Merge pull request #12210 from rumch-se/update_rules_audit_rules_priv…

…ileged_commands_1

Updated 10 rules to support SLE Micro 5

controls/stig_slmicro5.yml

@@ -16,7 +16,7 @@ controls:
  title: SLEM 5 must be a vendor-supported release.
  rules:
  - installed_OS_is_vendor_supported
- status: automated 
+ status: automated
 - id: SLEM-05-211015
  levels:
  - medium
@@ -1108,8 +1108,9 @@ controls:
  levels:
  - medium
  title: SLEM 5 must generate audit records for all uses of the "chage" command.
- rules: []
- status: pending
+ rules:
+ - audit_rules_privileged_commands_chage
+ status: automated
 - id: SLEM-05-654020
  levels:
  - medium
@@ -1120,8 +1121,9 @@ controls:
  levels:
  - medium
  title: SLEM 5 must generate audit records for all uses of the "chfn" command.
- rules: []
- status: pending
+ rules:
+ - audit_rules_privileged_commands_chfn
+ status: automated
 - id: SLEM-05-654030
  levels:
  - medium
@@ -1132,20 +1134,23 @@ controls:
  levels:
  - medium
  title: SLEM 5 must generate audit records for a uses of the "chsh" command.
- rules: []
- status: pending
+ rules:
+ - audit_rules_privileged_commands_chsh
+ status: automated
 - id: SLEM-05-654040
  levels:
  - medium
  title: SLEM 5 must generate audit records for all uses of the "crontab" command.
- rules: []
- status: pending
+ rules:
+ - audit_rules_privileged_commands_crontab
+ status: automated
 - id: SLEM-05-654045
  levels:
  - medium
  title: SLEM 5 must generate audit records for all uses of the "gpasswd" command.
- rules: []
- status: pending
+ rules:
+ - audit_rules_privileged_commands_gpasswd
+ status: automated
 - id: SLEM-05-654050
  levels:
  - medium
@@ -1168,8 +1173,9 @@ controls:
  levels:
  - medium
  title: SLEM 5 must generate audit records for all uses of the "newgrp" command.
- rules: []
- status: pending
+ rules:
+ - audit_rules_privileged_commands_newgrp
+ status: automated
 - id: SLEM-05-654070
  levels:
  - medium
@@ -1181,8 +1187,9 @@ controls:
  levels:
  - medium
  title: SLEM 5 must generate audit records for all uses of the "passwd" command.
- rules: []
- status: pending
+ rules:
+ - audit_rules_privileged_commands_passwd
+ status: automated
 - id: SLEM-05-654080
  levels:
  - medium
@@ -1211,8 +1218,9 @@ controls:
  levels:
  - medium
  title: SLEM 5 must generate audit records for all uses of the "ssh-keysign" command.
- rules: []
- status: pending
+ rules:
+ - audit_rules_privileged_commands_ssh_keysign
+ status: automated
 - id: SLEM-05-654105
  levels:
  - medium
@@ -1229,15 +1237,17 @@ controls:
  levels:
  - medium
  title: SLEM 5 must generate audit records for all uses of the "sudoedit" command.
- rules: []
- status: pending
+ rules:
+ - audit_rules_privileged_commands_sudoedit
+ status: automated
 - id: SLEM-05-654120
  levels:
  - medium
  title: SLEM 5 must generate audit records for all uses of the "unix_chkpwd" or "unix2_chkpwd"
  commands.
- rules: []
- status: pending
+ rules:
+ - audit_rules_privileged_commands_unix_chkpwd
+ status: automated
 - id: SLEM-05-654125
  levels:
  - medium

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chage/rule.yml

@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
  {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
@@ -40,6 +40,7 @@ identifiers:
  cce@rhel10: CCE-90143-9
  cce@sle12: CCE-83110-7
  cce@sle15: CCE-85587-4
+ cce@slmicro5: CCE-93607-0
 
 references:
  cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chfn/rule.yml

@@ -29,6 +29,7 @@ severity: medium
 identifiers:
  cce@sle12: CCE-83187-5
  cce@sle15: CCE-85589-0
+ cce@slmicro5: CCE-93610-4
 
 references:
  cis@ubuntu2004: 4.1.11

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_chsh/rule.yml

@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
  {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
@@ -40,6 +40,7 @@ identifiers:
  cce@rhel10: CCE-89551-6
  cce@sle12: CCE-83163-6
  cce@sle15: CCE-85586-6
+ cce@slmicro5: CCE-93605-4
 
 references:
  cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_crontab/rule.yml

@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
  {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
@@ -40,6 +40,7 @@ identifiers:
  cce@rhel10: CCE-89029-3
  cce@sle12: CCE-83126-3
  cce@sle15: CCE-85588-2
+ cce@slmicro5: CCE-93608-8
 
 references:
  cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_gpasswd/rule.yml

@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5" ,"ubuntu2004", "ubuntu2204"]%}}
  {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
@@ -40,6 +40,7 @@ identifiers:
  cce@rhel10: CCE-89403-0
  cce@sle12: CCE-83161-0
  cce@sle15: CCE-85584-1
+ cce@slmicro5: CCE-93603-9
 
 references:
  cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_newgrp/rule.yml

@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"]%}}
  {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
@@ -40,6 +40,7 @@ identifiers:
  cce@rhel10: CCE-88752-1
  cce@sle12: CCE-83162-8
  cce@sle15: CCE-85585-8
+ cce@slmicro5: CCE-93604-7
 
 references:
  cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_passwd/rule.yml

@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"]%}}
  {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
@@ -40,6 +40,7 @@ identifiers:
  cce@rhel10: CCE-89215-8
  cce@sle12: CCE-83160-2
  cce@sle15: CCE-85583-3
+ cce@slmicro5: CCE-93602-1
 
 references:
  cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_ssh_keysign/rule.yml

@@ -1,8 +1,8 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
  {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
-{{%- if product in ["sle12", "sle15"] %}}
+{{%- if product in ["sle12", "sle15", "slmicro5"] %}}
  {{%- set ssh_keysign_path="/usr/lib/ssh/ssh-keysign" %}}
 {{%- elif 'ubuntu' in product %}}
  {{%- set ssh_keysign_path="/usr/lib/openssh/ssh-keysign" %}}
@@ -48,6 +48,7 @@ identifiers:
  cce@rhel10: CCE-88874-3
  cce@sle12: CCE-83159-4
  cce@sle15: CCE-85582-5
+ cce@slmicro5: CCE-94071-8
 
 references:
  cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
@@ -80,5 +81,6 @@ template:
  path: /usr/libexec/openssh/ssh-keysign
  path@sle12: /usr/lib/ssh/ssh-keysign
  path@sle15: /usr/lib/ssh/ssh-keysign
+ path@slmicro5: /usr/lib/ssh/ssh-keysign
  path@ubuntu2004: /usr/lib/openssh/ssh-keysign
  path@ubuntu2204: /usr/lib/openssh/ssh-keysign

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_sudoedit/rule.yml

@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15", "slmicro5" ,"ubuntu2004", "ubuntu2204"] %}}
  {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
@@ -39,6 +39,7 @@ identifiers:
  cce@rhel9: CCE-83764-1
  cce@rhel10: CCE-89601-9
  cce@sle15: CCE-85717-7
+ cce@slmicro5: CCE-93609-6
 
 references:
  cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9

linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_unix_chkpwd/rule.yml

@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"]%}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"]%}}
  {{%- set perm_x="-F perm=x " %}}
 {{%- endif %}}
 
@@ -40,6 +40,7 @@ identifiers:
  cce@rhel10: CCE-89529-2
  cce@sle12: CCE-83109-9
  cce@sle15: CCE-85727-6
+ cce@slmicro5: CCE-93606-2
 
 references:
  cis-csc: 1,12,13,14,15,16,2,3,5,6,7,8,9
@@ -71,3 +72,4 @@ template:
  path: /usr/sbin/unix_chkpwd
  path@sle12: /sbin/unix_chkpwd
  path@sle15: /sbin/unix_chkpwd
+ path@slmicro5: /sbin/unix_chkpwd

shared/references/cce-slmicro5-avail.txt

@@ -1,13 +1,3 @@
-CCE-93601-3
-CCE-93602-1
-CCE-93603-9
-CCE-93604-7
-CCE-93605-4
-CCE-93606-2
-CCE-93607-0
-CCE-93608-8
-CCE-93609-6
-CCE-93610-4
 CCE-93611-2
 CCE-93612-0
 CCE-93613-8
@@ -458,7 +448,6 @@ CCE-94067-6
 CCE-94068-4
 CCE-94069-2
 CCE-94070-0
-CCE-94071-8
 CCE-94072-6
 CCE-94073-4
 CCE-94074-2

shared/templates/audit_rules_privileged_commands/ansible.template

@@ -1,7 +1,7 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
  {{%- set perm_x=" -F perm=x" %}}
 {{%- endif %}}
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # reboot = false
 # strategy = restrict
 # complexity = low

shared/templates/audit_rules_privileged_commands/bash.template

@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204", "debian12"] %}}
  {{%- set perm_x=" -F perm=x" %}}
 {{%- endif %}}
 # platform = multi_platform_all

shared/templates/audit_rules_privileged_commands/oval.template

@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204", "debian12"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204", "debian12"] %}}
  {{%- set perm_x="(?:[\s]+-F[\s]+perm=x)" %}}
 {{%- endif %}}
 <def-group>

shared/templates/audit_rules_privileged_commands/tests/auditctl_missing_perm_x.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # packages = audit
 
 source common.sh

shared/templates/audit_rules_privileged_commands/tests/augenrules_missing_perm_x.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 
 source common.sh
 

shared/templates/audit_rules_privileged_commands/tests/common.sh

@@ -1,4 +1,4 @@
-{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{%- if product in ["fedora", "ol7", "ol8", "ol9", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
 perm_x="-F perm=x"
 {{%- endif %}}