330
- stigid@sle15: SLES-15-020060
 ocil_clause: 'any emergency administrator account or account password has an expiration date set'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
index b18ceb489871..d938157ec508 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_temp_expire_date/rule.yml
@@ -46,7 +46,6 @@ references:
 stigid@ol7: OL07-00-010271
 stigid@ol8: OL08-00-020000,OL08-00-020270
 stigid@sle12: SLES-12-010331
- stigid@sle15: SLES-15-020061
 ocil_clause: 'any temporary accounts have no expiration date set or do not expire within 72 hours'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
index 72635c289207..ca5bdbc43213 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_unique_id/rule.yml
@@ -27,7 +27,6 @@ references:
 srg: SRG-OS-000104-GPOS-00051,SRG-OS-000121-GPOS-00062
 stigid@ol8: OL08-00-020240
 stigid@sle12: SLES-12-010640
- stigid@sle15: SLES-15-010230
 # The rule check uses password probe, which doesn't support offline mode
 platform: system_with_kernel
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
index d5ef8e9d5908..de1ef38b809d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
@@ -40,7 +40,6 @@ references:
 stigid@ol7: OL07-00-020270
 stigid@ol8: OL08-00-020320
 stigid@sle12: SLES-12-010630
- stigid@sle15: SLES-15-020090
 ocil_clause: 'there are unauthorized local user accounts on the system'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
index 638bb17ea5c8..fddbdb3844f1 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
@@ -49,7 +49,6 @@ references:
 stigid@ol7: OL07-00-010250
 stigid@ol8: OL08-00-020200
 stigid@sle12: SLES-12-010280
- stigid@sle15: SLES-15-020220
 ocil_clause: 'the "PASS_MAX_DAYS" parameter value is greater than "{{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}", or commented out'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
index 942c30a87863..3c7cb3be412c 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
@@ -49,7 +49,6 @@ references:
 stigid@ol7: OL07-00-010230
 stigid@ol8: OL08-00-020190
 stigid@sle12: SLES-12-010260
- stigid@sle15: SLES-15-020200
 ocil_clause: 'the "PASS_MIN_DAYS" parameter value is not "{{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}" or greater, or is commented out'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
index d7d3318a2c51..e8459f0eb311 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_max_life_existing/rule.yml
@@ -39,7 +39,6 @@ references:
 stigid@ol7: OL07-00-010260
 stigid@ol8: OL08-00-020210
 stigid@sle12: SLES-12-010290
- stigid@sle15: SLES-15-020230
 ocil_clause: 'any results are returned that are not associated with a system account'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
index 3967d6123bdf..6589ae29b325 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_set_min_life_existing/rule.yml
@@ -35,7 +35,6 @@ references:
 stigid@ol7: OL07-00-010240
 stigid@ol8: OL08-00-020180
 stigid@sle12: SLES-12-010270
- stigid@sle15: SLES-15-020210
 ocil_clause: 'any results are returned that are not associated with a system account'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml
index f6d7d43f7c6d..b191a83151b7 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed_sha512/rule.yml
@@ -39,7 +39,6 @@ references:
 srg: SRG-OS-000073-GPOS-00041,SRG-OS-000120-GPOS-00061
 stigid@ol8: OL08-00-010120
 stigid@sle12: SLES-12-010220
- stigid@sle15: SLES-15-020180
 ocil_clause: 'any interactive user password hash does not begin with "$6"'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
index b88e482f57ca..cb75ad37779d 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml
@@ -54,7 +54,6 @@ references:
 stigid@ol7: OL07-00-010290
 stigid@ol8: OL08-00-020331,OL08-00-020332
 stigid@sle12: SLES-12-010231
- stigid@sle15: SLES-15-020300
 ocil_clause: 'NULL passwords can be used'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
index c6801ba6a896..042c0f84de87 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
@@ -39,7 +39,6 @@ references:
 stigid@ol7: OL07-00-010291
 stigid@ol8: OL08-00-010121
 stigid@sle12: SLES-12-010221
- stigid@sle15: SLES-15-020181
 ocil_clause: 'Blank or NULL passwords can be used'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
index 5293b2a6695f..8dc33ccd86e0 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
@@ -51,7 +51,6 @@ references:
 stigid@ol7: OL07-00-020310
 stigid@ol8: OL08-00-040200
 stigid@sle12: SLES-12-010650
- stigid@sle15: SLES-15-020100
 ocil_clause: 'any accounts other than "root" have a UID of "0"'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
index 47d8886b01a1..afc05beadbd9 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
@@ -43,7 +43,6 @@ references:
 nist-csf: DE.CM-1,DE.CM-3,PR.AC-1,PR.AC-4,PR.AC-6
 srg: SRG-OS-000480-GPOS-00227
 stigid@sle12: SLES-12-010631
- stigid@sle15: SLES-15-020091
 ocil_clause: 'any system account other than root has a login shell'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
index f794fe8ac0f3..06b0de56471e 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/rule.yml
@@ -31,7 +31,6 @@ references:
 stigid@ol7: OL07-00-020610
 stigid@ol8: OL08-00-010760
 stigid@sle12: SLES-12-010720
- stigid@sle15: SLES-15-020110
 ocil_clause: 'the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
index 771b65d58cd3..f56d49c0e422 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
@@ -40,7 +40,6 @@ references:
 stigid@ol7: OL07-00-040000
 stigid@ol8: OL08-00-020024
 stigid@sle12: SLES-12-010120
- stigid@sle15: SLES-15-020020
 ocil_clause: |-
 the "maxlogins" item is missing, commented out, or the value is set greater
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
index 99464727bf99..234fa57c274c 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
@@ -64,7 +64,6 @@ references:
 srg: SRG-OS-000163-GPOS-00072,SRG-OS-000029-GPOS-00010
 stigid@ol7: OL07-00-040160
 stigid@sle12: SLES-12-010090
- stigid@sle15: SLES-15-010130
 ocil_clause: 'the TMOUT value is not configured, is set to 0, or is not less than or equal to the expected setting'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
index cc67d332fa5b..2d9ad731e6c9 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
@@ -33,7 +33,6 @@ references:
 stigid@ol7: OL07-00-020730
 stigid@ol8: OL08-00-010660
 stigid@sle12: SLES-12-010780
- stigid@sle15: SLES-15-040130
 ocil_clause: 'any local initialization files are found to reference world-writable files'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
index c2d22a1d002e..71d2afa2358c 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
@@ -35,7 +35,6 @@ references:
 stigid@ol7: OL07-00-020720
 stigid@ol8: OL08-00-010690
 stigid@sle12: SLES-12-010770
- stigid@sle15: SLES-15-040120
 ocil_clause: 'any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
index 152a206f9719..c611897b5cf9 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
@@ -31,7 +31,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-010720
 stigid@sle12: SLES-12-010710
- stigid@sle15: SLES-15-040070
 ocil_clause: 'users home directory is not defined'
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index 14fc7d40a7be..bfd456b92d6d 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -34,7 +34,6 @@ references:
 stigid@ol7: OL07-00-020620
 stigid@ol8: OL08-00-010750
 stigid@sle12: SLES-12-010730
- stigid@sle15: SLES-15-040080
 ocil_clause: 'users home directory does not exist'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 46c14a7f18e4..9a873ecafe35 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -38,7 +38,6 @@ references:
 stigid@ol7: OL07-00-020650
 stigid@ol8: OL08-00-010740
 stigid@sle12: SLES-12-010750
- stigid@sle15: SLES-15-040100
 ocil_clause: 'the group ownership is incorrect'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
index aa4101b1bb1a..5a7c5553b925 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -30,7 +30,6 @@ references:
 stigid@ol7: OL07-00-020710
 stigid@ol8: OL08-00-010770
 stigid@sle12: SLES-12-010760
- stigid@sle15: SLES-15-040110
 ocil_clause: 'they are not 0740 or more permissive'
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
index 7dddff5ce8b2..f08d317a7863 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
@@ -31,7 +31,6 @@ references:
 stigid@ol7: OL07-00-020630
 stigid@ol8: OL08-00-010730
 stigid@sle12: SLES-12-010740
- stigid@sle15: SLES-15-040090
 ocil_clause: 'they are more permissive'
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
index d58c68770f4a..4ba21c40c14d 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
@@ -39,7 +39,6 @@ references:
 stigid@ol7: OL07-00-020240
 stigid@ol8: OL08-00-020351
 stigid@sle12: SLES-12-010620
- stigid@sle15: SLES-15-040420
 ocil_clause: 'the value for the "UMASK" parameter is not "{{{ xccdf_value("var_accounts_user_umask") }}}", or the "UMASK" parameter is missing or is commented out'
diff --git a/linux_os/guide/system/apparmor/apparmor_configured/rule.yml b/linux_os/guide/system/apparmor/apparmor_configured/rule.yml
index cb2776276677..e11ec847afc4 100644
--- a/linux_os/guide/system/apparmor/apparmor_configured/rule.yml
+++ b/linux_os/guide/system/apparmor/apparmor_configured/rule.yml
@@ -44,7 +44,6 @@ references:
 nist: AC-3(4),AC-6(8),AC-6(10),CM-7(5)(b),CM-7(2),SC-7(21),CM-6(a)
 srg: SRG-OS-000312-GPOS-00122,SRG-OS-000312-GPOS-00123,SRG-OS-000312-GPOS-00124,SRG-OS-000324-GPOS-00125,SRG-OS-000326-GPOS-00126,SRG-OS-000370-GPOS-00155,SRG-OS-000480-GPOS-00230,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232
 stigid@sle12: SLES-12-010600
- stigid@sle15: SLES-15-010390
 ocil_clause: 'it is not'
diff --git a/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml b/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml
index e5bbb94e024c..84d243a3084c 100644
--- a/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml
+++ b/linux_os/guide/system/apparmor/package_pam_apparmor_installed/rule.yml
@@ -23,7 +23,6 @@ references:
 nist: AC-3(4),AC-6(8),AC-6(10),CM-7(5)(b),CM-7(2),SC-7(21),CM-6(a)
 srg: SRG-OS-000312-GPOS-00122,SRG-OS-000312-GPOS-00123,SRG-OS-000312-GPOS-00124,SRG-OS-000324-GPOS-00125,SRG-OS-000326-GPOS-00126,SRG-OS-000370-GPOS-00155,SRG-OS-000480-GPOS-00230,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232
 stigid@sle12: SLES-12-010600
- stigid@sle15: SLES-15-010390
 {{{ complete_ocil_entry_package_installed("pam_apparmor") }}}
diff --git a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
index c1f8cd5e485f..d1014f68475e 100644
--- a/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_password/rule.yml
@@ -69,7 +69,6 @@ references:
 stigid@ol7: OL07-00-010482
 stigid@ol8: OL08-00-010150
 stigid@sle12: SLES-12-010430
- stigid@sle15: SLES-15-010190
 ocil_clause: 'it does not produce any output'
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
index 6af1a9a3cefb..e500f3aefed2 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/rule.yml
@@ -70,7 +70,6 @@ references:
 stigid@ol7: OL07-00-010491
 stigid@ol8: OL08-00-010140
 stigid@sle12: SLES-12-010440
- stigid@sle15: SLES-15-010200
 ocil_clause: 'no password is set'
diff --git a/linux_os/guide/system/logging/ensure_rtc_utc_configuration/rule.yml b/linux_os/guide/system/logging/ensure_rtc_utc_configuration/rule.yml
index 8b1c52aeb909..5c81f4e2dfb6 100644
--- a/linux_os/guide/system/logging/ensure_rtc_utc_configuration/rule.yml
+++ b/linux_os/guide/system/logging/ensure_rtc_utc_configuration/rule.yml
@@ -24,7 +24,6 @@ references:
 nist@sle15: AU-8(b)
 srg: SRG-OS-000359-GPOS-00146
 stigid@sle12: SLES-12-030310
- stigid@sle15: SLES-15-010410
 ocil_clause: 'the system real-time clock is not configured to use UTC as its time base'
diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
index 0dad6580056c..1a87564649f4 100644
--- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
@@ -68,7 +68,6 @@ references:
 stigid@ol7: OL07-00-031000
 stigid@ol8: OL08-00-030690
 stigid@sle12: SLES-12-030340
- stigid@sle15: SLES-15-010580
 ocil_clause: 'no evidence that the audit logs are being off-loaded to another system or media'
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
index 64e521807275..66d8a5629ec5 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/package_firewalld_installed/rule.yml
@@ -36,7 +36,6 @@ references:
 srg: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000298-GPOS-00116,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00232
 stigid@ol7: OL07-00-040520
 stigid@ol8: OL08-00-040100
- stigid@sle15: SLES-15-010220
 {{{ complete_ocil_entry_package_installed("firewalld") }}}
diff --git a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
index 2ae1eb0991d0..060e04ac813f 100644
--- a/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
+++ b/linux_os/guide/system/network/network-firewalld/firewalld_activation/service_firewalld_enabled/rule.yml
@@ -42,7 +42,6 @@ references:
 srg: SRG-OS-000096-GPOS-00050,SRG-OS-000297-GPOS-00115,SRG-OS-000480-GPOS-00227,SRG-OS-000480-GPOS-00231,SRG-OS-000480-GPOS-00232
 stigid@ol7: OL07-00-040520
 stigid@ol8: OL08-00-040101
- stigid@sle15: SLES-15-010220
 ocil_clause: '{{{ ocil_clause_service_enabled("firewalld") }}}'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index 027e308f53db..d1a716ad639f 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -34,7 +34,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-040280
 stigid@sle12: SLES-12-030363
- stigid@sle15: SLES-15-040341
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index a96d1af2a24b..b63941343a6e 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-040830
 stigid@ol8: OL08-00-040240
 stigid@sle12: SLES-12-030361
- stigid@sle15: SLES-15-040310
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.all.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
index 3bd288088266..e80c108494f9 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
@@ -34,7 +34,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-040260
 stigid@sle12: SLES-12-030364
- stigid@sle15: SLES-15-040381
 ocil_clause: 'IP forwarding value is "1" and the system is not router'
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index 8f8f0be40d5b..2d11ee02feca 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -37,7 +37,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-040210
 stigid@sle12: SLES-12-030401
- stigid@sle15: SLES-15-040350
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
index d85dc0121fc2..e9ee1d89ce81 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
@@ -43,7 +43,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-040250
 stigid@sle12: SLES-12-030362
- stigid@sle15: SLES-15-040321
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv6.conf.default.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
index 0325334a4d14..5320fadffcb7 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
@@ -24,7 +24,6 @@ references:
 nist: CM-6(b),CM-6.1(iv)
 srg: SRG-OS-000480-GPOS-00227
 stigid@sle12: SLES-12-030365
- stigid@sle15: SLES-15-040382
 ocil_clause: 'IPv6 Forwarding is not disabled'
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
index 654a99a37f0d..ad798b8e43b7 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-040641
 stigid@ol8: OL08-00-040279
 stigid@sle12: SLES-12-030390
- stigid@sle15: SLES-15-040330
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 9bd302a891fb..0a52ff93a9ca 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol7: OL07-00-040610
 stigid@ol8: OL08-00-040239
 stigid@sle12: SLES-12-030360
- stigid@sle15: SLES-15-040300
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
index ab07f2c78520..c7b1b31bea06 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-040640
 stigid@ol8: OL08-00-040209
 stigid@sle12: SLES-12-030400
- stigid@sle15: SLES-15-040340
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.accept_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index 8658fc9a8c75..1051426dbe00 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -45,7 +45,6 @@ references:
 stigid@ol7: OL07-00-040620
 stigid@ol8: OL08-00-040249
 stigid@sle12: SLES-12-030370
- stigid@sle15: SLES-15-040320
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.accept_source_route", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
index 762c418e453b..f18a6daf2ced 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
@@ -41,7 +41,6 @@ references:
 pcidss: Req-1.4.1
 srg: SRG-OS-000480-GPOS-00227,SRG-OS-000420-GPOS-00186,SRG-OS-000142-GPOS-00071
 stigid@sle12: SLES-12-030350
- stigid@sle15: SLES-15-010310
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.tcp_syncookies", value="1") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
index ac926343a9f9..dcad0b9621c1 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
@@ -42,7 +42,6 @@ references:
 stigid@ol7: OL07-00-040660
 stigid@ol8: OL08-00-040220
 stigid@sle12: SLES-12-030420
- stigid@sle15: SLES-15-040370
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.all.send_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index 30280a66307a..af141d383019 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -42,7 +42,6 @@ references:
 stigid@ol7: OL07-00-040650
 stigid@ol8: OL08-00-040270
 stigid@sle12: SLES-12-030410
- stigid@sle15: SLES-15-040360
 {{{ complete_ocil_entry_sysctl_option_value(sysctl="net.ipv4.conf.default.send_redirects", value="0") }}}
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index 240192691c53..d5be283cd59a 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -41,7 +41,6 @@ references:
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-040740
 stigid@sle12: SLES-12-030430
- stigid@sle15: SLES-15-040380
 ocil_clause: "the correct value is not returned"
diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
index ae3153889f0d..473d41c5da24 100644
--- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/rule.yml
@@ -62,7 +62,6 @@ references:
 stigid@ol7: OL07-00-041010
 stigid@ol8: OL08-00-040110
 stigid@sle12: SLES-12-030450
- stigid@sle15: SLES-15-010380
 ocil_clause: 'a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO)'
diff --git a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
index 02203bf1fc40..c248d60eeb79 100644
--- a/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
+++ b/linux_os/guide/system/network/network_sniffer_disabled/rule.yml
@@ -48,7 +48,6 @@ references:
 stigid@ol7: OL07-00-040670
 stigid@ol8: OL08-00-040330
 stigid@sle12: SLES-12-030440
- stigid@sle15: SLES-15-040390
 ocil_clause: 'any network device is in promiscuous mode'
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
index 975a75074f48..a738d1684bb3 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml
@@ -50,7 +50,6 @@ references:
 srg: SRG-OS-000138-GPOS-00069
 stigid@ol8: OL08-00-010190
 stigid@sle12: SLES-12-010460
- stigid@sle15: SLES-15-010300
 ocil_clause: 'any world-writable directories are missing the sticky bit'
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
index 0baffa7ac782..d2161f2d33be 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
@@ -39,7 +39,6 @@ references:
 stigid@ol7: OL07-00-021030
 stigid@ol8: OL08-00-010710
 stigid@sle12: SLES-12-010830
- stigid@sle15: SLES-15-040180
 ocil_clause: 'there is output'
diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
index 4a300fcd8a49..8f3de2032ed7 100644
--- a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml
@@ -48,7 +48,6 @@ references:
 nist: CM-5(6),CM-5(6).1
 srg: SRG-OS-000259-GPOS-00100
 stigid@sle12: SLES-12-010883
- stigid@sle15: SLES-15-010362
 ocil_clause: 'any of these directories are not group owned by root'
diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
index 12dc621b7fde..f5522edd8361 100644
--- a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml
@@ -46,7 +46,6 @@ references:
 nist: CM-5(6),CM-5(6).1
 srg: SRG-OS-000259-GPOS-00100
 stigid@sle12: SLES-12-010881
- stigid@sle15: SLES-15-010360
 ocil_clause: 'any of these directories are not owned by root'
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
index f04a923cd2c1..1c07f1b46b99 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
@@ -50,7 +50,6 @@ references:
 stigid@ol7: OL07-00-020330
 stigid@ol8: OL08-00-010790
 stigid@sle12: SLES-12-010700
- stigid@sle15: SLES-15-040410
 ocil_clause: 'there is output'
diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
index bae321639396..58b0ea7d907d 100644
--- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml
@@ -47,7 +47,6 @@ references:
 stigid@ol7: OL07-00-020320
 stigid@ol8: OL08-00-010780
 stigid@sle12: SLES-12-010690
- stigid@sle15: SLES-15-040400
 # The rule check uses password probe, which doesn't support offline mode
 platform: system_with_kernel
diff --git a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
index 192383d53e40..daae0440207a 100644
--- a/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_local_var_log/rule.yml
@@ -38,7 +38,6 @@ references:
 nist: SI-11(a),SI-11(b),SI-11.1(iii)
 nist-csf: PR.AC-4,PR.DS-5
 srg: SRG-OS-000205-GPOS-00083
- stigid@sle15: SLES-15-010340
 ocil_clause: 'not all log files have permission 640 or stricter'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
index e1780a7da884..a8b3b56d187e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
@@ -45,7 +45,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010351
 stigid@sle12: SLES-12-010876
- stigid@sle15: SLES-15-010356
 ocil_clause: any system-wide shared library directory is returned and is not group-owned by a required system account
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
index 83037dba7333..8679ea58a561 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
@@ -44,7 +44,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010341
 stigid@sle12: SLES-12-010874
- stigid@sle15: SLES-15-010354
 ocil_clause: any system-wide shared library directory is not owned by root
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
index 2236a9f16be3..4821a4f8c58d 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
@@ -51,7 +51,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010331
 stigid@sle12: SLES-12-010872
- stigid@sle15: SLES-15-010352
 ocil_clause: 'any of these files are group-writable or world-writable'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
index 950ff7cc9d11..33ee24fb56c6 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml
@@ -51,7 +51,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010320
 stigid@sle12: SLES-12-010882
- stigid@sle15: SLES-15-010361
 ocil_clause: 'any system commands are returned and is not group-owned by a required system account'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
index fade0c0a085e..8635ed911c34 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/rule.yml
@@ -46,7 +46,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010310
 stigid@sle12: SLES-12-010879
- stigid@sle15: SLES-15-010359
 ocil_clause: 'any system commands are found to not be owned by root'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
index 609309761ae5..074c54158a8b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -50,7 +50,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010340
 stigid@sle12: SLES-12-010873
- stigid@sle15: SLES-15-010353
 ocil_clause: 'any system wide shared library file is not owned by root'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
index 5cd917fc6c08..548b22059e11 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/rule.yml
@@ -46,7 +46,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010300
 stigid@sle12: SLES-12-010878
- stigid@sle15: SLES-15-010358
 ocil_clause: any system commands are found to be group-writable or world-writable
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index 3361cf819a9f..82a6c1fd55ca 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -50,7 +50,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010330
 stigid@sle12: SLES-12-010871
- stigid@sle15: SLES-15-010351
 ocil_clause: any system-wide shared library file is found to be group-writable or world-writable
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_system_commands_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_system_commands_dirs/rule.yml
index d404048840be..67499085dc0c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_system_commands_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_system_commands_dirs/rule.yml
@@ -32,7 +32,6 @@ references:
 nist: CM-5(6),CM-5(6).1
 srg: SRG-OS-000259-GPOS-00100
 stigid@sle12: SLES-12-010877
- stigid@sle15: SLES-15-010357
 ocil_clause: 'any system commands are found to be group or world writable'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
index 91ea1c5933f6..3dd6e903985e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
@@ -44,7 +44,6 @@ references:
 srg: SRG-OS-000259-GPOS-00100
 stigid@ol8: OL08-00-010350
 stigid@sle12: SLES-12-010875
- stigid@sle15: SLES-15-010355
 ocil_clause: any system wide shared library file is returned and is not group-owned by root
diff --git a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
index 082a67cf3ed5..4bdc36e8a7b9 100644
--- a/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/kernel_module_usb-storage_disabled/rule.yml
@@ -44,7 +44,6 @@ references:
 stigid@ol7: OL07-00-020100
 stigid@ol8: OL08-00-040080
 stigid@sle12: SLES-12-010580
- stigid@sle15: SLES-15-010480
 {{{ complete_ocil_entry_module_disable(module="usb-storage") }}}
diff --git a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
index 6a7de2130bde..6280ab63b03d 100644
--- a/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
+++ b/linux_os/guide/system/permissions/mounting/service_autofs_disabled/rule.yml
@@ -49,7 +49,6 @@ references:
 stigid@ol7: OL07-00-020110
 stigid@ol8: OL08-00-040070
 stigid@sle12: SLES-12-010590
- stigid@sle15: SLES-15-010240
 ocil_clause: |-
 {{{ ocil_clause_service_disabled(service="autofs") }}}
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
index ccb05ba12ef7..bfc934af81b1 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_home_nosuid/rule.yml
@@ -38,7 +38,6 @@ references:
 stigid@ol7: OL07-00-021000
 stigid@ol8: OL08-00-010570
 stigid@sle12: SLES-12-010790
- stigid@sle15: SLES-15-040140
 {{{ complete_ocil_entry_mount_option("/home", "nosuid") }}}
diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
index 3ca9021f3182..07d5d93eef41 100644
--- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
+++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml
@@ -43,7 +43,6 @@ references:
 stigid@ol7: OL07-00-021010
 stigid@ol8: OL08-00-010620
 stigid@sle12: SLES-12-010800
- stigid@sle15: SLES-15-040150
 ocil_clause: 'file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set'
diff --git a/linux_os/guide/system/permissions/permissions_local/file_permissions_local_var_log_messages/rule.yml b/linux_os/guide/system/permissions/permissions_local/file_permissions_local_var_log_messages/rule.yml
index 65494238b9d5..45d10c721109 100644
--- a/linux_os/guide/system/permissions/permissions_local/file_permissions_local_var_log_messages/rule.yml
+++ b/linux_os/guide/system/permissions/permissions_local/file_permissions_local_var_log_messages/rule.yml
@@ -34,7 +34,6 @@ references:
 nist@sle12: SI-11(c)
 srg: SRG-OS-000206-GPOS-00084
 stigid@sle12: SLES-12-010890
- stigid@sle15: SLES-15-010350
 ocil_clause: 'Make sure /var/log/messages is not world-readable'
diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml
index 4adf4c7a838d..9f7fd99c59f0 100644
--- a/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml
+++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_audit_binaries/rule.yml
@@ -48,7 +48,6 @@ references:
 nist@sle12: AU-9
 srg: SRG-OS-000256-GPOS-00097,SRG-OS-000257-GPOS-00098,SRG-OS-000258-GPOS-00099
 stigid@sle12: SLES-12-020130
- stigid@sle15: SLES-15-030620
 ocil: |-
 Check that permissions.local file contains the correct permissions
diff --git a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml
index 4dfe55312fbe..0684547c060f 100644
--- a/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml
+++ b/linux_os/guide/system/permissions/permissions_local/permissions_local_var_log_audit/rule.yml
@@ -45,7 +45,6 @@ references:
 nist: AU-9
 srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029
 stigid@sle12: SLES-12-020120
- stigid@sle15: SLES-15-030600
 ocil: |-
 {{% if product in slmicro %}}
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index 1f235a2e6506..03d0b130d556 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -31,7 +31,6 @@ references: srg: SRG-OS-000132-GPOS-00067,SRG-OS-000433-GPOS-00192,SRG-OS-000480-GPOS-00227 stigid@ol8: OL08-00-040283 stigid@sle12: SLES-12-030320 - stigid@sle15: SLES-15-010540 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.kptr_restrict", value="1") }}} diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml index 74ee0861e9a2..b9d14f920126 100644 --- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml @@ -37,7 +37,6 @@ references: stigid@ol7: OL07-00-040201 stigid@ol8: OL08-00-010430 stigid@sle12: SLES-12-030330 - stigid@sle15: SLES-15-010550 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.randomize_va_space", value="2") }}} diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml index 98e18049e172..04645fe52e46 100644 --- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml @@ -31,7 +31,6 @@ references: stigid@ol7: OL07-00-010375 stigid@ol8: OL08-00-010375 stigid@sle12: SLES-12-010375 - stigid@sle15: SLES-15-010375 {{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml index 7d0c8aa188f6..af69270e7a07 100644 --- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml 
+++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml @@ -87,7 +87,6 @@ references: srg: SRG-OS-000405-GPOS-00184,SRG-OS-000185-GPOS-00079,SRG-OS-000404-GPOS-00183 stigid@ol8: OL08-00-010030 stigid@sle12: SLES-12-010450 - stigid@sle15: SLES-15-010330 ocil_clause: 'partitions do not have a type of crypto_LUKS' diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml index 9ea58be5c905..51bf65c7a0d2 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml @@ -40,7 +40,6 @@ references: stigid@ol7: OL07-00-021310 stigid@ol8: OL08-00-010800 stigid@sle12: SLES-12-010850 - stigid@sle15: SLES-15-040200 {{{ complete_ocil_entry_separate_partition(part="/home") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml index 0c9ca10087f2..c5e497ff976e 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml @@ -39,7 +39,6 @@ references: stigid@ol7: OL07-00-021320 stigid@ol8: OL08-00-010540 stigid@sle12: SLES-12-010860 - stigid@sle15: SLES-15-040210 {{{ complete_ocil_entry_separate_partition(part="/var") }}} diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml index bf3efecdf5c4..2dc71b9279fa 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml 
@@ -45,7 +45,6 @@ references: stigid@ol7: OL07-00-021330 stigid@ol8: OL08-00-010542 stigid@sle12: SLES-12-010870 - stigid@sle15: SLES-15-030810 {{{ complete_ocil_entry_separate_partition(part="/var/log/audit") }}} diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml index 1e4ea5eeff96..f04ec5d4a586 100644 --- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml +++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/rule.yml @@ -34,7 +34,6 @@ references: pcidss: Req-6.2 srg: SRG-OS-000480-GPOS-00227 stigid@sle12: SLES-12-010040 - stigid@sle15: SLES-15-010090 ocil_clause: 'The system-wide dconf databases are up-to-date with regards to respective keyfiles' diff --git a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml index a6e661bccf2d..db9198b5c2c7 100644 --- a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml +++ b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/rule.yml @@ -51,7 +51,6 @@ references: cis@sle12: '1.10' cis@sle15: '1.10' stigid@sle12: SLES-12-010611 - stigid@sle15: SLES-15-040061 ocil_clause: 'DConf User profile does not exist or is not configured correctly' diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml index bab08ccef959..d00237db83d4 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml 
@@ -29,7 +29,6 @@ references: nist: CM-6(b),CM-6.1(iv) srg: SRG-OS-000480-GPOS-00229 stigid@sle12: SLES-12-010380 - stigid@sle15: SLES-15-040430 ocil_clause: 'GDM allows users to automatically login or unattended login' diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml index 6689d0bd7a5a..43409171aa20 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml @@ -47,7 +47,6 @@ references: stigid@ol7: OL07-00-010070 stigid@ol8: OL08-00-020060 stigid@sle12: SLES-12-010080 - stigid@sle15: SLES-15-010120 ocil_clause: 'idle-delay is set to 0 or a value greater than {{{ xccdf_value("inactivity_timeout_value") }}}' diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml index 52cd9f02e1d1..32be53c6324c 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/rule.yml @@ -54,7 +54,6 @@ references: stigid@ol7: OL07-00-010060 stigid@ol8: OL08-00-020030,OL08-00-020082 stigid@sle12: SLES-12-010060 - stigid@sle15: SLES-15-010100 ocil_clause: 'screensaver locking is not enabled and/or has not been set or configured correctly' diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml index d333b030f189..cfdfde610685 100644 
--- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/rule.yml @@ -66,7 +66,6 @@ references: pcidss: Req-8.1.8 srg: SRG-OS-000031-GPOS-00012 stigid@sle12: SLES-12-010100 - stigid@sle15: SLES-15-010140 ocil_clause: 'it is not set or configured properly' diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml index 8660efc708bf..d431bf75be20 100644 --- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/rule.yml @@ -42,7 +42,6 @@ references: stigid@ol7: OL07-00-010082 stigid@ol8: OL08-00-020081 stigid@sle12: SLES-12-010080 - stigid@sle15: SLES-15-010120 ocil_clause: 'idle-delay is not locked' diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml index 35e234c7d031..1a86b3a7a036 100644 --- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml +++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/rule.yml @@ -53,7 +53,6 @@ references: stigid@ol7: OL07-00-020250 stigid@ol8: OL08-00-010000 stigid@sle12: SLES-12-010000 - stigid@sle15: SLES-15-010000 ocil_clause: 'the installed operating system is not supported' diff --git a/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml b/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml index bc62444573da..8a57c3bfcb6a 100644 
--- a/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml +++ b/linux_os/guide/system/software/integrity/fips/is_fips_mode_enabled/rule.yml @@ -26,7 +26,6 @@ references: nist: SC-12(2),SC-12(3),SC-13 srg: SRG-OS-000396-GPOS-00176,SRG-OS-000478-GPOS-00223 stigid@sle12: SLES-12-010420 - stigid@sle15: SLES-15-010510 ocil_clause: the command 'cat /proc/sys/crypto/fips_enabled' returns nothing or '0' or the file does not exist diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml index cdf4ae2f1477..0bed1fdd1d2d 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/rule.yml @@ -72,7 +72,6 @@ references: stigid@ol7: OL07-00-020029 stigid@ol8: OL08-00-010359 stigid@sle12: SLES-12-010499 - stigid@sle15: SLES-15-010419 ocil_clause: 'there is no database file' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml index 71f2c91aad5e..6b88ab8de378 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_check_audit_tools/rule.yml @@ -43,7 +43,6 @@ references: srg: SRG-OS-000278-GPOS-00108 stigid@ol8: OL08-00-030650 stigid@sle12: SLES-12-010540 - stigid@sle15: SLES-15-030630 ocil_clause: 'integrity checks of the audit tools are missing or incomplete' 
diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml index c8bbd12a0744..96146c62a683 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_checking_systemd_timer/rule.yml @@ -39,7 +39,6 @@ references: pcidss: Req-11.5 srg: SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201 stigid@ol7: OL07-00-020030 - stigid@sle15: SLES-15-010570 platform: package[aide] and package[systemd] diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml index 6d56cfe2f76b..73916c24a211 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/rule.yml @@ -58,7 +58,6 @@ references: srg: SRG-OS-000363-GPOS-00150,SRG-OS-000446-GPOS-00200,SRG-OS-000447-GPOS-00201 stigid@ol7: OL07-00-020030 stigid@sle12: SLES-12-010500 - stigid@sle15: SLES-15-010420 ocil_clause: 'AIDE is not configured to scan periodically' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml index 1b959ae04a4a..5788f259eac1 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/rule.yml 
@@ -49,7 +49,6 @@ references: stigid@ol7: OL07-00-020040 stigid@ol8: OL08-00-010360 stigid@sle12: SLES-12-010510 - stigid@sle15: SLES-15-010570 ocil_clause: 'AIDE has not been configured or has not been configured to notify personnel of scan details' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml index 6563fe6a637b..95816ee1ef3e 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml @@ -48,7 +48,6 @@ references: stigid@ol7: OL07-00-021600 stigid@ol8: OL08-00-040310 stigid@sle12: SLES-12-010520 - stigid@sle15: SLES-15-040040 ocil_clause: 'the acl option is missing or not added to the correct ruleset' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml index 35ed5b595891..414f2d1b34a9 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml @@ -48,7 +48,6 @@ references: stigid@ol7: OL07-00-021610 stigid@ol8: OL08-00-040300 stigid@sle12: SLES-12-010530 - stigid@sle15: SLES-15-040050 ocil_clause: 'the xattrs option is missing or not added to the correct ruleset' diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml index dc497c0c7b9a..8ccf88085ed3 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml 
+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/package_aide_installed/rule.yml @@ -36,7 +36,6 @@ references: stigid@ol7: OL07-00-020029 stigid@ol8: OL08-00-010359 stigid@sle12: SLES-12-010499 - stigid@sle15: SLES-15-010419 {{{ complete_ocil_entry_package_installed("aide") }}} diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml index 7a41b181031c..09d6dfbc0656 100644 --- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml @@ -38,7 +38,6 @@ references: stigid@ol7: OL07-00-010350 stigid@ol8: OL08-00-010381 stigid@sle12: SLES-12-010110 - stigid@sle15: SLES-15-010450 ocil_clause: "!authenticate is specified in the sudo config files" diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml index 9d78c69d2dc6..981527510a80 100644 --- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml @@ -39,7 +39,6 @@ references: stigid@ol7: OL07-00-010340 stigid@ol8: OL08-00-010380 stigid@sle12: SLES-12-010110 - stigid@sle15: SLES-15-010450 ocil_clause: 'nopasswd is specified in the sudo config files' diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml index 9fb1274aa2b6..4fd56cc5beab 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml @@ -37,7 +37,6 @@ references: nist: IA-11,CM-6(a) nist-csf: PR.AC-1,PR.AC-7 srg: SRG-OS-000373-GPOS-00156 - stigid@sle15: SLES-15-010450 ocil_clause: 'nopasswd and/or !authenticate is enabled in sudo' 
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml index 3584ee4f2b91..7552734cfef8 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml @@ -38,7 +38,6 @@ references: stigid@ol7: OL07-00-010343 stigid@ol8: OL08-00-010384 stigid@sle12: SLES-12-010113 - stigid@sle15: SLES-15-020102 ocil_clause: 'timestamp_timeout is not set with the appropriate value for sudo' diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml index 1ca4cdf4a962..ea28e36f7e93 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml @@ -33,7 +33,6 @@ references: stigid@ol7: OL07-00-010341 stigid@ol8: OL08-00-010382 stigid@sle12: SLES-12-010111 - stigid@sle15: SLES-15-020101 ocil_clause: 'either of the commands returned a line' diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml index 901058ee9d96..947f394f2c0a 100644 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml @@ -35,7 +35,6 @@ references: stigid@ol7: OL07-00-010339 stigid@ol8: OL08-00-010379 stigid@sle12: SLES-12-010109 - stigid@sle15: SLES-15-020099 ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?" 
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml index f25049786e28..3299039b27ee 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml @@ -38,7 +38,6 @@ references: stigid@ol7: OL07-00-010342 stigid@ol8: OL08-00-010383 stigid@sle12: SLES-12-010112 - stigid@sle15: SLES-15-020103 ocil_clause: 'invoke user passwd when using sudo' diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml index 34e82036e14b..d497c1d15e91 100644 --- a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml +++ b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml @@ -47,7 +47,6 @@ references: stigid@ol7: OL07-00-020200 stigid@ol8: OL08-00-010440 stigid@sle12: SLES-12-010570 - stigid@sle15: SLES-15-010560 ocil_clause: |- {{%- if 'sle' in product or 'slmicro' in product %}} diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml index b1d83b25cc89..ff8ad9b43613 100644 --- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml +++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/rule.yml @@ -57,7 +57,6 @@ references: srg: SRG-OS-000366-GPOS-00153 stigid@ol7: OL07-00-020050 stigid@sle12: SLES-12-010550 - stigid@sle15: SLES-15-010430 ocil_clause: 'there is no process to validate certificates that is approved by the organization' diff --git a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml index 609e377fdf8f..72bae3451b10 100644 
--- a/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml +++ b/linux_os/guide/system/software/updating/security_patches_up_to_date/rule.yml @@ -67,7 +67,6 @@ references: stigid@ol7: OL07-00-020260 stigid@ol8: OL08-00-010010 stigid@sle12: SLES-12-010010 - stigid@sle15: SLES-15-010010 # SCAP 1.3 content should reference flat non compressed xml files {{% if oval_feed_url %}} diff --git a/products/sle15/profiles/stig.profile b/products/sle15/profiles/stig.profile index a4c36dd810bb..e19bb5fc9344 100644 --- a/products/sle15/profiles/stig.profile +++ b/products/sle15/profiles/stig.profile 
@@ -17,289 +17,4 @@ description: |- selections: - - var_account_disable_post_pw_expiration=35 - - var_accounts_fail_delay=4 - - var_accounts_tmout=10_min - - inactivity_timeout_value=15_minutes - - var_password_pam_dcredit=1 - - var_password_pam_lcredit=1 - - var_password_pam_minlen=15 - - var_password_pam_ocredit=1 - - var_password_pam_ucredit=1 - - var_sudo_timestamp_timeout=always_prompt - - var_password_pam_unix_remember=5 - - var_accounts_maximum_age_login_defs=60 - - var_password_pam_delay=4000000 - - login_banner_text=dod_banners - - login_banner_contents=dod_default - - dconf_login_banner_text=dod_banners - - dconf_login_banner_contents=dod_default - # - # Note: must configure "var_accounts_authorized_local_users_regex" when - # "accounts_authorized_local_users" rule is enabled - # - var_accounts_authorized_local_users_regex= - # - # NOTE: must configure "var_audispd_remote_server" when - # "auditd_audispd_configure_remote_server" rule is enabled - # - # - var_audispd_remote_server= - - var_removable_partition=dev_cdrom - - var_sssd_memcache_timeout=1_day - - var_time_service_set_maxpoll=18_hours - - var_accounts_minimum_age_login_defs=7 - - account_disable_post_pw_expiration - - account_emergency_admin - - account_disable_post_pw_expiration - - account_emergency_admin - - var_accounts_authorized_local_users_regex=sle15 - - accounts_authorized_local_users - - accounts_have_homedir_login_defs - - var_accounts_max_concurrent_login_sessions=10 - - accounts_max_concurrent_login_sessions - - accounts_maximum_age_login_defs - - accounts_no_uid_except_zero - - accounts_password_all_shadowed_sha512 - - accounts_password_set_max_life_existing - - accounts_password_set_min_life_existing - - accounts_passwords_pam_faildelay_delay - - accounts_passwords_pam_tally2 - - var_password_pam_tally2=3 - - accounts_tmout - - accounts_umask_etc_login_defs - - accounts_user_dot_no_world_writable_programs - - accounts_user_home_paths_only - - 
accounts_user_interactive_home_directory_defined - - accounts_user_interactive_home_directory_exists - - account_unique_id - - aide_build_database - - aide_check_audit_tools - - aide_periodic_cron_checking - - aide_scan_notification - - aide_verify_acls - - aide_verify_ext_attributes - - aide_periodic_checking_systemd_timer - - apparmor_configured - # - # NOTE: must configure "var_audispd_remote_server" when - # "auditd_audispd_configure_remote_server" rule is enabled - # - # - auditd_audispd_configure_remote_server - - auditd_audispd_configure_sufficiently_large_partition - - auditd_audispd_disk_full_action - - auditd_audispd_encrypt_sent_records - - auditd_audispd_network_failure_action - - var_auditd_disk_full_action=syslog - - auditd_data_disk_full_action - - auditd_data_retention_action_mail_acct - - auditd_data_retention_space_left - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - - audit_rules_enable_syscall_auditing - - audit_rules_etc_cron_d - - audit_rules_execution_chacl - - audit_rules_execution_chmod - - audit_rules_execution_chcon - - audit_rules_execution_rm - - audit_rules_execution_setfacl - - audit_rules_kernel_module_loading_delete - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - - audit_rules_login_events_lastlog - - audit_rules_login_events_tallylog - - audit_rules_media_export - - audit_rules_privileged_commands_chage - - 
audit_rules_privileged_commands_chfn - - audit_rules_privileged_commands_chsh - - audit_rules_privileged_commands_crontab - - audit_rules_privileged_commands_gpasswd - - audit_rules_privileged_commands_kmod - - audit_rules_privileged_commands_modprobe - - audit_rules_privileged_commands_newgrp - - audit_rules_privileged_commands_pam_timestamp_check - - audit_rules_privileged_commands_passmass - - audit_rules_privileged_commands_passwd - - audit_rules_privileged_commands_insmod - - audit_rules_privileged_commands_rmmod - - audit_rules_privileged_commands_ssh_agent - - audit_rules_privileged_commands_ssh_keysign - - audit_rules_privileged_commands_su - - audit_rules_privileged_commands_sudo - - audit_rules_privileged_commands_unix_chkpwd - - audit_rules_privileged_commands_unix2_chkpwd - - audit_rules_privileged_commands_usermod - - audit_rules_privileged_commands_sudoedit - - audit_rules_session_events_utmp - - audit_rules_session_events_wtmp - - audit_rules_suid_privilege_function - - audit_rules_sysadmin_actions - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_session_events_btmp - - audit_rules_unsuccessful_file_modification_renameat - - audit_rules_unsuccessful_file_modification_renameat2 - - audit_rules_unsuccessful_file_modification_rename - - audit_rules_unsuccessful_file_modification_truncate - - audit_rules_unsuccessful_file_modification_unlink - - audit_rules_unsuccessful_file_modification_unlinkat - - audit_rules_usergroup_modification_group - - audit_rules_usergroup_modification_gshadow - - audit_rules_usergroup_modification_opasswd - - audit_rules_usergroup_modification_passwd - - audit_rules_usergroup_modification_shadow - - audit_rules_var_spool_cron - - banner_etc_gdm_banner - - banner_etc_issue - - 
chronyd_or_ntpd_set_maxpoll - - clean_components_post_updating - - cracklib_accounts_password_pam_dcredit - - cracklib_accounts_password_pam_difok - - cracklib_accounts_password_pam_lcredit - - cracklib_accounts_password_pam_minlen - - cracklib_accounts_password_pam_ocredit - - cracklib_accounts_password_pam_retry - - cracklib_accounts_password_pam_ucredit - - dconf_db_up_to_date - - dconf_gnome_banner_enabled - - dconf_gnome_login_banner_text - - dconf_gnome_screensaver_idle_delay - - dconf_gnome_session_idle_user_locks - - dconf_gnome_screensaver_mode_blank - - dir_group_ownership_library_dirs - - dir_ownership_library_dirs - - dir_permissions_library_dirs - - dconf_gnome_screensaver_lock_enabled - - dir_perms_world_writable_sticky_bits - - dir_system_commands_group_root_owned - - dir_system_commands_root_owned - - dir_perms_world_writable_system_owned_group - - disable_ctrlaltdel_burstaction - - disable_ctrlaltdel_reboot - - disable_ctrlaltdel_reboot - - disallow_bypass_password_sudo - - enable_dconf_user_profile - - encrypt_partitions - - ensure_gpgcheck_globally_activated - - ensure_rtc_utc_configuration - - file_groupownership_home_directories - - file_groupownership_system_commands_dirs - - file_ownership_binary_dirs - - file_permissions_binary_dirs - - file_ownership_library_dirs - - file_permissions_home_directories - - file_permissions_library_dirs - - file_permissions_sshd_private_key - - file_permissions_sshd_pub_key - - file_permissions_system_commands_dirs - - file_permissions_ungroupowned - - file_permissions_local_var_log_messages - - file_permission_user_init_files - - gnome_gdm_disable_unattended_automatic_login - - grub2_password - - grub2_uefi_password - - gui_login_dod_acknowledgement - - installed_OS_is_vendor_supported - - install_smartcard_packages - - is_fips_mode_enabled - - kernel_module_usb-storage_disabled - - mount_option_home_nosuid - - mount_option_noexec_remote_filesystems - - mount_option_nosuid_remote_filesystems - - 
mount_option_nosuid_removable_partitions - - network_sniffer_disabled - - no_empty_passwords - - no_empty_passwords_etc_shadow - - no_files_unowned_by_user - - no_host_based_files - - no_shelllogin_for_systemaccounts - - no_user_host_based_files - - package_aide_installed - - package_audit-audispd-plugins_installed - - package_audit_installed - - package_mailx_installed - - package_pam_apparmor_installed - - package_telnet-server_removed - - package_firewalld_installed - - package_vsftpd_removed - - pam_disable_automatic_configuration - - partition_for_home - - partition_for_var - - partition_for_var_log_audit - - permissions_local_audit_binaries - - permissions_local_var_log_audit - - permissions_local_var_log - - postfix_client_configure_mail_alias - - rsyslog_remote_loghost - - root_permissions_syslibrary_files - - security_patches_up_to_date - - service_auditd_enabled - - service_autofs_disabled - - service_firewalld_enabled - - service_kdump_disabled - - service_sshd_enabled - - set_password_hashing_algorithm_logindefs - - set_password_hashing_algorithm_systemauth - - var_password_hashing_min_rounds_login_defs=100000 - - set_password_hashing_min_rounds_logindefs - - smartcard_configure_ca - - smartcard_configure_cert_checking - - smartcard_pam_enabled - - sshd_disable_empty_passwords - - sshd_disable_root_login - - sshd_disable_user_known_hosts - - sshd_disable_x11_forwarding - - sshd_do_not_permit_user_env - - sshd_enable_strictmodes - - sshd_enable_warning_banner - - sshd_print_last_log - - sshd_idle_timeout_value=10_minutes - - sshd_set_idle_timeout - - var_sshd_set_keepalive=1 - - sshd_set_keepalive - - sshd_set_loglevel_verbose - - sshd_use_approved_ciphers_ordered_stig - - sshd_use_approved_kex_ordered_stig - - sshd_use_approved_macs_ordered_stig - - sssd_memcache_timeout - - sssd_offline_cred_expiration - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_restrict_privilege_elevation_to_authorized - - sudo_require_authentication - - 
sudo_require_reauthentication - - sudoers_default_includedir - - sudoers_validate_passwd - - sysctl_kernel_dmesg_restrict - - sysctl_kernel_kptr_restrict - - sysctl_kernel_randomize_va_space - - sysctl_net_ipv4_conf_all_accept_redirects - - sysctl_net_ipv4_conf_all_accept_source_route - - sysctl_net_ipv4_conf_all_send_redirects - - sysctl_net_ipv4_conf_default_accept_redirects - - sysctl_net_ipv4_conf_default_accept_source_route - - sysctl_net_ipv4_conf_default_send_redirects - - sysctl_net_ipv4_ip_forward - - sysctl_net_ipv4_tcp_syncookies - - sysctl_net_ipv6_conf_all_forwarding - - sysctl_net_ipv6_conf_all_accept_redirects - - sysctl_net_ipv6_conf_all_accept_source_route - - sysctl_net_ipv6_conf_default_accept_redirects - - sysctl_net_ipv6_conf_default_accept_source_route - - sysctl_net_ipv6_conf_default_forwarding - - vlock_installed - - wireless_disable_interfaces + - stig_sle15:all From 6484fe8531281790230e5fc60c4a03cf29990d9c Mon Sep 17 00:00:00 2001 From: rchikov Date: Fri, 12 Jun 2026 11:29:56 +0200 Subject: [PATCH 2/5] Added control file --- products/sle15/controls/stig_sle15.yml | 1780 ++++++++++++++++++++++++ 1 file changed, 1780 insertions(+) create mode 100644 products/sle15/controls/stig_sle15.yml diff --git a/products/sle15/controls/stig_sle15.yml b/products/sle15/controls/stig_sle15.yml new file mode 100644 index 000000000000..8a8d9f6e62cd --- /dev/null +++ b/products/sle15/controls/stig_sle15.yml 
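Review bot: The new `- stig_sle15:all` selection in `products/sle15/profiles/stig.profile` points at a control file that this patch does not add; `products/sle15/controls/stig_sle15.yml` only appears in patch 2/5, so the tree at this commit presumably cannot resolve the sle15 STIG profile, and the two changes should be squashed or reordered. The removed list also carried hardening values, among them `var_password_pam_minlen=15`, `var_sudo_timestamp_timeout=always_prompt`, `var_password_pam_tally2=3` and `sshd_idle_timeout_value=10_minutes`; any of these that does not reappear under a control's `rules:` falls back to the variable's default without a build error, which weakens the baseline silently. The same applies to `auditd_audispd_configure_remote_server`, which the old list kept commented out because it needs a site-specific `var_audispd_remote_server`. I would add a comment above the selection, `# rules and variable values come from controls/stig_sle15.yml (stig_sle15:all); compare the rendered profile with the previous selection list`, and check the rendered rule and variable set against the old one before merging.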
@@ -0,0 +1,1780 @@
+policy: SUSE Linux Enterprise Server 15 Security Technical Implementation Guide
+title: SUSE Linux Enterprise Server 15 Security Technical Implementation Guide
+id: stig_sle15
+version: V2R7
+source: https://www.cyber.mil/stigs/downloads/
+reference_type: stigid
+product: sle15
+
+levels:
+ - id: high
+ - id: medium
+ - id: low
+
+controls:
+- id: SLES-15-010000
+ levels:
+ - high
+ title: The SUSE operating system must be a vendor-supported release.
+ rules:
+ - installed_OS_is_vendor_supported
+ status: automated
+- id: SLES-15-010010
+ levels:
+ - medium
+ title: Vendor-packaged SUSE operating system security patches and updates must be
+ installed and up to date.
+ rules:
+ - security_patches_up_to_date
+ status: automated
+- id: SLES-15-010020
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DOD Notice
+ and Consent Banner before granting access via local console.
+ rules:
+ - banner_etc_issue
+ - login_banner_text=dod_banners
+ - login_banner_contents=dod_default
+ status: automated
+- id: SLES-15-010030
+ levels:
+ - high
+ title: The SUSE operating system must not have the vsftpd package installed if not
+ required for operational support.
+ rules:
+ - package_vsftpd_removed
+ status: automated
+- id: SLES-15-010040
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DOD Notice
+ and Consent Banner before granting access via SSH.
+ rules:
+ - sshd_enable_warning_banner
+ status: automated
+- id: SLES-15-010050
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DoD Notice
+ and Consent Banner until users acknowledge the usage conditions and take explicit
+ actions to log on for further access to the local graphical user interface (GUI).
+ rules:
+ - gui_login_dod_acknowledgement
+ status: automated
+- id: SLES-15-010060
+ levels:
+ - medium
+ title: The SUSE operating system file /etc/gdm/banner must contain the Standard
+ Mandatory DoD Notice and Consent banner text.
+ rules:
+ - banner_etc_gdm_banner
+ status: automated
+- id: SLES-15-010080
+ levels:
+ - medium
+ title: The SUSE operating system must display a banner before granting local or
+ remote access to the system via a graphical user logon.
+ rules:
+ - dconf_gnome_banner_enabled
+ status: automated
+- id: SLES-15-010090
+ levels:
+ - medium
+ title: The SUSE operating system must display the approved Standard Mandatory DoD
+ Notice before granting local or remote access to the system via a graphical user
+ logon.
+ rules:
+ - dconf_db_up_to_date
+ - dconf_gnome_login_banner_text
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
+ status: automated
+- id: SLES-15-010100
+ levels:
+ - medium
+ title: The SUSE operating system must be able to lock the graphical user interface
+ (GUI).
+ rules:
+ - dconf_gnome_screensaver_lock_enabled
+ status: automated
+- id: SLES-15-010110
+ levels:
+ - low
+ title: The SUSE operating system must utilize vlock to allow for session locking.
+ rules:
+ - vlock_installed
+ status: automated
+- id: SLES-15-010120
+ levels:
+ - medium
+ title: The SUSE operating system must initiate a session lock after a 15-minute
+ period of inactivity for the graphical user interface (GUI).
+ rules:
+ - dconf_gnome_screensaver_idle_delay
+ - inactivity_timeout_value=15_minutes
+ - dconf_gnome_session_idle_user_locks
+ status: automated
+- id: SLES-15-010130
+ levels:
+ - medium
+ title: The SUSE operating system must initiate a session lock after a 10-minute
+ period of inactivity.
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=10_min
+ status: automated
+- id: SLES-15-010140
+ levels:
+ - low
+ title: The SUSE operating system must conceal, via the session lock, information
+ previously visible on the display with a publicly viewable image in the graphical
+ user interface (GUI).
+ rules:
+ - dconf_gnome_screensaver_mode_blank
+ status: automated
+- id: SLES-15-010150
+ levels:
+ - medium
+ title: The SUSE operating system must log SSH connection attempts and failures to
+ the server.
+ rules:
+ - sshd_set_loglevel_verbose
+ status: automated
+- id: SLES-15-010160
+ levels:
+ - medium
+ title: The SUSE operating system must implement DOD-approved encryption to protect
+ the confidentiality of SSH remote connections.
+ rules:
+ - sshd_use_approved_ciphers
+ - sshd_use_approved_ciphers_ordered_stig
+ status: automated
+- id: SLES-15-010170
+ levels:
+ - medium
+ title: The SUSE operating system, for PKI-based authentication, must validate certificates
+ by constructing a certification path (which includes status information) to an
+ accepted trust anchor.
+ rules:
+ - smartcard_configure_ca
+ status: automated
+- id: SLES-15-010180
+ levels:
+ - high
+ title: The SUSE operating system must not have the telnet-server package installed.
+ rules:
+ - package_telnet-server_removed
+ status: automated
+- id: SLES-15-010190
+ levels:
+ - high
+ title: SUSE operating systems with a basic input/output system (BIOS) must require
+ authentication upon booting into single-user and maintenance modes.
+ rules:
+ - grub2_password
+ status: automated
+- id: SLES-15-010200
+ levels:
+ - high
+ title: SUSE operating systems with Unified Extensible Firmware Interface (UEFI)
+ implemented must require authentication upon booting into single-user mode and
+ maintenance.
+ rules:
+ - grub2_uefi_password
+ status: automated
+- id: SLES-15-010220
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to prohibit or restrict the
+ use of functions, ports, protocols, and/or services as defined in the Ports, Protocols,
+ and Services Management (PPSM) Category Assignments List (CAL) and vulnerability
+ assessments.
+ rules:
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ status: automated
+- id: SLES-15-010230
+ levels:
+ - medium
+ title: The SUSE operating system must not have duplicate User IDs (UIDs) for interactive
+ users.
+ rules:
+ - account_unique_id
+ status: automated
+- id: SLES-15-010240
+ levels:
+ - medium
+ title: The SUSE operating system must disable the file system automounter.
+ rules:
+ - service_autofs_disabled
+ status: automated
+- id: SLES-15-010260
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing
+ algorithm for system authentication (login.defs).
+ rules:
+ - set_password_hashing_algorithm_logindefs
+ status: automated
+- id: SLES-15-010270
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must be configured to only use Message
+ Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
+ rules:
+ - sshd_use_approved_macs
+ - sshd_use_approved_macs_ordered_stig
+ status: automated
+- id: SLES-15-010280
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must be configured with a timeout interval.
+ rules:
+ - sshd_set_idle_timeout
+ - sshd_idle_timeout_value=10_minutes
+ status: automated
+- id: SLES-15-010300
+ levels:
+ - medium
+ title: The sticky bit must be set on all SUSE operating system world-writable directories.
+ rules:
+ - dir_perms_world_writable_sticky_bits
+ status: automated
+- id: SLES-15-010310
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to use TCP syncookies.
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: SLES-15-010320
+ levels:
+ - medium
+ title: The SUSE operating system, for all network connections associated with SSH
+ traffic, must immediately terminate at the end of the session or after 10 minutes
+ of inactivity.
+ rules:
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=1
+ - sshd_set_keepalive_0
+ status: automated
+- id: SLES-15-010330
+ levels:
+ - high
+ title: All SUSE operating system persistent disk partitions must implement cryptographic
+ mechanisms to prevent unauthorized disclosure or modification of all information
+ that requires at-rest protection.
+ rules:
+ - encrypt_partitions
+ status: automated
+- id: SLES-15-010340
+ levels:
+ - medium
+ title: The SUSE operating system must generate error messages that provide information
+ necessary for corrective actions without revealing information that could be exploited
+ by adversaries.
+ rules:
+ - permissions_local_var_log
+ status: automated
+- id: SLES-15-010350
+ levels:
+ - medium
+ title: The SUSE operating system must prevent unauthorized users from accessing
+ system error messages.
+ rules:
+ - file_permissions_local_var_log_messages
+ status: automated
+- id: SLES-15-010351
+ levels:
+ - medium
+ title: The SUSE operating system library files must have mode 0755 or less permissive.
+ rules:
+ - file_permissions_library_dirs
+ status: automated
+- id: SLES-15-010352
+ levels:
+ - medium
+ title: The SUSE operating system library directories must have mode 0755 or less
+ permissive.
+ rules:
+ - dir_permissions_library_dirs
+ status: automated
+- id: SLES-15-010353
+ levels:
+ - medium
+ title: The SUSE operating system library files must be owned by root.
+ rules:
+ - file_ownership_library_dirs
+ status: automated
+- id: SLES-15-010354
+ levels:
+ - medium
+ title: The SUSE operating system library directories must be owned by root.
+ rules:
+ - dir_ownership_library_dirs
+ status: automated
+- id: SLES-15-010355
+ levels:
+ - medium
+ title: The SUSE operating system library files must be group-owned by root.
+ rules:
+ - root_permissions_syslibrary_files
+ status: automated
+- id: SLES-15-010356
+ levels:
+ - medium
+ title: The SUSE operating system library directories must be group-owned by root.
+ rules:
+ - dir_group_ownership_library_dirs
+ status: automated
+- id: SLES-15-010357
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands set to a mode of 0755
+ or less permissive.
+ rules:
+ - file_permissions_system_commands_dirs
+ status: automated
+- id: SLES-15-010358
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ set to a mode of 0755 or less permissive.
+ rules:
+ - file_permissions_binary_dirs
+ status: automated
+- id: SLES-15-010359
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands owned by root.
+ rules:
+ - file_ownership_binary_dirs
+ status: automated
+- id: SLES-15-010360
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ owned by root.
+ rules:
+ - dir_system_commands_root_owned
+ status: automated
+- id: SLES-15-010361
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands group-owned by root or
+ a system account.
+ rules:
+ - file_groupownership_system_commands_dirs
+ status: automated
+- id: SLES-15-010362
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ group-owned by root.
+ rules:
+ - dir_system_commands_group_root_owned
+ status: automated
+- id: SLES-15-010370
+ levels:
+ - medium
+ title: The SUSE operating system must have a firewall system installed to immediately
+ disconnect or disable remote access to the whole operating system.
+ rules: []
+ status: pending
+- id: SLES-15-010380
+ levels:
+ - medium
+ title: The SUSE operating system wireless network adapters must be disabled unless
+ approved and documented.
+ rules:
+ - wireless_disable_interfaces
+ status: automated
+- id: SLES-15-010390
+ levels:
+ - medium
+ title: SUSE operating system AppArmor tool must be configured to control whitelisted
+ applications and user home directory access control.
+ rules:
+ - apparmor_configured
+ - package_pam_apparmor_installed
+ status: automated
+- id: SLES-15-010400
+ levels:
+ - medium
+ title: The SUSE operating system clock must, for networked systems, be synchronized
+ to an authoritative DOD time source at least every 24 hours.
+ rules:
+ - chronyd_or_ntpd_set_maxpoll
+ - var_time_service_set_maxpoll=18_hours
+ status: automated
+- id: SLES-15-010410
+ levels:
+ - low
+ title: The SUSE operating system must be configured to use Coordinated Universal
+ Time (UTC) or Greenwich Mean Time (GMT).
+ rules:
+ - ensure_rtc_utc_configuration
+ status: automated
+- id: SLES-15-010420
+ levels:
+ - medium
+ title: Advanced Intrusion Detection Environment (AIDE) must verify the baseline
+ SUSE operating system configuration at least weekly.
+ rules:
+ - aide_periodic_cron_checking
+ status: automated
+- id: SLES-15-010430
+ levels:
+ - high
+ title: The SUSE operating system tool zypper must have gpgcheck enabled.
+ rules:
+ - ensure_gpgcheck_globally_activated
+ status: automated
+- id: SLES-15-010450
+ levels:
+ - high
+ title: The SUSE operating system must reauthenticate users when changing authenticators,
+ roles, or escalating privileges.
+ rules:
+ - sudo_remove_no_authenticate
+ - sudo_remove_nopasswd
+ - sudo_require_authentication
+ status: automated
+- id: SLES-15-010460
+ levels:
+ - medium
+ title: The SUSE operating system must have the packages required for multifactor
+ authentication to be installed.
+ rules:
+ - install_smartcard_packages
+ status: automated
+- id: SLES-15-010470
+ levels:
+ - medium
+ title: The SUSE operating system must implement certificate status checking for
+ multifactor authentication.
+ rules:
+ - smartcard_configure_cert_checking
+ status: automated
+- id: SLES-15-010480
+ levels:
+ - medium
+ title: The SUSE operating system must disable the USB mass storage kernel module.
+ rules:
+ - kernel_module_usb-storage_disabled
+ status: automated
+- id: SLES-15-010490
+ levels:
+ - medium
+ title: If Network Security Services (NSS) is being used by the SUSE operating system
+ it must prohibit the use of cached authentications after one day.
+ rules:
+ - sssd_memcache_timeout
+ - var_sssd_memcache_timeout=1_day
+ status: automated
+- id: SLES-15-010500
+ levels:
+ - medium
+ title: The SUSE operating system must configure the Linux Pluggable Authentication
+ Modules (PAM) to prohibit the use of cached offline authentications after one
+ day.
+ rules:
+ - sssd_offline_cred_expiration
+ status: automated
+- id: SLES-15-010510
+ levels:
+ - high
+ title: FIPS 140-2 mode must be enabled on the SUSE operating system.
+ rules:
+ - is_fips_mode_enabled
+ status: automated
+- id: SLES-15-010530
+ levels:
+ - high
+ title: All networked SUSE operating systems must have and implement SSH to protect
+ the confidentiality and integrity of transmitted and received information, as
+ well as information during preparation for transmission.
+ rules:
+ - service_sshd_enabled
+ status: automated
+- id: SLES-15-010540
+ levels:
+ - medium
+ title: The SUSE operating system must implement kptr-restrict to prevent the leaking
+ of internal kernel addresses.
+ rules:
+ - sysctl_kernel_kptr_restrict
+ status: automated
+- id: SLES-15-010550
+ levels:
+ - medium
+ title: Address space layout randomization (ASLR) must be implemented by the SUSE
+ operating system to protect memory from unauthorized code execution.
+ rules:
+ - sysctl_kernel_randomize_va_space
+ status: automated
+- id: SLES-15-010560
+ levels:
+ - medium
+ title: The SUSE operating system must remove all outdated software components after
+ updated versions have been installed.
+ rules:
+ - clean_components_post_updating
+ status: automated
+- id: SLES-15-010570
+ levels:
+ - medium
+ title: The SUSE operating system must notify the System Administrator (SA) when
+ Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation
+ of any security functions.
+ rules:
+ - aide_periodic_checking_systemd_timer
+ - aide_scan_notification
+ status: automated
+- id: SLES-15-010580
+ levels:
+ - medium
+ title: The SUSE operating system must off-load rsyslog messages for networked systems
+ in real time and off-load standalone systems at least weekly.
+ rules:
+ - rsyslog_remote_loghost
+ status: automated
+- id: SLES-15-020000
+ levels:
+ - medium
+ title: The SUSE operating system must provision temporary accounts with an expiration
+ date for 72 hours.
+ rules: []
+ status: pending
+- id: SLES-15-020010
+ levels:
+ - medium
+ title: The SUSE operating system must lock an account after three consecutive invalid
+ access attempts.
+ rules:
+ - accounts_passwords_pam_tally2
+ - var_password_pam_tally2=3
+ status: automated
+- id: SLES-15-020020
+ levels:
+ - low
+ title: The SUSE operating system must limit the number of concurrent sessions to
+ 10 for all accounts and/or account types.
+ rules:
+ - accounts_max_concurrent_login_sessions
+ - var_accounts_max_concurrent_login_sessions=10
+ status: automated
+- id: SLES-15-020030
+ levels:
+ - medium
+ title: The SUSE operating system must implement multifactor authentication for access
+ to privileged accounts via pluggable authentication modules (PAM).
+ rules:
+ - smartcard_pam_enabled
+ status: automated
+- id: SLES-15-020040
+ levels:
+ - medium
+ title: The SUSE operating system must deny direct logons to the root account using
+ remote access via SSH.
+ rules:
+ - sshd_disable_root_login
+ status: automated
+- id: SLES-15-020050
+ levels:
+ - medium
+ title: The SUSE operating system must disable account identifiers (individuals,
+ groups, roles, and devices) after 35 days of inactivity after password expiration.
+ rules:
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=35
+ status: automated
+- id: SLES-15-020060
+ levels:
+ - medium
+ title: The SUSE operating system must never automatically remove or disable emergency
+ administrator accounts.
+ rules:
+ - account_emergency_admin
+ status: manual
+- id: SLES-15-020090
+ levels:
+ - medium
+ title: The SUSE operating system must not have unnecessary accounts.
+ rules:
+ - accounts_authorized_local_users
+ # NOTE: must configure "var_accounts_authorized_local_users_regex"
+ # when the rule "accounts_authorized_local_users" is enabled
+ # - var_accounts_authorized_local_users_regex=
+ - var_accounts_authorized_local_users_regex=sle15
+ status: automated
+- id: SLES-15-020091
+ levels:
+ - medium
+ title: The SUSE operating system must not have unnecessary account capabilities.
+ rules:
+ - no_shelllogin_for_systemaccounts
+ status: automated
+- id: SLES-15-020100
+ levels:
+ - high
+ title: The SUSE operating system root account must be the only account with unrestricted
+ access to the system.
+ rules:
+ - accounts_no_uid_except_zero
+ status: automated
+- id: SLES-15-020101
+ levels:
+ - medium
+ title: The SUSE operating system must restrict privilege elevation to authorized
+ personnel.
+ rules:
+ - sudo_restrict_privilege_elevation_to_authorized
+ status: automated
+- id: SLES-15-020102
+ levels:
+ - medium
+ title: The SUSE operating system must require reauthentication when using the "sudo"
+ command.
+ rules:
+ - sudo_require_reauthentication
+ - var_sudo_timestamp_timeout=always_prompt
+ status: automated
+- id: SLES-15-020103
+ levels:
+ - medium
+ title: The SUSE operating system must use the invoking user's password for privilege
+ escalation when using "sudo".
+ rules:
+ - sudoers_validate_passwd
+ status: automated
+- id: SLES-15-020110
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user accounts, upon creation,
+ must be assigned a home directory.
+ rules:
+ - accounts_have_homedir_login_defs
+ status: automated
+- id: SLES-15-020120
+ levels:
+ - medium
+ title: The SUSE operating system must display the date and time of the last successful
+ account logon upon an SSH logon.
+ rules:
+ - sshd_print_last_log
+ status: automated
+- id: SLES-15-020130
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ uppercase character.
+ rules:
+ - cracklib_accounts_password_pam_ucredit
+ - var_password_pam_ucredit=1
+ status: automated
+- id: SLES-15-020140
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ lowercase character.
+ rules:
+ - cracklib_accounts_password_pam_lcredit
+ - var_password_pam_lcredit=1
+ status: automated
+- id: SLES-15-020150
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ numeric character.
+ rules:
+ - cracklib_accounts_password_pam_dcredit
+ - var_password_pam_dcredit=1
+ status: automated
+- id: SLES-15-020160
+ levels:
+ - medium
+ title: The SUSE operating system must require the change of at least eight of the
+ total number of characters when passwords are changed.
+ rules:
+ - cracklib_accounts_password_pam_difok
+ status: automated
+- id: SLES-15-020170
+ levels:
+ - medium
+ title: The SUSE operating system must configure the Linux Pluggable Authentication
+ Modules (PAM) to only store encrypted representations of passwords.
+ rules:
+ - set_password_hashing_algorithm_systemauth
+ status: automated
+- id: SLES-15-020180
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing
+ algorithms for all stored passwords.
+ rules:
+ - accounts_password_all_shadowed_sha512
+ status: automated
+- id: SLES-15-020190
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing
+ algorithms for all stored passwords.
+ rules:
+ - set_password_hashing_min_rounds_logindefs
+ - var_password_hashing_min_rounds_login_defs=100000
+ status: automated
+- id: SLES-15-020200
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to create or update passwords
+ with a minimum lifetime of 24 hours (one day).
+ rules:
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=7
+ status: automated
+- id: SLES-15-020210
+ levels:
+ - medium
+ title: The SUSE operating system must employ user passwords with a minimum lifetime
+ of 24 hours (one day).
+ rules:
+ - accounts_password_set_min_life_existing
+ status: automated
+- id: SLES-15-020220
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to create or update passwords
+ with a maximum lifetime of 60 days.
+ rules:
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=60
+ status: automated
+- id: SLES-15-020230
+ levels:
+ - medium
+ title: The SUSE operating system must employ user passwords with a maximum lifetime
+ of 60 days.
+ rules:
+ - accounts_password_set_max_life_existing
+ status: automated
+- id: SLES-15-020260
+ levels:
+ - medium
+ title: The SUSE operating system must employ passwords with a minimum of 15 characters.
+ rules:
+ - cracklib_accounts_password_pam_minlen
+ - var_password_pam_minlen=15
+ status: automated
+- id: SLES-15-020270
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ special character.
+ rules:
+ - cracklib_accounts_password_pam_ocredit
+ - var_password_pam_ocredit=1
+ status: automated
+- id: SLES-15-020290
+ levels:
+ - medium
+ title: The SUSE operating system must prevent the use of dictionary words for passwords.
+ rules:
+ - cracklib_accounts_password_pam_retry
+ status: automated
+- id: SLES-15-020300
+ levels:
+ - high
+ title: The SUSE operating system must not be configured to allow blank or null passwords.
+ rules:
+ - no_empty_passwords
+ status: automated
+- id: SLES-15-030000
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/passwd.
+ rules:
+ - audit_rules_usergroup_modification_passwd
+ status: automated
+- id: SLES-15-030010
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/group.
+ rules:
+ - audit_rules_usergroup_modification_group
+ status: automated
+- id: SLES-15-030020
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/shadow.
+ rules:
+ - audit_rules_usergroup_modification_shadow
+ status: automated
+- id: SLES-15-030030
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/security/opasswd.
+ rules:
+ - audit_rules_usergroup_modification_opasswd
+ status: automated
+- id: SLES-15-030040
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/gshadow.
+ rules:
+ - audit_rules_usergroup_modification_gshadow
+ status: automated
+- id: SLES-15-030050
+ levels:
+ - medium
+ title: SUSE operating system audit records must contain information to establish
+ what type of events occurred, the source of events, where events occurred, and
+ the outcome of events.
+ rules:
+ - service_auditd_enabled
+ status: automated
+- id: SLES-15-030060
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ ssh-keysign command.
+ rules:
+ - audit_rules_privileged_commands_ssh_keysign
+ status: automated
+- id: SLES-15-030070
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ passwd command.
+ rules:
+ - audit_rules_privileged_commands_passwd
+ status: automated
+- id: SLES-15-030080
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ gpasswd command.
+ rules:
+ - audit_rules_privileged_commands_gpasswd
+ status: automated
+- id: SLES-15-030090
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ newgrp command.
+ rules:
+ - audit_rules_privileged_commands_newgrp
+ status: automated
+- id: SLES-15-030100
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for a uses of the chsh
+ command.
+ rules:
+ - audit_rules_privileged_commands_chsh
+ status: automated
+- id: SLES-15-030110
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ unix_chkpwd or unix2_chkpwd commands.
+ rules:
+ - audit_rules_privileged_commands_unix2_chkpwd
+ - audit_rules_privileged_commands_unix_chkpwd
+ status: automated
+- id: SLES-15-030120
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chage command.
+ rules:
+ - audit_rules_privileged_commands_chage
+ status: automated
+- id: SLES-15-030130
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ crontab command.
+ rules:
+ - audit_rules_privileged_commands_crontab
+ status: automated
+- id: SLES-15-030140
+ levels:
+ - medium
+ title: The SUSE operating system must audit all uses of the sudoers file and all
+ files in the /etc/sudoers.d/ directory.
+ rules:
+ - audit_rules_sysadmin_actions
+ status: automated
+- id: SLES-15-030150
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.
+ rules:
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ status: automated
+- id: SLES-15-030190
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system
+ calls.
+ rules:
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ status: automated
+- id: SLES-15-030250
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chown, fchown, fchownat, and lchown system calls.
+ rules:
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_lchown
+ status: automated
+- id: SLES-15-030290
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chmod, fchmod, and fchmodat system calls.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ status: automated
+- id: SLES-15-030330
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ sudoedit command.
+ rules:
+ - audit_rules_privileged_commands_sudoedit
+ status: automated
+- id: SLES-15-030340
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ chfn command.
+ rules:
+ - audit_rules_privileged_commands_chfn
+ status: automated
+- id: SLES-15-030350
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ mount system call.
+ rules:
+ - audit_rules_media_export
+ status: automated
+- id: SLES-15-030360
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ umount system call.
+ rules:
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ status: automated
+- id: SLES-15-030370
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ ssh-agent command.
+ rules:
+ - audit_rules_privileged_commands_ssh_agent
+ status: automated
+- id: SLES-15-030380
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ insmod command.
+ rules:
+ - audit_rules_privileged_commands_insmod
+ status: automated
+- id: SLES-15-030390
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ rmmod command.
+ rules:
+ - audit_rules_privileged_commands_rmmod
+ status: automated
+- id: SLES-15-030400
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ modprobe command.
+ rules:
+ - audit_rules_privileged_commands_modprobe
+ status: automated
+- id: SLES-15-030410
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ kmod command.
+ rules:
+ - audit_rules_privileged_commands_kmod
+ status: automated
+- id: SLES-15-030420
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chmod command.
+ rules:
+ - audit_rules_execution_chmod
+ status: automated
+- id: SLES-15-030430
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ setfacl command.
+ rules:
+ - audit_rules_execution_setfacl
+ status: automated
+- id: SLES-15-030440
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chacl command.
+ rules:
+ - audit_rules_execution_chacl
+ status: automated
+- id: SLES-15-030450
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chcon command.
+ rules:
+ - audit_rules_execution_chcon
+ status: automated
+- id: SLES-15-030460
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ rm command.
+ rules:
+ - audit_rules_execution_rm
+ status: automated
+- id: SLES-15-030470
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all modifications
+ to the tallylog file must generate an audit record.
+ rules:
+ - audit_rules_login_events_tallylog
+ status: automated
+- id: SLES-15-030480
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all modifications
+ to the lastlog file.
+ rules:
+ - audit_rules_login_events_lastlog
+ status: automated
+- id: SLES-15-030490
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ passmass command.
+ rules:
+ - audit_rules_privileged_commands_passmass
+ status: automated
+- id: SLES-15-030500
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ usermod command.
+ rules:
+ - audit_rules_privileged_commands_usermod
+ status: automated
+- id: SLES-15-030510
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ pam_timestamp_check command.
+ rules:
+ - audit_rules_privileged_commands_pam_timestamp_check
+ status: automated
+- id: SLES-15-030520
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ delete_module system call.
+ rules:
+ - audit_rules_kernel_module_loading_delete
+ status: automated
+- id: SLES-15-030530
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ init_module and finit_module system calls.
+ rules:
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ status: automated
+- id: SLES-15-030550
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ su command.
+ rules:
+ - audit_rules_privileged_commands_su
+ status: automated
+- id: SLES-15-030560
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ sudo command.
+ rules:
+ - audit_rules_privileged_commands_sudo
+ status: automated
+- id: SLES-15-030570
+ levels:
+ - medium
+ title: The Information System Security Officer (ISSO) and System Administrator (SA),
+ at a minimum, must be alerted of a SUSE operating system audit processing failure
+ event.
+ rules:
+ - auditd_data_retention_action_mail_acct
+ status: automated
+- id: SLES-15-030580
+ levels:
+ - medium
+ title: The Information System Security Officer (ISSO) and System Administrator (SA),
+ at a minimum, must have mail aliases to be notified of a SUSE operating system
+ audit processing failure.
+ rules:
+ - postfix_client_configure_mail_alias
+ status: automated
+- id: SLES-15-030590
+ levels:
+ - medium
+ title: The SUSE operating system audit system must take appropriate action when
+ the audit storage volume is full.
+ rules:
+ - auditd_data_disk_full_action
+ - var_auditd_disk_full_action=syslog
+ status: automated
+- id: SLES-15-030600
+ levels:
+ - medium
+ title: The SUSE operating system must protect audit rules from unauthorized modification.
+ rules:
+ - permissions_local_var_log_audit
+ status: automated
+- id: SLES-15-030620
+ levels:
+ - medium
+ title: The SUSE operating system audit tools must have the proper permissions configured
+ to protect against unauthorized access.
+ rules:
+ - permissions_local_audit_binaries
+ status: automated
+- id: SLES-15-030630
+ levels:
+ - medium
+ title: The SUSE operating system file integrity tool must be configured to protect
+ the integrity of the audit tools.
+ rules:
+ - aide_check_audit_tools
+ status: automated
+- id: SLES-15-030640
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ privileged functions.
+ rules:
+ - audit_rules_suid_privilege_function
+ status: automated
+- id: SLES-15-030650
+ levels:
+ - medium
+ title: The SUSE operating system must have the auditing package installed.
+ rules:
+ - package_audit_installed
+ status: automated
+- id: SLES-15-030660
+ levels:
+ - medium
+ title: The SUSE operating system must allocate audit record storage capacity to
+ store at least one week of audit records when audit records are not immediately
+ sent to a central audit record storage facility.
+ rules:
+ - auditd_audispd_configure_sufficiently_large_partition
+ status: manual
+- id: SLES-15-030670
+ levels:
+ - medium
+ title: The audit-audispd-plugins must be installed on the SUSE operating system.
+ rules:
+ - package_audit-audispd-plugins_installed
+ status: automated
+- id: SLES-15-030680
+ levels:
+ - low
+ title: The SUSE operating system audit event multiplexor must be configured to use
+ Kerberos.
+ rules:
+ - auditd_audispd_encrypt_sent_records
+ status: automated
+- id: SLES-15-030690
+ levels:
+ - low
+ title: Audispd must off-load audit records onto a different system or media from
+ the SUSE operating system being audited.
+ rules:
+ - auditd_audispd_configure_remote_server
+ # NOTE: must configure "var_audispd_remote_server" when the
+ # rule "auditd_audispd_configure_remote_server" is enabled
+ # - var_audispd_remote_server=
+ status: automated
+- id: SLES-15-030700
+ levels:
+ - medium
+ title: The SUSE operating system auditd service must notify the System Administrator
+ (SA) and Information System Security Officer (ISSO) immediately when audit storage
+ capacity is 75 percent full.
+ rules:
+ - auditd_data_retention_space_left
+ status: automated
+- id: SLES-15-030740
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ unlink, unlinkat, rename, renameat, and rmdir system calls.
+ rules:
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_renameat2
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ status: automated
+- id: SLES-15-030760
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for the /run/utmp file.
+ rules:
+ - audit_rules_session_events_utmp
+ status: automated
+- id: SLES-15-030770
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for the /var/log/wtmp
+ file.
+ rules:
+ - audit_rules_session_events_wtmp
+ status: automated
+- id: SLES-15-030780
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for the /var/log/btmp
+ file.
+ rules:
+ - audit_rules_session_events_btmp
+ status: automated
+- id: SLES-15-030790
+ levels:
+ - medium
+ title: The SUSE operating system must off-load audit records onto a different system
+ or media from the system being audited.
+ rules:
+ - auditd_audispd_network_failure_action
+ status: automated
+- id: SLES-15-030800
+ levels:
+ - medium
+ title: Audispd must take appropriate action when the SUSE operating system audit
+ storage is full.
+ rules:
+ - auditd_audispd_disk_full_action
+ status: automated
+- id: SLES-15-030810
+ levels:
+ - low
+ title: The SUSE operating system must use a separate file system for the system
+ audit data path.
+ rules:
+ - partition_for_var_log_audit
+ status: automated
+- id: SLES-15-030820
+ levels:
+ - medium
+ title: The SUSE operating system must not disable syscall auditing.
+ rules:
+ - audit_rules_enable_syscall_auditing
+ status: automated
+- id: SLES-15-040000
+ levels:
+ - medium
+ title: The SUSE operating system must enforce a delay of at least four seconds between
+ logon prompts following a failed logon attempt.
+ rules: []
+ status: pending
+- id: SLES-15-040010
+ levels:
+ - medium
+ title: The SUSE operating system must enforce a delay of at least four seconds between
+ logon prompts following a failed logon attempt.
+ rules:
+ - accounts_passwords_pam_faildelay_delay
+ - var_accounts_fail_delay=4
+ - var_password_pam_delay=4000000
+ status: automated
+- id: SLES-15-040020
+ levels:
+ - high
+ title: There must be no .shosts files on the SUSE operating system.
+ rules:
+ - no_user_host_based_files
+ status: automated
+- id: SLES-15-040030
+ levels:
+ - high
+ title: There must be no shosts.equiv files on the SUSE operating system.
+ rules:
+ - no_host_based_files
+ status: automated
+- id: SLES-15-040040
+ levels:
+ - low
+ title: The SUSE operating system file integrity tool must be configured to verify
+ Access Control Lists (ACLs).
+ rules:
+ - aide_verify_acls
+ status: automated
+- id: SLES-15-040050
+ levels:
+ - low
+ title: The SUSE operating system file integrity tool must be configured to verify
+ extended attributes.
+ rules:
+ - aide_verify_ext_attributes
+ status: automated
+- id: SLES-15-040060
+ levels:
+ - high
+ title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
+ rules:
+ - disable_ctrlaltdel_reboot
+ status: automated
+- id: SLES-15-040061
+ levels:
+ - high
+ title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence
+ for Graphical User Interfaces.
+ rules:
+ - enable_dconf_user_profile
+ status: automated
+- id: SLES-15-040062
+ levels:
+ - high
+ title: The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst
+ key sequence.
+ rules:
+ - disable_ctrlaltdel_burstaction
+ status: automated
+- id: SLES-15-040070
+ levels:
+ - medium
+ title: All SUSE operating system local interactive users must have a home directory
+ assigned in the /etc/passwd file.
+ rules:
+ - accounts_user_interactive_home_directory_defined
+ status: automated
+- id: SLES-15-040080
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user home directories defined
+ in the /etc/passwd file must exist.
+ rules:
+ - accounts_user_interactive_home_directory_exists
+ status: automated
+- id: SLES-15-040090
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user home directories must have
+ mode 0750 or less permissive.
+ rules:
+ - file_permissions_home_directories
+ status: automated
+- id: SLES-15-040100
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user home directories must be
+ group-owned by the home directory owner's primary group.
+ rules:
+ - file_groupownership_home_directories
+ status: automated
+- id: SLES-15-040110
+ levels:
+ - medium
+ title: All SUSE operating system local initialization files must have mode 0740
+ or less permissive.
+ rules:
+ - file_permission_user_init_files
+ status: automated
+- id: SLES-15-040120
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user initialization files executable
+ search paths must contain only paths that resolve to the users home directory.
+ rules:
+ - accounts_user_home_paths_only
+ status: manual
+- id: SLES-15-040130
+ levels:
+ - medium
+ title: All SUSE operating system local initialization files must not execute world-writable
+ programs.
+ rules:
+ - accounts_user_dot_no_world_writable_programs
+ status: automated
+- id: SLES-15-040140
+ levels:
+ - medium
+ title: SUSE operating system file systems that contain user home directories must
+ be mounted to prevent files with the setuid and setgid bit set from being executed.
+ rules:
+ - mount_option_home_nosuid
+ status: automated
+- id: SLES-15-040150
+ levels:
+ - medium
+ title: SUSE operating system file systems that are used with removable media must
+ be mounted to prevent files with the setuid and setgid bit set from being executed.
+ rules:
+ - mount_option_nosuid_removable_partitions
+ - var_removable_partition=dev_cdrom
+ status: automated
+- id: SLES-15-040160
+ levels:
+ - medium
+ title: SUSE operating system file systems that are being imported via Network File
+ System (NFS) must be mounted to prevent files with the setuid and setgid bit set
+ from being executed.
+ rules:
+ - mount_option_nosuid_remote_filesystems
+ status: automated
+- id: SLES-15-040170
+ levels:
+ - medium
+ title: SUSE operating system file systems that are being imported via Network File
+ System (NFS) must be mounted to prevent binary files from being executed.
+ rules:
+ - mount_option_noexec_remote_filesystems
+ status: automated
+- id: SLES-15-040180
+ levels:
+ - medium
+ title: All SUSE operating system world-writable directories must be group-owned
+ by root, sys, bin, or an application group.
+ rules:
+ - dir_perms_world_writable_system_owned_group
+ status: automated
+- id: SLES-15-040190
+ levels:
+ - medium
+ title: SUSE operating system kernel core dumps must be disabled unless needed.
+ rules:
+ - service_kdump_disabled
+ status: automated
+- id: SLES-15-040200
+ levels:
+ - low
+ title: A separate file system must be used for SUSE operating system user home directories
+ (such as /home or an equivalent).
+ rules:
+ - partition_for_home
+ status: automated
+- id: SLES-15-040210
+ levels:
+ - low
+ title: The SUSE operating system must use a separate file system for /var.
+ rules:
+ - partition_for_var
+ status: automated
+- id: SLES-15-040220
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to not overwrite Pluggable Authentication
+ Modules (PAM) configuration on package changes.
+ rules:
+ - pam_disable_automatic_configuration
+ status: automated
+- id: SLES-15-040230
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must be configured to not allow authentication
+ using known hosts authentication.
+ rules:
+ - sshd_disable_user_known_hosts
+ status: automated
+- id: SLES-15-040240
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon public host key files must have mode
+ 0644 or less permissive.
+ rules:
+ - file_permissions_sshd_pub_key
+ status: automated
+- id: SLES-15-040250
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon private host key files must have mode
+ 0640 or less permissive.
+ rules:
+ - file_permissions_sshd_private_key
+ status: automated
+- id: SLES-15-040260
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must perform strict mode checking of
+ home directory configuration files.
+ rules:
+ - sshd_enable_strictmodes
+ status: automated
+- id: SLES-15-040290
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must disable forwarded remote X connections
+ for interactive users, unless to fulfill documented and validated mission requirements.
+ rules:
+ - sshd_disable_x11_forwarding
+ status: automated
+- id: SLES-15-040300
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4)
+ source-routed packets.
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ status: automated
+- id: SLES-15-040310
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6)
+ source-routed packets.
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ status: automated
+- id: SLES-15-040320
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4)
+ source-routed packets by default.
+ rules:
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ status: automated
+- id: SLES-15-040321
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6)
+ source-routed packets by default.
+ rules:
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ status: automated
+- id: SLES-15-040330
+ levels:
+ - medium
+ title: The SUSE operating system must prevent Internet Protocol version 4 (IPv4)
+ Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ status: automated
+- id: SLES-15-040340
+ levels:
+ - medium
+ title: The SUSE operating system must not allow interfaces to accept Internet Protocol
+ version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by
+ default.
+ rules:
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ status: automated
+- id: SLES-15-040341
+ levels:
+ - medium
+ title: The SUSE operating system must prevent Internet Protocol version 6 (IPv6)
+ Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ status: automated
+- id: SLES-15-040350
+ levels:
+ - medium
+ title: The SUSE operating system must not allow interfaces to accept Internet Protocol
+ version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by
+ default.
+ rules:
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ status: automated
+- id: SLES-15-040360
+ levels:
+ - medium
+ title: The SUSE operating system must not allow interfaces to send Internet Protocol
+ version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by
+ default.
+ rules:
+ - sysctl_net_ipv4_conf_default_send_redirects
+ status: automated
+- id: SLES-15-040370
+ levels:
+ - medium
+ title: The SUSE operating system must not send Internet Protocol version 4 (IPv4)
+ Internet Control Message Protocol (ICMP) redirects.
+ rules:
+ - sysctl_net_ipv4_conf_all_send_redirects
+ status: automated
+- id: SLES-15-040380
+ levels:
+ - medium
+ title: The SUSE operating system must not be performing Internet Protocol version
+ 4 (IPv4) packet forwarding unless the system is a router.
+ rules:
+ - sysctl_net_ipv4_ip_forward
+ status: automated
+- id: SLES-15-040381
+ levels:
+ - medium
+ title: The SUSE operating system must not be performing Internet Protocol version
+ 6 (IPv6) packet forwarding unless the system is a router.
+ rules:
+ - sysctl_net_ipv6_conf_all_forwarding
+ status: automated
+- id: SLES-15-040382
+ levels:
+ - medium
+ title: The SUSE operating system must not be performing Internet Protocol version
+ 6 (IPv6) packet forwarding by default unless the system is a router.
+ rules:
+ - sysctl_net_ipv6_conf_default_forwarding
+ status: automated
+- id: SLES-15-040390
+ levels:
+ - medium
+ title: The SUSE operating system must not have network interfaces in promiscuous
+ mode unless approved and documented.
+ rules:
+ - network_sniffer_disabled
+ status: automated
+- id: SLES-15-040400
+ levels:
+ - medium
+ title: All SUSE operating system files and directories must have a valid owner.
+ rules:
+ - no_files_unowned_by_user
+ status: automated
+- id: SLES-15-040410
+ levels:
+ - medium
+ title: All SUSE operating system files and directories must have a valid group owner.
+ rules:
+ - file_permissions_ungroupowned
+ status: automated
+- id: SLES-15-040420
+ levels:
+ - medium
+ title: The SUSE operating system default permissions must be defined in such a way
+ that all authenticated users can only read and modify their own files.
+ rules:
+ - accounts_umask_etc_login_defs
+ status: automated
+- id: SLES-15-040430
+ levels:
+ - high
+ title: The SUSE operating system must not allow unattended or automatic logon via
+ the graphical user interface (GUI).
+ rules:
+ - gnome_gdm_disable_unattended_automatic_login
+ status: automated
+- id: SLES-15-040440
+ levels:
+ - high
+ title: The SUSE operating system must not allow unattended or automatic logon via
+ SSH.
+ rules:
+ - sshd_disable_empty_passwords
+ - sshd_do_not_permit_user_env
+ status: automated
+- id: SLES-15-020099
+ levels:
+ - medium
+ title: The SUSE operating system must specify the default "include" directory for
+ the /etc/sudoers file.
+ rules:
+ - sudoers_default_includedir
+ status: automated
+- id: SLES-15-020104
+ levels:
+ - medium
+ title: The SUSE operating system must not be configured to bypass password requirements
+ for privilege escalation.
+ rules:
+ - disallow_bypass_password_sudo
+ status: automated
+- id: SLES-15-020181
+ levels:
+ - high
+ title: The SUSE operating system must not have accounts configured with blank or
+ null passwords.
+ rules:
+ - no_empty_passwords_etc_shadow
+ status: automated
+- id: SLES-15-040450
+ levels:
+ - medium
+ title: The SUSE operating system SSH server must be configured to use only FIPS-validated
+ key exchange algorithms.
+ rules:
+ - sshd_use_approved_kex_ordered_stig
+ status: automated
+- id: SLES-15-010375
+ levels:
+ - low
+ title: The SUSE operating system must restrict access to the kernel message buffer.
+ rules:
+ - sysctl_kernel_dmesg_restrict
+ status: automated
+- id: SLES-15-010419
+ levels:
+ - medium
+ title: The SUSE operating system must use a file integrity tool to verify correct
+ operation of all security functions.
+ rules:
+ - aide_build_database
+ - package_aide_installed
+ status: automated
+- id: SLES-15-010418
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to allow sending email notifications
+ of unauthorized configuration changes to designated personnel.
+ rules:
+ - package_mailx_installed
+ status: automated
+- id: SLES-15-030015
+ levels:
+ - medium
+ title: The SUSE operating system must audit any script or executable called by cron
+ as root or by any privileged user.
+ rules:
+ - audit_rules_etc_cron_d
+ - audit_rules_var_spool_cron
+ status: automated
From d4824026f1905a5fa342191b932c4b6ff76321e9 Mon Sep 17 00:00:00 2001
From: rchikov Date: Thu, 18 Jun 2026 10:50:15 +0200 Subject: [PATCH 3/5] Remove trailing spaces --- .../rule.yml | 6 +-- .../base/service_kdump_disabled/rule.yml | 2 +- .../r_services/no_host_based_files/rule.yml | 2 +- .../no_user_host_based_files/rule.yml | 2 +- .../rule.yml | 2 +- .../file_permissions_sshd_pub_key/rule.yml | 2 +- .../sshd_disable_empty_passwords/rule.yml | 2 +- .../sshd_disable_user_known_hosts/rule.yml | 2 +- .../sshd_disable_x11_forwarding/rule.yml | 2 +- .../sshd_do_not_permit_user_env/rule.yml | 2 +- .../sshd_enable_strictmodes/rule.yml | 2 +- .../ssh_server/sshd_print_last_log/rule.yml | 2 +- .../sshd_use_priv_separation/rule.yml | 2 +- .../disable_ctrlaltdel_reboot/rule.yml | 2 +- .../accounts_authorized_local_users/rule.yml | 2 +- .../no_empty_passwords_etc_shadow/rule.yml | 2 +- .../accounts_no_uid_except_zero/rule.yml | 2 +- .../no_shelllogin_for_systemaccounts/rule.yml | 2 +- .../rule.yml | 2 +- .../accounts_user_home_paths_only/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../file_permission_user_init_files/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 2 +- .../sysctl_net_ipv4_ip_forward/rule.yml | 2 +- .../rule.yml | 2 +- .../rule.yml | 42 +++++++++---------- .../dir_system_commands_root_owned/rule.yml | 40 +++++++++--------- .../file_permissions_ungroupowned/rule.yml | 2 +- .../files/no_files_unowned_by_user/rule.yml | 2 +- .../rule.yml | 2 +- .../encrypt_partitions/rule.yml | 18 ++++---- .../partition_for_home/rule.yml | 2 +- .../partition_for_var/rule.yml | 2 +- .../partition_for_var_log_audit/rule.yml | 2 +- .../aide/aide_verify_acls/rule.yml | 4 +- .../aide/aide_verify_ext_attributes/rule.yml | 4 +- .../rule.yml | 2 +- .../sudo/sudoers_default_includedir/rule.yml | 2 +- 
.../sudo/sudoers_validate_passwd/rule.yml | 2 +- 52 files changed, 103 insertions(+), 103 deletions(-) diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml index 6cae54d1c0d4..1baaf6ce2999 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat2/rule.yml @@ -5,11 +5,11 @@ title: 'Record Unsuccessful Delete Attempts to Files - renameat2' description: |- The operating system must generate audit records for all uses of the renameat2 system call. - Without generating audit records specific to the security and mission needs of the organization, it would be + Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). - Add or update the following lines to /etc/audit/rules.d/audit.rules to configure the operating system to generate - an audit record for all uses of the renameat2 system call: + Add or update the following lines to /etc/audit/rules.d/audit.rules to configure the operating system to generate + an audit record for all uses of the renameat2 system call:
     -a always,exit -F arch=b32 -S renameat2 -F auid>={{{ uid_min }}} -F auid!=-1 -k perm_mod
     -a always,exit -F arch=b64 -S renameat2 -F auid>={{{ uid_min }}} -F auid!=-1 -k perm_mod
diff --git a/linux_os/guide/services/base/service_kdump_disabled/rule.yml b/linux_os/guide/services/base/service_kdump_disabled/rule.yml index 51f081c92928..03d292d7af66 100644 --- a/linux_os/guide/services/base/service_kdump_disabled/rule.yml +++ b/linux_os/guide/services/base/service_kdump_disabled/rule.yml @@ -31,7 +31,7 @@ identifiers: cce@sle15: CCE-85638-5 cce@sle16: CCE-96052-6 cce@slmicro5: CCE-93773-0 - cce@slmicro6: CCE-95065-9 + cce@slmicro6: CCE-95065-9 references: cis-csc: 11,12,14,15,3,8,9 diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml index 21f616906a23..0549fcb89280 100644 --- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/rule.yml @@ -23,7 +23,7 @@ identifiers: cce@sle12: CCE-83022-4 cce@sle15: CCE-85622-9 cce@slmicro5: CCE-93741-7 - cce@slmicro6: CCE-95051-9 + cce@slmicro6: CCE-95051-9 references: srg: SRG-OS-000480-GPOS-00227 diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml index 8f017817cb6c..c2086e2e7b26 100644 --- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml +++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/rule.yml @@ -26,7 +26,7 @@ identifiers: cce@sle12: CCE-83021-6 cce@sle15: CCE-85621-1 cce@slmicro5: CCE-93740-9 - cce@slmicro6: CCE-95049-3 + cce@slmicro6: CCE-95049-3 references: srg: SRG-OS-000480-GPOS-00227 diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml index 19e271aeb554..91bb0fd02834 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_private_key/rule.yml 
@@ -34,7 +34,7 @@ identifiers: cce@sle15: CCE-85644-3 cce@sle16: CCE-96360-3 cce@slmicro5: CCE-93751-6 - cce@slmicro6: CCE-95070-9 + cce@slmicro6: CCE-95070-9 references: cis-csc: 12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml index ff67037f7504..0655c270a5d3 100644 --- a/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml +++ b/linux_os/guide/services/ssh/file_permissions_sshd_pub_key/rule.yml @@ -18,7 +18,7 @@ identifiers: cce@sle15: CCE-85643-5 cce@sle16: CCE-95850-4 cce@slmicro5: CCE-93663-3 - cce@slmicro6: CCE-95069-1 + cce@slmicro6: CCE-95069-1 references: cis-csc: 12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml index 8fdba2019c41..608f5e6c169b 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_empty_passwords/rule.yml @@ -30,7 +30,7 @@ identifiers: cce@sle15: CCE-85667-4 cce@sle16: CCE-95818-1 cce@slmicro5: CCE-93650-0 - cce@slmicro6: CCE-95091-5 + cce@slmicro6: CCE-95091-5 references: cis-csc: 11,12,13,14,15,16,18,3,5,9 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml index 12aaf6c0a1c6..7d5ddadb36ba 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_user_known_hosts/rule.yml @@ -25,7 +25,7 @@ identifiers: cce@sle15: CCE-85642-7 cce@sle16: CCE-96499-9 cce@slmicro5: CCE-93646-8 - cce@slmicro6: CCE-95068-3 + cce@slmicro6: CCE-95068-3 references: cis-csc: 11,3,9 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml index 7cb3e19bb25a..96d9fc4bf522 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml @@ -32,7 +32,7 @@ identifiers: cce@sle15: CCE-85707-8 cce@sle16: CCE-96661-4 cce@slmicro5: CCE-93648-4 - cce@slmicro6: CCE-95072-5 + cce@slmicro6: CCE-95072-5 references: cis@sle12: 5.2.6 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml index e7a296e61cd4..2f56ad890353 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_do_not_permit_user_env/rule.yml @@ -26,7 +26,7 @@ identifiers: cce@sle15: CCE-85666-6 cce@sle16: CCE-95825-6 cce@slmicro5: CCE-93649-2 - cce@slmicro6: CCE-95090-7 + cce@slmicro6: CCE-95090-7 references: cis-csc: 11,3,9 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml index 36eba2f144da..b9daf1136609 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_strictmodes/rule.yml @@ -28,7 +28,7 @@ identifiers: cce@sle15: CCE-85645-0 cce@sle16: CCE-95844-7 cce@slmicro5: CCE-93647-6 - cce@slmicro6: CCE-95071-7 + cce@slmicro6: CCE-95071-7 references: cis-csc: 12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml index ab2ed4bfa1c0..b28bb1c307ee 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml 
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_print_last_log/rule.yml @@ -25,7 +25,7 @@ identifiers: cce@sle12: CCE-83083-6 cce@sle15: CCE-85563-5 cce@slmicro5: CCE-93645-0 - cce@slmicro6: CCE-95045-1 + cce@slmicro6: CCE-95045-1 references: cis-csc: 1,12,15,16 diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml index 151c3fc8178a..4da0f9102b5a 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml @@ -37,7 +37,7 @@ references: srg: SRG-OS-000480-GPOS-00227 stigid@ol7: OL07-00-040460 stigid@sle12: SLES-12-030240 - + ocil_clause: 'it is commented out or is not enabled' diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml index 65a97968651d..d2d0e71b558d 100644 --- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml @@ -60,7 +60,7 @@ identifiers: cce@sle15: CCE-85625-2 cce@sle16: CCE-96667-1 cce@slmicro5: CCE-93744-1 - cce@slmicro6: CCE-95054-3 + cce@slmicro6: CCE-95054-3 references: cis-csc: 12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml index de1ef38b809d..0093273c6ee9 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml 
@@ -32,7 +32,7 @@ identifiers:
 cce@sle12: CCE-83195-8
 cce@sle15: CCE-85561-9
 cce@slmicro5: CCE-93731-8
- cce@slmicro6: CCE-95038-6
+ cce@slmicro6: CCE-95038-6
 references:
 nist@sle12: CM-6(b),CM-6.1(iv)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
index 042c0f84de87..dfbedd28d14e 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml
@@ -31,7 +31,7 @@ identifiers:
 cce@sle15: CCE-91155-2
 cce@sle16: CCE-96014-6
 cce@slmicro5: CCE-93737-5
- cce@slmicro6: CCE-95046-9
+ cce@slmicro6: CCE-95046-9
 references:
 nist: CM-6(b),CM-6.1(iv)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
index 8dc33ccd86e0..121128b66212 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/rule.yml
@@ -30,7 +30,7 @@ identifiers:
 cce@sle15: CCE-85664-1
 cce@sle16: CCE-96388-4
 cce@slmicro5: CCE-93734-2
- cce@slmicro6: CCE-95041-0
+ cce@slmicro6: CCE-95041-0
 references:
 cis-csc: 1,12,13,14,15,16,18,3,5
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
index afc05beadbd9..f16dbf64f861 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/rule.yml
@@ -29,7 +29,7 @@ identifiers:
 cce@sle15: CCE-85672-4
 cce@sle16: CCE-95711-8
 cce@slmicro5: CCE-93732-6
- cce@slmicro6: CCE-95039-4
+ cce@slmicro6: CCE-95039-4
 references:
 cis-csc: 1,12,13,14,15,16,18,3,5,7,8
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
index 2d9ad731e6c9..43669409233b 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_dot_no_world_writable_programs/rule.yml
@@ -24,7 +24,7 @@ identifiers:
 cce@sle12: CCE-83099-2
 cce@sle15: CCE-85632-8
 cce@slmicro5: CCE-93790-4
- cce@slmicro6: CCE-95061-8
+ cce@slmicro6: CCE-95061-8
 references:
 cis@sle12: 6.2.8
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
index 71d2afa2358c..7d6b969cda02 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_home_paths_only/rule.yml
@@ -28,7 +28,7 @@ identifiers:
 cce@sle12: CCE-83098-4
 cce@sle15: CCE-85631-0
 cce@slmicro5: CCE-93789-6
- cce@slmicro6: CCE-95060-0
+ cce@slmicro6: CCE-95060-0
 references:
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
index c611897b5cf9..7db29ab81ff6 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_defined/rule.yml
@@ -25,7 +25,7 @@ identifiers:
 cce@sle12: CCE-83075-2
 cce@sle15: CCE-85627-8
 cce@slmicro5: CCE-93745-8
- cce@slmicro6: CCE-95055-0
+ cce@slmicro6: CCE-95055-0
 references:
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
index bfd456b92d6d..b6e9057edae9 100644
--- a/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/accounts_user_interactive_home_directory_exists/rule.yml
@@ -25,7 +25,7 @@ identifiers:
 cce@sle12: CCE-83074-5
 cce@sle15: CCE-85628-6
 cce@slmicro5: CCE-93746-6
- cce@slmicro6: CCE-95056-8
+ cce@slmicro6: CCE-95056-8
 references:
 cis@sle12: 6.2.5
diff --git a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
index 9a873ecafe35..9fff2eddbf2a 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_groupownership_home_directories/rule.yml
@@ -28,7 +28,7 @@ identifiers:
 cce@sle12: CCE-83096-8
 cce@sle15: CCE-85711-0
 cce@slmicro5: CCE-93748-2
- cce@slmicro6: CCE-95058-4
+ cce@slmicro6: CCE-95058-4
 references:
 cis@sle12: 6.2.7
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
index 5a7c5553b925..7698dd4e60ec 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permission_user_init_files/rule.yml
@@ -23,7 +23,7 @@ identifiers:
 cce@sle15: CCE-85630-2
 cce@sle16: CCE-96448-6
 cce@slmicro5: CCE-93749-0
- cce@slmicro6: CCE-95059-2
+ cce@slmicro6: CCE-95059-2
 references:
 srg: SRG-OS-000480-GPOS-00227
diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
index f08d317a7863..811f063c65e7 100644
--- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_directories/rule.yml
@@ -22,7 +22,7 @@ identifiers:
 cce@sle12: CCE-83076-0
 cce@sle15: CCE-85629-4
 cce@slmicro5: CCE-93747-4
- cce@slmicro6: CCE-95057-6
+ cce@slmicro6: CCE-95057-6
 references:
 cis@sle12: 6.2.6
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index d1a716ad639f..2ff272cd0b97 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -18,7 +18,7 @@ identifiers:
 cce@sle15: CCE-85708-6
 cce@sle16: CCE-96632-5
 cce@slmicro5: CCE-93635-1
- cce@slmicro6: CCE-95079-0
+ cce@slmicro6: CCE-95079-0
 references:
 cis-csc: 11,14,3,9
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index b63941343a6e..75a244b9b930 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 cce@sle15: CCE-85649-2
 cce@sle16: CCE-96132-6
 cce@slmicro5: CCE-93630-2
- cce@slmicro6: CCE-95074-1
+ cce@slmicro6: CCE-95074-1
 references:
 cis-csc: 1,12,13,14,15,16,18,4,6,8,9
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
index e80c108494f9..83193a6fe999 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
@@ -19,7 +19,7 @@ identifiers:
 cce@sle12: CCE-83247-7
 cce@sle15: CCE-85713-6
 cce@slmicro5: CCE-93640-1
- cce@slmicro6: CCE-95084-0
+ cce@slmicro6: CCE-95084-0
 references:
 cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index 2d11ee02feca..7e807d0f5916 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -18,7 +18,7 @@ identifiers:
 cce@sle15: CCE-85722-7
 cce@sle16: CCE-96192-0
 cce@slmicro5: CCE-93636-9
- cce@slmicro6: CCE-95080-8
+ cce@slmicro6: CCE-95080-8
 references:
 cis-csc: 11,14,3,9
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
index e9ee1d89ce81..257db00d523f 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 cce@sle15: CCE-85653-4
 cce@sle16: CCE-96234-0
 cce@slmicro5: CCE-93632-8
- cce@slmicro6: CCE-95076-6
+ cce@slmicro6: CCE-95076-6
 references:
 cis-csc: 1,12,13,14,15,16,18,4,6,8,9
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
index ad798b8e43b7..efe089ffe128 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
@@ -25,7 +25,7 @@ identifiers:
 cce@sle15: CCE-85651-8
 cce@sle16: CCE-96527-7
 cce@slmicro5: CCE-93633-6
- cce@slmicro6: CCE-95077-4
+ cce@slmicro6: CCE-95077-4
 references:
 cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 0a52ff93a9ca..7e66f2528502 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 cce@sle15: CCE-85648-4
 cce@sle16: CCE-96355-3
 cce@slmicro5: CCE-93629-4
- cce@slmicro6: CCE-95073-3
+ cce@slmicro6: CCE-95073-3
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
index c7b1b31bea06..d196735894da 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
@@ -24,7 +24,7 @@ identifiers:
 cce@sle15: CCE-85652-6
 cce@sle16: CCE-96155-7
 cce@slmicro5: CCE-93634-4
- cce@slmicro6: CCE-95078-2
+ cce@slmicro6: CCE-95078-2
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index 1051426dbe00..30e61cd34ed5 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 cce@sle15: CCE-85650-0
 cce@sle16: CCE-96076-5
 cce@slmicro5: CCE-93631-0
- cce@slmicro6: CCE-95075-8
+ cce@slmicro6: CCE-95075-8
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
index dcad0b9621c1..90fc843bd69e 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
@@ -23,7 +23,7 @@ identifiers:
 cce@sle15: CCE-85655-9
 cce@sle16: CCE-95931-2
 cce@slmicro5: CCE-93638-5
- cce@slmicro6: CCE-95082-4
+ cce@slmicro6: CCE-95082-4
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index af141d383019..d434006caf2c 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -23,7 +23,7 @@ identifiers:
 cce@sle15: CCE-85654-2
 cce@sle16: CCE-96422-1
 cce@slmicro5: CCE-93637-7
- cce@slmicro6: CCE-95081-6
+ cce@slmicro6: CCE-95081-6
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml index d5be283cd59a..b060456d2410 100644 --- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml +++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml @@ -21,7 +21,7 @@ identifiers: cce@sle15: CCE-85709-4 cce@sle16: CCE-95846-2 cce@slmicro5: CCE-93639-3 - cce@slmicro6: CCE-95083-2 + cce@slmicro6: CCE-95083-2 references: cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9 diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml index d2161f2d33be..190f4a659746 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml @@ -24,7 +24,7 @@ identifiers: cce@sle12: CCE-83104-0 cce@sle15: CCE-85637-7 cce@slmicro5: CCE-93795-3 - cce@slmicro6: CCE-95064-2 + cce@slmicro6: CCE-95064-2 references: cis-csc: 12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml index 8f3de2032ed7..aa2eea35b789 100644 --- a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml @@ -7,29 +7,29 @@ title: 'Verify that system commands directories have root as a group owner' description: |- System commands are stored in the following directories: by default: -
/bin 
-    /sbin 
-    /usr/bin 
-    /usr/sbin 
-    /usr/local/bin 
+    
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
     /usr/local/sbin
     
- All these directories should have root user as a group owner. - If any system command directory is not group owned by a user other than root + All these directories should have root user as a group owner. + If any system command directory is not group owned by a user other than root correct its ownership with the following command:
$ sudo chgrp root DIR
rationale: |- - If the operating system were to allow any user to make changes to - software libraries, then those changes might be implemented without - undergoing the appropriate testing and approvals that are part of a + If the operating system were to allow any user to make changes to + software libraries, then those changes might be implemented without + undergoing the appropriate testing and approvals that are part of a robust change management process. - + This requirement applies to operating systems with software libraries - that are accessible and configurable, as in the case of interpreted languages. - Software libraries also include privileged programs which execute with escalated - privileges. Only qualified and authorized individuals must be allowed to obtain - access to information system components for purposes of initiating changes, + that are accessible and configurable, as in the case of interpreted languages. + Software libraries also include privileged programs which execute with escalated + privileges. Only qualified and authorized individuals must be allowed to obtain + access to information system components for purposes of initiating changes, including upgrades and modifications. severity: medium @@ -46,7 +46,7 @@ identifiers: references: nist: CM-5(6),CM-5(6).1 - srg: SRG-OS-000259-GPOS-00100 + srg: SRG-OS-000259-GPOS-00100 stigid@sle12: SLES-12-010883 @@ -54,11 +54,11 @@ ocil_clause: 'any of these directories are not group owned by root' ocil: |- System commands are stored in the following directories: -
/bin 
-    /sbin 
-    /usr/bin 
-    /usr/sbin 
-    /usr/local/bin 
+    
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
     /usr/local/sbin
For each of these directories, run the following command to find directories not owned by root: diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml index f5522edd8361..4f242dd6ad5f 100644 --- a/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_system_commands_root_owned/rule.yml @@ -5,29 +5,29 @@ title: 'Verify that system commands directories have root ownership' description: |- System commands are stored in the following directories by default: -
/bin 
-    /sbin 
-    /usr/bin 
-    /usr/sbin 
-    /usr/local/bin 
+    
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
     /usr/local/sbin
     
- All these directories should be owned by the root user. - If any system command directory is not owned by a user other than root + All these directories should be owned by the root user. + If any system command directory is not owned by a user other than root correct its ownership with the following command:
$ sudo chown root DIR
rationale: |- - If the operating system were to allow any user to make changes to - software libraries, then those changes might be implemented without - undergoing the appropriate testing and approvals that are part of a + If the operating system were to allow any user to make changes to + software libraries, then those changes might be implemented without + undergoing the appropriate testing and approvals that are part of a robust change management process. - + This requirement applies to operating systems with software libraries - that are accessible and configurable, as in the case of interpreted languages. - Software libraries also include privileged programs which execute with escalated - privileges. Only qualified and authorized individuals must be allowed to obtain - access to information system components for purposes of initiating changes, + that are accessible and configurable, as in the case of interpreted languages. + Software libraries also include privileged programs which execute with escalated + privileges. Only qualified and authorized individuals must be allowed to obtain + access to information system components for purposes of initiating changes, including upgrades and modifications. severity: medium @@ -51,11 +51,11 @@ ocil_clause: 'any of these directories are not owned by root' ocil: |- System commands are stored in the following directories: -
/bin 
-    /sbin 
-    /usr/bin 
-    /usr/sbin 
-    /usr/local/bin 
+    
/bin
+    /sbin
+    /usr/bin
+    /usr/sbin
+    /usr/local/bin
     /usr/local/sbin
For each of these directories, run the following command to find directories not owned by root: diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml index 1c07f1b46b99..8124e4b90123 100644 --- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml +++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml @@ -34,7 +34,7 @@ identifiers: cce@sle15: CCE-85658-3 cce@sle16: CCE-95705-0 cce@slmicro5: CCE-93799-5 - cce@slmicro6: CCE-95088-1 + cce@slmicro6: CCE-95088-1 references: cis-csc: 1,11,12,13,14,15,16,18,3,5 diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml index 58b0ea7d907d..9bcd740e26c5 100644 --- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml +++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/rule.yml @@ -31,7 +31,7 @@ identifiers: cce@sle15: CCE-85657-5 cce@sle16: CCE-95710-0 cce@slmicro5: CCE-93798-7 - cce@slmicro6: CCE-95087-3 + cce@slmicro6: CCE-95087-3 references: cis-csc: 11,12,13,14,15,16,18,3,5,9 diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml index 07d5d93eef41..9172941470f8 100644 --- a/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml +++ b/linux_os/guide/system/permissions/partitions/mount_option_nosuid_removable_partitions/rule.yml @@ -26,7 +26,7 @@ identifiers: cce@sle12: CCE-83101-6 cce@sle15: CCE-85634-4 cce@slmicro5: CCE-93792-0 - cce@slmicro6: CCE-95063-4 + cce@slmicro6: CCE-95063-4 references: cis-csc: 11,12,13,14,15,16,18,3,5,8,9 
diff --git a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml index af69270e7a07..f96fc012c368 100644 --- a/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/encrypt_partitions/rule.yml @@ -111,9 +111,9 @@ fixtext: |- To encrypt an entire partition, dedicate a partition for encryption in the partition layout. {{% if "slmicro" in product %}} - The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted + The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted partition by default. Add it manually in the partitioning dialog. - + The following set of commands will switch {{{ full_name }}} to work in FIPS mode:
$ sudo transactional-update pkg install -t pattern microos-fips
$ sudo reboot
@@ -143,19 +143,19 @@ checktext: |- /dev/sda2: "UUID=f5b8a790-14cb-4b82-882d-707d52f27765" TYPE="crypto_LUKS" /dev/sda3: "UUID=f2d86128-f975-478d-a5b0-25806c900eac" TYPE="crypto_LUKS" - Every persistent disk partition present must be of type "crypto_LUKS". - If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) - are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. + Every persistent disk partition present must be of type "crypto_LUKS". + If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) + are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.
$ sudo more /etc/cryptab


- Output will be similar to: + Output will be similar to: cr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64 cr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765 - cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac - - Every persistent disk partition present on the system must have an entry in the /etc/crypttab file. + cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac + + Every persistent disk partition present on the system must have an entry in the /etc/crypttab file. If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding. Verify the system works in FIPS mode with the following command: diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml index 51bf65c7a0d2..a139de0753ed 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_home/rule.yml @@ -25,7 +25,7 @@ identifiers: cce@sle15: CCE-85639-3 cce@sle16: CCE-95729-0 cce@slmicro5: CCE-93796-1 - cce@slmicro6: CCE-95066-7 + cce@slmicro6: CCE-95066-7 references: cis-csc: 12,15,8 diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml index c5e497ff976e..4083b6c8060a 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var/rule.yml @@ -24,7 +24,7 @@ identifiers: cce@sle15: CCE-85640-1 cce@sle16: CCE-95761-3 cce@slmicro5: CCE-93797-9 - cce@slmicro6: CCE-95067-5 + cce@slmicro6: CCE-95067-5 references: cis-csc: 12,15,8 
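Review bot: The check command in the encrypt_partitions checktext (hunk at -143,19) still reads `$ sudo more /etc/cryptab`, while the two sentences after the sample output name the file as `/etc/crypttab`; this hunk only strips trailing whitespace around it and leaves the misspelled path in place. An assessor who runs the command as written gets a missing-file result, which the next sentence ("or "/etc/crypttab" does not exist, this is a finding") would turn into a false finding on a correctly encrypted system. The line should read `$ sudo more /etc/crypttab`. The checktext block starts above the hunk and appears to continue below it, so the rest of the check text is worth a read for the same spelling.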
diff --git a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml index 2dc71b9279fa..96f7a75e22f5 100644 --- a/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml +++ b/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml @@ -26,7 +26,7 @@ identifiers: cce@sle15: CCE-85618-7 cce@sle16: CCE-96283-7 cce@slmicro5: CCE-93787-0 - cce@slmicro6: CCE-95048-5 + cce@slmicro6: CCE-95048-5 references: cis-csc: 1,12,13,14,15,16,2,3,5,6,8 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml index 95816ee1ef3e..b3733db43bac 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/rule.yml @@ -19,7 +19,7 @@ description: |- The remediation provided with this rule adds acl to all rule sets available in {{{ aide_conf_path }}} {{% endif %}} - + rationale: |- ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. @@ -34,7 +34,7 @@ identifiers: cce@sle15: CCE-85623-7 cce@sle16: CCE-96372-8 cce@slmicro5: CCE-93742-5 - cce@slmicro6: CCE-95052-7 + cce@slmicro6: CCE-95052-7 references: cis-csc: 2,3 diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml index 414f2d1b34a9..c0e28032c928 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml 
@@ -19,7 +19,7 @@ description: |- The remediation provided with this rule adds xattrs to all rule sets available in {{{ aide_conf_path }}} {{% endif %}} - + rationale: |- Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. @@ -34,7 +34,7 @@ identifiers: cce@sle15: CCE-85624-5 cce@sle16: CCE-96620-0 cce@slmicro5: CCE-93743-3 - cce@slmicro6: CCE-95053-5 + cce@slmicro6: CCE-95053-5 references: cis-csc: 2,3 diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml index ea28e36f7e93..b1ac1d164fb1 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml @@ -25,7 +25,7 @@ identifiers: cce@sle12: CCE-83229-5 cce@sle15: CCE-85712-8 cce@slmicro5: CCE-93786-2 - cce@slmicro6: CCE-95042-8 + cce@slmicro6: CCE-95042-8 references: nist: CM-6(b),CM-6(iv) diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml index 947f394f2c0a..9703534af617 100644 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml @@ -28,7 +28,7 @@ identifiers: cce@sle12: CCE-83255-0 cce@sle15: CCE-91151-1 cce@slmicro5: CCE-93733-4 - cce@slmicro6: CCE-95040-2 + cce@slmicro6: CCE-95040-2 references: srg: SRG-OS-000480-GPOS-00227 diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml index 3299039b27ee..b05f548b78a7 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml 
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml @@ -30,7 +30,7 @@ identifiers: cce@sle12: CCE-83230-3 cce@sle15: CCE-85747-4 cce@slmicro5: CCE-93735-9 - cce@slmicro6: CCE-95043-6 + cce@slmicro6: CCE-95043-6 references: nist: CM-6(b),CM-6.1(iv) From e4fe4c8603326529bcddc2cdd6317f5b24b7ffb2 Mon Sep 17 00:00:00 2001 From: rchikov Date: Mon, 29 Jun 2026 14:15:26 +0200 Subject: [PATCH 4/5] Fix warning empty lines and error indentation generated by yamllint --- .../audit_rules_execution_chmod/rule.yml | 1 - .../audit_rules_execution_rm/rule.yml | 1 - .../rule.yml | 12 +- .../rule.yml | 12 +- .../rule.yml | 12 +- .../rule.yml | 12 +- .../rule.yml | 12 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 12 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../audit_rules_session_events_wtmp/rule.yml | 1 - .../auditd_data_disk_full_action/rule.yml | 2 +- .../ssh_server/sshd_set_keepalive_0/rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 22 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../no_empty_passwords_etc_shadow/rule.yml | 2 +- .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 1 - .../rule.yml | 6 +- products/sle15/controls/stig_sle15.yml | 3532 ++++++++--------- 29 files changed, 1902 insertions(+), 1908 deletions(-) diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml index 8fe1302e271b..5283ee411bf1 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml @@ -38,4 +38,3 @@ template: name: audit_rules_privileged_commands vars: path: /usr/bin/chmod - 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml index d4b221cfa8a2..565a2621b593 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml @@ -38,4 +38,3 @@ template: name: audit_rules_privileged_commands vars: path: /usr/bin/rm - diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml index c563651b4d4e..ebfbf6db6374 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -85,9 +85,9 @@ template: vars: name: creat syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml index c3df4964cb97..9a71bce11f4a 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml 
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml @@ -85,9 +85,9 @@ template: vars: name: ftruncate syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml index 15861002b09b..2f780c1d4572 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml @@ -89,9 +89,9 @@ template: vars: name: open syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml index 0f2584da7c21..db8d72879893 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml 
@@ -79,9 +79,9 @@ template: vars: name: open_by_handle_at syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml index 1fb647e1a7db..714f19717e5c 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml @@ -85,9 +85,9 @@ template: vars: name: openat syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml index f6979d523457..f631f37db387 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml 
@@ -77,13 +77,13 @@ template: vars: name: rename syscall_grouping: - - rename - - renameat - {{% if product in ['sle15', 'slmicro5', 'slmicro6'] %}} - - renameat2 - {{% endif %}} - - unlink - - unlinkat + - rename + - renameat + {{% if product in ['sle15', 'slmicro5', 'slmicro6'] %}} + - renameat2 + {{% endif %}} + - unlink + - unlinkat fixtext: |- {{%- if product in ['sle15' ,'slmicro5', 'slmicro6'] %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml index ed1576ab8dc9..94168cd67595 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml @@ -90,13 +90,13 @@ template: vars: name: renameat syscall_grouping: - - rename - - renameat - {{% if product in ['sle15'] %}} - - renameat2 - {{% endif %}} - - unlink - - unlinkat + - rename + - renameat + {{% if product in ['sle15'] %}} + - renameat2 + {{% endif %}} + - unlink + - unlinkat fixtext: |- {{%- if product in ['sle15'] %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml index 4dd4e9aa01df..15c9abc68d6f 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml 
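Review bot: The `renameat2` guard in this `syscall_grouping` list is `{{% if product in ['sle15', 'slmicro5', 'slmicro6'] %}}`, but the same list in the `audit_rules_unsuccessful_file_modification_renameat` hunk that follows, and in the `..._unlink` and `..._unlinkat` hunks, is guarded by `{{% if product in ['sle15'] %}}`. The five syscalls look like one shared group, so on slmicro5 and slmicro6 the four rules would presumably render different groupings, with `renameat2` included only by the rename rule. If the difference is not intentional, use the three-product condition in all four files; the `fixtext` conditionals visible in the trailing context differ in the same way. The `template:` block starts above each of these hunks and `fixtext` continues below them.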
@@ -84,9 +84,9 @@ template: vars: name: truncate syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml index b8a8bde22990..61d2b950d19f 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml @@ -95,13 +95,13 @@ template: vars: name: unlink syscall_grouping: - - rename - - renameat - {{% if product in ['sle15'] %}} - - renameat2 - {{% endif %}} - - unlink - - unlinkat + - rename + - renameat + {{% if product in ['sle15'] %}} + - renameat2 + {{% endif %}} + - unlink + - unlinkat fixtext: |- diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml index 242daceadf10..50e8598096f9 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml 
@@ -92,13 +92,13 @@ template: vars: name: unlinkat syscall_grouping: - - rename - - renameat - {{% if product in ['sle15'] %}} - - renameat2 - {{% endif %}} - - unlink - - unlinkat + - rename + - renameat + {{% if product in ['sle15'] %}} + - renameat2 + {{% endif %}} + - unlink + - unlinkat fixtext: |- {{%- if product in ['sle15'] %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml index 37c025ce1f0c..2e1ce9f10c1f 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml @@ -38,4 +38,3 @@ template: vars: path: /var/log/wtmp key: session - diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml index 474732a91f3e..df7f4e29c2c1 100644 --- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml 
@@ -78,4 +78,4 @@ fixtext: |- If availability has been determined to be more important, and this decision is documented with the ISSO, configure {{{ full_name }}} to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". srg_requirement: - {{{ full_name }}} must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. + {{{ full_name }}} must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml index 28615f381a19..d9db47421a49 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml @@ -68,10 +68,10 @@ ocil: |- the ClientAliveInterval is set. template: - name: sshd_lineinfile - vars: - parameter: "ClientAliveCountMax" - value: "0" - datatype: int - backends: - kubernetes: "off" + name: sshd_lineinfile + vars: + parameter: "ClientAliveCountMax" + value: "0" + datatype: int + backends: + kubernetes: "off" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml index 6d4c44e265fc..75d2e80e8da1 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml 
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml @@ -44,12 +44,12 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-auth - type: auth - control_flag: required - module: pam_faildelay.so - arguments: - - variable: delay - operation: greater than or equal + path: /etc/pam.d/common-auth + type: auth + control_flag: required + module: pam_faildelay.so + arguments: + - variable: delay + operation: greater than or equal platform: package[pam] diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml index 9d1339074db9..52f31313be8b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml @@ -47,10 +47,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: dcredit - operation: less than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: dcredit + operation: less than or equal diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml index 8979c17c24c5..0ce20ea314e4 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml @@ -47,10 +47,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: difok - operation: greater than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: difok + operation: greater than or equal diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml index cec08d97d8c2..4c43bfbd3349 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml @@ -26,13 +26,13 @@ identifiers: cce@slmicro6: CCE-94638-4 references: - cis@sle12: 5.3.1 - cis@sle15: 5.3.1 - nist@sle12: IA-5(a),IA-5(v) - nist@sle15: IA-5(1)(a),IA-5(1).1(v) - pcidss: Req-8.2.3 - srg: SRG-OS-000070-GPOS-00038 - stigid@sle12: SLES-12-010160 + cis@sle12: 5.3.1 + cis@sle15: 5.3.1 + nist@sle12: IA-5(a),IA-5(v) + nist@sle15: IA-5(1)(a),IA-5(1).1(v) + pcidss: Req-8.2.3 + srg: SRG-OS-000070-GPOS-00038 + stigid@sle12: SLES-12-010160 ocil_clause: 'lcredit is not found or not set to the required value' 
@@ -52,12 +52,12 @@ ocil: |- This would appear as lcredit=-{{{ xccdf_value("var_password_pam_lcredit") }}}. template: - name: pam_options - vars: + name: pam_options + vars: path: /etc/pam.d/common-password type: password control_flag: requisite module: pam_cracklib.so arguments: - - variable: lcredit - operation: less than or equal + - variable: lcredit + operation: less than or equal diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml index df034053a731..1a6962f76bcd 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml @@ -41,10 +41,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: minlen - operation: greater than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: minlen + operation: greater than or equal diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml index f8c2b0195cb2..d718e4ce8d04 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml 
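Review bot: In this `template:` hunk only `name`, `vars` and the two `arguments` items are re-indented, while `path`, `type`, `control_flag`, `module` and `arguments:` remain context lines. The sibling cracklib hunks (dcredit, difok, minlen, ocredit, retry, ucredit) do the reverse, keeping `name`/`vars` and moving the keys under `vars`. The exact columns are not recoverable from this page, but this suggests the children of `vars` now sit at a different depth here than in the sibling files. Re-indent `path` through `arguments:` to match the dcredit layout and confirm that yamllint passes and the rendered rule still carries those keys under `vars`, since this template drives the `pam_cracklib.so` lcredit check on `/etc/pam.d/common-password`.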
+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml @@ -48,10 +48,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: ocredit - operation: less than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: ocredit + operation: less than or equal diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml index dfd6923ddd5f..cf17f9cf207b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml @@ -46,10 +46,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: retry - operation: less than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: retry + operation: less than or equal diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml index b757fc8f6b11..0be3735d72d7 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml @@ -49,10 +49,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: ucredit - operation: less than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: ucredit + operation: less than or equal diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml index dfbedd28d14e..d7bada448663 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml @@ -61,7 +61,7 @@ srg_requirement: '{{{ full_name }}} must have no accounts with blank or null pas warnings: - general: - Note that this rule is not applicable for systems running within a + Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway. diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml index a738d1684bb3..8d4ef32d82f4 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml 
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml @@ -98,4 +98,3 @@ warnings: These immutable parts cannot be remediated because they are read-only. Example of such directories can be OStree deployments located at /sysroot/ostree/deploy. In such case, it is needed to make modifications to the underlying ostree snapshot and this is out of scope of regular rule remediation. - diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml index aa2eea35b789..da4804f0d38b 100644 --- a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml @@ -3,7 +3,6 @@ documentation_complete: true title: 'Verify that system commands directories have root as a group owner' - description: |- System commands are stored in the following directories: by default: diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml index d00237db83d4..83e2815728d6 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml @@ -38,4 +38,3 @@ ocil: |- The output should show the following:
DISPLAYMANAGER_AUTOLOGIN=""
          DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
- diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml index b1ac1d164fb1..653f3b4ad455 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml @@ -51,6 +51,6 @@ srg_requirement: '{{{ full_name }}} must restrict privilege elevation to authori platform: package[sudo] warnings: -- general: |- - This rule doesn't come with a remediation, as the exact requirement allows exceptions, - and removing lines from the sudoers file can make the system non-administrable. + - general: |- + This rule doesn't come with a remediation, as the exact requirement allows exceptions, + and removing lines from the sudoers file can make the system non-administrable. diff --git a/products/sle15/controls/stig_sle15.yml b/products/sle15/controls/stig_sle15.yml index 8a8d9f6e62cd..9118665d8a61 100644 --- a/products/sle15/controls/stig_sle15.yml +++ b/products/sle15/controls/stig_sle15.yml 
@@ -12,1769 +12,1769 @@ levels: - id: low controls: -- id: SLES-15-010000 - levels: - - high - title: The SUSE operating system must be a vendor-supported release. - rules: - - installed_OS_is_vendor_supported - status: automated -- id: SLES-15-010010 - levels: - - medium - title: Vendor-packaged SUSE operating system security patches and updates must be - installed and up to date. - rules: - - security_patches_up_to_date - status: automated -- id: SLES-15-010020 - levels: - - medium - title: The SUSE operating system must display the Standard Mandatory DOD Notice - and Consent Banner before granting access via local console. - rules: - - banner_etc_issue - - login_banner_text=dod_banners - - login_banner_contents=dod_default - status: automated -- id: SLES-15-010030 - levels: - - high - title: The SUSE operating system must not have the vsftpd package installed if not - required for operational support. - rules: - - package_vsftpd_removed - status: automated -- id: SLES-15-010040 - levels: - - medium - title: The SUSE operating system must display the Standard Mandatory DOD Notice - and Consent Banner before granting access via SSH. - rules: - - sshd_enable_warning_banner - status: automated -- id: SLES-15-010050 - levels: - - medium - title: The SUSE operating system must display the Standard Mandatory DoD Notice - and Consent Banner until users acknowledge the usage conditions and take explicit - actions to log on for further access to the local graphical user interface (GUI). - rules: - - gui_login_dod_acknowledgement - status: automated -- id: SLES-15-010060 - levels: - - medium - title: The SUSE operating system file /etc/gdm/banner must contain the Standard - Mandatory DoD Notice and Consent banner text. - rules: - - banner_etc_gdm_banner - status: automated -- id: SLES-15-010080 - levels: - - medium - title: The SUSE operating system must display a banner before granting local or - remote access to the system via a graphical user logon. 
- rules: - - dconf_gnome_banner_enabled - status: automated -- id: SLES-15-010090 - levels: - - medium - title: The SUSE operating system must display the approved Standard Mandatory DoD - Notice before granting local or remote access to the system via a graphical user - logon. - rules: - - dconf_db_up_to_date - - dconf_gnome_login_banner_text - - dconf_login_banner_text=dod_banners - - dconf_login_banner_contents=dod_default - status: automated -- id: SLES-15-010100 - levels: - - medium - title: The SUSE operating system must be able to lock the graphical user interface - (GUI). - rules: - - dconf_gnome_screensaver_lock_enabled - status: automated -- id: SLES-15-010110 - levels: - - low - title: The SUSE operating system must utilize vlock to allow for session locking. - rules: - - vlock_installed - status: automated -- id: SLES-15-010120 - levels: - - medium - title: The SUSE operating system must initiate a session lock after a 15-minute - period of inactivity for the graphical user interface (GUI). - rules: - - dconf_gnome_screensaver_idle_delay - - inactivity_timeout_value=15_minutes - - dconf_gnome_session_idle_user_locks - status: automated -- id: SLES-15-010130 - levels: - - medium - title: The SUSE operating system must initiate a session lock after a 10-minute - period of inactivity. - rules: - - accounts_tmout - - var_accounts_tmout=10_min - status: automated -- id: SLES-15-010140 - levels: - - low - title: The SUSE operating system must conceal, via the session lock, information - previously visible on the display with a publicly viewable image in the graphical - user interface (GUI). - rules: - - dconf_gnome_screensaver_mode_blank - status: automated -- id: SLES-15-010150 - levels: - - medium - title: The SUSE operating system must log SSH connection attempts and failures to - the server. 
- rules: - - sshd_set_loglevel_verbose - status: automated -- id: SLES-15-010160 - levels: - - medium - title: The SUSE operating system must implement DOD-approved encryption to protect - the confidentiality of SSH remote connections. - rules: - - sshd_use_approved_ciphers - - sshd_use_approved_ciphers_ordered_stig - status: automated -- id: SLES-15-010170 - levels: - - medium - title: The SUSE operating system, for PKI-based authentication, must validate certificates - by constructing a certification path (which includes status information) to an - accepted trust anchor. - rules: - - smartcard_configure_ca - status: automated -- id: SLES-15-010180 - levels: - - high - title: The SUSE operating system must not have the telnet-server package installed. - rules: - - package_telnet-server_removed - status: automated -- id: SLES-15-010190 - levels: - - high - title: SUSE operating systems with a basic input/output system (BIOS) must require - authentication upon booting into single-user and maintenance modes. - rules: - - grub2_password - status: automated -- id: SLES-15-010200 - levels: - - high - title: SUSE operating systems with Unified Extensible Firmware Interface (UEFI) - implemented must require authentication upon booting into single-user mode and - maintenance. - rules: - - grub2_uefi_password - status: automated -- id: SLES-15-010220 - levels: - - medium - title: The SUSE operating system must be configured to prohibit or restrict the - use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, - and Services Management (PPSM) Category Assignments List (CAL) and vulnerability - assessments. - rules: - - package_firewalld_installed - - service_firewalld_enabled - status: automated -- id: SLES-15-010230 - levels: - - medium - title: The SUSE operating system must not have duplicate User IDs (UIDs) for interactive - users. 
- rules: - - account_unique_id - status: automated -- id: SLES-15-010240 - levels: - - medium - title: The SUSE operating system must disable the file system automounter. - rules: - - service_autofs_disabled - status: automated -- id: SLES-15-010260 - levels: - - medium - title: The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing - algorithm for system authentication (login.defs). - rules: - - set_password_hashing_algorithm_logindefs - status: automated -- id: SLES-15-010270 - levels: - - medium - title: The SUSE operating system SSH daemon must be configured to only use Message - Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. - rules: - - sshd_use_approved_macs - - sshd_use_approved_macs_ordered_stig - status: automated -- id: SLES-15-010280 - levels: - - medium - title: The SUSE operating system SSH daemon must be configured with a timeout interval. - rules: - - sshd_set_idle_timeout - - sshd_idle_timeout_value=10_minutes - status: automated -- id: SLES-15-010300 - levels: - - medium - title: The sticky bit must be set on all SUSE operating system world-writable directories. - rules: - - dir_perms_world_writable_sticky_bits - status: automated -- id: SLES-15-010310 - levels: - - medium - title: The SUSE operating system must be configured to use TCP syncookies. - rules: - - sysctl_net_ipv4_tcp_syncookies - status: automated -- id: SLES-15-010320 - levels: - - medium - title: The SUSE operating system, for all network connections associated with SSH - traffic, must immediately terminate at the end of the session or after 10 minutes - of inactivity. 
- rules: - - sshd_set_keepalive - - var_sshd_set_keepalive=1 - - sshd_set_keepalive_0 - status: automated -- id: SLES-15-010330 - levels: - - high - title: All SUSE operating system persistent disk partitions must implement cryptographic - mechanisms to prevent unauthorized disclosure or modification of all information - that requires at-rest protection. - rules: - - encrypt_partitions - status: automated -- id: SLES-15-010340 - levels: - - medium - title: The SUSE operating system must generate error messages that provide information - necessary for corrective actions without revealing information that could be exploited - by adversaries. - rules: - - permissions_local_var_log - status: automated -- id: SLES-15-010350 - levels: - - medium - title: The SUSE operating system must prevent unauthorized users from accessing - system error messages. - rules: - - file_permissions_local_var_log_messages - status: automated -- id: SLES-15-010351 - levels: - - medium - title: The SUSE operating system library files must have mode 0755 or less permissive. - rules: - - file_permissions_library_dirs - status: automated -- id: SLES-15-010352 - levels: - - medium - title: The SUSE operating system library directories must have mode 0755 or less - permissive. - rules: - - dir_permissions_library_dirs - status: automated -- id: SLES-15-010353 - levels: - - medium - title: The SUSE operating system library files must be owned by root. - rules: - - file_ownership_library_dirs - status: automated -- id: SLES-15-010354 - levels: - - medium - title: The SUSE operating system library directories must be owned by root. - rules: - - dir_ownership_library_dirs - status: automated -- id: SLES-15-010355 - levels: - - medium - title: The SUSE operating system library files must be group-owned by root. - rules: - - root_permissions_syslibrary_files - status: automated -- id: SLES-15-010356 - levels: - - medium - title: The SUSE operating system library directories must be group-owned by root. 
- rules: - - dir_group_ownership_library_dirs - status: automated -- id: SLES-15-010357 - levels: - - medium - title: The SUSE operating system must have system commands set to a mode of 0755 - or less permissive. - rules: - - file_permissions_system_commands_dirs - status: automated -- id: SLES-15-010358 - levels: - - medium - title: The SUSE operating system must have directories that contain system commands - set to a mode of 0755 or less permissive. - rules: - - file_permissions_binary_dirs - status: automated -- id: SLES-15-010359 - levels: - - medium - title: The SUSE operating system must have system commands owned by root. - rules: - - file_ownership_binary_dirs - status: automated -- id: SLES-15-010360 - levels: - - medium - title: The SUSE operating system must have directories that contain system commands - owned by root. - rules: - - dir_system_commands_root_owned - status: automated -- id: SLES-15-010361 - levels: - - medium - title: The SUSE operating system must have system commands group-owned by root or - a system account. - rules: - - file_groupownership_system_commands_dirs - status: automated -- id: SLES-15-010362 - levels: - - medium - title: The SUSE operating system must have directories that contain system commands - group-owned by root. - rules: - - dir_system_commands_group_root_owned - status: automated -- id: SLES-15-010370 - levels: - - medium - title: The SUSE operating system must have a firewall system installed to immediately - disconnect or disable remote access to the whole operating system. - rules: [] - status: pending -- id: SLES-15-010380 - levels: - - medium - title: The SUSE operating system wireless network adapters must be disabled unless - approved and documented. - rules: - - wireless_disable_interfaces - status: automated -- id: SLES-15-010390 - levels: - - medium - title: SUSE operating system AppArmor tool must be configured to control whitelisted - applications and user home directory access control. 
- rules: - - apparmor_configured - - package_pam_apparmor_installed - status: automated -- id: SLES-15-010400 - levels: - - medium - title: The SUSE operating system clock must, for networked systems, be synchronized - to an authoritative DOD time source at least every 24 hours. - rules: - - chronyd_or_ntpd_set_maxpoll - - var_time_service_set_maxpoll=18_hours - status: automated -- id: SLES-15-010410 - levels: - - low - title: The SUSE operating system must be configured to use Coordinated Universal - Time (UTC) or Greenwich Mean Time (GMT). - rules: - - ensure_rtc_utc_configuration - status: automated -- id: SLES-15-010420 - levels: - - medium - title: Advanced Intrusion Detection Environment (AIDE) must verify the baseline - SUSE operating system configuration at least weekly. - rules: - - aide_periodic_cron_checking - status: automated -- id: SLES-15-010430 - levels: - - high - title: The SUSE operating system tool zypper must have gpgcheck enabled. - rules: - - ensure_gpgcheck_globally_activated - status: automated -- id: SLES-15-010450 - levels: - - high - title: The SUSE operating system must reauthenticate users when changing authenticators, - roles, or escalating privileges. - rules: - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_require_authentication - status: automated -- id: SLES-15-010460 - levels: - - medium - title: The SUSE operating system must have the packages required for multifactor - authentication to be installed. - rules: - - install_smartcard_packages - status: automated -- id: SLES-15-010470 - levels: - - medium - title: The SUSE operating system must implement certificate status checking for - multifactor authentication. - rules: - - smartcard_configure_cert_checking - status: automated -- id: SLES-15-010480 - levels: - - medium - title: The SUSE operating system must disable the USB mass storage kernel module. 
- rules: - - kernel_module_usb-storage_disabled - status: automated -- id: SLES-15-010490 - levels: - - medium - title: If Network Security Services (NSS) is being used by the SUSE operating system - it must prohibit the use of cached authentications after one day. - rules: - - sssd_memcache_timeout - - var_sssd_memcache_timeout=1_day - status: automated -- id: SLES-15-010500 - levels: - - medium - title: The SUSE operating system must configure the Linux Pluggable Authentication - Modules (PAM) to prohibit the use of cached offline authentications after one - day. - rules: - - sssd_offline_cred_expiration - status: automated -- id: SLES-15-010510 - levels: - - high - title: FIPS 140-2 mode must be enabled on the SUSE operating system. - rules: - - is_fips_mode_enabled - status: automated -- id: SLES-15-010530 - levels: - - high - title: All networked SUSE operating systems must have and implement SSH to protect - the confidentiality and integrity of transmitted and received information, as - well as information during preparation for transmission. - rules: - - service_sshd_enabled - status: automated -- id: SLES-15-010540 - levels: - - medium - title: The SUSE operating system must implement kptr-restrict to prevent the leaking - of internal kernel addresses. - rules: - - sysctl_kernel_kptr_restrict - status: automated -- id: SLES-15-010550 - levels: - - medium - title: Address space layout randomization (ASLR) must be implemented by the SUSE - operating system to protect memory from unauthorized code execution. - rules: - - sysctl_kernel_randomize_va_space - status: automated -- id: SLES-15-010560 - levels: - - medium - title: The SUSE operating system must remove all outdated software components after - updated versions have been installed. 
- rules: - - clean_components_post_updating - status: automated -- id: SLES-15-010570 - levels: - - medium - title: The SUSE operating system must notify the System Administrator (SA) when - Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation - of any security functions. - rules: - - aide_periodic_checking_systemd_timer - - aide_scan_notification - status: automated -- id: SLES-15-010580 - levels: - - medium - title: The SUSE operating system must off-load rsyslog messages for networked systems - in real time and off-load standalone systems at least weekly. - rules: - - rsyslog_remote_loghost - status: automated -- id: SLES-15-020000 - levels: - - medium - title: The SUSE operating system must provision temporary accounts with an expiration - date for 72 hours. - rules: [] - status: pending -- id: SLES-15-020010 - levels: - - medium - title: The SUSE operating system must lock an account after three consecutive invalid - access attempts. - rules: - - accounts_passwords_pam_tally2 - - var_password_pam_tally2=3 - status: automated -- id: SLES-15-020020 - levels: - - low - title: The SUSE operating system must limit the number of concurrent sessions to - 10 for all accounts and/or account types. - rules: - - accounts_max_concurrent_login_sessions - - var_accounts_max_concurrent_login_sessions=10 - status: automated -- id: SLES-15-020030 - levels: - - medium - title: The SUSE operating system must implement multifactor authentication for access - to privileged accounts via pluggable authentication modules (PAM). - rules: - - smartcard_pam_enabled - status: automated -- id: SLES-15-020040 - levels: - - medium - title: The SUSE operating system must deny direct logons to the root account using - remote access via SSH. 
- rules: - - sshd_disable_root_login - status: automated -- id: SLES-15-020050 - levels: - - medium - title: The SUSE operating system must disable account identifiers (individuals, - groups, roles, and devices) after 35 days of inactivity after password expiration. - rules: - - account_disable_post_pw_expiration - - var_account_disable_post_pw_expiration=35 - status: automated -- id: SLES-15-020060 - levels: - - medium - title: The SUSE operating system must never automatically remove or disable emergency - administrator accounts. - rules: - - account_emergency_admin - status: manual -- id: SLES-15-020090 - levels: - - medium - title: The SUSE operating system must not have unnecessary accounts. - rules: - - accounts_authorized_local_users - # NOTE: must configure "var_accounts_authorized_local_users_regex" - # when the rule "accounts_authorized_local_users" is enabled - # - var_accounts_authorized_local_users_regex= - - var_accounts_authorized_local_users_regex=sle15 - status: automated -- id: SLES-15-020091 - levels: - - medium - title: The SUSE operating system must not have unnecessary account capabilities. - rules: - - no_shelllogin_for_systemaccounts - status: automated -- id: SLES-15-020100 - levels: - - high - title: The SUSE operating system root account must be the only account with unrestricted - access to the system. - rules: - - accounts_no_uid_except_zero - status: automated -- id: SLES-15-020101 - levels: - - medium - title: The SUSE operating system must restrict privilege elevation to authorized - personnel. - rules: - - sudo_restrict_privilege_elevation_to_authorized - status: automated -- id: SLES-15-020102 - levels: - - medium - title: The SUSE operating system must require reauthentication when using the "sudo" - command. 
- rules: - - sudo_require_reauthentication - - var_sudo_timestamp_timeout=always_prompt - status: automated -- id: SLES-15-020103 - levels: - - medium - title: The SUSE operating system must use the invoking user's password for privilege - escalation when using "sudo". - rules: - - sudoers_validate_passwd - status: automated -- id: SLES-15-020110 - levels: - - medium - title: All SUSE operating system local interactive user accounts, upon creation, - must be assigned a home directory. - rules: - - accounts_have_homedir_login_defs - status: automated -- id: SLES-15-020120 - levels: - - medium - title: The SUSE operating system must display the date and time of the last successful - account logon upon an SSH logon. - rules: - - sshd_print_last_log - status: automated -- id: SLES-15-020130 - levels: - - medium - title: The SUSE operating system must enforce passwords that contain at least one - uppercase character. - rules: - - cracklib_accounts_password_pam_ucredit - - var_password_pam_ucredit=1 - status: automated -- id: SLES-15-020140 - levels: - - medium - title: The SUSE operating system must enforce passwords that contain at least one - lowercase character. - rules: - - cracklib_accounts_password_pam_lcredit - - var_password_pam_lcredit=1 - status: automated -- id: SLES-15-020150 - levels: - - medium - title: The SUSE operating system must enforce passwords that contain at least one - numeric character. - rules: - - cracklib_accounts_password_pam_dcredit - - var_password_pam_dcredit=1 - status: automated -- id: SLES-15-020160 - levels: - - medium - title: The SUSE operating system must require the change of at least eight of the - total number of characters when passwords are changed. - rules: - - cracklib_accounts_password_pam_difok - status: automated -- id: SLES-15-020170 - levels: - - medium - title: The SUSE operating system must configure the Linux Pluggable Authentication - Modules (PAM) to only store encrypted representations of passwords. 
- rules: - - set_password_hashing_algorithm_systemauth - status: automated -- id: SLES-15-020180 - levels: - - medium - title: The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing - algorithms for all stored passwords. - rules: - - accounts_password_all_shadowed_sha512 - status: automated -- id: SLES-15-020190 - levels: - - medium - title: The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing - algorithms for all stored passwords. - rules: - - set_password_hashing_min_rounds_logindefs - - var_password_hashing_min_rounds_login_defs=100000 - status: automated -- id: SLES-15-020200 - levels: - - medium - title: The SUSE operating system must be configured to create or update passwords - with a minimum lifetime of 24 hours (one day). - rules: - - accounts_minimum_age_login_defs - - var_accounts_minimum_age_login_defs=7 - status: automated -- id: SLES-15-020210 - levels: - - medium - title: The SUSE operating system must employ user passwords with a minimum lifetime - of 24 hours (one day). - rules: - - accounts_password_set_min_life_existing - status: automated -- id: SLES-15-020220 - levels: - - medium - title: The SUSE operating system must be configured to create or update passwords - with a maximum lifetime of 60 days. - rules: - - accounts_maximum_age_login_defs - - var_accounts_maximum_age_login_defs=60 - status: automated -- id: SLES-15-020230 - levels: - - medium - title: The SUSE operating system must employ user passwords with a maximum lifetime - of 60 days. - rules: - - accounts_password_set_max_life_existing - status: automated -- id: SLES-15-020260 - levels: - - medium - title: The SUSE operating system must employ passwords with a minimum of 15 characters. - rules: - - cracklib_accounts_password_pam_minlen - - var_password_pam_minlen=15 - status: automated -- id: SLES-15-020270 - levels: - - medium - title: The SUSE operating system must enforce passwords that contain at least one - special character. 
- rules: - - cracklib_accounts_password_pam_ocredit - - var_password_pam_ocredit=1 - status: automated -- id: SLES-15-020290 - levels: - - medium - title: The SUSE operating system must prevent the use of dictionary words for passwords. - rules: - - cracklib_accounts_password_pam_retry - status: automated -- id: SLES-15-020300 - levels: - - high - title: The SUSE operating system must not be configured to allow blank or null passwords. - rules: - - no_empty_passwords - status: automated -- id: SLES-15-030000 - levels: - - medium - title: The SUSE operating system must generate audit records for all account creations, - modifications, disabling, and termination events that affect /etc/passwd. - rules: - - audit_rules_usergroup_modification_passwd - status: automated -- id: SLES-15-030010 - levels: - - medium - title: The SUSE operating system must generate audit records for all account creations, - modifications, disabling, and termination events that affect /etc/group. - rules: - - audit_rules_usergroup_modification_group - status: automated -- id: SLES-15-030020 - levels: - - medium - title: The SUSE operating system must generate audit records for all account creations, - modifications, disabling, and termination events that affect /etc/shadow. - rules: - - audit_rules_usergroup_modification_shadow - status: automated -- id: SLES-15-030030 - levels: - - medium - title: The SUSE operating system must generate audit records for all account creations, - modifications, disabling, and termination events that affect /etc/security/opasswd. - rules: - - audit_rules_usergroup_modification_opasswd - status: automated -- id: SLES-15-030040 - levels: - - medium - title: The SUSE operating system must generate audit records for all account creations, - modifications, disabling, and termination events that affect /etc/gshadow. 
- rules: - - audit_rules_usergroup_modification_gshadow - status: automated -- id: SLES-15-030050 - levels: - - medium - title: SUSE operating system audit records must contain information to establish - what type of events occurred, the source of events, where events occurred, and - the outcome of events. - rules: - - service_auditd_enabled - status: automated -- id: SLES-15-030060 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - ssh-keysign command. - rules: - - audit_rules_privileged_commands_ssh_keysign - status: automated -- id: SLES-15-030070 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - passwd command. - rules: - - audit_rules_privileged_commands_passwd - status: automated -- id: SLES-15-030080 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - gpasswd command. - rules: - - audit_rules_privileged_commands_gpasswd - status: automated -- id: SLES-15-030090 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - newgrp command. - rules: - - audit_rules_privileged_commands_newgrp - status: automated -- id: SLES-15-030100 - levels: - - low - title: The SUSE operating system must generate audit records for a uses of the chsh - command. - rules: - - audit_rules_privileged_commands_chsh - status: automated -- id: SLES-15-030110 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - unix_chkpwd or unix2_chkpwd commands. - rules: - - audit_rules_privileged_commands_unix2_chkpwd - - audit_rules_privileged_commands_unix_chkpwd - status: automated -- id: SLES-15-030120 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chage command. 
- rules: - - audit_rules_privileged_commands_chage - status: automated -- id: SLES-15-030130 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - crontab command. - rules: - - audit_rules_privileged_commands_crontab - status: automated -- id: SLES-15-030140 - levels: - - medium - title: The SUSE operating system must audit all uses of the sudoers file and all - files in the /etc/sudoers.d/ directory. - rules: - - audit_rules_sysadmin_actions - status: automated -- id: SLES-15-030150 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. - rules: - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_truncate - status: automated -- id: SLES-15-030190 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system - calls. - rules: - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - status: automated -- id: SLES-15-030250 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chown, fchown, fchownat, and lchown system calls. 
- rules: - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_lchown - status: automated -- id: SLES-15-030290 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chmod, fchmod, and fchmodat system calls. - rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - status: automated -- id: SLES-15-030330 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - sudoedit command. - rules: - - audit_rules_privileged_commands_sudoedit - status: automated -- id: SLES-15-030340 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - chfn command. - rules: - - audit_rules_privileged_commands_chfn - status: automated -- id: SLES-15-030350 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - mount system call. - rules: - - audit_rules_media_export - status: automated -- id: SLES-15-030360 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - umount system call. - rules: - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - status: automated -- id: SLES-15-030370 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - ssh-agent command. - rules: - - audit_rules_privileged_commands_ssh_agent - status: automated -- id: SLES-15-030380 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - insmod command. - rules: - - audit_rules_privileged_commands_insmod - status: automated -- id: SLES-15-030390 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - rmmod command. 
- rules: - - audit_rules_privileged_commands_rmmod - status: automated -- id: SLES-15-030400 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - modprobe command. - rules: - - audit_rules_privileged_commands_modprobe - status: automated -- id: SLES-15-030410 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - kmod command. - rules: - - audit_rules_privileged_commands_kmod - status: automated -- id: SLES-15-030420 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chmod command. - rules: - - audit_rules_execution_chmod - status: automated -- id: SLES-15-030430 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - setfacl command. - rules: - - audit_rules_execution_setfacl - status: automated -- id: SLES-15-030440 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chacl command. - rules: - - audit_rules_execution_chacl - status: automated -- id: SLES-15-030450 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chcon command. - rules: - - audit_rules_execution_chcon - status: automated -- id: SLES-15-030460 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - rm command. - rules: - - audit_rules_execution_rm - status: automated -- id: SLES-15-030470 - levels: - - medium - title: The SUSE operating system must generate audit records for all modifications - to the tallylog file must generate an audit record. - rules: - - audit_rules_login_events_tallylog - status: automated -- id: SLES-15-030480 - levels: - - medium - title: The SUSE operating system must generate audit records for all modifications - to the lastlog file. 
- rules: - - audit_rules_login_events_lastlog - status: automated -- id: SLES-15-030490 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - passmass command. - rules: - - audit_rules_privileged_commands_passmass - status: automated -- id: SLES-15-030500 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - usermod command. - rules: - - audit_rules_privileged_commands_usermod - status: automated -- id: SLES-15-030510 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - pam_timestamp_check command. - rules: - - audit_rules_privileged_commands_pam_timestamp_check - status: automated -- id: SLES-15-030520 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - delete_module system call. - rules: - - audit_rules_kernel_module_loading_delete - status: automated -- id: SLES-15-030530 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - init_module and finit_module system calls. - rules: - - audit_rules_kernel_module_loading_finit - - audit_rules_kernel_module_loading_init - status: automated -- id: SLES-15-030550 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - su command. - rules: - - audit_rules_privileged_commands_su - status: automated -- id: SLES-15-030560 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - sudo command. - rules: - - audit_rules_privileged_commands_sudo - status: automated -- id: SLES-15-030570 - levels: - - medium - title: The Information System Security Officer (ISSO) and System Administrator (SA), - at a minimum, must be alerted of a SUSE operating system audit processing failure - event. 
- rules:
- - auditd_data_retention_action_mail_acct
- status: automated
-- id: SLES-15-030580
- levels:
- - medium
- title: The Information System Security Officer (ISSO) and System Administrator (SA),
- at a minimum, must have mail aliases to be notified of a SUSE operating system
- audit processing failure.
- rules:
- - postfix_client_configure_mail_alias
- status: automated
-- id: SLES-15-030590
- levels:
- - medium
- title: The SUSE operating system audit system must take appropriate action when
- the audit storage volume is full.
- rules:
- - auditd_data_disk_full_action
- - var_auditd_disk_full_action=syslog
- status: automated
-- id: SLES-15-030600
- levels:
- - medium
- title: The SUSE operating system must protect audit rules from unauthorized modification.
- rules:
- - permissions_local_var_log_audit
- status: automated
-- id: SLES-15-030620
- levels:
- - medium
- title: The SUSE operating system audit tools must have the proper permissions configured
- to protect against unauthorized access.
- rules:
- - permissions_local_audit_binaries
- status: automated
-- id: SLES-15-030630
- levels:
- - medium
- title: The SUSE operating system file integrity tool must be configured to protect
- the integrity of the audit tools.
- rules:
- - aide_check_audit_tools
- status: automated
-- id: SLES-15-030640
- levels:
- - low
- title: The SUSE operating system must generate audit records for all uses of the
- privileged functions.
- rules:
- - audit_rules_suid_privilege_function
- status: automated
-- id: SLES-15-030650
- levels:
- - medium
- title: The SUSE operating system must have the auditing package installed.
- rules:
- - package_audit_installed
- status: automated
-- id: SLES-15-030660
- levels:
- - medium
- title: The SUSE operating system must allocate audit record storage capacity to
- store at least one week of audit records when audit records are not immediately
- sent to a central audit record storage facility.
- rules:
- - auditd_audispd_configure_sufficiently_large_partition
- status: manual
-- id: SLES-15-030670
- levels:
- - medium
- title: The audit-audispd-plugins must be installed on the SUSE operating system.
- rules:
- - package_audit-audispd-plugins_installed
- status: automated
-- id: SLES-15-030680
- levels:
- - low
- title: The SUSE operating system audit event multiplexor must be configured to use
- Kerberos.
- rules:
- - auditd_audispd_encrypt_sent_records
- status: automated
-- id: SLES-15-030690
- levels:
- - low
- title: Audispd must off-load audit records onto a different system or media from
- the SUSE operating system being audited.
- rules:
- - auditd_audispd_configure_remote_server
- # NOTE: must configure "var_audispd_remote_server" when the
- # rule "auditd_audispd_configure_remote_server" is enabled
- # - var_audispd_remote_server=
- status: automated
-- id: SLES-15-030700
- levels:
- - medium
- title: The SUSE operating system auditd service must notify the System Administrator
- (SA) and Information System Security Officer (ISSO) immediately when audit storage
- capacity is 75 percent full.
- rules:
- - auditd_data_retention_space_left
- status: automated
-- id: SLES-15-030740
- levels:
- - medium
- title: The SUSE operating system must generate audit records for all uses of the
- unlink, unlinkat, rename, renameat, and rmdir system calls.
- rules:
- - audit_rules_unsuccessful_file_modification_rename
- - audit_rules_unsuccessful_file_modification_renameat
- - audit_rules_unsuccessful_file_modification_renameat2
- - audit_rules_unsuccessful_file_modification_unlink
- - audit_rules_unsuccessful_file_modification_unlinkat
- status: automated
-- id: SLES-15-030760
- levels:
- - medium
- title: The SUSE operating system must generate audit records for the /run/utmp file.
- rules:
- - audit_rules_session_events_utmp
- status: automated
-- id: SLES-15-030770
- levels:
- - medium
- title: The SUSE operating system must generate audit records for the /var/log/wtmp
- file.
- rules:
- - audit_rules_session_events_wtmp
- status: automated
-- id: SLES-15-030780
- levels:
- - medium
- title: The SUSE operating system must generate audit records for the /var/log/btmp
- file.
- rules:
- - audit_rules_session_events_btmp
- status: automated
-- id: SLES-15-030790
- levels:
- - medium
- title: The SUSE operating system must off-load audit records onto a different system
- or media from the system being audited.
- rules:
- - auditd_audispd_network_failure_action
- status: automated
-- id: SLES-15-030800
- levels:
- - medium
- title: Audispd must take appropriate action when the SUSE operating system audit
- storage is full.
- rules:
- - auditd_audispd_disk_full_action
- status: automated
-- id: SLES-15-030810
- levels:
- - low
- title: The SUSE operating system must use a separate file system for the system
- audit data path.
- rules:
- - partition_for_var_log_audit
- status: automated
-- id: SLES-15-030820
- levels:
- - medium
- title: The SUSE operating system must not disable syscall auditing.
- rules:
- - audit_rules_enable_syscall_auditing
- status: automated
-- id: SLES-15-040000
- levels:
- - medium
- title: The SUSE operating system must enforce a delay of at least four seconds between
- logon prompts following a failed logon attempt.
- rules: []
- status: pending
-- id: SLES-15-040010
- levels:
- - medium
- title: The SUSE operating system must enforce a delay of at least four seconds between
- logon prompts following a failed logon attempt.
- rules:
- - accounts_passwords_pam_faildelay_delay
- - var_accounts_fail_delay=4
- - var_password_pam_delay=4000000
- status: automated
-- id: SLES-15-040020
- levels:
- - high
- title: There must be no .shosts files on the SUSE operating system.
- rules:
- - no_user_host_based_files
- status: automated
-- id: SLES-15-040030
- levels:
- - high
- title: There must be no shosts.equiv files on the SUSE operating system.
- rules:
- - no_host_based_files
- status: automated
-- id: SLES-15-040040
- levels:
- - low
- title: The SUSE operating system file integrity tool must be configured to verify
- Access Control Lists (ACLs).
- rules:
- - aide_verify_acls
- status: automated
-- id: SLES-15-040050
- levels:
- - low
- title: The SUSE operating system file integrity tool must be configured to verify
- extended attributes.
- rules:
- - aide_verify_ext_attributes
- status: automated
-- id: SLES-15-040060
- levels:
- - high
- title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
- rules:
- - disable_ctrlaltdel_reboot
- status: automated
-- id: SLES-15-040061
- levels:
- - high
- title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence
- for Graphical User Interfaces.
- rules:
- - enable_dconf_user_profile
- status: automated
-- id: SLES-15-040062
- levels:
- - high
- title: The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst
- key sequence.
- rules:
- - disable_ctrlaltdel_burstaction
- status: automated
-- id: SLES-15-040070
- levels:
- - medium
- title: All SUSE operating system local interactive users must have a home directory
- assigned in the /etc/passwd file.
- rules:
- - accounts_user_interactive_home_directory_defined
- status: automated
-- id: SLES-15-040080
- levels:
- - medium
- title: All SUSE operating system local interactive user home directories defined
- in the /etc/passwd file must exist.
- rules:
- - accounts_user_interactive_home_directory_exists
- status: automated
-- id: SLES-15-040090
- levels:
- - medium
- title: All SUSE operating system local interactive user home directories must have
- mode 0750 or less permissive.
- rules:
- - file_permissions_home_directories
- status: automated
-- id: SLES-15-040100
- levels:
- - medium
- title: All SUSE operating system local interactive user home directories must be
- group-owned by the home directory owner's primary group.
- rules:
- - file_groupownership_home_directories
- status: automated
-- id: SLES-15-040110
- levels:
- - medium
- title: All SUSE operating system local initialization files must have mode 0740
- or less permissive.
- rules:
- - file_permission_user_init_files
- status: automated
-- id: SLES-15-040120
- levels:
- - medium
- title: All SUSE operating system local interactive user initialization files executable
- search paths must contain only paths that resolve to the users home directory.
- rules:
- - accounts_user_home_paths_only
- status: manual
-- id: SLES-15-040130
- levels:
- - medium
- title: All SUSE operating system local initialization files must not execute world-writable
- programs.
- rules:
- - accounts_user_dot_no_world_writable_programs
- status: automated
-- id: SLES-15-040140
- levels:
- - medium
- title: SUSE operating system file systems that contain user home directories must
- be mounted to prevent files with the setuid and setgid bit set from being executed.
- rules:
- - mount_option_home_nosuid
- status: automated
-- id: SLES-15-040150
- levels:
- - medium
- title: SUSE operating system file systems that are used with removable media must
- be mounted to prevent files with the setuid and setgid bit set from being executed.
- rules:
- - mount_option_nosuid_removable_partitions
- - var_removable_partition=dev_cdrom
- status: automated
-- id: SLES-15-040160
- levels:
- - medium
- title: SUSE operating system file systems that are being imported via Network File
- System (NFS) must be mounted to prevent files with the setuid and setgid bit set
- from being executed.
- rules:
- - mount_option_nosuid_remote_filesystems
- status: automated
-- id: SLES-15-040170
- levels:
- - medium
- title: SUSE operating system file systems that are being imported via Network File
- System (NFS) must be mounted to prevent binary files from being executed.
- rules:
- - mount_option_noexec_remote_filesystems
- status: automated
-- id: SLES-15-040180
- levels:
- - medium
- title: All SUSE operating system world-writable directories must be group-owned
- by root, sys, bin, or an application group.
- rules:
- - dir_perms_world_writable_system_owned_group
- status: automated
-- id: SLES-15-040190
- levels:
- - medium
- title: SUSE operating system kernel core dumps must be disabled unless needed.
- rules:
- - service_kdump_disabled
- status: automated
-- id: SLES-15-040200
- levels:
- - low
- title: A separate file system must be used for SUSE operating system user home directories
- (such as /home or an equivalent).
- rules:
- - partition_for_home
- status: automated
-- id: SLES-15-040210
- levels:
- - low
- title: The SUSE operating system must use a separate file system for /var.
- rules:
- - partition_for_var
- status: automated
-- id: SLES-15-040220
- levels:
- - medium
- title: The SUSE operating system must be configured to not overwrite Pluggable Authentication
- Modules (PAM) configuration on package changes.
- rules:
- - pam_disable_automatic_configuration
- status: automated
-- id: SLES-15-040230
- levels:
- - medium
- title: The SUSE operating system SSH daemon must be configured to not allow authentication
- using known hosts authentication.
- rules:
- - sshd_disable_user_known_hosts
- status: automated
-- id: SLES-15-040240
- levels:
- - medium
- title: The SUSE operating system SSH daemon public host key files must have mode
- 0644 or less permissive.
- rules:
- - file_permissions_sshd_pub_key
- status: automated
-- id: SLES-15-040250
- levels:
- - medium
- title: The SUSE operating system SSH daemon private host key files must have mode
- 0640 or less permissive.
- rules:
- - file_permissions_sshd_private_key
- status: automated
-- id: SLES-15-040260
- levels:
- - medium
- title: The SUSE operating system SSH daemon must perform strict mode checking of
- home directory configuration files.
- rules:
- - sshd_enable_strictmodes
- status: automated
-- id: SLES-15-040290
- levels:
- - medium
- title: The SUSE operating system SSH daemon must disable forwarded remote X connections
- for interactive users, unless to fulfill documented and validated mission requirements.
- rules:
- - sshd_disable_x11_forwarding
- status: automated
-- id: SLES-15-040300
- levels:
- - medium
- title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4)
- source-routed packets.
- rules:
- - sysctl_net_ipv4_conf_all_accept_source_route
- status: automated
-- id: SLES-15-040310
- levels:
- - medium
- title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6)
- source-routed packets.
- rules:
- - sysctl_net_ipv6_conf_all_accept_source_route
- status: automated
-- id: SLES-15-040320
- levels:
- - medium
- title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4)
- source-routed packets by default.
- rules:
- - sysctl_net_ipv4_conf_default_accept_source_route
- status: automated
-- id: SLES-15-040321
- levels:
- - medium
- title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6)
- source-routed packets by default.
- rules:
- - sysctl_net_ipv6_conf_default_accept_source_route
- status: automated
-- id: SLES-15-040330
- levels:
- - medium
- title: The SUSE operating system must prevent Internet Protocol version 4 (IPv4)
- Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- rules:
- - sysctl_net_ipv4_conf_all_accept_redirects
- status: automated
-- id: SLES-15-040340
- levels:
- - medium
- title: The SUSE operating system must not allow interfaces to accept Internet Protocol
- version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by
- default.
- rules:
- - sysctl_net_ipv4_conf_default_accept_redirects
- status: automated
-- id: SLES-15-040341
- levels:
- - medium
- title: The SUSE operating system must prevent Internet Protocol version 6 (IPv6)
- Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- rules:
- - sysctl_net_ipv6_conf_all_accept_redirects
- status: automated
-- id: SLES-15-040350
- levels:
- - medium
- title: The SUSE operating system must not allow interfaces to accept Internet Protocol
- version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by
- default.
- rules:
- - sysctl_net_ipv6_conf_default_accept_redirects
- status: automated
-- id: SLES-15-040360
- levels:
- - medium
- title: The SUSE operating system must not allow interfaces to send Internet Protocol
- version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by
- default.
- rules:
- - sysctl_net_ipv4_conf_default_send_redirects
- status: automated
-- id: SLES-15-040370
- levels:
- - medium
- title: The SUSE operating system must not send Internet Protocol version 4 (IPv4)
- Internet Control Message Protocol (ICMP) redirects.
- rules:
- - sysctl_net_ipv4_conf_all_send_redirects
- status: automated
-- id: SLES-15-040380
- levels:
- - medium
- title: The SUSE operating system must not be performing Internet Protocol version
- 4 (IPv4) packet forwarding unless the system is a router.
- rules:
- - sysctl_net_ipv4_ip_forward
- status: automated
-- id: SLES-15-040381
- levels:
- - medium
- title: The SUSE operating system must not be performing Internet Protocol version
- 6 (IPv6) packet forwarding unless the system is a router.
- rules:
- - sysctl_net_ipv6_conf_all_forwarding
- status: automated
-- id: SLES-15-040382
- levels:
- - medium
- title: The SUSE operating system must not be performing Internet Protocol version
- 6 (IPv6) packet forwarding by default unless the system is a router.
- rules:
- - sysctl_net_ipv6_conf_default_forwarding
- status: automated
-- id: SLES-15-040390
- levels:
- - medium
- title: The SUSE operating system must not have network interfaces in promiscuous
- mode unless approved and documented.
- rules:
- - network_sniffer_disabled
- status: automated
-- id: SLES-15-040400
- levels:
- - medium
- title: All SUSE operating system files and directories must have a valid owner.
- rules:
- - no_files_unowned_by_user
- status: automated
-- id: SLES-15-040410
- levels:
- - medium
- title: All SUSE operating system files and directories must have a valid group owner.
- rules:
- - file_permissions_ungroupowned
- status: automated
-- id: SLES-15-040420
- levels:
- - medium
- title: The SUSE operating system default permissions must be defined in such a way
- that all authenticated users can only read and modify their own files.
- rules:
- - accounts_umask_etc_login_defs
- status: automated
-- id: SLES-15-040430
- levels:
- - high
- title: The SUSE operating system must not allow unattended or automatic logon via
- the graphical user interface (GUI).
- rules:
- - gnome_gdm_disable_unattended_automatic_login
- status: automated
-- id: SLES-15-040440
- levels:
- - high
- title: The SUSE operating system must not allow unattended or automatic logon via
- SSH.
- rules:
- - sshd_disable_empty_passwords
- - sshd_do_not_permit_user_env
- status: automated
-- id: SLES-15-020099
- levels:
- - medium
- title: The SUSE operating system must specify the default "include" directory for
- the /etc/sudoers file.
- rules:
- - sudoers_default_includedir
- status: automated
-- id: SLES-15-020104
- levels:
- - medium
- title: The SUSE operating system must not be configured to bypass password requirements
- for privilege escalation.
- rules:
- - disallow_bypass_password_sudo
- status: automated
-- id: SLES-15-020181
- levels:
- - high
- title: The SUSE operating system must not have accounts configured with blank or
- null passwords.
- rules:
- - no_empty_passwords_etc_shadow
- status: automated
-- id: SLES-15-040450
- levels:
- - medium
- title: The SUSE operating system SSH server must be configured to use only FIPS-validated
- key exchange algorithms.
- rules:
- - sshd_use_approved_kex_ordered_stig
- status: automated
-- id: SLES-15-010375
- levels:
- - low
- title: The SUSE operating system must restrict access to the kernel message buffer.
- rules:
- - sysctl_kernel_dmesg_restrict
- status: automated
-- id: SLES-15-010419
- levels:
- - medium
- title: The SUSE operating system must use a file integrity tool to verify correct
- operation of all security functions.
- rules:
- - aide_build_database
- - package_aide_installed
- status: automated
-- id: SLES-15-010418
- levels:
- - medium
- title: The SUSE operating system must be configured to allow sending email notifications
- of unauthorized configuration changes to designated personnel.
- rules:
- - package_mailx_installed
- status: automated
-- id: SLES-15-030015
- levels:
- - medium
- title: The SUSE operating system must audit any script or executable called by cron
- as root or by any privileged user.
- rules:
- - audit_rules_etc_cron_d
- - audit_rules_var_spool_cron
- status: automated
+ - id: SLES-15-010000
+ levels:
+ - high
+ title: The SUSE operating system must be a vendor-supported release.
+ rules:
+ - installed_OS_is_vendor_supported
+ status: automated
+ - id: SLES-15-010010
+ levels:
+ - medium
+ title: Vendor-packaged SUSE operating system security patches and updates must be
+ installed and up to date.
+ rules:
+ - security_patches_up_to_date
+ status: automated
+ - id: SLES-15-010020
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DOD Notice
+ and Consent Banner before granting access via local console.
+ rules:
+ - banner_etc_issue
+ - login_banner_text=dod_banners
+ - login_banner_contents=dod_default
+ status: automated
+ - id: SLES-15-010030
+ levels:
+ - high
+ title: The SUSE operating system must not have the vsftpd package installed if not
+ required for operational support.
+ rules:
+ - package_vsftpd_removed
+ status: automated
+ - id: SLES-15-010040
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DOD Notice
+ and Consent Banner before granting access via SSH.
+ rules:
+ - sshd_enable_warning_banner
+ status: automated
+ - id: SLES-15-010050
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DoD Notice
+ and Consent Banner until users acknowledge the usage conditions and take explicit
+ actions to log on for further access to the local graphical user interface (GUI).
+ rules:
+ - gui_login_dod_acknowledgement
+ status: automated
+ - id: SLES-15-010060
+ levels:
+ - medium
+ title: The SUSE operating system file /etc/gdm/banner must contain the Standard
+ Mandatory DoD Notice and Consent banner text.
+ rules:
+ - banner_etc_gdm_banner
+ status: automated
+ - id: SLES-15-010080
+ levels:
+ - medium
+ title: The SUSE operating system must display a banner before granting local or
+ remote access to the system via a graphical user logon.
+ rules:
+ - dconf_gnome_banner_enabled
+ status: automated
+ - id: SLES-15-010090
+ levels:
+ - medium
+ title: The SUSE operating system must display the approved Standard Mandatory DoD
+ Notice before granting local or remote access to the system via a graphical user
+ logon.
+ rules:
+ - dconf_db_up_to_date
+ - dconf_gnome_login_banner_text
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
+ status: automated
+ - id: SLES-15-010100
+ levels:
+ - medium
+ title: The SUSE operating system must be able to lock the graphical user interface
+ (GUI).
+ rules:
+ - dconf_gnome_screensaver_lock_enabled
+ status: automated
+ - id: SLES-15-010110
+ levels:
+ - low
+ title: The SUSE operating system must utilize vlock to allow for session locking.
+ rules:
+ - vlock_installed
+ status: automated
+ - id: SLES-15-010120
+ levels:
+ - medium
+ title: The SUSE operating system must initiate a session lock after a 15-minute
+ period of inactivity for the graphical user interface (GUI).
+ rules:
+ - dconf_gnome_screensaver_idle_delay
+ - inactivity_timeout_value=15_minutes
+ - dconf_gnome_session_idle_user_locks
+ status: automated
+ - id: SLES-15-010130
+ levels:
+ - medium
+ title: The SUSE operating system must initiate a session lock after a 10-minute
+ period of inactivity.
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=10_min
+ status: automated
+ - id: SLES-15-010140
+ levels:
+ - low
+ title: The SUSE operating system must conceal, via the session lock, information
+ previously visible on the display with a publicly viewable image in the graphical
+ user interface (GUI).
+ rules:
+ - dconf_gnome_screensaver_mode_blank
+ status: automated
+ - id: SLES-15-010150
+ levels:
+ - medium
+ title: The SUSE operating system must log SSH connection attempts and failures to
+ the server.
+ rules:
+ - sshd_set_loglevel_verbose
+ status: automated
+ - id: SLES-15-010160
+ levels:
+ - medium
+ title: The SUSE operating system must implement DOD-approved encryption to protect
+ the confidentiality of SSH remote connections.
+ rules:
+ - sshd_use_approved_ciphers
+ - sshd_use_approved_ciphers_ordered_stig
+ status: automated
+ - id: SLES-15-010170
+ levels:
+ - medium
+ title: The SUSE operating system, for PKI-based authentication, must validate certificates
+ by constructing a certification path (which includes status information) to an
+ accepted trust anchor.
+ rules:
+ - smartcard_configure_ca
+ status: automated
+ - id: SLES-15-010180
+ levels:
+ - high
+ title: The SUSE operating system must not have the telnet-server package installed.
+ rules:
+ - package_telnet-server_removed
+ status: automated
+ - id: SLES-15-010190
+ levels:
+ - high
+ title: SUSE operating systems with a basic input/output system (BIOS) must require
+ authentication upon booting into single-user and maintenance modes.
+ rules:
+ - grub2_password
+ status: automated
+ - id: SLES-15-010200
+ levels:
+ - high
+ title: SUSE operating systems with Unified Extensible Firmware Interface (UEFI)
+ implemented must require authentication upon booting into single-user mode and
+ maintenance.
+ rules:
+ - grub2_uefi_password
+ status: automated
+ - id: SLES-15-010220
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to prohibit or restrict the
+ use of functions, ports, protocols, and/or services as defined in the Ports, Protocols,
+ and Services Management (PPSM) Category Assignments List (CAL) and vulnerability
+ assessments.
+ rules:
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ status: automated
+ - id: SLES-15-010230
+ levels:
+ - medium
+ title: The SUSE operating system must not have duplicate User IDs (UIDs) for interactive
+ users.
+ rules:
+ - account_unique_id
+ status: automated
+ - id: SLES-15-010240
+ levels:
+ - medium
+ title: The SUSE operating system must disable the file system automounter.
+ rules:
+ - service_autofs_disabled
+ status: automated
+ - id: SLES-15-010260
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing
+ algorithm for system authentication (login.defs).
+ rules:
+ - set_password_hashing_algorithm_logindefs
+ status: automated
+ - id: SLES-15-010270
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must be configured to only use Message
+ Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
+ rules:
+ - sshd_use_approved_macs
+ - sshd_use_approved_macs_ordered_stig
+ status: automated
+ - id: SLES-15-010280
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must be configured with a timeout interval.
+ rules:
+ - sshd_set_idle_timeout
+ - sshd_idle_timeout_value=10_minutes
+ status: automated
+ - id: SLES-15-010300
+ levels:
+ - medium
+ title: The sticky bit must be set on all SUSE operating system world-writable directories.
+ rules:
+ - dir_perms_world_writable_sticky_bits
+ status: automated
+ - id: SLES-15-010310
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to use TCP syncookies.
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+ - id: SLES-15-010320
+ levels:
+ - medium
+ title: The SUSE operating system, for all network connections associated with SSH
+ traffic, must immediately terminate at the end of the session or after 10 minutes
+ of inactivity.
+ rules:
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=1
+ - sshd_set_keepalive_0
+ status: automated
+ - id: SLES-15-010330
+ levels:
+ - high
+ title: All SUSE operating system persistent disk partitions must implement cryptographic
+ mechanisms to prevent unauthorized disclosure or modification of all information
+ that requires at-rest protection.
+ rules:
+ - encrypt_partitions
+ status: automated
+ - id: SLES-15-010340
+ levels:
+ - medium
+ title: The SUSE operating system must generate error messages that provide information
+ necessary for corrective actions without revealing information that could be exploited
+ by adversaries.
+ rules:
+ - permissions_local_var_log
+ status: automated
+ - id: SLES-15-010350
+ levels:
+ - medium
+ title: The SUSE operating system must prevent unauthorized users from accessing
+ system error messages.
+ rules:
+ - file_permissions_local_var_log_messages
+ status: automated
+ - id: SLES-15-010351
+ levels:
+ - medium
+ title: The SUSE operating system library files must have mode 0755 or less permissive.
+ rules:
+ - file_permissions_library_dirs
+ status: automated
+ - id: SLES-15-010352
+ levels:
+ - medium
+ title: The SUSE operating system library directories must have mode 0755 or less
+ permissive.
+ rules:
+ - dir_permissions_library_dirs
+ status: automated
+ - id: SLES-15-010353
+ levels:
+ - medium
+ title: The SUSE operating system library files must be owned by root.
+ rules:
+ - file_ownership_library_dirs
+ status: automated
+ - id: SLES-15-010354
+ levels:
+ - medium
+ title: The SUSE operating system library directories must be owned by root.
+ rules:
+ - dir_ownership_library_dirs
+ status: automated
+ - id: SLES-15-010355
+ levels:
+ - medium
+ title: The SUSE operating system library files must be group-owned by root.
+ rules:
+ - root_permissions_syslibrary_files
+ status: automated
+ - id: SLES-15-010356
+ levels:
+ - medium
+ title: The SUSE operating system library directories must be group-owned by root.
+ rules:
+ - dir_group_ownership_library_dirs
+ status: automated
+ - id: SLES-15-010357
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands set to a mode of 0755
+ or less permissive.
+ rules:
+ - file_permissions_system_commands_dirs
+ status: automated
+ - id: SLES-15-010358
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ set to a mode of 0755 or less permissive.
+ rules:
+ - file_permissions_binary_dirs
+ status: automated
+ - id: SLES-15-010359
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands owned by root.
+ rules:
+ - file_ownership_binary_dirs
+ status: automated
+ - id: SLES-15-010360
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ owned by root.
+ rules:
+ - dir_system_commands_root_owned
+ status: automated
+ - id: SLES-15-010361
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands group-owned by root or
+ a system account.
+ rules:
+ - file_groupownership_system_commands_dirs
+ status: automated
+ - id: SLES-15-010362
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ group-owned by root.
+ rules:
+ - dir_system_commands_group_root_owned
+ status: automated
+ - id: SLES-15-010370
+ levels:
+ - medium
+ title: The SUSE operating system must have a firewall system installed to immediately
+ disconnect or disable remote access to the whole operating system.
+ rules: []
+ status: pending
+ - id: SLES-15-010380
+ levels:
+ - medium
+ title: The SUSE operating system wireless network adapters must be disabled unless
+ approved and documented.
+ rules:
+ - wireless_disable_interfaces
+ status: automated
+ - id: SLES-15-010390
+ levels:
+ - medium
+ title: SUSE operating system AppArmor tool must be configured to control whitelisted
+ applications and user home directory access control.
+ rules:
+ - apparmor_configured
+ - package_pam_apparmor_installed
+ status: automated
+ - id: SLES-15-010400
+ levels:
+ - medium
+ title: The SUSE operating system clock must, for networked systems, be synchronized
+ to an authoritative DOD time source at least every 24 hours.
+ rules:
+ - chronyd_or_ntpd_set_maxpoll
+ - var_time_service_set_maxpoll=18_hours
+ status: automated
+ - id: SLES-15-010410
+ levels:
+ - low
+ title: The SUSE operating system must be configured to use Coordinated Universal
+ Time (UTC) or Greenwich Mean Time (GMT).
+ rules:
+ - ensure_rtc_utc_configuration
+ status: automated
+ - id: SLES-15-010420
+ levels:
+ - medium
+ title: Advanced Intrusion Detection Environment (AIDE) must verify the baseline
+ SUSE operating system configuration at least weekly.
+ rules:
+ - aide_periodic_cron_checking
+ status: automated
+ - id: SLES-15-010430
+ levels:
+ - high
+ title: The SUSE operating system tool zypper must have gpgcheck enabled.
+ rules:
+ - ensure_gpgcheck_globally_activated
+ status: automated
+ - id: SLES-15-010450
+ levels:
+ - high
+ title: The SUSE operating system must reauthenticate users when changing authenticators,
+ roles, or escalating privileges.
+ rules:
+ - sudo_remove_no_authenticate
+ - sudo_remove_nopasswd
+ - sudo_require_authentication
+ status: automated
+ - id: SLES-15-010460
+ levels:
+ - medium
+ title: The SUSE operating system must have the packages required for multifactor
+ authentication to be installed.
+ rules:
+ - install_smartcard_packages
+ status: automated
+ - id: SLES-15-010470
+ levels:
+ - medium
+ title: The SUSE operating system must implement certificate status checking for
+ multifactor authentication.
+ rules:
+ - smartcard_configure_cert_checking
+ status: automated
+ - id: SLES-15-010480
+ levels:
+ - medium
+ title: The SUSE operating system must disable the USB mass storage kernel module.
+ rules:
+ - kernel_module_usb-storage_disabled
+ status: automated
+ - id: SLES-15-010490
+ levels:
+ - medium
+ title: If Network Security Services (NSS) is being used by the SUSE operating system
+ it must prohibit the use of cached authentications after one day.
+ rules:
+ - sssd_memcache_timeout
+ - var_sssd_memcache_timeout=1_day
+ status: automated
+ - id: SLES-15-010500
+ levels:
+ - medium
+ title: The SUSE operating system must configure the Linux Pluggable Authentication
+ Modules (PAM) to prohibit the use of cached offline authentications after one
+ day.
+ rules:
+ - sssd_offline_cred_expiration
+ status: automated
+ - id: SLES-15-010510
+ levels:
+ - high
+ title: FIPS 140-2 mode must be enabled on the SUSE operating system.
+ rules:
+ - is_fips_mode_enabled
+ status: automated
+ - id: SLES-15-010530
+ levels:
+ - high
+ title: All networked SUSE operating systems must have and implement SSH to protect
+ the confidentiality and integrity of transmitted and received information, as
+ well as information during preparation for transmission.
+ rules:
+ - service_sshd_enabled
+ status: automated
+ - id: SLES-15-010540
+ levels:
+ - medium
+ title: The SUSE operating system must implement kptr-restrict to prevent the leaking
+ of internal kernel addresses.
+ rules:
+ - sysctl_kernel_kptr_restrict
+ status: automated
+ - id: SLES-15-010550
+ levels:
+ - medium
+ title: Address space layout randomization (ASLR) must be implemented by the SUSE
+ operating system to protect memory from unauthorized code execution.
+ rules:
+ - sysctl_kernel_randomize_va_space
+ status: automated
+ - id: SLES-15-010560
+ levels:
+ - medium
+ title: The SUSE operating system must remove all outdated software components after
+ updated versions have been installed.
+ rules:
+ - clean_components_post_updating
+ status: automated
+ - id: SLES-15-010570
+ levels:
+ - medium
+ title: The SUSE operating system must notify the System Administrator (SA) when
+ Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation
+ of any security functions.
+ rules:
+ - aide_periodic_checking_systemd_timer
+ - aide_scan_notification
+ status: automated
+ - id: SLES-15-010580
+ levels:
+ - medium
+ title: The SUSE operating system must off-load rsyslog messages for networked systems
+ in real time and off-load standalone systems at least weekly.
+ rules:
+ - rsyslog_remote_loghost
+ status: automated
+ - id: SLES-15-020000
+ levels:
+ - medium
+ title: The SUSE operating system must provision temporary accounts with an expiration
+ date for 72 hours.
+ rules: []
+ status: pending
+ - id: SLES-15-020010
+ levels:
+ - medium
+ title: The SUSE operating system must lock an account after three consecutive invalid
+ access attempts.
+ rules:
+ - accounts_passwords_pam_tally2
+ - var_password_pam_tally2=3
+ status: automated
+ - id: SLES-15-020020
+ levels:
+ - low
+ title: The SUSE operating system must limit the number of concurrent sessions to
+ 10 for all accounts and/or account types.
+ rules:
+ - accounts_max_concurrent_login_sessions
+ - var_accounts_max_concurrent_login_sessions=10
+ status: automated
+ - id: SLES-15-020030
+ levels:
+ - medium
+ title: The SUSE operating system must implement multifactor authentication for access
+ to privileged accounts via pluggable authentication modules (PAM).
+ rules:
+ - smartcard_pam_enabled
+ status: automated
+ - id: SLES-15-020040
+ levels:
+ - medium
+ title: The SUSE operating system must deny direct logons to the root account using
+ remote access via SSH.
+ rules:
+ - sshd_disable_root_login
+ status: automated
+ - id: SLES-15-020050
+ levels:
+ - medium
+ title: The SUSE operating system must disable account identifiers (individuals,
+ groups, roles, and devices) after 35 days of inactivity after password expiration.
+ rules:
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=35
+ status: automated
+ - id: SLES-15-020060
+ levels:
+ - medium
+ title: The SUSE operating system must never automatically remove or disable emergency
+ administrator accounts.
+ rules:
+ - account_emergency_admin
+ status: manual
+ - id: SLES-15-020090
+ levels:
+ - medium
+ title: The SUSE operating system must not have unnecessary accounts.
+ rules:
+ - accounts_authorized_local_users
+ # NOTE: must configure "var_accounts_authorized_local_users_regex"
+ # when the rule "accounts_authorized_local_users" is enabled
+ # - var_accounts_authorized_local_users_regex=
+ - var_accounts_authorized_local_users_regex=sle15
+ status: automated
+ - id: SLES-15-020091
+ levels:
+ - medium
+ title: The SUSE operating system must not have unnecessary account capabilities.
+ rules:
+ - no_shelllogin_for_systemaccounts
+ status: automated
+ - id: SLES-15-020100
+ levels:
+ - high
+ title: The SUSE operating system root account must be the only account with unrestricted
+ access to the system.
+ rules:
+ - accounts_no_uid_except_zero
+ status: automated
+ - id: SLES-15-020101
+ levels:
+ - medium
+ title: The SUSE operating system must restrict privilege elevation to authorized
+ personnel.
+ rules:
+ - sudo_restrict_privilege_elevation_to_authorized
+ status: automated
+ - id: SLES-15-020102
+ levels:
+ - medium
+ title: The SUSE operating system must require reauthentication when using the "sudo"
+ command.
+ rules:
+ - sudo_require_reauthentication
+ - var_sudo_timestamp_timeout=always_prompt
+ status: automated
+ - id: SLES-15-020103
+ levels:
+ - medium
+ title: The SUSE operating system must use the invoking user's password for privilege
+ escalation when using "sudo".
+ rules:
+ - sudoers_validate_passwd
+ status: automated
+ - id: SLES-15-020110
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user accounts, upon creation,
+ must be assigned a home directory.
+ rules:
+ - accounts_have_homedir_login_defs
+ status: automated
+ - id: SLES-15-020120
+ levels:
+ - medium
+ title: The SUSE operating system must display the date and time of the last successful
+ account logon upon an SSH logon.
+ rules:
+ - sshd_print_last_log
+ status: automated
+ - id: SLES-15-020130
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ uppercase character.
+ rules:
+ - cracklib_accounts_password_pam_ucredit
+ - var_password_pam_ucredit=1
+ status: automated
+ - id: SLES-15-020140
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ lowercase character.
+ rules:
+ - cracklib_accounts_password_pam_lcredit
+ - var_password_pam_lcredit=1
+ status: automated
+ - id: SLES-15-020150
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ numeric character.
+ rules:
+ - cracklib_accounts_password_pam_dcredit
+ - var_password_pam_dcredit=1
+ status: automated
+ - id: SLES-15-020160
+ levels:
+ - medium
+ title: The SUSE operating system must require the change of at least eight of the
+ total number of characters when passwords are changed.
+ rules:
+ - cracklib_accounts_password_pam_difok
+ status: automated
+ - id: SLES-15-020170
+ levels:
+ - medium
+ title: The SUSE operating system must configure the Linux Pluggable Authentication
+ Modules (PAM) to only store encrypted representations of passwords.
+ rules:
+ - set_password_hashing_algorithm_systemauth
+ status: automated
+ - id: SLES-15-020180
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing
+ algorithms for all stored passwords.
+ rules:
+ - accounts_password_all_shadowed_sha512
+ status: automated
+ - id: SLES-15-020190
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing
+ algorithms for all stored passwords.
+ rules:
+ - set_password_hashing_min_rounds_logindefs
+ - var_password_hashing_min_rounds_login_defs=100000
+ status: automated
+ - id: SLES-15-020200
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to create or update passwords
+ with a minimum lifetime of 24 hours (one day).
+ rules:
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=7
+ status: automated
+ - id: SLES-15-020210
+ levels:
+ - medium
+ title: The SUSE operating system must employ user passwords with a minimum lifetime
+ of 24 hours (one day).
+ rules:
+ - accounts_password_set_min_life_existing
+ status: automated
+ - id: SLES-15-020220
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to create or update passwords
+ with a maximum lifetime of 60 days.
+ rules:
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=60
+ status: automated
+ - id: SLES-15-020230
+ levels:
+ - medium
+ title: The SUSE operating system must employ user passwords with a maximum lifetime
+ of 60 days.
+ rules:
+ - accounts_password_set_max_life_existing
+ status: automated
+ - id: SLES-15-020260
+ levels:
+ - medium
+ title: The SUSE operating system must employ passwords with a minimum of 15 characters.
+ rules:
+ - cracklib_accounts_password_pam_minlen
+ - var_password_pam_minlen=15
+ status: automated
+ - id: SLES-15-020270
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ special character.
+ rules:
+ - cracklib_accounts_password_pam_ocredit
+ - var_password_pam_ocredit=1
+ status: automated
+ - id: SLES-15-020290
+ levels:
+ - medium
+ title: The SUSE operating system must prevent the use of dictionary words for passwords.
+ rules:
+ - cracklib_accounts_password_pam_retry
+ status: automated
+ - id: SLES-15-020300
+ levels:
+ - high
+ title: The SUSE operating system must not be configured to allow blank or null passwords.
+ rules:
+ - no_empty_passwords
+ status: automated
+ - id: SLES-15-030000
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/passwd.
+ rules:
+ - audit_rules_usergroup_modification_passwd
+ status: automated
+ - id: SLES-15-030010
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/group.
+ rules:
+ - audit_rules_usergroup_modification_group
+ status: automated
+ - id: SLES-15-030020
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/shadow.
+ rules:
+ - audit_rules_usergroup_modification_shadow
+ status: automated
+ - id: SLES-15-030030
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/security/opasswd.
+ rules:
+ - audit_rules_usergroup_modification_opasswd
+ status: automated
+ - id: SLES-15-030040
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/gshadow.
+ rules:
+ - audit_rules_usergroup_modification_gshadow
+ status: automated
+ - id: SLES-15-030050
+ levels:
+ - medium
+ title: SUSE operating system audit records must contain information to establish
+ what type of events occurred, the source of events, where events occurred, and
+ the outcome of events.
+ rules:
+ - service_auditd_enabled
+ status: automated
+ - id: SLES-15-030060
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ ssh-keysign command.
+ rules:
+ - audit_rules_privileged_commands_ssh_keysign
+ status: automated
+ - id: SLES-15-030070
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ passwd command.
+ rules:
+ - audit_rules_privileged_commands_passwd
+ status: automated
+ - id: SLES-15-030080
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ gpasswd command.
+ rules:
+ - audit_rules_privileged_commands_gpasswd
+ status: automated
+ - id: SLES-15-030090
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ newgrp command.
+ rules:
+ - audit_rules_privileged_commands_newgrp
+ status: automated
+ - id: SLES-15-030100
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for a uses of the chsh
+ command.
+ rules:
+ - audit_rules_privileged_commands_chsh
+ status: automated
+ - id: SLES-15-030110
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ unix_chkpwd or unix2_chkpwd commands.
+ rules:
+ - audit_rules_privileged_commands_unix2_chkpwd
+ - audit_rules_privileged_commands_unix_chkpwd
+ status: automated
+ - id: SLES-15-030120
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chage command.
+ rules:
+ - audit_rules_privileged_commands_chage
+ status: automated
+ - id: SLES-15-030130
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ crontab command.
+ rules:
+ - audit_rules_privileged_commands_crontab
+ status: automated
+ - id: SLES-15-030140
+ levels:
+ - medium
+ title: The SUSE operating system must audit all uses of the sudoers file and all
+ files in the /etc/sudoers.d/ directory.
+ rules:
+ - audit_rules_sysadmin_actions
+ status: automated
+ - id: SLES-15-030150
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.
+ rules:
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ status: automated
+ - id: SLES-15-030190
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system
+ calls.
+ rules:
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ status: automated
+ - id: SLES-15-030250
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chown, fchown, fchownat, and lchown system calls.
+ rules:
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_lchown
+ status: automated
+ - id: SLES-15-030290
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chmod, fchmod, and fchmodat system calls.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ status: automated
+ - id: SLES-15-030330
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ sudoedit command.
+ rules:
+ - audit_rules_privileged_commands_sudoedit
+ status: automated
+ - id: SLES-15-030340
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ chfn command.
+ rules:
+ - audit_rules_privileged_commands_chfn
+ status: automated
+ - id: SLES-15-030350
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ mount system call.
+ rules:
+ - audit_rules_media_export
+ status: automated
+ - id: SLES-15-030360
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ umount system call.
+ rules:
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ status: automated
+ - id: SLES-15-030370
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ ssh-agent command.
+ rules:
+ - audit_rules_privileged_commands_ssh_agent
+ status: automated
+ - id: SLES-15-030380
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ insmod command.
+ rules:
+ - audit_rules_privileged_commands_insmod
+ status: automated
+ - id: SLES-15-030390
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ rmmod command.
+ rules:
+ - audit_rules_privileged_commands_rmmod
+ status: automated
+ - id: SLES-15-030400
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ modprobe command.
+ rules:
+ - audit_rules_privileged_commands_modprobe
+ status: automated
+ - id: SLES-15-030410
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ kmod command.
+ rules:
+ - audit_rules_privileged_commands_kmod
+ status: automated
+ - id: SLES-15-030420
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chmod command.
+ rules:
+ - audit_rules_execution_chmod
+ status: automated
+ - id: SLES-15-030430
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ setfacl command.
+ rules:
+ - audit_rules_execution_setfacl
+ status: automated
+ - id: SLES-15-030440
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chacl command.
+ rules:
+ - audit_rules_execution_chacl
+ status: automated
+ - id: SLES-15-030450
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chcon command.
+ rules:
+ - audit_rules_execution_chcon
+ status: automated
+ - id: SLES-15-030460
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ rm command.
+ rules:
+ - audit_rules_execution_rm
+ status: automated
+ - id: SLES-15-030470
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all modifications
+ to the tallylog file must generate an audit record.
+ rules:
+ - audit_rules_login_events_tallylog
+ status: automated
+ - id: SLES-15-030480
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all modifications
+ to the lastlog file.
+ rules:
+ - audit_rules_login_events_lastlog
+ status: automated
+ - id: SLES-15-030490
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ passmass command.
+ rules:
+ - audit_rules_privileged_commands_passmass
+ status: automated
+ - id: SLES-15-030500
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ usermod command.
+ rules:
+ - audit_rules_privileged_commands_usermod
+ status: automated
+ - id: SLES-15-030510
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ pam_timestamp_check command.
+ rules:
+ - audit_rules_privileged_commands_pam_timestamp_check
+ status: automated
+ - id: SLES-15-030520
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ delete_module system call.
+ rules:
+ - audit_rules_kernel_module_loading_delete
+ status: automated
+ - id: SLES-15-030530
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ init_module and finit_module system calls.
+ rules:
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ status: automated
+ - id: SLES-15-030550
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ su command.
+ rules:
+ - audit_rules_privileged_commands_su
+ status: automated
+ - id: SLES-15-030560
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ sudo command.
+ rules:
+ - audit_rules_privileged_commands_sudo
+ status: automated
+ - id: SLES-15-030570
+ levels:
+ - medium
+ title: The Information System Security Officer (ISSO) and System Administrator (SA),
+ at a minimum, must be alerted of a SUSE operating system audit processing failure
+ event.
+ rules:
+ - auditd_data_retention_action_mail_acct
+ status: automated
+ - id: SLES-15-030580
+ levels:
+ - medium
+ title: The Information System Security Officer (ISSO) and System Administrator (SA),
+ at a minimum, must have mail aliases to be notified of a SUSE operating system
+ audit processing failure.
+ rules:
+ - postfix_client_configure_mail_alias
+ status: automated
+ - id: SLES-15-030590
+ levels:
+ - medium
+ title: The SUSE operating system audit system must take appropriate action when
+ the audit storage volume is full.
+ rules:
+ - auditd_data_disk_full_action
+ - var_auditd_disk_full_action=syslog
+ status: automated
+ - id: SLES-15-030600
+ levels:
+ - medium
+ title: The SUSE operating system must protect audit rules from unauthorized modification.
+ rules:
+ - permissions_local_var_log_audit
+ status: automated
+ - id: SLES-15-030620
+ levels:
+ - medium
+ title: The SUSE operating system audit tools must have the proper permissions configured
+ to protect against unauthorized access.
+ rules:
+ - permissions_local_audit_binaries
+ status: automated
+ - id: SLES-15-030630
+ levels:
+ - medium
+ title: The SUSE operating system file integrity tool must be configured to protect
+ the integrity of the audit tools.
+ rules:
+ - aide_check_audit_tools
+ status: automated
+ - id: SLES-15-030640
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ privileged functions.
+ rules:
+ - audit_rules_suid_privilege_function
+ status: automated
+ - id: SLES-15-030650
+ levels:
+ - medium
+ title: The SUSE operating system must have the auditing package installed.
+ rules:
+ - package_audit_installed
+ status: automated
+ - id: SLES-15-030660
+ levels:
+ - medium
+ title: The SUSE operating system must allocate audit record storage capacity to
+ store at least one week of audit records when audit records are not immediately
+ sent to a central audit record storage facility.
+ rules:
+ - auditd_audispd_configure_sufficiently_large_partition
+ status: manual
+ - id: SLES-15-030670
+ levels:
+ - medium
+ title: The audit-audispd-plugins must be installed on the SUSE operating system.
+ rules:
+ - package_audit-audispd-plugins_installed
+ status: automated
+ - id: SLES-15-030680
+ levels:
+ - low
+ title: The SUSE operating system audit event multiplexor must be configured to use
+ Kerberos.
+ rules:
+ - auditd_audispd_encrypt_sent_records
+ status: automated
+ - id: SLES-15-030690
+ levels:
+ - low
+ title: Audispd must off-load audit records onto a different system or media from
+ the SUSE operating system being audited.
+ rules:
+ - auditd_audispd_configure_remote_server
+ # NOTE: must configure "var_audispd_remote_server" when the
+ # rule "auditd_audispd_configure_remote_server" is enabled
+ # - var_audispd_remote_server=
+ status: automated
+ - id: SLES-15-030700
+ levels:
+ - medium
+ title: The SUSE operating system auditd service must notify the System Administrator
+ (SA) and Information System Security Officer (ISSO) immediately when audit storage
+ capacity is 75 percent full.
+ rules:
+ - auditd_data_retention_space_left
+ status: automated
+ - id: SLES-15-030740
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ unlink, unlinkat, rename, renameat, and rmdir system calls.
+ rules:
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_renameat2
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ status: automated
+ - id: SLES-15-030760
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for the /run/utmp file.
+ rules:
+ - audit_rules_session_events_utmp
+ status: automated
+ - id: SLES-15-030770
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for the /var/log/wtmp
+ file.
+ rules:
+ - audit_rules_session_events_wtmp
+ status: automated
+ - id: SLES-15-030780
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for the /var/log/btmp
+ file.
+ rules:
+ - audit_rules_session_events_btmp
+ status: automated
+ - id: SLES-15-030790
+ levels:
+ - medium
+ title: The SUSE operating system must off-load audit records onto a different system
+ or media from the system being audited.
+ rules:
+ - auditd_audispd_network_failure_action
+ status: automated
+ - id: SLES-15-030800
+ levels:
+ - medium
+ title: Audispd must take appropriate action when the SUSE operating system audit
+ storage is full.
+ rules:
+ - auditd_audispd_disk_full_action
+ status: automated
+ - id: SLES-15-030810
+ levels:
+ - low
+ title: The SUSE operating system must use a separate file system for the system
+ audit data path.
+ rules:
+ - partition_for_var_log_audit
+ status: automated
+ - id: SLES-15-030820
+ levels:
+ - medium
+ title: The SUSE operating system must not disable syscall auditing.
+ rules:
+ - audit_rules_enable_syscall_auditing
+ status: automated
+ - id: SLES-15-040000
+ levels:
+ - medium
+ title: The SUSE operating system must enforce a delay of at least four seconds between
+ logon prompts following a failed logon attempt.
+ rules: []
+ status: pending
+ - id: SLES-15-040010
+ levels:
+ - medium
+ title: The SUSE operating system must enforce a delay of at least four seconds between
+ logon prompts following a failed logon attempt.
+ rules:
+ - accounts_passwords_pam_faildelay_delay
+ - var_accounts_fail_delay=4
+ - var_password_pam_delay=4000000
+ status: automated
+ - id: SLES-15-040020
+ levels:
+ - high
+ title: There must be no .shosts files on the SUSE operating system.
+ rules:
+ - no_user_host_based_files
+ status: automated
+ - id: SLES-15-040030
+ levels:
+ - high
+ title: There must be no shosts.equiv files on the SUSE operating system.
+ rules:
+ - no_host_based_files
+ status: automated
+ - id: SLES-15-040040
+ levels:
+ - low
+ title: The SUSE operating system file integrity tool must be configured to verify
+ Access Control Lists (ACLs).
+ rules:
+ - aide_verify_acls
+ status: automated
+ - id: SLES-15-040050
+ levels:
+ - low
+ title: The SUSE operating system file integrity tool must be configured to verify
+ extended attributes.
+ rules:
+ - aide_verify_ext_attributes
+ status: automated
+ - id: SLES-15-040060
+ levels:
+ - high
+ title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
+ rules:
+ - disable_ctrlaltdel_reboot
+ status: automated
+ - id: SLES-15-040061
+ levels:
+ - high
+ title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence
+ for Graphical User Interfaces.
+ rules:
+ - enable_dconf_user_profile
+ status: automated
+ - id: SLES-15-040062
+ levels:
+ - high
+ title: The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst
+ key sequence.
+ rules:
+ - disable_ctrlaltdel_burstaction
+ status: automated
+ - id: SLES-15-040070
+ levels:
+ - medium
+ title: All SUSE operating system local interactive users must have a home directory
+ assigned in the /etc/passwd file.
+ rules:
+ - accounts_user_interactive_home_directory_defined
+ status: automated
+ - id: SLES-15-040080
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user home directories defined
+ in the /etc/passwd file must exist.
+ rules:
+ - accounts_user_interactive_home_directory_exists
+ status: automated
+ - id: SLES-15-040090
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user home directories must have
+ mode 0750 or less permissive.
+ rules:
+ - file_permissions_home_directories
+ status: automated
+ - id: SLES-15-040100
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user home directories must be
+ group-owned by the home directory owner's primary group.
+ rules:
+ - file_groupownership_home_directories
+ status: automated
+ - id: SLES-15-040110
+ levels:
+ - medium
+ title: All SUSE operating system local initialization files must have mode 0740
+ or less permissive.
+ rules:
+ - file_permission_user_init_files
+ status: automated
+ - id: SLES-15-040120
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user initialization files executable
+ search paths must contain only paths that resolve to the users home directory.
+ rules:
+ - accounts_user_home_paths_only
+ status: manual
+ - id: SLES-15-040130
+ levels:
+ - medium
+ title: All SUSE operating system local initialization files must not execute world-writable
+ programs.
+ rules:
+ - accounts_user_dot_no_world_writable_programs
+ status: automated
+ - id: SLES-15-040140
+ levels:
+ - medium
+ title: SUSE operating system file systems that contain user home directories must
+ be mounted to prevent files with the setuid and setgid bit set from being executed.
+ rules:
+ - mount_option_home_nosuid
+ status: automated
+ - id: SLES-15-040150
+ levels:
+ - medium
+ title: SUSE operating system file systems that are used with removable media must
+ be mounted to prevent files with the setuid and setgid bit set from being executed.
+ rules:
+ - mount_option_nosuid_removable_partitions
+ - var_removable_partition=dev_cdrom
+ status: automated
+ - id: SLES-15-040160
+ levels:
+ - medium
+ title: SUSE operating system file systems that are being imported via Network File
+ System (NFS) must be mounted to prevent files with the setuid and setgid bit set
+ from being executed.
+ rules:
+ - mount_option_nosuid_remote_filesystems
+ status: automated
+ - id: SLES-15-040170
+ levels:
+ - medium
+ title: SUSE operating system file systems that are being imported via Network File
+ System (NFS) must be mounted to prevent binary files from being executed.
+ rules:
+ - mount_option_noexec_remote_filesystems
+ status: automated
+ - id: SLES-15-040180
+ levels:
+ - medium
+ title: All SUSE operating system world-writable directories must be group-owned
+ by root, sys, bin, or an application group.
+ rules:
+ - dir_perms_world_writable_system_owned_group
+ status: automated
+ - id: SLES-15-040190
+ levels:
+ - medium
+ title: SUSE operating system kernel core dumps must be disabled unless needed.
+ rules:
+ - service_kdump_disabled
+ status: automated
+ - id: SLES-15-040200
+ levels:
+ - low
+ title: A separate file system must be used for SUSE operating system user home directories
+ (such as /home or an equivalent).
+ rules:
+ - partition_for_home
+ status: automated
+ - id: SLES-15-040210
+ levels:
+ - low
+ title: The SUSE operating system must use a separate file system for /var.
+ rules:
+ - partition_for_var
+ status: automated
+ - id: SLES-15-040220
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to not overwrite Pluggable Authentication
+ Modules (PAM) configuration on package changes.
+ rules:
+ - pam_disable_automatic_configuration
+ status: automated
+ - id: SLES-15-040230
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must be configured to not allow authentication
+ using known hosts authentication.
+ rules:
+ - sshd_disable_user_known_hosts
+ status: automated
+ - id: SLES-15-040240
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon public host key files must have mode
+ 0644 or less permissive.
+ rules:
+ - file_permissions_sshd_pub_key
+ status: automated
+ - id: SLES-15-040250
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon private host key files must have mode
+ 0640 or less permissive.
+ rules:
+ - file_permissions_sshd_private_key
+ status: automated
+ - id: SLES-15-040260
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must perform strict mode checking of
+ home directory configuration files.
+ rules:
+ - sshd_enable_strictmodes
+ status: automated
+ - id: SLES-15-040290
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must disable forwarded remote X connections
+ for interactive users, unless to fulfill documented and validated mission requirements.
+ rules:
+ - sshd_disable_x11_forwarding
+ status: automated
+ - id: SLES-15-040300
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4)
+ source-routed packets.
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ status: automated
+ - id: SLES-15-040310
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6)
+ source-routed packets.
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ status: automated
+ - id: SLES-15-040320
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4)
+ source-routed packets by default.
+ rules:
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ status: automated
+ - id: SLES-15-040321
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6)
+ source-routed packets by default.
+ rules:
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ status: automated
+ - id: SLES-15-040330
+ levels:
+ - medium
+ title: The SUSE operating system must prevent Internet Protocol version 4 (IPv4)
+ Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ status: automated
+ - id: SLES-15-040340
+ levels:
+ - medium
+ title: The SUSE operating system must not allow interfaces to accept Internet Protocol
+ version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by
+ default.
+ rules:
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ status: automated
+ - id: SLES-15-040341
+ levels:
+ - medium
+ title: The SUSE operating system must prevent Internet Protocol version 6 (IPv6)
+ Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ status: automated
+ - id: SLES-15-040350
+ levels:
+ - medium
+ title: The SUSE operating system must not allow interfaces to accept Internet Protocol
+ version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by
+ default.
+ rules:
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ status: automated
+ - id: SLES-15-040360
+ levels:
+ - medium
+ title: The SUSE operating system must not allow interfaces to send Internet Protocol
+ version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by
+ default.
+ rules:
+ - sysctl_net_ipv4_conf_default_send_redirects
+ status: automated
+ - id: SLES-15-040370
+ levels:
+ - medium
+ title: The SUSE operating system must not send Internet Protocol version 4 (IPv4)
+ Internet Control Message Protocol (ICMP) redirects.
+ rules:
+ - sysctl_net_ipv4_conf_all_send_redirects
+ status: automated
+ - id: SLES-15-040380
+ levels:
+ - medium
+ title: The SUSE operating system must not be performing Internet Protocol version
+ 4 (IPv4) packet forwarding unless the system is a router.
+ rules:
+ - sysctl_net_ipv4_ip_forward
+ status: automated
+ - id: SLES-15-040381
+ levels:
+ - medium
+ title: The SUSE operating system must not be performing Internet Protocol version
+ 6 (IPv6) packet forwarding unless the system is a router.
+ rules:
+ - sysctl_net_ipv6_conf_all_forwarding
+ status: automated
+ - id: SLES-15-040382
+ levels:
+ - medium
+ title: The SUSE operating system must not be performing Internet Protocol version
+ 6 (IPv6) packet forwarding by default unless the system is a router.
+ rules:
+ - sysctl_net_ipv6_conf_default_forwarding
+ status: automated
+ - id: SLES-15-040390
+ levels:
+ - medium
+ title: The SUSE operating system must not have network interfaces in promiscuous
+ mode unless approved and documented.
+ rules:
+ - network_sniffer_disabled
+ status: automated
+ - id: SLES-15-040400
+ levels:
+ - medium
+ title: All SUSE operating system files and directories must have a valid owner.
+ rules:
+ - no_files_unowned_by_user
+ status: automated
+ - id: SLES-15-040410
+ levels:
+ - medium
+ title: All SUSE operating system files and directories must have a valid group owner.
+ rules:
+ - file_permissions_ungroupowned
+ status: automated
+ - id: SLES-15-040420
+ levels:
+ - medium
+ title: The SUSE operating system default permissions must be defined in such a way
+ that all authenticated users can only read and modify their own files.
+ rules:
+ - accounts_umask_etc_login_defs
+ status: automated
+ - id: SLES-15-040430
+ levels:
+ - high
+ title: The SUSE operating system must not allow unattended or automatic logon via
+ the graphical user interface (GUI).
+ rules:
+ - gnome_gdm_disable_unattended_automatic_login
+ status: automated
+ - id: SLES-15-040440
+ levels:
+ - high
+ title: The SUSE operating system must not allow unattended or automatic logon via
+ SSH.
+ rules:
+ - sshd_disable_empty_passwords
+ - sshd_do_not_permit_user_env
+ status: automated
+ - id: SLES-15-020099
+ levels:
+ - medium
+ title: The SUSE operating system must specify the default "include" directory for
+ the /etc/sudoers file.
+ rules:
+ - sudoers_default_includedir
+ status: automated
+ - id: SLES-15-020104
+ levels:
+ - medium
+ title: The SUSE operating system must not be configured to bypass password requirements
+ for privilege escalation.
+ rules:
+ - disallow_bypass_password_sudo
+ status: automated
+ - id: SLES-15-020181
+ levels:
+ - high
+ title: The SUSE operating system must not have accounts configured with blank or
+ null passwords.
+ rules:
+ - no_empty_passwords_etc_shadow
+ status: automated
+ - id: SLES-15-040450
+ levels:
+ - medium
+ title: The SUSE operating system SSH server must be configured to use only FIPS-validated
+ key exchange algorithms.
+ rules:
+ - sshd_use_approved_kex_ordered_stig
+ status: automated
+ - id: SLES-15-010375
+ levels:
+ - low
+ title: The SUSE operating system must restrict access to the kernel message buffer.
+ rules:
+ - sysctl_kernel_dmesg_restrict
+ status: automated
+ - id: SLES-15-010419
+ levels:
+ - medium
+ title: The SUSE operating system must use a file integrity tool to verify correct
+ operation of all security functions.
+ rules:
+ - aide_build_database
+ - package_aide_installed
+ status: automated
+ - id: SLES-15-010418
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to allow sending email notifications
+ of unauthorized configuration changes to designated personnel.
+ rules:
+ - package_mailx_installed
+ status: automated
+ - id: SLES-15-030015
+ levels:
+ - medium
+ title: The SUSE operating system must audit any script or executable called by cron
+ as root or by any privileged user.
+ rules:
+ - audit_rules_etc_cron_d
+ - audit_rules_var_spool_cron
+ status: automated
From 52667703c199f286e28469baef14491e9d5ccc4b Mon Sep 17 00:00:00 2001
From: rchikov Date: Thu, 2 Jul 2026 16:08:30 +0200 Subject: [PATCH 5/5] Revert "Fix warning empty lines and error indentation generated by yamllint" This reverts commit e4fe4c8603326529bcddc2cdd6317f5b24b7ffb2. --- .../audit_rules_execution_chmod/rule.yml | 1 + .../audit_rules_execution_rm/rule.yml | 1 + .../rule.yml | 12 +- .../rule.yml | 12 +- .../rule.yml | 12 +- .../rule.yml | 12 +- .../rule.yml | 12 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 12 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../audit_rules_session_events_wtmp/rule.yml | 1 + .../auditd_data_disk_full_action/rule.yml | 2 +- .../ssh_server/sshd_set_keepalive_0/rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 22 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../rule.yml | 14 +- .../no_empty_passwords_etc_shadow/rule.yml | 2 +- .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 1 + .../rule.yml | 6 +- products/sle15/controls/stig_sle15.yml | 3532 ++++++++--------- 29 files changed, 1908 insertions(+), 1902 deletions(-) diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml index 5283ee411bf1..8fe1302e271b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_acl_commands/audit_rules_execution_chmod/rule.yml @@ -38,3 +38,4 @@ template: name: audit_rules_privileged_commands vars: path: /usr/bin/chmod + diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml index 565a2621b593..d4b221cfa8a2 100644 
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_execution_selinux_commands/audit_rules_execution_rm/rule.yml @@ -38,3 +38,4 @@ template: name: audit_rules_privileged_commands vars: path: /usr/bin/rm + diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml index ebfbf6db6374..c563651b4d4e 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_creat/rule.yml @@ -85,9 +85,9 @@ template: vars: name: creat syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml index 9a71bce11f4a..c3df4964cb97 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_ftruncate/rule.yml @@ -85,9 +85,9 @@ template: vars: name: ftruncate syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at 
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml index 2f780c1d4572..15861002b09b 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open/rule.yml @@ -89,9 +89,9 @@ template: vars: name: open syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml index db8d72879893..0f2584da7c21 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_open_by_handle_at/rule.yml @@ -79,9 +79,9 @@ template: vars: name: open_by_handle_at syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml index 714f19717e5c..1fb647e1a7db 100644 
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_openat/rule.yml @@ -85,9 +85,9 @@ template: vars: name: openat syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml index f631f37db387..f6979d523457 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_rename/rule.yml @@ -77,13 +77,13 @@ template: vars: name: rename syscall_grouping: - - rename - - renameat - {{% if product in ['sle15', 'slmicro5', 'slmicro6'] %}} - - renameat2 - {{% endif %}} - - unlink - - unlinkat + - rename + - renameat + {{% if product in ['sle15', 'slmicro5', 'slmicro6'] %}} + - renameat2 + {{% endif %}} + - unlink + - unlinkat fixtext: |- {{%- if product in ['sle15' ,'slmicro5', 'slmicro6'] %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml index 94168cd67595..ed1576ab8dc9 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml 
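Review bot: The `renameat2` entry in `syscall_grouping` is gated on `{{% if product in ['sle15', 'slmicro5', 'slmicro6'] %}}` in this rename rule, while the renameat, unlink and unlinkat hunks of the same commit gate it on `['sle15']` only, so the four sibling rules describe different syscall groups on slmicro5 and slmicro6. If the template uses the grouping to decide which syscalls share one audit rule, renameat2 would be grouped for rename but not for the other three on those products; that is an inference, because the template is not shown here. Either use the same product list in all four rules, `{{% if product in ['sle15', 'slmicro5', 'slmicro6'] %}}`, or add a comment next to the condition stating why they differ. The re-indentation leaves the condition text unchanged, and the rest of each rule file lies outside these hunks.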
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_renameat/rule.yml @@ -90,13 +90,13 @@ template: vars: name: renameat syscall_grouping: - - rename - - renameat - {{% if product in ['sle15'] %}} - - renameat2 - {{% endif %}} - - unlink - - unlinkat + - rename + - renameat + {{% if product in ['sle15'] %}} + - renameat2 + {{% endif %}} + - unlink + - unlinkat fixtext: |- {{%- if product in ['sle15'] %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml index 15c9abc68d6f..4dd4e9aa01df 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_truncate/rule.yml @@ -84,9 +84,9 @@ template: vars: name: truncate syscall_grouping: - - creat - - ftruncate - - truncate - - open - - openat - - open_by_handle_at + - creat + - ftruncate + - truncate + - open + - openat + - open_by_handle_at diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml index 61d2b950d19f..b8a8bde22990 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlink/rule.yml 
@@ -95,13 +95,13 @@ template: vars: name: unlink syscall_grouping: - - rename - - renameat - {{% if product in ['sle15'] %}} - - renameat2 - {{% endif %}} - - unlink - - unlinkat + - rename + - renameat + {{% if product in ['sle15'] %}} + - renameat2 + {{% endif %}} + - unlink + - unlinkat fixtext: |- diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml index 50e8598096f9..242daceadf10 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification_unlinkat/rule.yml @@ -92,13 +92,13 @@ template: vars: name: unlinkat syscall_grouping: - - rename - - renameat - {{% if product in ['sle15'] %}} - - renameat2 - {{% endif %}} - - unlink - - unlinkat + - rename + - renameat + {{% if product in ['sle15'] %}} + - renameat2 + {{% endif %}} + - unlink + - unlinkat fixtext: |- {{%- if product in ['sle15'] %}} diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml index 2e1ce9f10c1f..37c025ce1f0c 100644 --- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml +++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml @@ -38,3 +38,4 @@ template: vars: path: /var/log/wtmp key: session + diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml index df7f4e29c2c1..474732a91f3e 100644 
--- a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml +++ b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml @@ -78,4 +78,4 @@ fixtext: |- If availability has been determined to be more important, and this decision is documented with the ISSO, configure {{{ full_name }}} to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG". srg_requirement: - {{{ full_name }}} must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. + {{{ full_name }}} must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml index d9db47421a49..28615f381a19 100644 --- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml +++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive_0/rule.yml @@ -68,10 +68,10 @@ ocil: |- the ClientAliveInterval is set. template: - name: sshd_lineinfile - vars: - parameter: "ClientAliveCountMax" - value: "0" - datatype: int - backends: - kubernetes: "off" + name: sshd_lineinfile + vars: + parameter: "ClientAliveCountMax" + value: "0" + datatype: int + backends: + kubernetes: "off" diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml index 75d2e80e8da1..6d4c44e265fc 100644 
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faildelay_delay/rule.yml @@ -44,12 +44,12 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-auth - type: auth - control_flag: required - module: pam_faildelay.so - arguments: - - variable: delay - operation: greater than or equal + path: /etc/pam.d/common-auth + type: auth + control_flag: required + module: pam_faildelay.so + arguments: + - variable: delay + operation: greater than or equal platform: package[pam] diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml index 52f31313be8b..9d1339074db9 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_dcredit/rule.yml @@ -47,10 +47,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: dcredit - operation: less than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: dcredit + operation: less than or equal 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml index 0ce20ea314e4..8979c17c24c5 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml @@ -47,10 +47,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: difok - operation: greater than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: difok + operation: greater than or equal diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml index 4c43bfbd3349..cec08d97d8c2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_lcredit/rule.yml 
@@ -26,13 +26,13 @@ identifiers: cce@slmicro6: CCE-94638-4 references: - cis@sle12: 5.3.1 - cis@sle15: 5.3.1 - nist@sle12: IA-5(a),IA-5(v) - nist@sle15: IA-5(1)(a),IA-5(1).1(v) - pcidss: Req-8.2.3 - srg: SRG-OS-000070-GPOS-00038 - stigid@sle12: SLES-12-010160 + cis@sle12: 5.3.1 + cis@sle15: 5.3.1 + nist@sle12: IA-5(a),IA-5(v) + nist@sle15: IA-5(1)(a),IA-5(1).1(v) + pcidss: Req-8.2.3 + srg: SRG-OS-000070-GPOS-00038 + stigid@sle12: SLES-12-010160 ocil_clause: 'lcredit is not found or not set to the required value' @@ -52,12 +52,12 @@ ocil: |- This would appear as lcredit=-{{{ xccdf_value("var_password_pam_lcredit") }}}. template: - name: pam_options - vars: + name: pam_options + vars: path: /etc/pam.d/common-password type: password control_flag: requisite module: pam_cracklib.so arguments: - - variable: lcredit - operation: less than or equal + - variable: lcredit + operation: less than or equal diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml index 1a6962f76bcd..df034053a731 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml @@ -41,10 +41,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: minlen - operation: greater than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: minlen + operation: greater than or equal 
diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml index d718e4ce8d04..f8c2b0195cb2 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml @@ -48,10 +48,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: ocredit - operation: less than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: ocredit + operation: less than or equal diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml index cf17f9cf207b..dfd6923ddd5f 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml 
@@ -46,10 +46,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: retry - operation: less than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: retry + operation: less than or equal diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml index 0be3735d72d7..b757fc8f6b11 100644 --- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml +++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ucredit/rule.yml @@ -49,10 +49,10 @@ ocil: |- template: name: pam_options vars: - path: /etc/pam.d/common-password - type: password - control_flag: requisite - module: pam_cracklib.so - arguments: - - variable: ucredit - operation: less than or equal + path: /etc/pam.d/common-password + type: password + control_flag: requisite + module: pam_cracklib.so + arguments: + - variable: ucredit + operation: less than or equal diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml index d7bada448663..dfbedd28d14e 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_etc_shadow/rule.yml 
@@ -61,7 +61,7 @@ srg_requirement: '{{{ full_name }}} must have no accounts with blank or null pas warnings: - general: - Note that this rule is not applicable for systems running within a + Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway. diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml index 8d4ef32d82f4..a738d1684bb3 100644 --- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/rule.yml @@ -98,3 +98,4 @@ warnings: These immutable parts cannot be remediated because they are read-only. Example of such directories can be OStree deployments located at /sysroot/ostree/deploy. In such case, it is needed to make modifications to the underlying ostree snapshot and this is out of scope of regular rule remediation. + diff --git a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml index da4804f0d38b..aa2eea35b789 100644 --- a/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml +++ b/linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/rule.yml @@ -3,6 +3,7 @@ documentation_complete: true title: 'Verify that system commands directories have root as a group owner' + description: |- System commands are stored in the following directories: by default: 
diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml index 83e2815728d6..d00237db83d4 100644 --- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml +++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_unattended_automatic_login/rule.yml @@ -38,3 +38,4 @@ ocil: |- The output should show the following:
DISPLAYMANAGER_AUTOLOGIN=""
          DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
+ diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml index 653f3b4ad455..b1ac1d164fb1 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml @@ -51,6 +51,6 @@ srg_requirement: '{{{ full_name }}} must restrict privilege elevation to authori platform: package[sudo] warnings: - - general: |- - This rule doesn't come with a remediation, as the exact requirement allows exceptions, - and removing lines from the sudoers file can make the system non-administrable. +- general: |- + This rule doesn't come with a remediation, as the exact requirement allows exceptions, + and removing lines from the sudoers file can make the system non-administrable. diff --git a/products/sle15/controls/stig_sle15.yml b/products/sle15/controls/stig_sle15.yml index 9118665d8a61..8a8d9f6e62cd 100644 --- a/products/sle15/controls/stig_sle15.yml +++ b/products/sle15/controls/stig_sle15.yml 
@@ -12,1769 +12,1769 @@ levels: - id: low controls: - - id: SLES-15-010000 - levels: - - high - title: The SUSE operating system must be a vendor-supported release. - rules: - - installed_OS_is_vendor_supported - status: automated - - id: SLES-15-010010 - levels: - - medium - title: Vendor-packaged SUSE operating system security patches and updates must be - installed and up to date. - rules: - - security_patches_up_to_date - status: automated - - id: SLES-15-010020 - levels: - - medium - title: The SUSE operating system must display the Standard Mandatory DOD Notice - and Consent Banner before granting access via local console. - rules: - - banner_etc_issue - - login_banner_text=dod_banners - - login_banner_contents=dod_default - status: automated - - id: SLES-15-010030 - levels: - - high - title: The SUSE operating system must not have the vsftpd package installed if not - required for operational support. - rules: - - package_vsftpd_removed - status: automated - - id: SLES-15-010040 - levels: - - medium - title: The SUSE operating system must display the Standard Mandatory DOD Notice - and Consent Banner before granting access via SSH. - rules: - - sshd_enable_warning_banner - status: automated - - id: SLES-15-010050 - levels: - - medium - title: The SUSE operating system must display the Standard Mandatory DoD Notice - and Consent Banner until users acknowledge the usage conditions and take explicit - actions to log on for further access to the local graphical user interface (GUI). - rules: - - gui_login_dod_acknowledgement - status: automated - - id: SLES-15-010060 - levels: - - medium - title: The SUSE operating system file /etc/gdm/banner must contain the Standard - Mandatory DoD Notice and Consent banner text. - rules: - - banner_etc_gdm_banner - status: automated - - id: SLES-15-010080 - levels: - - medium - title: The SUSE operating system must display a banner before granting local or - remote access to the system via a graphical user logon. 
- rules: - - dconf_gnome_banner_enabled - status: automated - - id: SLES-15-010090 - levels: - - medium - title: The SUSE operating system must display the approved Standard Mandatory DoD - Notice before granting local or remote access to the system via a graphical user - logon. - rules: - - dconf_db_up_to_date - - dconf_gnome_login_banner_text - - dconf_login_banner_text=dod_banners - - dconf_login_banner_contents=dod_default - status: automated - - id: SLES-15-010100 - levels: - - medium - title: The SUSE operating system must be able to lock the graphical user interface - (GUI). - rules: - - dconf_gnome_screensaver_lock_enabled - status: automated - - id: SLES-15-010110 - levels: - - low - title: The SUSE operating system must utilize vlock to allow for session locking. - rules: - - vlock_installed - status: automated - - id: SLES-15-010120 - levels: - - medium - title: The SUSE operating system must initiate a session lock after a 15-minute - period of inactivity for the graphical user interface (GUI). - rules: - - dconf_gnome_screensaver_idle_delay - - inactivity_timeout_value=15_minutes - - dconf_gnome_session_idle_user_locks - status: automated - - id: SLES-15-010130 - levels: - - medium - title: The SUSE operating system must initiate a session lock after a 10-minute - period of inactivity. - rules: - - accounts_tmout - - var_accounts_tmout=10_min - status: automated - - id: SLES-15-010140 - levels: - - low - title: The SUSE operating system must conceal, via the session lock, information - previously visible on the display with a publicly viewable image in the graphical - user interface (GUI). - rules: - - dconf_gnome_screensaver_mode_blank - status: automated - - id: SLES-15-010150 - levels: - - medium - title: The SUSE operating system must log SSH connection attempts and failures to - the server. 
- rules: - - sshd_set_loglevel_verbose - status: automated - - id: SLES-15-010160 - levels: - - medium - title: The SUSE operating system must implement DOD-approved encryption to protect - the confidentiality of SSH remote connections. - rules: - - sshd_use_approved_ciphers - - sshd_use_approved_ciphers_ordered_stig - status: automated - - id: SLES-15-010170 - levels: - - medium - title: The SUSE operating system, for PKI-based authentication, must validate certificates - by constructing a certification path (which includes status information) to an - accepted trust anchor. - rules: - - smartcard_configure_ca - status: automated - - id: SLES-15-010180 - levels: - - high - title: The SUSE operating system must not have the telnet-server package installed. - rules: - - package_telnet-server_removed - status: automated - - id: SLES-15-010190 - levels: - - high - title: SUSE operating systems with a basic input/output system (BIOS) must require - authentication upon booting into single-user and maintenance modes. - rules: - - grub2_password - status: automated - - id: SLES-15-010200 - levels: - - high - title: SUSE operating systems with Unified Extensible Firmware Interface (UEFI) - implemented must require authentication upon booting into single-user mode and - maintenance. - rules: - - grub2_uefi_password - status: automated - - id: SLES-15-010220 - levels: - - medium - title: The SUSE operating system must be configured to prohibit or restrict the - use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, - and Services Management (PPSM) Category Assignments List (CAL) and vulnerability - assessments. - rules: - - package_firewalld_installed - - service_firewalld_enabled - status: automated - - id: SLES-15-010230 - levels: - - medium - title: The SUSE operating system must not have duplicate User IDs (UIDs) for interactive - users. 
- rules: - - account_unique_id - status: automated - - id: SLES-15-010240 - levels: - - medium - title: The SUSE operating system must disable the file system automounter. - rules: - - service_autofs_disabled - status: automated - - id: SLES-15-010260 - levels: - - medium - title: The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing - algorithm for system authentication (login.defs). - rules: - - set_password_hashing_algorithm_logindefs - status: automated - - id: SLES-15-010270 - levels: - - medium - title: The SUSE operating system SSH daemon must be configured to only use Message - Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. - rules: - - sshd_use_approved_macs - - sshd_use_approved_macs_ordered_stig - status: automated - - id: SLES-15-010280 - levels: - - medium - title: The SUSE operating system SSH daemon must be configured with a timeout interval. - rules: - - sshd_set_idle_timeout - - sshd_idle_timeout_value=10_minutes - status: automated - - id: SLES-15-010300 - levels: - - medium - title: The sticky bit must be set on all SUSE operating system world-writable directories. - rules: - - dir_perms_world_writable_sticky_bits - status: automated - - id: SLES-15-010310 - levels: - - medium - title: The SUSE operating system must be configured to use TCP syncookies. - rules: - - sysctl_net_ipv4_tcp_syncookies - status: automated - - id: SLES-15-010320 - levels: - - medium - title: The SUSE operating system, for all network connections associated with SSH - traffic, must immediately terminate at the end of the session or after 10 minutes - of inactivity. 
- rules: - - sshd_set_keepalive - - var_sshd_set_keepalive=1 - - sshd_set_keepalive_0 - status: automated - - id: SLES-15-010330 - levels: - - high - title: All SUSE operating system persistent disk partitions must implement cryptographic - mechanisms to prevent unauthorized disclosure or modification of all information - that requires at-rest protection. - rules: - - encrypt_partitions - status: automated - - id: SLES-15-010340 - levels: - - medium - title: The SUSE operating system must generate error messages that provide information - necessary for corrective actions without revealing information that could be exploited - by adversaries. - rules: - - permissions_local_var_log - status: automated - - id: SLES-15-010350 - levels: - - medium - title: The SUSE operating system must prevent unauthorized users from accessing - system error messages. - rules: - - file_permissions_local_var_log_messages - status: automated - - id: SLES-15-010351 - levels: - - medium - title: The SUSE operating system library files must have mode 0755 or less permissive. - rules: - - file_permissions_library_dirs - status: automated - - id: SLES-15-010352 - levels: - - medium - title: The SUSE operating system library directories must have mode 0755 or less - permissive. - rules: - - dir_permissions_library_dirs - status: automated - - id: SLES-15-010353 - levels: - - medium - title: The SUSE operating system library files must be owned by root. - rules: - - file_ownership_library_dirs - status: automated - - id: SLES-15-010354 - levels: - - medium - title: The SUSE operating system library directories must be owned by root. - rules: - - dir_ownership_library_dirs - status: automated - - id: SLES-15-010355 - levels: - - medium - title: The SUSE operating system library files must be group-owned by root. 
- rules: - - root_permissions_syslibrary_files - status: automated - - id: SLES-15-010356 - levels: - - medium - title: The SUSE operating system library directories must be group-owned by root. - rules: - - dir_group_ownership_library_dirs - status: automated - - id: SLES-15-010357 - levels: - - medium - title: The SUSE operating system must have system commands set to a mode of 0755 - or less permissive. - rules: - - file_permissions_system_commands_dirs - status: automated - - id: SLES-15-010358 - levels: - - medium - title: The SUSE operating system must have directories that contain system commands - set to a mode of 0755 or less permissive. - rules: - - file_permissions_binary_dirs - status: automated - - id: SLES-15-010359 - levels: - - medium - title: The SUSE operating system must have system commands owned by root. - rules: - - file_ownership_binary_dirs - status: automated - - id: SLES-15-010360 - levels: - - medium - title: The SUSE operating system must have directories that contain system commands - owned by root. - rules: - - dir_system_commands_root_owned - status: automated - - id: SLES-15-010361 - levels: - - medium - title: The SUSE operating system must have system commands group-owned by root or - a system account. - rules: - - file_groupownership_system_commands_dirs - status: automated - - id: SLES-15-010362 - levels: - - medium - title: The SUSE operating system must have directories that contain system commands - group-owned by root. - rules: - - dir_system_commands_group_root_owned - status: automated - - id: SLES-15-010370 - levels: - - medium - title: The SUSE operating system must have a firewall system installed to immediately - disconnect or disable remote access to the whole operating system. - rules: [] - status: pending - - id: SLES-15-010380 - levels: - - medium - title: The SUSE operating system wireless network adapters must be disabled unless - approved and documented. 
- rules: - - wireless_disable_interfaces - status: automated - - id: SLES-15-010390 - levels: - - medium - title: SUSE operating system AppArmor tool must be configured to control whitelisted - applications and user home directory access control. - rules: - - apparmor_configured - - package_pam_apparmor_installed - status: automated - - id: SLES-15-010400 - levels: - - medium - title: The SUSE operating system clock must, for networked systems, be synchronized - to an authoritative DOD time source at least every 24 hours. - rules: - - chronyd_or_ntpd_set_maxpoll - - var_time_service_set_maxpoll=18_hours - status: automated - - id: SLES-15-010410 - levels: - - low - title: The SUSE operating system must be configured to use Coordinated Universal - Time (UTC) or Greenwich Mean Time (GMT). - rules: - - ensure_rtc_utc_configuration - status: automated - - id: SLES-15-010420 - levels: - - medium - title: Advanced Intrusion Detection Environment (AIDE) must verify the baseline - SUSE operating system configuration at least weekly. - rules: - - aide_periodic_cron_checking - status: automated - - id: SLES-15-010430 - levels: - - high - title: The SUSE operating system tool zypper must have gpgcheck enabled. - rules: - - ensure_gpgcheck_globally_activated - status: automated - - id: SLES-15-010450 - levels: - - high - title: The SUSE operating system must reauthenticate users when changing authenticators, - roles, or escalating privileges. - rules: - - sudo_remove_no_authenticate - - sudo_remove_nopasswd - - sudo_require_authentication - status: automated - - id: SLES-15-010460 - levels: - - medium - title: The SUSE operating system must have the packages required for multifactor - authentication to be installed. - rules: - - install_smartcard_packages - status: automated - - id: SLES-15-010470 - levels: - - medium - title: The SUSE operating system must implement certificate status checking for - multifactor authentication. 
- rules: - - smartcard_configure_cert_checking - status: automated - - id: SLES-15-010480 - levels: - - medium - title: The SUSE operating system must disable the USB mass storage kernel module. - rules: - - kernel_module_usb-storage_disabled - status: automated - - id: SLES-15-010490 - levels: - - medium - title: If Network Security Services (NSS) is being used by the SUSE operating system - it must prohibit the use of cached authentications after one day. - rules: - - sssd_memcache_timeout - - var_sssd_memcache_timeout=1_day - status: automated - - id: SLES-15-010500 - levels: - - medium - title: The SUSE operating system must configure the Linux Pluggable Authentication - Modules (PAM) to prohibit the use of cached offline authentications after one - day. - rules: - - sssd_offline_cred_expiration - status: automated - - id: SLES-15-010510 - levels: - - high - title: FIPS 140-2 mode must be enabled on the SUSE operating system. - rules: - - is_fips_mode_enabled - status: automated - - id: SLES-15-010530 - levels: - - high - title: All networked SUSE operating systems must have and implement SSH to protect - the confidentiality and integrity of transmitted and received information, as - well as information during preparation for transmission. - rules: - - service_sshd_enabled - status: automated - - id: SLES-15-010540 - levels: - - medium - title: The SUSE operating system must implement kptr-restrict to prevent the leaking - of internal kernel addresses. - rules: - - sysctl_kernel_kptr_restrict - status: automated - - id: SLES-15-010550 - levels: - - medium - title: Address space layout randomization (ASLR) must be implemented by the SUSE - operating system to protect memory from unauthorized code execution. - rules: - - sysctl_kernel_randomize_va_space - status: automated - - id: SLES-15-010560 - levels: - - medium - title: The SUSE operating system must remove all outdated software components after - updated versions have been installed. 
- rules: - - clean_components_post_updating - status: automated - - id: SLES-15-010570 - levels: - - medium - title: The SUSE operating system must notify the System Administrator (SA) when - Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation - of any security functions. - rules: - - aide_periodic_checking_systemd_timer - - aide_scan_notification - status: automated - - id: SLES-15-010580 - levels: - - medium - title: The SUSE operating system must off-load rsyslog messages for networked systems - in real time and off-load standalone systems at least weekly. - rules: - - rsyslog_remote_loghost - status: automated - - id: SLES-15-020000 - levels: - - medium - title: The SUSE operating system must provision temporary accounts with an expiration - date for 72 hours. - rules: [] - status: pending - - id: SLES-15-020010 - levels: - - medium - title: The SUSE operating system must lock an account after three consecutive invalid - access attempts. - rules: - - accounts_passwords_pam_tally2 - - var_password_pam_tally2=3 - status: automated - - id: SLES-15-020020 - levels: - - low - title: The SUSE operating system must limit the number of concurrent sessions to - 10 for all accounts and/or account types. - rules: - - accounts_max_concurrent_login_sessions - - var_accounts_max_concurrent_login_sessions=10 - status: automated - - id: SLES-15-020030 - levels: - - medium - title: The SUSE operating system must implement multifactor authentication for access - to privileged accounts via pluggable authentication modules (PAM). - rules: - - smartcard_pam_enabled - status: automated - - id: SLES-15-020040 - levels: - - medium - title: The SUSE operating system must deny direct logons to the root account using - remote access via SSH. 
- rules: - - sshd_disable_root_login - status: automated - - id: SLES-15-020050 - levels: - - medium - title: The SUSE operating system must disable account identifiers (individuals, - groups, roles, and devices) after 35 days of inactivity after password expiration. - rules: - - account_disable_post_pw_expiration - - var_account_disable_post_pw_expiration=35 - status: automated - - id: SLES-15-020060 - levels: - - medium - title: The SUSE operating system must never automatically remove or disable emergency - administrator accounts. - rules: - - account_emergency_admin - status: manual - - id: SLES-15-020090 - levels: - - medium - title: The SUSE operating system must not have unnecessary accounts. - rules: - - accounts_authorized_local_users - # NOTE: must configure "var_accounts_authorized_local_users_regex" - # when the rule "accounts_authorized_local_users" is enabled - # - var_accounts_authorized_local_users_regex= - - var_accounts_authorized_local_users_regex=sle15 - status: automated - - id: SLES-15-020091 - levels: - - medium - title: The SUSE operating system must not have unnecessary account capabilities. - rules: - - no_shelllogin_for_systemaccounts - status: automated - - id: SLES-15-020100 - levels: - - high - title: The SUSE operating system root account must be the only account with unrestricted - access to the system. - rules: - - accounts_no_uid_except_zero - status: automated - - id: SLES-15-020101 - levels: - - medium - title: The SUSE operating system must restrict privilege elevation to authorized - personnel. - rules: - - sudo_restrict_privilege_elevation_to_authorized - status: automated - - id: SLES-15-020102 - levels: - - medium - title: The SUSE operating system must require reauthentication when using the "sudo" - command. 
- rules: - - sudo_require_reauthentication - - var_sudo_timestamp_timeout=always_prompt - status: automated - - id: SLES-15-020103 - levels: - - medium - title: The SUSE operating system must use the invoking user's password for privilege - escalation when using "sudo". - rules: - - sudoers_validate_passwd - status: automated - - id: SLES-15-020110 - levels: - - medium - title: All SUSE operating system local interactive user accounts, upon creation, - must be assigned a home directory. - rules: - - accounts_have_homedir_login_defs - status: automated - - id: SLES-15-020120 - levels: - - medium - title: The SUSE operating system must display the date and time of the last successful - account logon upon an SSH logon. - rules: - - sshd_print_last_log - status: automated - - id: SLES-15-020130 - levels: - - medium - title: The SUSE operating system must enforce passwords that contain at least one - uppercase character. - rules: - - cracklib_accounts_password_pam_ucredit - - var_password_pam_ucredit=1 - status: automated - - id: SLES-15-020140 - levels: - - medium - title: The SUSE operating system must enforce passwords that contain at least one - lowercase character. - rules: - - cracklib_accounts_password_pam_lcredit - - var_password_pam_lcredit=1 - status: automated - - id: SLES-15-020150 - levels: - - medium - title: The SUSE operating system must enforce passwords that contain at least one - numeric character. - rules: - - cracklib_accounts_password_pam_dcredit - - var_password_pam_dcredit=1 - status: automated - - id: SLES-15-020160 - levels: - - medium - title: The SUSE operating system must require the change of at least eight of the - total number of characters when passwords are changed. - rules: - - cracklib_accounts_password_pam_difok - status: automated - - id: SLES-15-020170 - levels: - - medium - title: The SUSE operating system must configure the Linux Pluggable Authentication - Modules (PAM) to only store encrypted representations of passwords. 
- rules: - - set_password_hashing_algorithm_systemauth - status: automated - - id: SLES-15-020180 - levels: - - medium - title: The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing - algorithms for all stored passwords. - rules: - - accounts_password_all_shadowed_sha512 - status: automated - - id: SLES-15-020190 - levels: - - medium - title: The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing - algorithms for all stored passwords. - rules: - - set_password_hashing_min_rounds_logindefs - - var_password_hashing_min_rounds_login_defs=100000 - status: automated - - id: SLES-15-020200 - levels: - - medium - title: The SUSE operating system must be configured to create or update passwords - with a minimum lifetime of 24 hours (one day). - rules: - - accounts_minimum_age_login_defs - - var_accounts_minimum_age_login_defs=7 - status: automated - - id: SLES-15-020210 - levels: - - medium - title: The SUSE operating system must employ user passwords with a minimum lifetime - of 24 hours (one day). - rules: - - accounts_password_set_min_life_existing - status: automated - - id: SLES-15-020220 - levels: - - medium - title: The SUSE operating system must be configured to create or update passwords - with a maximum lifetime of 60 days. - rules: - - accounts_maximum_age_login_defs - - var_accounts_maximum_age_login_defs=60 - status: automated - - id: SLES-15-020230 - levels: - - medium - title: The SUSE operating system must employ user passwords with a maximum lifetime - of 60 days. - rules: - - accounts_password_set_max_life_existing - status: automated - - id: SLES-15-020260 - levels: - - medium - title: The SUSE operating system must employ passwords with a minimum of 15 characters. 
- rules: - - cracklib_accounts_password_pam_minlen - - var_password_pam_minlen=15 - status: automated - - id: SLES-15-020270 - levels: - - medium - title: The SUSE operating system must enforce passwords that contain at least one - special character. - rules: - - cracklib_accounts_password_pam_ocredit - - var_password_pam_ocredit=1 - status: automated - - id: SLES-15-020290 - levels: - - medium - title: The SUSE operating system must prevent the use of dictionary words for passwords. - rules: - - cracklib_accounts_password_pam_retry - status: automated - - id: SLES-15-020300 - levels: - - high - title: The SUSE operating system must not be configured to allow blank or null passwords. - rules: - - no_empty_passwords - status: automated - - id: SLES-15-030000 - levels: - - medium - title: The SUSE operating system must generate audit records for all account creations, - modifications, disabling, and termination events that affect /etc/passwd. - rules: - - audit_rules_usergroup_modification_passwd - status: automated - - id: SLES-15-030010 - levels: - - medium - title: The SUSE operating system must generate audit records for all account creations, - modifications, disabling, and termination events that affect /etc/group. - rules: - - audit_rules_usergroup_modification_group - status: automated - - id: SLES-15-030020 - levels: - - medium - title: The SUSE operating system must generate audit records for all account creations, - modifications, disabling, and termination events that affect /etc/shadow. - rules: - - audit_rules_usergroup_modification_shadow - status: automated - - id: SLES-15-030030 - levels: - - medium - title: The SUSE operating system must generate audit records for all account creations, - modifications, disabling, and termination events that affect /etc/security/opasswd. 
- rules: - - audit_rules_usergroup_modification_opasswd - status: automated - - id: SLES-15-030040 - levels: - - medium - title: The SUSE operating system must generate audit records for all account creations, - modifications, disabling, and termination events that affect /etc/gshadow. - rules: - - audit_rules_usergroup_modification_gshadow - status: automated - - id: SLES-15-030050 - levels: - - medium - title: SUSE operating system audit records must contain information to establish - what type of events occurred, the source of events, where events occurred, and - the outcome of events. - rules: - - service_auditd_enabled - status: automated - - id: SLES-15-030060 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - ssh-keysign command. - rules: - - audit_rules_privileged_commands_ssh_keysign - status: automated - - id: SLES-15-030070 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - passwd command. - rules: - - audit_rules_privileged_commands_passwd - status: automated - - id: SLES-15-030080 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - gpasswd command. - rules: - - audit_rules_privileged_commands_gpasswd - status: automated - - id: SLES-15-030090 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - newgrp command. - rules: - - audit_rules_privileged_commands_newgrp - status: automated - - id: SLES-15-030100 - levels: - - low - title: The SUSE operating system must generate audit records for a uses of the chsh - command. - rules: - - audit_rules_privileged_commands_chsh - status: automated - - id: SLES-15-030110 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - unix_chkpwd or unix2_chkpwd commands. 
- rules: - - audit_rules_privileged_commands_unix2_chkpwd - - audit_rules_privileged_commands_unix_chkpwd - status: automated - - id: SLES-15-030120 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chage command. - rules: - - audit_rules_privileged_commands_chage - status: automated - - id: SLES-15-030130 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - crontab command. - rules: - - audit_rules_privileged_commands_crontab - status: automated - - id: SLES-15-030140 - levels: - - medium - title: The SUSE operating system must audit all uses of the sudoers file and all - files in the /etc/sudoers.d/ directory. - rules: - - audit_rules_sysadmin_actions - status: automated - - id: SLES-15-030150 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. - rules: - - audit_rules_unsuccessful_file_modification_creat - - audit_rules_unsuccessful_file_modification_ftruncate - - audit_rules_unsuccessful_file_modification_open - - audit_rules_unsuccessful_file_modification_open_by_handle_at - - audit_rules_unsuccessful_file_modification_openat - - audit_rules_unsuccessful_file_modification_truncate - status: automated - - id: SLES-15-030190 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system - calls. 
- rules: - - audit_rules_dac_modification_fremovexattr - - audit_rules_dac_modification_fsetxattr - - audit_rules_dac_modification_lremovexattr - - audit_rules_dac_modification_lsetxattr - - audit_rules_dac_modification_removexattr - - audit_rules_dac_modification_setxattr - status: automated - - id: SLES-15-030250 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chown, fchown, fchownat, and lchown system calls. - rules: - - audit_rules_dac_modification_chown - - audit_rules_dac_modification_fchown - - audit_rules_dac_modification_fchownat - - audit_rules_dac_modification_lchown - status: automated - - id: SLES-15-030290 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chmod, fchmod, and fchmodat system calls. - rules: - - audit_rules_dac_modification_chmod - - audit_rules_dac_modification_fchmod - - audit_rules_dac_modification_fchmodat - status: automated - - id: SLES-15-030330 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - sudoedit command. - rules: - - audit_rules_privileged_commands_sudoedit - status: automated - - id: SLES-15-030340 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - chfn command. - rules: - - audit_rules_privileged_commands_chfn - status: automated - - id: SLES-15-030350 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - mount system call. - rules: - - audit_rules_media_export - status: automated - - id: SLES-15-030360 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - umount system call. 
- rules: - - audit_rules_dac_modification_umount - - audit_rules_dac_modification_umount2 - status: automated - - id: SLES-15-030370 - levels: - - low - title: The SUSE operating system must generate audit records for all uses of the - ssh-agent command. - rules: - - audit_rules_privileged_commands_ssh_agent - status: automated - - id: SLES-15-030380 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - insmod command. - rules: - - audit_rules_privileged_commands_insmod - status: automated - - id: SLES-15-030390 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - rmmod command. - rules: - - audit_rules_privileged_commands_rmmod - status: automated - - id: SLES-15-030400 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - modprobe command. - rules: - - audit_rules_privileged_commands_modprobe - status: automated - - id: SLES-15-030410 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - kmod command. - rules: - - audit_rules_privileged_commands_kmod - status: automated - - id: SLES-15-030420 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chmod command. - rules: - - audit_rules_execution_chmod - status: automated - - id: SLES-15-030430 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - setfacl command. - rules: - - audit_rules_execution_setfacl - status: automated - - id: SLES-15-030440 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chacl command. - rules: - - audit_rules_execution_chacl - status: automated - - id: SLES-15-030450 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - chcon command. 
- rules: - - audit_rules_execution_chcon - status: automated - - id: SLES-15-030460 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - rm command. - rules: - - audit_rules_execution_rm - status: automated - - id: SLES-15-030470 - levels: - - medium - title: The SUSE operating system must generate audit records for all modifications - to the tallylog file must generate an audit record. - rules: - - audit_rules_login_events_tallylog - status: automated - - id: SLES-15-030480 - levels: - - medium - title: The SUSE operating system must generate audit records for all modifications - to the lastlog file. - rules: - - audit_rules_login_events_lastlog - status: automated - - id: SLES-15-030490 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - passmass command. - rules: - - audit_rules_privileged_commands_passmass - status: automated - - id: SLES-15-030500 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - usermod command. - rules: - - audit_rules_privileged_commands_usermod - status: automated - - id: SLES-15-030510 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - pam_timestamp_check command. - rules: - - audit_rules_privileged_commands_pam_timestamp_check - status: automated - - id: SLES-15-030520 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - delete_module system call. - rules: - - audit_rules_kernel_module_loading_delete - status: automated - - id: SLES-15-030530 - levels: - - medium - title: The SUSE operating system must generate audit records for all uses of the - init_module and finit_module system calls. 
- rules:
- - audit_rules_kernel_module_loading_finit
- - audit_rules_kernel_module_loading_init
- status: automated
- - id: SLES-15-030550
- levels:
- - medium
- title: The SUSE operating system must generate audit records for all uses of the
- su command.
- rules:
- - audit_rules_privileged_commands_su
- status: automated
- - id: SLES-15-030560
- levels:
- - low
- title: The SUSE operating system must generate audit records for all uses of the
- sudo command.
- rules:
- - audit_rules_privileged_commands_sudo
- status: automated
- - id: SLES-15-030570
- levels:
- - medium
- title: The Information System Security Officer (ISSO) and System Administrator (SA),
- at a minimum, must be alerted of a SUSE operating system audit processing failure
- event.
- rules:
- - auditd_data_retention_action_mail_acct
- status: automated
- - id: SLES-15-030580
- levels:
- - medium
- title: The Information System Security Officer (ISSO) and System Administrator (SA),
- at a minimum, must have mail aliases to be notified of a SUSE operating system
- audit processing failure.
- rules:
- - postfix_client_configure_mail_alias
- status: automated
- - id: SLES-15-030590
- levels:
- - medium
- title: The SUSE operating system audit system must take appropriate action when
- the audit storage volume is full.
- rules:
- - auditd_data_disk_full_action
- - var_auditd_disk_full_action=syslog
- status: automated
- - id: SLES-15-030600
- levels:
- - medium
- title: The SUSE operating system must protect audit rules from unauthorized modification.
- rules:
- - permissions_local_var_log_audit
- status: automated
- - id: SLES-15-030620
- levels:
- - medium
- title: The SUSE operating system audit tools must have the proper permissions configured
- to protect against unauthorized access.
- rules:
- - permissions_local_audit_binaries
- status: automated
- - id: SLES-15-030630
- levels:
- - medium
- title: The SUSE operating system file integrity tool must be configured to protect
- the integrity of the audit tools.
- rules:
- - aide_check_audit_tools
- status: automated
- - id: SLES-15-030640
- levels:
- - low
- title: The SUSE operating system must generate audit records for all uses of the
- privileged functions.
- rules:
- - audit_rules_suid_privilege_function
- status: automated
- - id: SLES-15-030650
- levels:
- - medium
- title: The SUSE operating system must have the auditing package installed.
- rules:
- - package_audit_installed
- status: automated
- - id: SLES-15-030660
- levels:
- - medium
- title: The SUSE operating system must allocate audit record storage capacity to
- store at least one week of audit records when audit records are not immediately
- sent to a central audit record storage facility.
- rules:
- - auditd_audispd_configure_sufficiently_large_partition
- status: manual
- - id: SLES-15-030670
- levels:
- - medium
- title: The audit-audispd-plugins must be installed on the SUSE operating system.
- rules:
- - package_audit-audispd-plugins_installed
- status: automated
- - id: SLES-15-030680
- levels:
- - low
- title: The SUSE operating system audit event multiplexor must be configured to use
- Kerberos.
- rules:
- - auditd_audispd_encrypt_sent_records
- status: automated
- - id: SLES-15-030690
- levels:
- - low
- title: Audispd must off-load audit records onto a different system or media from
- the SUSE operating system being audited.
- rules:
- - auditd_audispd_configure_remote_server
- # NOTE: must configure "var_audispd_remote_server" when the
- # rule "auditd_audispd_configure_remote_server" is enabled
- # - var_audispd_remote_server=
- status: automated
- - id: SLES-15-030700
- levels:
- - medium
- title: The SUSE operating system auditd service must notify the System Administrator
- (SA) and Information System Security Officer (ISSO) immediately when audit storage
- capacity is 75 percent full.
- rules:
- - auditd_data_retention_space_left
- status: automated
- - id: SLES-15-030740
- levels:
- - medium
- title: The SUSE operating system must generate audit records for all uses of the
- unlink, unlinkat, rename, renameat, and rmdir system calls.
- rules:
- - audit_rules_unsuccessful_file_modification_rename
- - audit_rules_unsuccessful_file_modification_renameat
- - audit_rules_unsuccessful_file_modification_renameat2
- - audit_rules_unsuccessful_file_modification_unlink
- - audit_rules_unsuccessful_file_modification_unlinkat
- status: automated
- - id: SLES-15-030760
- levels:
- - medium
- title: The SUSE operating system must generate audit records for the /run/utmp file.
- rules:
- - audit_rules_session_events_utmp
- status: automated
- - id: SLES-15-030770
- levels:
- - medium
- title: The SUSE operating system must generate audit records for the /var/log/wtmp
- file.
- rules:
- - audit_rules_session_events_wtmp
- status: automated
- - id: SLES-15-030780
- levels:
- - medium
- title: The SUSE operating system must generate audit records for the /var/log/btmp
- file.
- rules:
- - audit_rules_session_events_btmp
- status: automated
- - id: SLES-15-030790
- levels:
- - medium
- title: The SUSE operating system must off-load audit records onto a different system
- or media from the system being audited.
- rules:
- - auditd_audispd_network_failure_action
- status: automated
- - id: SLES-15-030800
- levels:
- - medium
- title: Audispd must take appropriate action when the SUSE operating system audit
- storage is full.
- rules:
- - auditd_audispd_disk_full_action
- status: automated
- - id: SLES-15-030810
- levels:
- - low
- title: The SUSE operating system must use a separate file system for the system
- audit data path.
- rules:
- - partition_for_var_log_audit
- status: automated
- - id: SLES-15-030820
- levels:
- - medium
- title: The SUSE operating system must not disable syscall auditing.
- rules:
- - audit_rules_enable_syscall_auditing
- status: automated
- - id: SLES-15-040000
- levels:
- - medium
- title: The SUSE operating system must enforce a delay of at least four seconds between
- logon prompts following a failed logon attempt.
- rules: []
- status: pending
- - id: SLES-15-040010
- levels:
- - medium
- title: The SUSE operating system must enforce a delay of at least four seconds between
- logon prompts following a failed logon attempt.
- rules:
- - accounts_passwords_pam_faildelay_delay
- - var_accounts_fail_delay=4
- - var_password_pam_delay=4000000
- status: automated
- - id: SLES-15-040020
- levels:
- - high
- title: There must be no .shosts files on the SUSE operating system.
- rules:
- - no_user_host_based_files
- status: automated
- - id: SLES-15-040030
- levels:
- - high
- title: There must be no shosts.equiv files on the SUSE operating system.
- rules:
- - no_host_based_files
- status: automated
- - id: SLES-15-040040
- levels:
- - low
- title: The SUSE operating system file integrity tool must be configured to verify
- Access Control Lists (ACLs).
- rules:
- - aide_verify_acls
- status: automated
- - id: SLES-15-040050
- levels:
- - low
- title: The SUSE operating system file integrity tool must be configured to verify
- extended attributes.
- rules:
- - aide_verify_ext_attributes
- status: automated
- - id: SLES-15-040060
- levels:
- - high
- title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
- rules:
- - disable_ctrlaltdel_reboot
- status: automated
- - id: SLES-15-040061
- levels:
- - high
- title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence
- for Graphical User Interfaces.
- rules:
- - enable_dconf_user_profile
- status: automated
- - id: SLES-15-040062
- levels:
- - high
- title: The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst
- key sequence.
- rules:
- - disable_ctrlaltdel_burstaction
- status: automated
- - id: SLES-15-040070
- levels:
- - medium
- title: All SUSE operating system local interactive users must have a home directory
- assigned in the /etc/passwd file.
- rules:
- - accounts_user_interactive_home_directory_defined
- status: automated
- - id: SLES-15-040080
- levels:
- - medium
- title: All SUSE operating system local interactive user home directories defined
- in the /etc/passwd file must exist.
- rules:
- - accounts_user_interactive_home_directory_exists
- status: automated
- - id: SLES-15-040090
- levels:
- - medium
- title: All SUSE operating system local interactive user home directories must have
- mode 0750 or less permissive.
- rules:
- - file_permissions_home_directories
- status: automated
- - id: SLES-15-040100
- levels:
- - medium
- title: All SUSE operating system local interactive user home directories must be
- group-owned by the home directory owner's primary group.
- rules:
- - file_groupownership_home_directories
- status: automated
- - id: SLES-15-040110
- levels:
- - medium
- title: All SUSE operating system local initialization files must have mode 0740
- or less permissive.
- rules:
- - file_permission_user_init_files
- status: automated
- - id: SLES-15-040120
- levels:
- - medium
- title: All SUSE operating system local interactive user initialization files executable
- search paths must contain only paths that resolve to the users home directory.
- rules:
- - accounts_user_home_paths_only
- status: manual
- - id: SLES-15-040130
- levels:
- - medium
- title: All SUSE operating system local initialization files must not execute world-writable
- programs.
- rules:
- - accounts_user_dot_no_world_writable_programs
- status: automated
- - id: SLES-15-040140
- levels:
- - medium
- title: SUSE operating system file systems that contain user home directories must
- be mounted to prevent files with the setuid and setgid bit set from being executed.
- rules:
- - mount_option_home_nosuid
- status: automated
- - id: SLES-15-040150
- levels:
- - medium
- title: SUSE operating system file systems that are used with removable media must
- be mounted to prevent files with the setuid and setgid bit set from being executed.
- rules:
- - mount_option_nosuid_removable_partitions
- - var_removable_partition=dev_cdrom
- status: automated
- - id: SLES-15-040160
- levels:
- - medium
- title: SUSE operating system file systems that are being imported via Network File
- System (NFS) must be mounted to prevent files with the setuid and setgid bit set
- from being executed.
- rules:
- - mount_option_nosuid_remote_filesystems
- status: automated
- - id: SLES-15-040170
- levels:
- - medium
- title: SUSE operating system file systems that are being imported via Network File
- System (NFS) must be mounted to prevent binary files from being executed.
- rules:
- - mount_option_noexec_remote_filesystems
- status: automated
- - id: SLES-15-040180
- levels:
- - medium
- title: All SUSE operating system world-writable directories must be group-owned
- by root, sys, bin, or an application group.
- rules:
- - dir_perms_world_writable_system_owned_group
- status: automated
- - id: SLES-15-040190
- levels:
- - medium
- title: SUSE operating system kernel core dumps must be disabled unless needed.
- rules:
- - service_kdump_disabled
- status: automated
- - id: SLES-15-040200
- levels:
- - low
- title: A separate file system must be used for SUSE operating system user home directories
- (such as /home or an equivalent).
- rules:
- - partition_for_home
- status: automated
- - id: SLES-15-040210
- levels:
- - low
- title: The SUSE operating system must use a separate file system for /var.
- rules:
- - partition_for_var
- status: automated
- - id: SLES-15-040220
- levels:
- - medium
- title: The SUSE operating system must be configured to not overwrite Pluggable Authentication
- Modules (PAM) configuration on package changes.
- rules:
- - pam_disable_automatic_configuration
- status: automated
- - id: SLES-15-040230
- levels:
- - medium
- title: The SUSE operating system SSH daemon must be configured to not allow authentication
- using known hosts authentication.
- rules:
- - sshd_disable_user_known_hosts
- status: automated
- - id: SLES-15-040240
- levels:
- - medium
- title: The SUSE operating system SSH daemon public host key files must have mode
- 0644 or less permissive.
- rules:
- - file_permissions_sshd_pub_key
- status: automated
- - id: SLES-15-040250
- levels:
- - medium
- title: The SUSE operating system SSH daemon private host key files must have mode
- 0640 or less permissive.
- rules:
- - file_permissions_sshd_private_key
- status: automated
- - id: SLES-15-040260
- levels:
- - medium
- title: The SUSE operating system SSH daemon must perform strict mode checking of
- home directory configuration files.
- rules:
- - sshd_enable_strictmodes
- status: automated
- - id: SLES-15-040290
- levels:
- - medium
- title: The SUSE operating system SSH daemon must disable forwarded remote X connections
- for interactive users, unless to fulfill documented and validated mission requirements.
- rules:
- - sshd_disable_x11_forwarding
- status: automated
- - id: SLES-15-040300
- levels:
- - medium
- title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4)
- source-routed packets.
- rules:
- - sysctl_net_ipv4_conf_all_accept_source_route
- status: automated
- - id: SLES-15-040310
- levels:
- - medium
- title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6)
- source-routed packets.
- rules:
- - sysctl_net_ipv6_conf_all_accept_source_route
- status: automated
- - id: SLES-15-040320
- levels:
- - medium
- title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4)
- source-routed packets by default.
- rules:
- - sysctl_net_ipv4_conf_default_accept_source_route
- status: automated
- - id: SLES-15-040321
- levels:
- - medium
- title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6)
- source-routed packets by default.
- rules:
- - sysctl_net_ipv6_conf_default_accept_source_route
- status: automated
- - id: SLES-15-040330
- levels:
- - medium
- title: The SUSE operating system must prevent Internet Protocol version 4 (IPv4)
- Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- rules:
- - sysctl_net_ipv4_conf_all_accept_redirects
- status: automated
- - id: SLES-15-040340
- levels:
- - medium
- title: The SUSE operating system must not allow interfaces to accept Internet Protocol
- version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by
- default.
- rules:
- - sysctl_net_ipv4_conf_default_accept_redirects
- status: automated
- - id: SLES-15-040341
- levels:
- - medium
- title: The SUSE operating system must prevent Internet Protocol version 6 (IPv6)
- Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- rules:
- - sysctl_net_ipv6_conf_all_accept_redirects
- status: automated
- - id: SLES-15-040350
- levels:
- - medium
- title: The SUSE operating system must not allow interfaces to accept Internet Protocol
- version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by
- default.
- rules:
- - sysctl_net_ipv6_conf_default_accept_redirects
- status: automated
- - id: SLES-15-040360
- levels:
- - medium
- title: The SUSE operating system must not allow interfaces to send Internet Protocol
- version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by
- default.
- rules:
- - sysctl_net_ipv4_conf_default_send_redirects
- status: automated
- - id: SLES-15-040370
- levels:
- - medium
- title: The SUSE operating system must not send Internet Protocol version 4 (IPv4)
- Internet Control Message Protocol (ICMP) redirects.
- rules:
- - sysctl_net_ipv4_conf_all_send_redirects
- status: automated
- - id: SLES-15-040380
- levels:
- - medium
- title: The SUSE operating system must not be performing Internet Protocol version
- 4 (IPv4) packet forwarding unless the system is a router.
- rules:
- - sysctl_net_ipv4_ip_forward
- status: automated
- - id: SLES-15-040381
- levels:
- - medium
- title: The SUSE operating system must not be performing Internet Protocol version
- 6 (IPv6) packet forwarding unless the system is a router.
- rules:
- - sysctl_net_ipv6_conf_all_forwarding
- status: automated
- - id: SLES-15-040382
- levels:
- - medium
- title: The SUSE operating system must not be performing Internet Protocol version
- 6 (IPv6) packet forwarding by default unless the system is a router.
- rules:
- - sysctl_net_ipv6_conf_default_forwarding
- status: automated
- - id: SLES-15-040390
- levels:
- - medium
- title: The SUSE operating system must not have network interfaces in promiscuous
- mode unless approved and documented.
- rules:
- - network_sniffer_disabled
- status: automated
- - id: SLES-15-040400
- levels:
- - medium
- title: All SUSE operating system files and directories must have a valid owner.
- rules:
- - no_files_unowned_by_user
- status: automated
- - id: SLES-15-040410
- levels:
- - medium
- title: All SUSE operating system files and directories must have a valid group owner.
- rules:
- - file_permissions_ungroupowned
- status: automated
- - id: SLES-15-040420
- levels:
- - medium
- title: The SUSE operating system default permissions must be defined in such a way
- that all authenticated users can only read and modify their own files.
- rules:
- - accounts_umask_etc_login_defs
- status: automated
- - id: SLES-15-040430
- levels:
- - high
- title: The SUSE operating system must not allow unattended or automatic logon via
- the graphical user interface (GUI).
- rules:
- - gnome_gdm_disable_unattended_automatic_login
- status: automated
- - id: SLES-15-040440
- levels:
- - high
- title: The SUSE operating system must not allow unattended or automatic logon via
- SSH.
- rules:
- - sshd_disable_empty_passwords
- - sshd_do_not_permit_user_env
- status: automated
- - id: SLES-15-020099
- levels:
- - medium
- title: The SUSE operating system must specify the default "include" directory for
- the /etc/sudoers file.
- rules:
- - sudoers_default_includedir
- status: automated
- - id: SLES-15-020104
- levels:
- - medium
- title: The SUSE operating system must not be configured to bypass password requirements
- for privilege escalation.
- rules:
- - disallow_bypass_password_sudo
- status: automated
- - id: SLES-15-020181
- levels:
- - high
- title: The SUSE operating system must not have accounts configured with blank or
- null passwords.
- rules:
- - no_empty_passwords_etc_shadow
- status: automated
- - id: SLES-15-040450
- levels:
- - medium
- title: The SUSE operating system SSH server must be configured to use only FIPS-validated
- key exchange algorithms.
- rules:
- - sshd_use_approved_kex_ordered_stig
- status: automated
- - id: SLES-15-010375
- levels:
- - low
- title: The SUSE operating system must restrict access to the kernel message buffer.
- rules:
- - sysctl_kernel_dmesg_restrict
- status: automated
- - id: SLES-15-010419
- levels:
- - medium
- title: The SUSE operating system must use a file integrity tool to verify correct
- operation of all security functions.
- rules:
- - aide_build_database
- - package_aide_installed
- status: automated
- - id: SLES-15-010418
- levels:
- - medium
- title: The SUSE operating system must be configured to allow sending email notifications
- of unauthorized configuration changes to designated personnel.
- rules:
- - package_mailx_installed
- status: automated
- - id: SLES-15-030015
- levels:
- - medium
- title: The SUSE operating system must audit any script or executable called by cron
- as root or by any privileged user.
- rules:
- - audit_rules_etc_cron_d
- - audit_rules_var_spool_cron
- status: automated
+- id: SLES-15-010000
+ levels:
+ - high
+ title: The SUSE operating system must be a vendor-supported release.
+ rules:
+ - installed_OS_is_vendor_supported
+ status: automated
+- id: SLES-15-010010
+ levels:
+ - medium
+ title: Vendor-packaged SUSE operating system security patches and updates must be
+ installed and up to date.
+ rules:
+ - security_patches_up_to_date
+ status: automated
+- id: SLES-15-010020
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DOD Notice
+ and Consent Banner before granting access via local console.
+ rules:
+ - banner_etc_issue
+ - login_banner_text=dod_banners
+ - login_banner_contents=dod_default
+ status: automated
+- id: SLES-15-010030
+ levels:
+ - high
+ title: The SUSE operating system must not have the vsftpd package installed if not
+ required for operational support.
+ rules:
+ - package_vsftpd_removed
+ status: automated
+- id: SLES-15-010040
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DOD Notice
+ and Consent Banner before granting access via SSH.
+ rules:
+ - sshd_enable_warning_banner
+ status: automated
+- id: SLES-15-010050
+ levels:
+ - medium
+ title: The SUSE operating system must display the Standard Mandatory DoD Notice
+ and Consent Banner until users acknowledge the usage conditions and take explicit
+ actions to log on for further access to the local graphical user interface (GUI).
+ rules:
+ - gui_login_dod_acknowledgement
+ status: automated
+- id: SLES-15-010060
+ levels:
+ - medium
+ title: The SUSE operating system file /etc/gdm/banner must contain the Standard
+ Mandatory DoD Notice and Consent banner text.
+ rules:
+ - banner_etc_gdm_banner
+ status: automated
+- id: SLES-15-010080
+ levels:
+ - medium
+ title: The SUSE operating system must display a banner before granting local or
+ remote access to the system via a graphical user logon.
+ rules:
+ - dconf_gnome_banner_enabled
+ status: automated
+- id: SLES-15-010090
+ levels:
+ - medium
+ title: The SUSE operating system must display the approved Standard Mandatory DoD
+ Notice before granting local or remote access to the system via a graphical user
+ logon.
+ rules:
+ - dconf_db_up_to_date
+ - dconf_gnome_login_banner_text
+ - dconf_login_banner_text=dod_banners
+ - dconf_login_banner_contents=dod_default
+ status: automated
+- id: SLES-15-010100
+ levels:
+ - medium
+ title: The SUSE operating system must be able to lock the graphical user interface
+ (GUI).
+ rules:
+ - dconf_gnome_screensaver_lock_enabled
+ status: automated
+- id: SLES-15-010110
+ levels:
+ - low
+ title: The SUSE operating system must utilize vlock to allow for session locking.
+ rules:
+ - vlock_installed
+ status: automated
+- id: SLES-15-010120
+ levels:
+ - medium
+ title: The SUSE operating system must initiate a session lock after a 15-minute
+ period of inactivity for the graphical user interface (GUI).
+ rules:
+ - dconf_gnome_screensaver_idle_delay
+ - inactivity_timeout_value=15_minutes
+ - dconf_gnome_session_idle_user_locks
+ status: automated
+- id: SLES-15-010130
+ levels:
+ - medium
+ title: The SUSE operating system must initiate a session lock after a 10-minute
+ period of inactivity.
+ rules:
+ - accounts_tmout
+ - var_accounts_tmout=10_min
+ status: automated
+- id: SLES-15-010140
+ levels:
+ - low
+ title: The SUSE operating system must conceal, via the session lock, information
+ previously visible on the display with a publicly viewable image in the graphical
+ user interface (GUI).
+ rules:
+ - dconf_gnome_screensaver_mode_blank
+ status: automated
+- id: SLES-15-010150
+ levels:
+ - medium
+ title: The SUSE operating system must log SSH connection attempts and failures to
+ the server.
+ rules:
+ - sshd_set_loglevel_verbose
+ status: automated
+- id: SLES-15-010160
+ levels:
+ - medium
+ title: The SUSE operating system must implement DOD-approved encryption to protect
+ the confidentiality of SSH remote connections.
+ rules:
+ - sshd_use_approved_ciphers
+ - sshd_use_approved_ciphers_ordered_stig
+ status: automated
+- id: SLES-15-010170
+ levels:
+ - medium
+ title: The SUSE operating system, for PKI-based authentication, must validate certificates
+ by constructing a certification path (which includes status information) to an
+ accepted trust anchor.
+ rules:
+ - smartcard_configure_ca
+ status: automated
+- id: SLES-15-010180
+ levels:
+ - high
+ title: The SUSE operating system must not have the telnet-server package installed.
+ rules:
+ - package_telnet-server_removed
+ status: automated
+- id: SLES-15-010190
+ levels:
+ - high
+ title: SUSE operating systems with a basic input/output system (BIOS) must require
+ authentication upon booting into single-user and maintenance modes.
+ rules:
+ - grub2_password
+ status: automated
+- id: SLES-15-010200
+ levels:
+ - high
+ title: SUSE operating systems with Unified Extensible Firmware Interface (UEFI)
+ implemented must require authentication upon booting into single-user mode and
+ maintenance.
+ rules:
+ - grub2_uefi_password
+ status: automated
+- id: SLES-15-010220
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to prohibit or restrict the
+ use of functions, ports, protocols, and/or services as defined in the Ports, Protocols,
+ and Services Management (PPSM) Category Assignments List (CAL) and vulnerability
+ assessments.
+ rules:
+ - package_firewalld_installed
+ - service_firewalld_enabled
+ status: automated
+- id: SLES-15-010230
+ levels:
+ - medium
+ title: The SUSE operating system must not have duplicate User IDs (UIDs) for interactive
+ users.
+ rules:
+ - account_unique_id
+ status: automated
+- id: SLES-15-010240
+ levels:
+ - medium
+ title: The SUSE operating system must disable the file system automounter.
+ rules:
+ - service_autofs_disabled
+ status: automated
+- id: SLES-15-010260
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing
+ algorithm for system authentication (login.defs).
+ rules:
+ - set_password_hashing_algorithm_logindefs
+ status: automated
+- id: SLES-15-010270
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must be configured to only use Message
+ Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
+ rules:
+ - sshd_use_approved_macs
+ - sshd_use_approved_macs_ordered_stig
+ status: automated
+- id: SLES-15-010280
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must be configured with a timeout interval.
+ rules:
+ - sshd_set_idle_timeout
+ - sshd_idle_timeout_value=10_minutes
+ status: automated
+- id: SLES-15-010300
+ levels:
+ - medium
+ title: The sticky bit must be set on all SUSE operating system world-writable directories.
+ rules:
+ - dir_perms_world_writable_sticky_bits
+ status: automated
+- id: SLES-15-010310
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to use TCP syncookies.
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
+- id: SLES-15-010320
+ levels:
+ - medium
+ title: The SUSE operating system, for all network connections associated with SSH
+ traffic, must immediately terminate at the end of the session or after 10 minutes
+ of inactivity.
+ rules:
+ - sshd_set_keepalive
+ - var_sshd_set_keepalive=1
+ - sshd_set_keepalive_0
+ status: automated
+- id: SLES-15-010330
+ levels:
+ - high
+ title: All SUSE operating system persistent disk partitions must implement cryptographic
+ mechanisms to prevent unauthorized disclosure or modification of all information
+ that requires at-rest protection.
+ rules:
+ - encrypt_partitions
+ status: automated
+- id: SLES-15-010340
+ levels:
+ - medium
+ title: The SUSE operating system must generate error messages that provide information
+ necessary for corrective actions without revealing information that could be exploited
+ by adversaries.
+ rules:
+ - permissions_local_var_log
+ status: automated
+- id: SLES-15-010350
+ levels:
+ - medium
+ title: The SUSE operating system must prevent unauthorized users from accessing
+ system error messages.
+ rules:
+ - file_permissions_local_var_log_messages
+ status: automated
+- id: SLES-15-010351
+ levels:
+ - medium
+ title: The SUSE operating system library files must have mode 0755 or less permissive.
+ rules:
+ - file_permissions_library_dirs
+ status: automated
+- id: SLES-15-010352
+ levels:
+ - medium
+ title: The SUSE operating system library directories must have mode 0755 or less
+ permissive.
+ rules:
+ - dir_permissions_library_dirs
+ status: automated
+- id: SLES-15-010353
+ levels:
+ - medium
+ title: The SUSE operating system library files must be owned by root.
+ rules:
+ - file_ownership_library_dirs
+ status: automated
+- id: SLES-15-010354
+ levels:
+ - medium
+ title: The SUSE operating system library directories must be owned by root.
+ rules:
+ - dir_ownership_library_dirs
+ status: automated
+- id: SLES-15-010355
+ levels:
+ - medium
+ title: The SUSE operating system library files must be group-owned by root.
+ rules:
+ - root_permissions_syslibrary_files
+ status: automated
+- id: SLES-15-010356
+ levels:
+ - medium
+ title: The SUSE operating system library directories must be group-owned by root.
+ rules:
+ - dir_group_ownership_library_dirs
+ status: automated
+- id: SLES-15-010357
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands set to a mode of 0755
+ or less permissive.
+ rules:
+ - file_permissions_system_commands_dirs
+ status: automated
+- id: SLES-15-010358
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ set to a mode of 0755 or less permissive.
+ rules:
+ - file_permissions_binary_dirs
+ status: automated
+- id: SLES-15-010359
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands owned by root.
+ rules:
+ - file_ownership_binary_dirs
+ status: automated
+- id: SLES-15-010360
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ owned by root.
+ rules:
+ - dir_system_commands_root_owned
+ status: automated
+- id: SLES-15-010361
+ levels:
+ - medium
+ title: The SUSE operating system must have system commands group-owned by root or
+ a system account.
+ rules:
+ - file_groupownership_system_commands_dirs
+ status: automated
+- id: SLES-15-010362
+ levels:
+ - medium
+ title: The SUSE operating system must have directories that contain system commands
+ group-owned by root.
+ rules:
+ - dir_system_commands_group_root_owned
+ status: automated
+- id: SLES-15-010370
+ levels:
+ - medium
+ title: The SUSE operating system must have a firewall system installed to immediately
+ disconnect or disable remote access to the whole operating system.
+ rules: []
+ status: pending
+- id: SLES-15-010380
+ levels:
+ - medium
+ title: The SUSE operating system wireless network adapters must be disabled unless
+ approved and documented.
+ rules:
+ - wireless_disable_interfaces
+ status: automated
+- id: SLES-15-010390
+ levels:
+ - medium
+ title: SUSE operating system AppArmor tool must be configured to control whitelisted
+ applications and user home directory access control.
+ rules:
+ - apparmor_configured
+ - package_pam_apparmor_installed
+ status: automated
+- id: SLES-15-010400
+ levels:
+ - medium
+ title: The SUSE operating system clock must, for networked systems, be synchronized
+ to an authoritative DOD time source at least every 24 hours.
+ rules:
+ - chronyd_or_ntpd_set_maxpoll
+ - var_time_service_set_maxpoll=18_hours
+ status: automated
+- id: SLES-15-010410
+ levels:
+ - low
+ title: The SUSE operating system must be configured to use Coordinated Universal
+ Time (UTC) or Greenwich Mean Time (GMT).
+ rules:
+ - ensure_rtc_utc_configuration
+ status: automated
+- id: SLES-15-010420
+ levels:
+ - medium
+ title: Advanced Intrusion Detection Environment (AIDE) must verify the baseline
+ SUSE operating system configuration at least weekly.
+ rules:
+ - aide_periodic_cron_checking
+ status: automated
+- id: SLES-15-010430
+ levels:
+ - high
+ title: The SUSE operating system tool zypper must have gpgcheck enabled.
+ rules:
+ - ensure_gpgcheck_globally_activated
+ status: automated
+- id: SLES-15-010450
+ levels:
+ - high
+ title: The SUSE operating system must reauthenticate users when changing authenticators,
+ roles, or escalating privileges.
+ rules:
+ - sudo_remove_no_authenticate
+ - sudo_remove_nopasswd
+ - sudo_require_authentication
+ status: automated
+- id: SLES-15-010460
+ levels:
+ - medium
+ title: The SUSE operating system must have the packages required for multifactor
+ authentication to be installed.
+ rules:
+ - install_smartcard_packages
+ status: automated
+- id: SLES-15-010470
+ levels:
+ - medium
+ title: The SUSE operating system must implement certificate status checking for
+ multifactor authentication.
+ rules:
+ - smartcard_configure_cert_checking
+ status: automated
+- id: SLES-15-010480
+ levels:
+ - medium
+ title: The SUSE operating system must disable the USB mass storage kernel module.
+ rules:
+ - kernel_module_usb-storage_disabled
+ status: automated
+- id: SLES-15-010490
+ levels:
+ - medium
+ title: If Network Security Services (NSS) is being used by the SUSE operating system
+ it must prohibit the use of cached authentications after one day.
+ rules:
+ - sssd_memcache_timeout
+ - var_sssd_memcache_timeout=1_day
+ status: automated
+- id: SLES-15-010500
+ levels:
+ - medium
+ title: The SUSE operating system must configure the Linux Pluggable Authentication
+ Modules (PAM) to prohibit the use of cached offline authentications after one
+ day.
+ rules:
+ - sssd_offline_cred_expiration
+ status: automated
+- id: SLES-15-010510
+ levels:
+ - high
+ title: FIPS 140-2 mode must be enabled on the SUSE operating system.
+ rules:
+ - is_fips_mode_enabled
+ status: automated
+- id: SLES-15-010530
+ levels:
+ - high
+ title: All networked SUSE operating systems must have and implement SSH to protect
+ the confidentiality and integrity of transmitted and received information, as
+ well as information during preparation for transmission.
+ rules:
+ - service_sshd_enabled
+ status: automated
+- id: SLES-15-010540
+ levels:
+ - medium
+ title: The SUSE operating system must implement kptr-restrict to prevent the leaking
+ of internal kernel addresses.
+ rules:
+ - sysctl_kernel_kptr_restrict
+ status: automated
+- id: SLES-15-010550
+ levels:
+ - medium
+ title: Address space layout randomization (ASLR) must be implemented by the SUSE
+ operating system to protect memory from unauthorized code execution.
+ rules:
+ - sysctl_kernel_randomize_va_space
+ status: automated
+- id: SLES-15-010560
+ levels:
+ - medium
+ title: The SUSE operating system must remove all outdated software components after
+ updated versions have been installed.
+ rules:
+ - clean_components_post_updating
+ status: automated
+- id: SLES-15-010570
+ levels:
+ - medium
+ title: The SUSE operating system must notify the System Administrator (SA) when
+ Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation
+ of any security functions.
+ rules:
+ - aide_periodic_checking_systemd_timer
+ - aide_scan_notification
+ status: automated
+- id: SLES-15-010580
+ levels:
+ - medium
+ title: The SUSE operating system must off-load rsyslog messages for networked systems
+ in real time and off-load standalone systems at least weekly.
+ rules:
+ - rsyslog_remote_loghost
+ status: automated
+- id: SLES-15-020000
+ levels:
+ - medium
+ title: The SUSE operating system must provision temporary accounts with an expiration
+ date for 72 hours.
+ rules: []
+ status: pending
+- id: SLES-15-020010
+ levels:
+ - medium
+ title: The SUSE operating system must lock an account after three consecutive invalid
+ access attempts.
+ rules:
+ - accounts_passwords_pam_tally2
+ - var_password_pam_tally2=3
+ status: automated
+- id: SLES-15-020020
+ levels:
+ - low
+ title: The SUSE operating system must limit the number of concurrent sessions to
+ 10 for all accounts and/or account types.
+ rules:
+ - accounts_max_concurrent_login_sessions
+ - var_accounts_max_concurrent_login_sessions=10
+ status: automated
+- id: SLES-15-020030
+ levels:
+ - medium
+ title: The SUSE operating system must implement multifactor authentication for access
+ to privileged accounts via pluggable authentication modules (PAM).
+ rules:
+ - smartcard_pam_enabled
+ status: automated
+- id: SLES-15-020040
+ levels:
+ - medium
+ title: The SUSE operating system must deny direct logons to the root account using
+ remote access via SSH.
+ rules:
+ - sshd_disable_root_login
+ status: automated
+- id: SLES-15-020050
+ levels:
+ - medium
+ title: The SUSE operating system must disable account identifiers (individuals,
+ groups, roles, and devices) after 35 days of inactivity after password expiration.
+ rules:
+ - account_disable_post_pw_expiration
+ - var_account_disable_post_pw_expiration=35
+ status: automated
+- id: SLES-15-020060
+ levels:
+ - medium
+ title: The SUSE operating system must never automatically remove or disable emergency
+ administrator accounts.
+ rules:
+ - account_emergency_admin
+ status: manual
+- id: SLES-15-020090
+ levels:
+ - medium
+ title: The SUSE operating system must not have unnecessary accounts.
+ rules:
+ - accounts_authorized_local_users
+ # NOTE: must configure "var_accounts_authorized_local_users_regex"
+ # when the rule "accounts_authorized_local_users" is enabled
+ # - var_accounts_authorized_local_users_regex=
+ - var_accounts_authorized_local_users_regex=sle15
+ status: automated
+- id: SLES-15-020091
+ levels:
+ - medium
+ title: The SUSE operating system must not have unnecessary account capabilities.
+ rules:
+ - no_shelllogin_for_systemaccounts
+ status: automated
+- id: SLES-15-020100
+ levels:
+ - high
+ title: The SUSE operating system root account must be the only account with unrestricted
+ access to the system.
+ rules:
+ - accounts_no_uid_except_zero
+ status: automated
+- id: SLES-15-020101
+ levels:
+ - medium
+ title: The SUSE operating system must restrict privilege elevation to authorized
+ personnel.
+ rules:
+ - sudo_restrict_privilege_elevation_to_authorized
+ status: automated
+- id: SLES-15-020102
+ levels:
+ - medium
+ title: The SUSE operating system must require reauthentication when using the "sudo"
+ command.
+ rules:
+ - sudo_require_reauthentication
+ - var_sudo_timestamp_timeout=always_prompt
+ status: automated
+- id: SLES-15-020103
+ levels:
+ - medium
+ title: The SUSE operating system must use the invoking user's password for privilege
+ escalation when using "sudo".
+ rules:
+ - sudoers_validate_passwd
+ status: automated
+- id: SLES-15-020110
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user accounts, upon creation,
+ must be assigned a home directory.
+ rules:
+ - accounts_have_homedir_login_defs
+ status: automated
+- id: SLES-15-020120
+ levels:
+ - medium
+ title: The SUSE operating system must display the date and time of the last successful
+ account logon upon an SSH logon.
+ rules:
+ - sshd_print_last_log
+ status: automated
+- id: SLES-15-020130
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ uppercase character.
+ rules:
+ - cracklib_accounts_password_pam_ucredit
+ - var_password_pam_ucredit=1
+ status: automated
+- id: SLES-15-020140
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ lowercase character.
+ rules:
+ - cracklib_accounts_password_pam_lcredit
+ - var_password_pam_lcredit=1
+ status: automated
+- id: SLES-15-020150
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ numeric character.
+ rules:
+ - cracklib_accounts_password_pam_dcredit
+ - var_password_pam_dcredit=1
+ status: automated
+- id: SLES-15-020160
+ levels:
+ - medium
+ title: The SUSE operating system must require the change of at least eight of the
+ total number of characters when passwords are changed.
+ rules:
+ - cracklib_accounts_password_pam_difok
+ status: automated
+- id: SLES-15-020170
+ levels:
+ - medium
+ title: The SUSE operating system must configure the Linux Pluggable Authentication
+ Modules (PAM) to only store encrypted representations of passwords.
+ rules:
+ - set_password_hashing_algorithm_systemauth
+ status: automated
+- id: SLES-15-020180
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing
+ algorithms for all stored passwords.
+ rules:
+ - accounts_password_all_shadowed_sha512
+ status: automated
+- id: SLES-15-020190
+ levels:
+ - medium
+ title: The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing
+ algorithms for all stored passwords.
+ rules:
+ - set_password_hashing_min_rounds_logindefs
+ - var_password_hashing_min_rounds_login_defs=100000
+ status: automated
+- id: SLES-15-020200
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to create or update passwords
+ with a minimum lifetime of 24 hours (one day).
+ rules:
+ - accounts_minimum_age_login_defs
+ - var_accounts_minimum_age_login_defs=7
+ status: automated
+- id: SLES-15-020210
+ levels:
+ - medium
+ title: The SUSE operating system must employ user passwords with a minimum lifetime
+ of 24 hours (one day).
+ rules:
+ - accounts_password_set_min_life_existing
+ status: automated
+- id: SLES-15-020220
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to create or update passwords
+ with a maximum lifetime of 60 days.
+ rules:
+ - accounts_maximum_age_login_defs
+ - var_accounts_maximum_age_login_defs=60
+ status: automated
+- id: SLES-15-020230
+ levels:
+ - medium
+ title: The SUSE operating system must employ user passwords with a maximum lifetime
+ of 60 days.
+ rules:
+ - accounts_password_set_max_life_existing
+ status: automated
+- id: SLES-15-020260
+ levels:
+ - medium
+ title: The SUSE operating system must employ passwords with a minimum of 15 characters.
+ rules:
+ - cracklib_accounts_password_pam_minlen
+ - var_password_pam_minlen=15
+ status: automated
+- id: SLES-15-020270
+ levels:
+ - medium
+ title: The SUSE operating system must enforce passwords that contain at least one
+ special character.
+ rules:
+ - cracklib_accounts_password_pam_ocredit
+ - var_password_pam_ocredit=1
+ status: automated
+- id: SLES-15-020290
+ levels:
+ - medium
+ title: The SUSE operating system must prevent the use of dictionary words for passwords.
+ rules:
+ - cracklib_accounts_password_pam_retry
+ status: automated
+- id: SLES-15-020300
+ levels:
+ - high
+ title: The SUSE operating system must not be configured to allow blank or null passwords.
+ rules:
+ - no_empty_passwords
+ status: automated
+- id: SLES-15-030000
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/passwd.
+ rules:
+ - audit_rules_usergroup_modification_passwd
+ status: automated
+- id: SLES-15-030010
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/group.
+ rules:
+ - audit_rules_usergroup_modification_group
+ status: automated
+- id: SLES-15-030020
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/shadow.
+ rules:
+ - audit_rules_usergroup_modification_shadow
+ status: automated
+- id: SLES-15-030030
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/security/opasswd.
+ rules:
+ - audit_rules_usergroup_modification_opasswd
+ status: automated
+- id: SLES-15-030040
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all account creations,
+ modifications, disabling, and termination events that affect /etc/gshadow.
+ rules:
+ - audit_rules_usergroup_modification_gshadow
+ status: automated
+- id: SLES-15-030050
+ levels:
+ - medium
+ title: SUSE operating system audit records must contain information to establish
+ what type of events occurred, the source of events, where events occurred, and
+ the outcome of events.
+ rules:
+ - service_auditd_enabled
+ status: automated
+- id: SLES-15-030060
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ ssh-keysign command.
+ rules:
+ - audit_rules_privileged_commands_ssh_keysign
+ status: automated
+- id: SLES-15-030070
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ passwd command.
+ rules:
+ - audit_rules_privileged_commands_passwd
+ status: automated
+- id: SLES-15-030080
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ gpasswd command.
+ rules:
+ - audit_rules_privileged_commands_gpasswd
+ status: automated
+- id: SLES-15-030090
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ newgrp command.
+ rules:
+ - audit_rules_privileged_commands_newgrp
+ status: automated
+- id: SLES-15-030100
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for a uses of the chsh
+ command.
+ rules:
+ - audit_rules_privileged_commands_chsh
+ status: automated
+- id: SLES-15-030110
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ unix_chkpwd or unix2_chkpwd commands.
+ rules:
+ - audit_rules_privileged_commands_unix2_chkpwd
+ - audit_rules_privileged_commands_unix_chkpwd
+ status: automated
+- id: SLES-15-030120
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chage command.
+ rules:
+ - audit_rules_privileged_commands_chage
+ status: automated
+- id: SLES-15-030130
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ crontab command.
+ rules:
+ - audit_rules_privileged_commands_crontab
+ status: automated
+- id: SLES-15-030140
+ levels:
+ - medium
+ title: The SUSE operating system must audit all uses of the sudoers file and all
+ files in the /etc/sudoers.d/ directory.
+ rules:
+ - audit_rules_sysadmin_actions
+ status: automated
+- id: SLES-15-030150
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.
+ rules:
+ - audit_rules_unsuccessful_file_modification_creat
+ - audit_rules_unsuccessful_file_modification_ftruncate
+ - audit_rules_unsuccessful_file_modification_open
+ - audit_rules_unsuccessful_file_modification_open_by_handle_at
+ - audit_rules_unsuccessful_file_modification_openat
+ - audit_rules_unsuccessful_file_modification_truncate
+ status: automated
+- id: SLES-15-030190
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system
+ calls.
+ rules:
+ - audit_rules_dac_modification_fremovexattr
+ - audit_rules_dac_modification_fsetxattr
+ - audit_rules_dac_modification_lremovexattr
+ - audit_rules_dac_modification_lsetxattr
+ - audit_rules_dac_modification_removexattr
+ - audit_rules_dac_modification_setxattr
+ status: automated
+- id: SLES-15-030250
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chown, fchown, fchownat, and lchown system calls.
+ rules:
+ - audit_rules_dac_modification_chown
+ - audit_rules_dac_modification_fchown
+ - audit_rules_dac_modification_fchownat
+ - audit_rules_dac_modification_lchown
+ status: automated
+- id: SLES-15-030290
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chmod, fchmod, and fchmodat system calls.
+ rules:
+ - audit_rules_dac_modification_chmod
+ - audit_rules_dac_modification_fchmod
+ - audit_rules_dac_modification_fchmodat
+ status: automated
+- id: SLES-15-030330
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ sudoedit command.
+ rules:
+ - audit_rules_privileged_commands_sudoedit
+ status: automated
+- id: SLES-15-030340
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ chfn command.
+ rules:
+ - audit_rules_privileged_commands_chfn
+ status: automated
+- id: SLES-15-030350
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ mount system call.
+ rules:
+ - audit_rules_media_export
+ status: automated
+- id: SLES-15-030360
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ umount system call.
+ rules:
+ - audit_rules_dac_modification_umount
+ - audit_rules_dac_modification_umount2
+ status: automated
+- id: SLES-15-030370
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ ssh-agent command.
+ rules:
+ - audit_rules_privileged_commands_ssh_agent
+ status: automated
+- id: SLES-15-030380
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ insmod command.
+ rules:
+ - audit_rules_privileged_commands_insmod
+ status: automated
+- id: SLES-15-030390
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ rmmod command.
+ rules:
+ - audit_rules_privileged_commands_rmmod
+ status: automated
+- id: SLES-15-030400
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ modprobe command.
+ rules:
+ - audit_rules_privileged_commands_modprobe
+ status: automated
+- id: SLES-15-030410
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ kmod command.
+ rules:
+ - audit_rules_privileged_commands_kmod
+ status: automated
+- id: SLES-15-030420
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chmod command.
+ rules:
+ - audit_rules_execution_chmod
+ status: automated
+- id: SLES-15-030430
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ setfacl command.
+ rules:
+ - audit_rules_execution_setfacl
+ status: automated
+- id: SLES-15-030440
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chacl command.
+ rules:
+ - audit_rules_execution_chacl
+ status: automated
+- id: SLES-15-030450
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ chcon command.
+ rules:
+ - audit_rules_execution_chcon
+ status: automated
+- id: SLES-15-030460
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ rm command.
+ rules:
+ - audit_rules_execution_rm
+ status: automated
+- id: SLES-15-030470
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all modifications
+ to the tallylog file must generate an audit record.
+ rules:
+ - audit_rules_login_events_tallylog
+ status: automated
+- id: SLES-15-030480
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all modifications
+ to the lastlog file.
+ rules:
+ - audit_rules_login_events_lastlog
+ status: automated
+- id: SLES-15-030490
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ passmass command.
+ rules:
+ - audit_rules_privileged_commands_passmass
+ status: automated
+- id: SLES-15-030500
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ usermod command.
+ rules:
+ - audit_rules_privileged_commands_usermod
+ status: automated
+- id: SLES-15-030510
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ pam_timestamp_check command.
+ rules:
+ - audit_rules_privileged_commands_pam_timestamp_check
+ status: automated
+- id: SLES-15-030520
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ delete_module system call.
+ rules:
+ - audit_rules_kernel_module_loading_delete
+ status: automated
+- id: SLES-15-030530
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ init_module and finit_module system calls.
+ rules:
+ - audit_rules_kernel_module_loading_finit
+ - audit_rules_kernel_module_loading_init
+ status: automated
+- id: SLES-15-030550
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ su command.
+ rules:
+ - audit_rules_privileged_commands_su
+ status: automated
+- id: SLES-15-030560
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ sudo command.
+ rules:
+ - audit_rules_privileged_commands_sudo
+ status: automated
+- id: SLES-15-030570
+ levels:
+ - medium
+ title: The Information System Security Officer (ISSO) and System Administrator (SA),
+ at a minimum, must be alerted of a SUSE operating system audit processing failure
+ event.
+ rules:
+ - auditd_data_retention_action_mail_acct
+ status: automated
+- id: SLES-15-030580
+ levels:
+ - medium
+ title: The Information System Security Officer (ISSO) and System Administrator (SA),
+ at a minimum, must have mail aliases to be notified of a SUSE operating system
+ audit processing failure.
+ rules:
+ - postfix_client_configure_mail_alias
+ status: automated
+- id: SLES-15-030590
+ levels:
+ - medium
+ title: The SUSE operating system audit system must take appropriate action when
+ the audit storage volume is full.
+ rules:
+ - auditd_data_disk_full_action
+ - var_auditd_disk_full_action=syslog
+ status: automated
+- id: SLES-15-030600
+ levels:
+ - medium
+ title: The SUSE operating system must protect audit rules from unauthorized modification.
+ rules:
+ - permissions_local_var_log_audit
+ status: automated
+- id: SLES-15-030620
+ levels:
+ - medium
+ title: The SUSE operating system audit tools must have the proper permissions configured
+ to protect against unauthorized access.
+ rules:
+ - permissions_local_audit_binaries
+ status: automated
+- id: SLES-15-030630
+ levels:
+ - medium
+ title: The SUSE operating system file integrity tool must be configured to protect
+ the integrity of the audit tools.
+ rules:
+ - aide_check_audit_tools
+ status: automated
+- id: SLES-15-030640
+ levels:
+ - low
+ title: The SUSE operating system must generate audit records for all uses of the
+ privileged functions.
+ rules:
+ - audit_rules_suid_privilege_function
+ status: automated
+- id: SLES-15-030650
+ levels:
+ - medium
+ title: The SUSE operating system must have the auditing package installed.
+ rules:
+ - package_audit_installed
+ status: automated
+- id: SLES-15-030660
+ levels:
+ - medium
+ title: The SUSE operating system must allocate audit record storage capacity to
+ store at least one week of audit records when audit records are not immediately
+ sent to a central audit record storage facility.
+ rules:
+ - auditd_audispd_configure_sufficiently_large_partition
+ status: manual
+- id: SLES-15-030670
+ levels:
+ - medium
+ title: The audit-audispd-plugins must be installed on the SUSE operating system.
+ rules:
+ - package_audit-audispd-plugins_installed
+ status: automated
+- id: SLES-15-030680
+ levels:
+ - low
+ title: The SUSE operating system audit event multiplexor must be configured to use
+ Kerberos.
+ rules:
+ - auditd_audispd_encrypt_sent_records
+ status: automated
+- id: SLES-15-030690
+ levels:
+ - low
+ title: Audispd must off-load audit records onto a different system or media from
+ the SUSE operating system being audited.
+ rules:
+ - auditd_audispd_configure_remote_server
+ # NOTE: must configure "var_audispd_remote_server" when the
+ # rule "auditd_audispd_configure_remote_server" is enabled
+ # - var_audispd_remote_server=
+ status: automated
+- id: SLES-15-030700
+ levels:
+ - medium
+ title: The SUSE operating system auditd service must notify the System Administrator
+ (SA) and Information System Security Officer (ISSO) immediately when audit storage
+ capacity is 75 percent full.
+ rules:
+ - auditd_data_retention_space_left
+ status: automated
+- id: SLES-15-030740
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for all uses of the
+ unlink, unlinkat, rename, renameat, and rmdir system calls.
+ rules:
+ - audit_rules_unsuccessful_file_modification_rename
+ - audit_rules_unsuccessful_file_modification_renameat
+ - audit_rules_unsuccessful_file_modification_renameat2
+ - audit_rules_unsuccessful_file_modification_unlink
+ - audit_rules_unsuccessful_file_modification_unlinkat
+ status: automated
+- id: SLES-15-030760
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for the /run/utmp file.
+ rules:
+ - audit_rules_session_events_utmp
+ status: automated
+- id: SLES-15-030770
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for the /var/log/wtmp
+ file.
+ rules:
+ - audit_rules_session_events_wtmp
+ status: automated
+- id: SLES-15-030780
+ levels:
+ - medium
+ title: The SUSE operating system must generate audit records for the /var/log/btmp
+ file.
+ rules:
+ - audit_rules_session_events_btmp
+ status: automated
+- id: SLES-15-030790
+ levels:
+ - medium
+ title: The SUSE operating system must off-load audit records onto a different system
+ or media from the system being audited.
+ rules:
+ - auditd_audispd_network_failure_action
+ status: automated
+- id: SLES-15-030800
+ levels:
+ - medium
+ title: Audispd must take appropriate action when the SUSE operating system audit
+ storage is full.
+ rules:
+ - auditd_audispd_disk_full_action
+ status: automated
+- id: SLES-15-030810
+ levels:
+ - low
+ title: The SUSE operating system must use a separate file system for the system
+ audit data path.
+ rules:
+ - partition_for_var_log_audit
+ status: automated
+- id: SLES-15-030820
+ levels:
+ - medium
+ title: The SUSE operating system must not disable syscall auditing.
+ rules:
+ - audit_rules_enable_syscall_auditing
+ status: automated
+- id: SLES-15-040000
+ levels:
+ - medium
+ title: The SUSE operating system must enforce a delay of at least four seconds between
+ logon prompts following a failed logon attempt.
+ rules: []
+ status: pending
+- id: SLES-15-040010
+ levels:
+ - medium
+ title: The SUSE operating system must enforce a delay of at least four seconds between
+ logon prompts following a failed logon attempt.
+ rules:
+ - accounts_passwords_pam_faildelay_delay
+ - var_accounts_fail_delay=4
+ - var_password_pam_delay=4000000
+ status: automated
+- id: SLES-15-040020
+ levels:
+ - high
+ title: There must be no .shosts files on the SUSE operating system.
+ rules:
+ - no_user_host_based_files
+ status: automated
+- id: SLES-15-040030
+ levels:
+ - high
+ title: There must be no shosts.equiv files on the SUSE operating system.
+ rules:
+ - no_host_based_files
+ status: automated
+- id: SLES-15-040040
+ levels:
+ - low
+ title: The SUSE operating system file integrity tool must be configured to verify
+ Access Control Lists (ACLs).
+ rules:
+ - aide_verify_acls
+ status: automated
+- id: SLES-15-040050
+ levels:
+ - low
+ title: The SUSE operating system file integrity tool must be configured to verify
+ extended attributes.
+ rules:
+ - aide_verify_ext_attributes
+ status: automated
+- id: SLES-15-040060
+ levels:
+ - high
+ title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
+ rules:
+ - disable_ctrlaltdel_reboot
+ status: automated
+- id: SLES-15-040061
+ levels:
+ - high
+ title: The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence
+ for Graphical User Interfaces.
+ rules:
+ - enable_dconf_user_profile
+ status: automated
+- id: SLES-15-040062
+ levels:
+ - high
+ title: The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst
+ key sequence.
+ rules:
+ - disable_ctrlaltdel_burstaction
+ status: automated
+- id: SLES-15-040070
+ levels:
+ - medium
+ title: All SUSE operating system local interactive users must have a home directory
+ assigned in the /etc/passwd file.
+ rules:
+ - accounts_user_interactive_home_directory_defined
+ status: automated
+- id: SLES-15-040080
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user home directories defined
+ in the /etc/passwd file must exist.
+ rules:
+ - accounts_user_interactive_home_directory_exists
+ status: automated
+- id: SLES-15-040090
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user home directories must have
+ mode 0750 or less permissive.
+ rules:
+ - file_permissions_home_directories
+ status: automated
+- id: SLES-15-040100
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user home directories must be
+ group-owned by the home directory owner's primary group.
+ rules:
+ - file_groupownership_home_directories
+ status: automated
+- id: SLES-15-040110
+ levels:
+ - medium
+ title: All SUSE operating system local initialization files must have mode 0740
+ or less permissive.
+ rules:
+ - file_permission_user_init_files
+ status: automated
+- id: SLES-15-040120
+ levels:
+ - medium
+ title: All SUSE operating system local interactive user initialization files executable
+ search paths must contain only paths that resolve to the users home directory.
+ rules:
+ - accounts_user_home_paths_only
+ status: manual
+- id: SLES-15-040130
+ levels:
+ - medium
+ title: All SUSE operating system local initialization files must not execute world-writable
+ programs.
+ rules:
+ - accounts_user_dot_no_world_writable_programs
+ status: automated
+- id: SLES-15-040140
+ levels:
+ - medium
+ title: SUSE operating system file systems that contain user home directories must
+ be mounted to prevent files with the setuid and setgid bit set from being executed.
+ rules:
+ - mount_option_home_nosuid
+ status: automated
+- id: SLES-15-040150
+ levels:
+ - medium
+ title: SUSE operating system file systems that are used with removable media must
+ be mounted to prevent files with the setuid and setgid bit set from being executed.
+ rules:
+ - mount_option_nosuid_removable_partitions
+ - var_removable_partition=dev_cdrom
+ status: automated
+- id: SLES-15-040160
+ levels:
+ - medium
+ title: SUSE operating system file systems that are being imported via Network File
+ System (NFS) must be mounted to prevent files with the setuid and setgid bit set
+ from being executed.
+ rules:
+ - mount_option_nosuid_remote_filesystems
+ status: automated
+- id: SLES-15-040170
+ levels:
+ - medium
+ title: SUSE operating system file systems that are being imported via Network File
+ System (NFS) must be mounted to prevent binary files from being executed.
+ rules:
+ - mount_option_noexec_remote_filesystems
+ status: automated
+- id: SLES-15-040180
+ levels:
+ - medium
+ title: All SUSE operating system world-writable directories must be group-owned
+ by root, sys, bin, or an application group.
+ rules:
+ - dir_perms_world_writable_system_owned_group
+ status: automated
+- id: SLES-15-040190
+ levels:
+ - medium
+ title: SUSE operating system kernel core dumps must be disabled unless needed.
+ rules:
+ - service_kdump_disabled
+ status: automated
+- id: SLES-15-040200
+ levels:
+ - low
+ title: A separate file system must be used for SUSE operating system user home directories
+ (such as /home or an equivalent).
+ rules:
+ - partition_for_home
+ status: automated
+- id: SLES-15-040210
+ levels:
+ - low
+ title: The SUSE operating system must use a separate file system for /var.
+ rules:
+ - partition_for_var
+ status: automated
+- id: SLES-15-040220
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to not overwrite Pluggable Authentication
+ Modules (PAM) configuration on package changes.
+ rules:
+ - pam_disable_automatic_configuration
+ status: automated
+- id: SLES-15-040230
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must be configured to not allow authentication
+ using known hosts authentication.
+ rules:
+ - sshd_disable_user_known_hosts
+ status: automated
+- id: SLES-15-040240
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon public host key files must have mode
+ 0644 or less permissive.
+ rules:
+ - file_permissions_sshd_pub_key
+ status: automated
+- id: SLES-15-040250
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon private host key files must have mode
+ 0640 or less permissive.
+ rules:
+ - file_permissions_sshd_private_key
+ status: automated
+- id: SLES-15-040260
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must perform strict mode checking of
+ home directory configuration files.
+ rules:
+ - sshd_enable_strictmodes
+ status: automated
+- id: SLES-15-040290
+ levels:
+ - medium
+ title: The SUSE operating system SSH daemon must disable forwarded remote X connections
+ for interactive users, unless to fulfill documented and validated mission requirements.
+ rules:
+ - sshd_disable_x11_forwarding
+ status: automated
+- id: SLES-15-040300
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4)
+ source-routed packets.
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ status: automated
+- id: SLES-15-040310
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6)
+ source-routed packets.
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ status: automated
+- id: SLES-15-040320
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 4 (IPv4)
+ source-routed packets by default.
+ rules:
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ status: automated
+- id: SLES-15-040321
+ levels:
+ - medium
+ title: The SUSE operating system must not forward Internet Protocol version 6 (IPv6)
+ source-routed packets by default.
+ rules:
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ status: automated
+- id: SLES-15-040330
+ levels:
+ - medium
+ title: The SUSE operating system must prevent Internet Protocol version 4 (IPv4)
+ Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ status: automated
+- id: SLES-15-040340
+ levels:
+ - medium
+ title: The SUSE operating system must not allow interfaces to accept Internet Protocol
+ version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by
+ default.
+ rules:
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ status: automated
+- id: SLES-15-040341
+ levels:
+ - medium
+ title: The SUSE operating system must prevent Internet Protocol version 6 (IPv6)
+ Internet Control Message Protocol (ICMP) redirect messages from being accepted.
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ status: automated
+- id: SLES-15-040350
+ levels:
+ - medium
+ title: The SUSE operating system must not allow interfaces to accept Internet Protocol
+ version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by
+ default.
+ rules:
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ status: automated
+- id: SLES-15-040360
+ levels:
+ - medium
+ title: The SUSE operating system must not allow interfaces to send Internet Protocol
+ version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by
+ default.
+ rules:
+ - sysctl_net_ipv4_conf_default_send_redirects
+ status: automated
+- id: SLES-15-040370
+ levels:
+ - medium
+ title: The SUSE operating system must not send Internet Protocol version 4 (IPv4)
+ Internet Control Message Protocol (ICMP) redirects.
+ rules:
+ - sysctl_net_ipv4_conf_all_send_redirects
+ status: automated
+- id: SLES-15-040380
+ levels:
+ - medium
+ title: The SUSE operating system must not be performing Internet Protocol version
+ 4 (IPv4) packet forwarding unless the system is a router.
+ rules:
+ - sysctl_net_ipv4_ip_forward
+ status: automated
+- id: SLES-15-040381
+ levels:
+ - medium
+ title: The SUSE operating system must not be performing Internet Protocol version
+ 6 (IPv6) packet forwarding unless the system is a router.
+ rules:
+ - sysctl_net_ipv6_conf_all_forwarding
+ status: automated
+- id: SLES-15-040382
+ levels:
+ - medium
+ title: The SUSE operating system must not be performing Internet Protocol version
+ 6 (IPv6) packet forwarding by default unless the system is a router.
+ rules:
+ - sysctl_net_ipv6_conf_default_forwarding
+ status: automated
+- id: SLES-15-040390
+ levels:
+ - medium
+ title: The SUSE operating system must not have network interfaces in promiscuous
+ mode unless approved and documented.
+ rules:
+ - network_sniffer_disabled
+ status: automated
+- id: SLES-15-040400
+ levels:
+ - medium
+ title: All SUSE operating system files and directories must have a valid owner.
+ rules:
+ - no_files_unowned_by_user
+ status: automated
+- id: SLES-15-040410
+ levels:
+ - medium
+ title: All SUSE operating system files and directories must have a valid group owner.
+ rules:
+ - file_permissions_ungroupowned
+ status: automated
+- id: SLES-15-040420
+ levels:
+ - medium
+ title: The SUSE operating system default permissions must be defined in such a way
+ that all authenticated users can only read and modify their own files.
+ rules:
+ - accounts_umask_etc_login_defs
+ status: automated
+- id: SLES-15-040430
+ levels:
+ - high
+ title: The SUSE operating system must not allow unattended or automatic logon via
+ the graphical user interface (GUI).
+ rules:
+ - gnome_gdm_disable_unattended_automatic_login
+ status: automated
+- id: SLES-15-040440
+ levels:
+ - high
+ title: The SUSE operating system must not allow unattended or automatic logon via
+ SSH.
+ rules:
+ - sshd_disable_empty_passwords
+ - sshd_do_not_permit_user_env
+ status: automated
+- id: SLES-15-020099
+ levels:
+ - medium
+ title: The SUSE operating system must specify the default "include" directory for
+ the /etc/sudoers file.
+ rules:
+ - sudoers_default_includedir
+ status: automated
+- id: SLES-15-020104
+ levels:
+ - medium
+ title: The SUSE operating system must not be configured to bypass password requirements
+ for privilege escalation.
+ rules:
+ - disallow_bypass_password_sudo
+ status: automated
+- id: SLES-15-020181
+ levels:
+ - high
+ title: The SUSE operating system must not have accounts configured with blank or
+ null passwords.
+ rules:
+ - no_empty_passwords_etc_shadow
+ status: automated
+- id: SLES-15-040450
+ levels:
+ - medium
+ title: The SUSE operating system SSH server must be configured to use only FIPS-validated
+ key exchange algorithms.
+ rules:
+ - sshd_use_approved_kex_ordered_stig
+ status: automated
+- id: SLES-15-010375
+ levels:
+ - low
+ title: The SUSE operating system must restrict access to the kernel message buffer.
+ rules:
+ - sysctl_kernel_dmesg_restrict
+ status: automated
+- id: SLES-15-010419
+ levels:
+ - medium
+ title: The SUSE operating system must use a file integrity tool to verify correct
+ operation of all security functions.
+ rules:
+ - aide_build_database
+ - package_aide_installed
+ status: automated
+- id: SLES-15-010418
+ levels:
+ - medium
+ title: The SUSE operating system must be configured to allow sending email notifications
+ of unauthorized configuration changes to designated personnel.
+ rules:
+ - package_mailx_installed
+ status: automated
+- id: SLES-15-030015
+ levels:
+ - medium
+ title: The SUSE operating system must audit any script or executable called by cron
+ as root or by any privileged user.
+ rules:
+ - audit_rules_etc_cron_d
+ - audit_rules_var_spool_cron
+ status: automated