From c70020f99b4528707bca202231fdebfbad6a8424 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 7 Aug 2024 13:55:19 +0300
Subject: [PATCH 01/10] add rule audit_rules_dac_modification_fremovexattr to slmicro5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 17 +++++++++++++++++
 .../ansible.template | 2 +-
 .../audit_rules_dac_modification/bash.template | 2 +-
 5 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 29bd8d72ebe..880ea280cea 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -1778,8 +1778,9 @@ controls:
 title: SLEM 5 must generate audit records for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.
- rules: []
- status: pending
+ rules:
+ - audit_rules_dac_modification_fremovexattr
+ status: automated
 - id: SLEM-05-654185
 levels:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
index 3b17acca664..335f10729ea 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fremovexattr/rule.yml
@@ -50,6 +50,7 @@ identifiers:
 cce@rhel10: CCE-88352-0
 cce@sle12: CCE-83138-8
 cce@sle15: CCE-85686-4
+ cce@slmicro5: CCE-93651-8
 references:
 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index e2048cb7e6f..54bc9822106 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
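Review bot: The control automated in the stig_slmicro5.yml hunk names six system calls ("setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", "lremovexattr") but only `audit_rules_dac_modification_fremovexattr` is listed before `status: automated`, so the profile reports the requirement as met while five of the six calls still produce no audit record. The same pattern recurs in patch 02 (the "chown"/"fchown"/"fchownat"/"lchown" control gets only `audit_rules_dac_modification_lchown`) and patch 03 (the "chmod"/"fchmod"/"fchmodat" control gets only `audit_rules_dac_modification_fchmod`). Either add the sibling `audit_rules_dac_modification_<syscall>` rules for the remaining calls to each `rules:` list, or keep the status honest (`partial`, if the control schema accepts that value) until they are mapped. The `cce@slmicro5` assignment and the `multi_platform_slmicro` template change in this patch are consistent with each other and need no change.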
@@ -1,4 +1,21 @@
 CCE-93651-8
+CCE-93625-2
+CCE-93626-0
+CCE-93627-8
+CCE-93628-6
+CCE-93629-4
+CCE-93630-2
+CCE-93631-0
+CCE-93632-8
+CCE-93633-6
+CCE-93634-4
+CCE-93635-1
+CCE-93636-9
+CCE-93637-7
+CCE-93638-5
+CCE-93639-3
+CCE-93640-1
+CCE-93641-9
 CCE-93652-6
 CCE-93653-4
 CCE-93654-2
diff --git a/shared/templates/audit_rules_dac_modification/ansible.template b/shared/templates/audit_rules_dac_modification/ansible.template
index 5a686b0b2fa..503895c33e7 100644
--- a/shared/templates/audit_rules_dac_modification/ansible.template
+++ b/shared/templates/audit_rules_dac_modification/ansible.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_debian
 # reboot = true
 # strategy = restrict
 # complexity = low
diff --git a/shared/templates/audit_rules_dac_modification/bash.template b/shared/templates/audit_rules_dac_modification/bash.template
index daee7021078..5d782e0bdd3 100644
--- a/shared/templates/audit_rules_dac_modification/bash.template
+++ b/shared/templates/audit_rules_dac_modification/bash.template
@@ -1,4 +1,4 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu,multi_platform_debian
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu,multi_platform_debian
 # First perform the remediation of the syscall rule
 # Retrieve hardware architecture of the underlying system
From 6b9613f3626a4bf6d19ee5640a16bc6b36e7f35f Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 7 Aug 2024 14:01:59 +0300
Subject: [PATCH 02/10] add rule audit_rules_dac_modification_lchown to slmicro5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../audit_rules_dac_modification_lchown/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 880ea280cea..5f51d581ef4 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -1732,8 +1732,9 @@ controls:
 title: SLEM 5 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls.
- rules: []
- status: pending
+ rules:
+ - audit_rules_dac_modification_lchown
+ status: automated
 - id: SLEM-05-654160
 levels:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
index 5953252372a..e1b34de4556 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_lchown/rule.yml
@@ -36,6 +36,7 @@ identifiers:
 cce@rhel10: CCE-88243-1
 cce@sle12: CCE-83135-4
 cce@sle15: CCE-85691-4
+ cce@slmicro5: CCE-93652-6
 references:
 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 54bc9822106..51b2d05d6f7 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -16,7 +16,6 @@ CCE-93638-5
 CCE-93639-3
 CCE-93640-1
 CCE-93641-9
-CCE-93652-6
 CCE-93653-4
 CCE-93654-2
 CCE-93655-9
From e6c4bd15c1e0e3ba8a919f5078d1b77c64ac1927 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 7 Aug 2024 14:06:16 +0300
Subject: [PATCH 03/10] add rule audit_rules_dac_modification_fchmod to slmicro5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../audit_rules_dac_modification_fchmod/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 5f51d581ef4..2a9931b6e39 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -1723,8 +1723,9 @@ controls:
 title: SLEM 5 must generate audit records for all uses of the "chmod", "fchmod" and "fchmodat" system calls.
- rules: []
- status: pending
+ rules:
+ - audit_rules_dac_modification_fchmod
+ status: automated
 - id: SLEM-05-654155
 levels:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
index 9156638e09b..87c9909cdee 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_fchmod/rule.yml
@@ -33,6 +33,7 @@ identifiers:
 cce@rhel10: CCE-88200-1
 cce@sle12: CCE-83133-9
 cce@sle15: CCE-85694-8
+ cce@slmicro5: CCE-93653-4
 references:
 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 51b2d05d6f7..8a776b4f09f 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -16,7 +16,6 @@ CCE-93638-5
 CCE-93639-3
 CCE-93640-1
 CCE-93641-9
-CCE-93653-4
 CCE-93654-2
 CCE-93655-9
 CCE-93657-5
From 27802046adbf694796e5238aa202c65273d0b060 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 7 Aug 2024 14:09:31 +0300
Subject: [PATCH 04/10] add rule audit_rules_dac_modification to slmicro5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../auditd_configure_rules/audit_rules_media_export/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 2a9931b6e39..f34ebfddbb6 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -1771,8 +1771,9 @@ controls:
 levels:
 - medium
 title: SLEM 5 must generate audit records for all uses of the "mount" system call.
- rules: []
- status: pending
+ rules:
+ - audit_rules_dac_modification
+ status: automated
 - id: SLEM-05-654180
 levels:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
index ffdb47ef86d..766663e81fd 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_media_export/rule.yml
@@ -31,6 +31,7 @@ identifiers:
 cce@rhel10: CCE-86590-7
 cce@sle12: CCE-83217-0
 cce@sle15: CCE-85718-5
+ cce@slmicro5: CCE-93654-2
 references:
 cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 8a776b4f09f..e4425289e7c 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -16,7 +16,6 @@ CCE-93638-5
 CCE-93639-3
 CCE-93640-1
 CCE-93641-9
-CCE-93654-2
 CCE-93655-9
 CCE-93657-5
 CCE-93658-3
From 1ff6d8ae0f569f557c3bff59b220d4ce1d30eaad Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 7 Aug 2024 14:27:24 +0300
Subject: [PATCH 05/10] add rule audit_rules_dac_modification_umount2 to slmicro5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../audit_rules_dac_modification_umount2/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index f34ebfddbb6..7d488c81149 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -1789,8 +1789,9 @@ controls:
 levels:
 - medium
 title: SLEM 5 must generate audit records for all uses of the "umount" system call.
- rules: []
- status: pending
+ rules:
+ - audit_rules_dac_modification_umount2
+ status: automated
 - id: SLEM-05-654190
 levels:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
index 69171052d54..0c88fb55fcc 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_dac_actions/audit_rules_dac_modification_umount2/rule.yml
@@ -32,6 +32,7 @@ identifiers:
 cce@rhel10: CCE-89822-1
 cce@sle12: CCE-83219-6
 cce@sle15: CCE-91250-1
+ cce@slmicro5: CCE-93655-9
 references:
 disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index e4425289e7c..3f4b7b7ecca 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -16,7 +16,6 @@ CCE-93638-5
 CCE-93639-3
 CCE-93640-1
 CCE-93641-9
-CCE-93655-9
 CCE-93657-5
 CCE-93658-3
 CCE-93659-1
From 19ab6a5bb0dbc032fff0ee3a64f417ecb65ae5d0 Mon Sep 17 00:00:00 2001
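Review bot: The control title asks for audit records for the "umount" system call while the only mapped rule is `audit_rules_dac_modification_umount2`, and nothing in the entry explains why the names differ, so a later reader may take this for a typo or a gap. A one-line comment above the list item, e.g. `# the umount requirement is covered by auditing umount2; see the rule description`, would make the mapping self-explaining; check the wording against the rule's own description, since only the rule name is visible in this hunk. If the target architectures also expose a separate umount syscall, the rule list would need to cover it too, which this hunk does not show either way.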
From: svet-se
Date: Wed, 7 Aug 2024 16:21:09 +0300
Subject: [PATCH 06/10] Fix SLEM-05-654175
---
 controls/stig_slmicro5.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 7d488c81149..c4fcaa317b6 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -1772,7 +1772,7 @@ controls:
 - medium
 title: SLEM 5 must generate audit records for all uses of the "mount" system call.
 rules:
- - audit_rules_dac_modification
+ - audit_rules_media_export
 status: automated
 - id: SLEM-05-654180
From b1147366abf59d540eab9cfbab714f426f7c1cc3 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 7 Aug 2024 16:27:35 +0300
Subject: [PATCH 07/10] add rule audit_rules_usergroup_modification_group to slmicro5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../audit_rules_usergroup_modification_group/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index c4fcaa317b6..13b9a8035fd 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -1686,8 +1686,9 @@ controls:
 title: SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
- rules: []
- status: pending
+ rules:
+ - audit_rules_usergroup_modification_group
+ status: automated
 - id: SLEM-05-654135
 levels:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
index cfbfe0714ab..7f42285a116 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_group/rule.yml
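Review bot: `audit_rules_media_export` replaces the non-rule name `audit_rules_dac_modification` in the SLEM-05-654175 entry, but the new name gives no hint that it is the rule covering the "mount" system call the control title describes, which is exactly the lookup that produced this fix. A one-line comment above the list item, `# audit_rules_media_export installs the mount syscall audit rule`, would keep the mapping self-explaining; confirm the wording against the rule's description, since only the rule name is visible here. Patch 04 already assigned CCE-93654-2 to that rule, so no identifier change is needed alongside this rename.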
@@ -33,6 +33,7 @@ identifiers:
 cce@rhel10: CCE-87111-1
 cce@sle12: CCE-83121-4
 cce@sle15: CCE-85578-3
+ cce@slmicro5: CCE-93657-5
 references:
 cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 3f4b7b7ecca..645482d93ef 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -16,7 +16,6 @@ CCE-93638-5
 CCE-93639-3
 CCE-93640-1
 CCE-93641-9
-CCE-93657-5
 CCE-93658-3
 CCE-93659-1
 CCE-93661-7
From 237fae46299ff4a1f3d4dc16fce356e9cb355c2d Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 7 Aug 2024 16:30:41 +0300
Subject: [PATCH 08/10] add rule audit_rules_usergroup_modification_shadow to slmicro5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../audit_rules_usergroup_modification_shadow/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 13b9a8035fd..f05e006bce7 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -1715,8 +1715,9 @@ controls:
 title: SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
- rules: []
- status: pending
+ rules:
+ - audit_rules_usergroup_modification_shadow
+ status: automated
 - id: SLEM-05-654150
 levels:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
index 8898621ec47..7b9cdc9a33e 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_shadow/rule.yml
@@ -33,6 +33,7 @@ identifiers:
 cce@rhel10: CCE-88637-4
 cce@sle12: CCE-83122-2
 cce@sle15: CCE-85579-1
+ cce@slmicro5: CCE-93658-3
 references:
 cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 645482d93ef..5dc3bf82cc0 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -16,7 +16,6 @@ CCE-93638-5
 CCE-93639-3
 CCE-93640-1
 CCE-93641-9
-CCE-93658-3
 CCE-93659-1
 CCE-93661-7
 CCE-93662-5
From 29fd3c3c096fa36bbb13122d3f3cceea05c3737f Mon Sep 17 00:00:00 2001
From: svet-se
Date: Wed, 7 Aug 2024 16:32:59 +0300
Subject: [PATCH 09/10] add rule audit_rules_usergroup_modification_opasswd to slmicro5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../audit_rules_usergroup_modification_opasswd/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 +
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index f05e006bce7..5b262666cf4 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -1696,8 +1696,9 @@ controls:
 title: SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
- rules: []
- status: pending
+ rules:
+ - audit_rules_usergroup_modification_opasswd
+ status: automated
 - id: SLEM-05-654140
 levels:
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
index 90c7bf27f5e..3d804044e64 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_opasswd/rule.yml
@@ -33,6 +33,7 @@ identifiers:
 cce@rhel10: CCE-90664-4
 cce@sle12: CCE-83123-0
 cce@sle15: CCE-85728-4
+ cce@slmicro5: CCE-93659-1
 references:
 cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 5dc3bf82cc0..12e10e967b5 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -17,6 +17,7 @@ CCE-93639-3
 CCE-93640-1
 CCE-93641-9
 CCE-93659-1
+CCE-93660-9
 CCE-93661-7
 CCE-93662-5
 CCE-93668-2
From aacd2014267b3bb642a68f1596518b442a47024a Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Tue, 20 Aug 2024 07:25:06 +0300
Subject: [PATCH 10/10] Align CCE availability
---
 shared/references/cce-slmicro5-avail.txt | 19 -------------------
 1 file changed, 19 deletions(-)
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 12e10e967b5..ec9dd22b6ac 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,23 +1,4 @@
-CCE-93651-8
-CCE-93625-2
-CCE-93626-0
-CCE-93627-8
-CCE-93628-6
-CCE-93629-4
-CCE-93630-2
-CCE-93631-0
-CCE-93632-8
-CCE-93633-6
-CCE-93634-4
-CCE-93635-1
-CCE-93636-9
-CCE-93637-7
-CCE-93638-5
-CCE-93639-3
-CCE-93640-1
-CCE-93641-9
 CCE-93659-1
-CCE-93660-9
 CCE-93661-7
 CCE-93662-5
 CCE-93668-2
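Review bot: After the final hunk of patch 10, `CCE-93659-1` is still the first line of the available-CCE list, yet patch 09 assigned that same identifier to `audit_rules_usergroup_modification_opasswd` (`cce@slmicro5: CCE-93659-1`), so the pool now advertises an identifier that is already in use and the next rule author can hand it out a second time. The context line ` CCE-93659-1` in this hunk should become a deletion, `-CCE-93659-1`, alongside the other removed lines. The likely origin is patch 09's own avail.txt hunk, which added `+CCE-93660-9` instead of removing the identifier it consumed; this patch removes `CCE-93660-9` again but leaves the consumed one behind. A build-time check that no identifier appears both in a rule's `cce@slmicro5` field and in the avail list would catch this class of drift.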