Merge pull request #12395 from svet-se/slmicro5-stig-add-services-and…

…-software-rules-support Slmicro5 stig add services and software rules support
ComplianceAsCode · Sep 23, 2024 · b8bb026 · b8bb026
2 parents 4a8073c + 7de4e56
commit b8bb026
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 27 deletions.
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
@@ -32,7 +32,8 @@ controls:
           SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner
           before granting any local or remote connection to the system.
       rules:
-          - sshd_enable_warning_banner
+          - banner_etc_issue
+          - login_banner_text=dod_banners
       status: automated
 
     - id: SLEM-05-211025
@@ -234,8 +235,9 @@ controls:
       title:
           SLEM 5 must have directories that contain system commands set to a mode of
           755 or less permissive.
-      rules: []
-      status: pending
+      rules:
+          - dir_permissions_binary_dirs
+      status: automated
 
     - id: SLEM-05-232015
       levels:
@@ -249,15 +251,17 @@ controls:
       levels:
           - medium
       title: SLEM 5 library directories must have mode 755 or less permissive.
-      rules: []
-      status: pending
+      rules:
+          - dir_permissions_library_dirs
+      status: automated
 
     - id: SLEM-05-232025
       levels:
           - medium
       title: SLEM 5 library files must have mode 755 or less permissive.
-      rules: []
-      status: pending
+      rules:
+          - file_permissions_library_dirs
+      status: automated
 
     - id: SLEM-05-232030
       levels:
@@ -297,35 +301,33 @@ controls:
       levels:
           - medium
       title: SLEM 5 library files must be owned by root.
-      rules: []
-      status: pending
+      rules:
+          - file_ownership_library_dirs
+      status: automated
 
     - id: SLEM-05-232055
       levels:
           - medium
       title: SLEM 5 library files must be group-owned by root.
-      rules: []
-      status: pending
+      rules:
+          - root_permissions_syslibrary_files
+      status: automated
 
     - id: SLEM-05-232060
       levels:
           - medium
       title: SLEM 5 library directories must be owned by root.
       rules:
-        - dir_group_ownership_library_dirs
         - dir_ownership_library_dirs
-        - dir_permissions_library_dirs
-        - file_ownership_library_dirs
-        - file_permissions_library_dirs
-        - root_permissions_syslibrary_files
       status: automated
 
     - id: SLEM-05-232065
       levels:
           - medium
       title: SLEM 5 library directories must be group-owned by root.
-      rules: []
-      status: pending
+      rules:
+          - dir_group_ownership_library_dirs
+      status: automated
 
     - id: SLEM-05-232070
       levels:
@@ -617,8 +619,9 @@ controls:
       title:
           SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner
           before granting access via SSH.
-      rules: []
-      status: pending
+      rules:
+          - sshd_enable_warning_banner
+      status: automated
 
     - id: SLEM-05-255025
       levels:
@@ -948,7 +951,7 @@ controls:
       rules:
           - accounts_passwords_pam_tally2
           - var_password_pam_tally2=3
-      status: pending
+      status: automated
 
     - id: SLEM-05-412025
       levels:

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
@@ -1,11 +1,11 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = unknown
 # complexity = low
 # disruption = medium
 {{{ ansible_instantiate_variables("login_banner_text") }}}
 
-{{%- if product not in ['sle15'] -%}}
+{{%- if product not in ['sle15', 'slmicro5'] -%}}
 - name: "{{{ rule_title }}} - Ensure Correct Banner"
   copy:
     dest: /etc/issue

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 {{{ bash_instantiate_variables("login_banner_text") }}}
 
@@ -16,7 +16,7 @@
 {{{ bash_deregexify_banner_backslash("login_banner_text") }}}
 formatted=$(echo "$login_banner_text" | fold -sw 80)
 
-{{%- if product not in ['sle15'] %}}
+{{%- if product not in ['sle15', 'slmicro5'] %}}
 cat <<EOF >/etc/issue
 $formatted
 EOF

diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/rule.yml
@@ -100,6 +100,7 @@ identifiers:
     cce@rhel10: CCE-88261-3
     cce@sle12: CCE-83054-7
     cce@sle15: CCE-83262-6
+    cce@slmicro5: CCE-93802-7
 
 references:
     cis-csc: 1,12,15,16

diff --git a/.../permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml b/.../permissions/files/permissions_within_important_dirs/dir_permissions_binary_dirs/rule.yml
@@ -21,6 +21,9 @@ rationale: |-
     and restrictive permissions are necessary to ensure execution of these programs
     cannot be co-opted.
 
+identifiers:
+    cce@slmicro5: CCE-93801-9
+
 severity: medium
 
 references:

diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
@@ -14,8 +14,6 @@ CCE-93743-3
 CCE-93757-3
 CCE-93777-1
 CCE-93783-9
-CCE-93801-9
-CCE-93802-7
 CCE-93803-5
 CCE-93804-3
 CCE-93805-0