From c962a8f9669ed4bc3092afe28c2834fa937421fa Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 13:55:20 +0300
Subject: [PATCH 01/18] Add rule sysctl_kernel_dmesg_restrict to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../restrictions/sysctl_kernel_dmesg_restrict/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 921ea2d6d19..517b7836b06 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -64,8 +64,9 @@ controls:
 levels:
 - medium
 title: SLEM 5 must restrict access to the kernel message buffer.
- rules: []
- status: pending
+ rules:
+ - sysctl_kernel_dmesg_restrict
+ status: automated
 
 - id: SLEM-05-213015
 levels:
diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
index 01c94c3261d..54f495f1567 100644
--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -18,6 +18,7 @@ identifiers:
 cce@rhel10: CCE-89000-4
 cce@sle12: CCE-91565-2
 cce@sle15: CCE-91448-1
+ cce@slmicro5: CCE-93625-2
 
 references:
 cui: 3.1.5
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index f7b9c0ebd6f..b556ed93e62 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93625-2
 CCE-93626-0
 CCE-93627-8
 CCE-93628-6
From 26e293e5cd2c3164387328524751f225057d51b5 Mon Sep 17 00:00:00 2001
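Review bot: The control titled `SLEM 5 must restrict access to the kernel message buffer.` is switched to `status: automated` in this patch, but the sysctl template only learns about slmicro5 in patch 02 (where the bash template's `# platform =` line gains `multi_platform_slmicro`), so at this commit the rule's remediation would presumably not be generated for the product, assuming `sysctl_kernel_dmesg_restrict` is a sysctl-template rule as its name suggests. Consider reordering the series so the template change lands first, keeping every intermediate commit buildable and bisectable. The `- id:` line of this control sits above the hunk, so the STIG id it belongs to is not visible here.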
From: svet-se
Date: Mon, 5 Aug 2024 13:59:45 +0300
Subject: [PATCH 02/18] Update sysctl template to support slmicro5 product
---
 shared/templates/sysctl/ansible.template | 4 ++--
 shared/templates/sysctl/bash.template | 4 ++--
 .../sysctl/tests/correct_value_usr_local_lib.pass.sh | 2 +-
 .../templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/shared/templates/sysctl/ansible.template b/shared/templates/sysctl/ansible.template
index 607b305618c..982dee7dd31 100644
--- a/shared/templates/sysctl/ansible.template
+++ b/shared/templates/sysctl/ansible.template
@@ -5,7 +5,7 @@
 # disruption = medium
 
 - name: List /etc/sysctl.d/*.conf files
-{{% if product in ["sle12","sle15"] %}}
+{{% if product in ["sle12", "sle15", "slmicro5"] %}}
 find:
 paths:
 - "/run/sysctl.d/"
@@ -19,7 +19,7 @@
 - "/run/sysctl.d/"
 - "/usr/local/lib/sysctl.d/"
 {{% endif %}}
-{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "ubuntu2004", "ubuntu2204"] %}}
+{{% if product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "sle12", "sle15", "slmicro5", "ubuntu2004", "ubuntu2204"] %}}
 - "/usr/lib/sysctl.d/"
 {{% endif %}}
 contains: '^[\s]*{{{ SYSCTLVAR }}}.*$'
diff --git a/shared/templates/sysctl/bash.template b/shared/templates/sysctl/bash.template
index 887adae43cf..b3aafbc2757 100644
--- a/shared/templates/sysctl/bash.template
+++ b/shared/templates/sysctl/bash.template
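Review bot: The ansible template's `# platform =` header is outside both hunks and is not touched here, whereas the bash template in the same patch adds `multi_platform_slmicro` to its header; if the ansible header still lacks the slmicro platform, the new `"slmicro5"` entries in both product conditionals are dead and only the bash remediation will be built for the product. Please check the first line of shared/templates/sysctl/ansible.template and extend it to match the bash header if needed. The `paths:` list of the sle/slmicro branch continues between the two hunks, so whether it also covers `/lib/sysctl.d/` as the bash template does cannot be seen from this patch.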
@@ -1,11 +1,11 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_ubuntu,multi_platform_sle,multi_platform_debian
+# platform = multi_platform_debian,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro,multi_platform_ubuntu
 # reboot = true
 # strategy = disable
 # complexity = low
 # disruption = medium
 
 # Comment out any occurrences of {{{ SYSCTLVAR }}} from /etc/sysctl.d/*.conf files
-{{% if product in [ "sle12", "sle15"] %}}
+{{% if product in [ "sle12", "sle15", "slmicro5"] %}}
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
 {{% elif product not in [ "ol7", "ol8", "ol9", "rhcos4", "rhel8", "rhel9", "rhel10", "ubuntu2004", "ubuntu2204"] %}}
 for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf; do
diff --git a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
index e8810e1682d..2a53fcf5ba5 100644
--- a/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
+++ b/shared/templates/sysctl/tests/correct_value_usr_local_lib.pass.sh
@@ -4,7 +4,7 @@
 {{% endif %}}
 
 # Clean sysctl config directories
-{{% if product not in ["sle12","sle15"] %}}
+{{% if product not in ["sle12", "sle15", "slmicro5"] %}}
 rm -rf /usr/lib/sysctl.d/* /usr/local/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
 sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
 
diff --git a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
index 2f5c5a35645..a9e8ac6f6d9 100644
--- a/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
+++ b/shared/templates/sysctl/tests/wrong_value_usr_local_lib.fail.sh
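Review bot: The branch that now covers slmicro5 globs `/lib/sysctl.d/*.conf` while the generic branch below it globs `/usr/lib/sysctl.d/*.conf`, and the ansible hunk in this same patch excludes `/usr/lib/sysctl.d/` for slmicro5. If SLE Micro 5 ships vendor sysctl drop-ins under `/usr/lib/sysctl.d` without `/lib` being merged into it, those files would be left uncommented and a conflicting vendor value could still override the remediated setting, so this is worth confirming on the product before reusing the SLE path set. The bodies of both `for` loops are outside the hunk.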
@@ -4,7 +4,7 @@
 {{% endif %}}
 
 # Clean sysctl config directories
-{{% if product not in ["sle12","sle15"] %}}
+{{% if product not in ["sle12", "sle15", "slmicro5"] %}}
 rm -rf /usr/lib/sysctl.d/* /run/sysctl.d/* /etc/sysctl.d/*
 sed -i "/{{{ SYSCTLVAR }}}/d" /etc/sysctl.conf
 
From c23f62cc808103d1493b793468723f5a54463b2f Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 14:03:57 +0300
Subject: [PATCH 03/18] Add rule sysctl_net_ipv4_tcp_syncookies to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv4_tcp_syncookies/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 517b7836b06..bf1ac72e914 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -483,8 +483,9 @@ controls:
 levels:
 - medium
 title: SLEM 5 must be configured to use TCP syncookies.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv4_tcp_syncookies
+ status: automated
 
 - id: SLEM-05-254010
 levels:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
index d3670de9c18..06a7a1367fa 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_syncookies/rule.yml
@@ -22,6 +22,7 @@ identifiers:
 cce@rhel10: CCE-88084-9
 cce@sle12: CCE-83179-2
 cce@sle15: CCE-83283-2
+ cce@slmicro5: CCE-93626-0
 
 references:
 cis-csc: 1,12,13,14,15,16,18,2,4,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index b556ed93e62..e14350bafb9 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93626-0
 CCE-93627-8
 CCE-93628-6
 CCE-93629-4
From 2444f24f0ec428e2e40e209841f6043fc1459089 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 14:06:42 +0300
Subject: [PATCH 04/18] Add rule sysctl_kernel_kptr_restrict to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_kernel_kptr_restrict/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index bf1ac72e914..84292344ad8 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -90,8 +90,9 @@ controls:
 title: SLEM 5 must implement kptr-restrict to prevent the leaking of internal kernel addresses.
- rules: []
- status: pending
+ rules:
+ - sysctl_kernel_kptr_restrict
+ status: automated
 
 - id: SLEM-05-214010
 levels:
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
index b538bbc9f59..197f5867295 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -20,6 +20,7 @@ identifiers:
 cce@rhel10: CCE-88686-1
 cce@sle12: CCE-83125-5
 cce@sle15: CCE-83299-8
+ cce@slmicro5: CCE-93627-8
 
 references:
 disa: CCI-002824,CCI-000366
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index e14350bafb9..557a99fe4fa 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93627-8
 CCE-93628-6
 CCE-93629-4
 CCE-93630-2
From 0a6283eb694d52bd077a800c943c122df3bc95f4 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 14:43:08 +0300
Subject: [PATCH 05/18] Add rule sysctl_kernel_randomize_va_space to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_kernel_randomize_va_space/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 84292344ad8..76fc51f69e3 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -81,8 +81,9 @@ controls:
 title: Address space layout randomization (ASLR) must be implemented by SLEM 5 to protect memory from unauthorized code execution.
- rules: []
- status: pending
+ rules:
+ - sysctl_kernel_randomize_va_space
+ status: automated
 
 - id: SLEM-05-213025
 levels:
diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
index 2001f2d513d..619ae8fee62 100644
--- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_randomize_va_space/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 cce@rhel10: CCE-87876-9
 cce@sle12: CCE-83146-1
 cce@sle15: CCE-83300-4
+ cce@slmicro5: CCE-93628-6
 
 references:
 cis@sle12: 1.6.3
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 557a99fe4fa..402ca4bddf1 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93628-6
 CCE-93629-4
 CCE-93630-2
 CCE-93631-0
From 3c8419e5cc49de9ebd7b2dfd715f4c29b24c52f6 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 14:45:29 +0300
Subject: [PATCH 06/18] Add rule sysctl_net_ipv4_conf_all_accept_source_route to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv4_conf_all_accept_source_route/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 76fc51f69e3..0592905d01d 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -424,8 +424,9 @@ controls:
 title: SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_source_route
+ status: automated
 
 - id: SLEM-05-253015
 levels:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
index 45eb5ee6e51..97ceccc1fa3 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_source_route/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 cce@rhel10: CCE-90165-2
 cce@sle12: CCE-83064-6
 cce@sle15: CCE-85648-4
+ cce@slmicro5: CCE-93629-4
 
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 402ca4bddf1..f9b03e20e4a 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93629-4
 CCE-93630-2
 CCE-93631-0
 CCE-93632-8
From 7854131022c94a560b70c92a8e317a115802b8af Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 14:50:08 +0300
Subject: [PATCH 07/18] Add rule sysctl_net_ipv6_conf_all_accept_source_route to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv6_conf_all_accept_source_route/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 0592905d01d..e80154c2704 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -496,8 +496,9 @@ controls:
 title: SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_source_route
+ status: automated
 
 - id: SLEM-05-254015
 levels:
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
index 601cd750711..0a49c19ca4a 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_source_route/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 cce@rhel10: CCE-90450-8
 cce@sle12: CCE-83078-6
 cce@sle15: CCE-85649-2
+ cce@slmicro5: CCE-93630-2
 
 references:
 cis-csc: 1,12,13,14,15,16,18,4,6,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index f9b03e20e4a..588c0a63bb8 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93630-2
 CCE-93631-0
 CCE-93632-8
 CCE-93633-6
From 75cb14b7713721900d39b67bc5adfba1b6130b40 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 14:53:19 +0300
Subject: [PATCH 08/18] Add rule sysctl_net_ipv4_conf_default_accept_source_route to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index e80154c2704..67ac4599931 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -434,8 +434,9 @@ controls:
 title: SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv4_conf_default_accept_source_route
+ status: automated
 
 - id: SLEM-05-253020
 levels:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
index ae65f4aca4a..721bb3d3d88 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_source_route/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 cce@rhel10: CCE-88071-6
 cce@sle12: CCE-83079-4
 cce@sle15: CCE-85650-0
+ cce@slmicro5: CCE-93631-0
 
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 588c0a63bb8..7f495f0ae8c 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93631-0
 CCE-93632-8
 CCE-93633-6
 CCE-93634-4
From 823d127c83bedbcf9ad196fba3e0c634ad92e2b4 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 15:00:57 +0300
Subject: [PATCH 09/18] Add rule sysctl_net_ipv6_conf_default_accept_source_route to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 67ac4599931..06feddcd879 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -507,8 +507,9 @@ controls:
 title: SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv6_conf_default_accept_source_route
+ status: automated
 
 - id: SLEM-05-254020
 levels:
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
index 8103a162599..eb89ba32d8c 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_source_route/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 cce@rhel10: CCE-89135-8
 cce@sle12: CCE-83227-9
 cce@sle15: CCE-85653-4
+ cce@slmicro5: CCE-93632-8
 
 references:
 cis-csc: 1,12,13,14,15,16,18,4,6,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 7f495f0ae8c..3d3df5a0e94 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93632-8
 CCE-93633-6
 CCE-93634-4
 CCE-93635-1
From e98e6efeee6280c9cbfb738e8a2faf790e6a3f51 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 15:03:36 +0300
Subject: [PATCH 10/18] Add rule sysctl_net_ipv4_conf_all_accept_redirects to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv4_conf_all_accept_redirects/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 06feddcd879..3f739e1b04a 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -444,8 +444,9 @@ controls:
 title: SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv4_conf_all_accept_redirects
+ status: automated
 
 - id: SLEM-05-253025
 levels:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
index 8982b97d56c..1248e7ba1fe 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_all_accept_redirects/rule.yml
@@ -23,6 +23,7 @@ identifiers:
 cce@rhel10: CCE-90409-4
 cce@sle12: CCE-83090-1
 cce@sle15: CCE-85651-8
+ cce@slmicro5: CCE-93633-6
 
 references:
 cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 3d3df5a0e94..ff0ce861ee1 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93633-6
 CCE-93634-4
 CCE-93635-1
 CCE-93636-9
From 7d3f0a4d1d101d4938788f15e22a33f66df32fc1 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 15:34:34 +0300
Subject: [PATCH 11/18] Add rule sysctl_net_ipv4_conf_default_accept_redirects to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv4_conf_default_accept_redirects/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 3f739e1b04a..7cf2c36878d 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -454,8 +454,9 @@ controls:
 title: SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv4_conf_default_accept_redirects
+ status: automated
 
 - id: SLEM-05-253030
 levels:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
index 2b34aa82a5a..b404c780345 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_conf_default_accept_redirects/rule.yml
@@ -22,6 +22,7 @@ identifiers:
 cce@rhel10: CCE-86820-8
 cce@sle12: CCE-83081-0
 cce@sle15: CCE-85652-6
+ cce@slmicro5: CCE-93634-4
 
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index ff0ce861ee1..b3805d8e04a 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93634-4
 CCE-93635-1
 CCE-93636-9
 CCE-93637-7
From bd480a2f24f551d373834541a305f985a5179c11 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 15:46:39 +0300
Subject: [PATCH 12/18] Add rule sysctl_net_ipv6_conf_all_accept_redirects to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv6_conf_all_accept_redirects/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 7cf2c36878d..7afd0858909 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -519,8 +519,9 @@ controls:
 title: SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv6_conf_all_accept_redirects
+ status: automated
 
 - id: SLEM-05-254025
 levels:
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
index 885dc918684..e5a5c514db0 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_accept_redirects/rule.yml
@@ -16,6 +16,7 @@ identifiers:
 cce@rhel10: CCE-90083-7
 cce@sle12: CCE-83246-9
 cce@sle15: CCE-85708-6
+ cce@slmicro5: CCE-93635-1
 
 references:
 cis-csc: 11,14,3,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index b3805d8e04a..d4eaae6c4fa 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93635-1
 CCE-93636-9
 CCE-93637-7
 CCE-93638-5
From e94dcc21813f48329464a0a663259bd480c6461a Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 15:51:27 +0300
Subject: [PATCH 13/18] Add rule sysctl_net_ipv6_conf_default_accept_redirects to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv6_conf_default_accept_redirects/rule.yml | 2 ++
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 7afd0858909..a985ce8bfd1 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -529,8 +529,9 @@ controls:
 title: SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv6_conf_default_accept_redirects
+ status: automated
 
 - id: SLEM-05-254030
 levels:
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
index 76041ed3661..3450a01af74 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_accept_redirects/rule.yml
@@ -16,6 +16,7 @@ identifiers:
 cce@rhel10: CCE-89486-5
 cce@sle12: CCE-83223-8
 cce@sle15: CCE-85722-7
+ cce@slmicro5: CCE-93636-9
 
 references:
 cis-csc: 11,14,3,9
@@ -33,6 +34,7 @@ references:
 nist-csf: PR.IP-1,PR.PT-3
 nist@sle12: CM-6(b),CM-6.1(iv)
 nist@sle15: CM-6(b),CM-6.1(iv)
+ nist@slmicro5: CM-6(b),CM-6.1(iv)
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol8: OL08-00-040210
 stigid@rhel8: RHEL-08-040210
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index d4eaae6c4fa..a3a66d2e99f 100644
--- a/shared/references/cce-slmicro5-avail.txt
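Review bot: This is the first patch in the series that also adds a `nist@slmicro5` reference (patch 16 on sysctl_net_ipv4_ip_forward does the same), while the rule.yml hunks in patches 01, 03–12, 14, 15, 17 and 18 add only `cce@slmicro5`. If those rules carry `nist@sle15` entries as well — their references sections are not visible in those hunks — they should get the matching `nist@slmicro5: CM-6(b),CM-6.1(iv)` line for consistency, since the controls file maps all seventeen of them to the same SLEM 5 STIG with the same status. Otherwise the NIST cross-reference would be present for only two of the rules added to the profile.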
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93636-9
 CCE-93637-7
 CCE-93638-5
 CCE-93639-3
From 2f93361be95f7a2233cd5cf41ac0fe1ed021cf86 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 15:58:38 +0300
Subject: [PATCH 14/18] Add rule sysctl_net_ipv4_conf_default_send_redirects to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv4_conf_default_send_redirects/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index a985ce8bfd1..1f4de2215ec 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -473,8 +473,9 @@ controls:
 title: SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv4_conf_default_send_redirects
+ status: automated
 
 - id: SLEM-05-253040
 levels:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
index 96b82e9e813..5d3bbd88383 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_default_send_redirects/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 cce@rhel10: CCE-89177-0
 cce@sle12: CCE-83086-9
 cce@sle15: CCE-85654-2
+ cce@slmicro5: CCE-93637-7
 
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index a3a66d2e99f..30a02ac4a60 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93637-7
 CCE-93638-5
 CCE-93639-3
 CCE-93640-1
From a73bbd94311d441d1041fa4d1b5174ff28ac93f8 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 16:01:09 +0300
Subject: [PATCH 15/18] Add rule sysctl_net_ipv4_conf_all_send_redirects to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv4_conf_all_send_redirects/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 1f4de2215ec..995276cca80 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -464,8 +464,9 @@ controls:
 title: SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv4_conf_all_send_redirects
+ status: automated
 
 - id: SLEM-05-253035
 levels:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
index dff96b1445a..e0286fee8c7 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_conf_all_send_redirects/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 cce@rhel10: CCE-88360-3
 cce@sle12: CCE-83089-3
 cce@sle15: CCE-85655-9
+ cce@slmicro5: CCE-93638-5
 
 references:
 cis-csc: 1,11,12,13,14,15,16,18,2,3,4,6,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 30a02ac4a60..7ffab9078df 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93638-5
 CCE-93639-3
 CCE-93640-1
 CCE-93641-9
From 6ffef6174e7089aae125594010f6d4cff35f50ea Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 16:04:48 +0300
Subject: [PATCH 16/18] Add rule sysctl_net_ipv4_ip_forward to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv4_ip_forward/rule.yml | 2 ++
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index 995276cca80..d479a849981 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -484,8 +484,9 @@ controls:
 title: SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv4_ip_forward
+ status: automated
 
 - id: SLEM-05-253045
 levels:
diff --git a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
index 1a5570b9624..d5cc1362fc0 100644
--- a/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
+++ b/linux_os/guide/system/network/network-kernel/network_host_parameters/sysctl_net_ipv4_ip_forward/rule.yml
@@ -19,6 +19,7 @@ identifiers:
 cce@rhel10: CCE-87377-8
 cce@sle12: CCE-83088-5
 cce@sle15: CCE-85709-4
+ cce@slmicro5: CCE-93639-3
 
 references:
 cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
@@ -36,6 +37,7 @@ references:
 nist: CM-7(a),CM-7(b),SC-5,CM-6(a),SC-7(a)
 nist-csf: DE.CM-1,PR.DS-4,PR.IP-1,PR.PT-3,PR.PT-4
 nist@sle15: CM-6(b),CM-6.1(iv)
+ nist@slmicro5: CM-6(b),CM-6.1(iv)
 pcidss: Req-1.3.1,Req-1.3.2
 srg: SRG-OS-000480-GPOS-00227
 stigid@ol7: OL07-00-040740
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 7ffab9078df..bc91acc488d 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93639-3
 CCE-93640-1
 CCE-93641-9
 CCE-93651-8
From 34c4bf4ad696663b5a5fcab8e7a3c93945993a2b Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 16:07:48 +0300
Subject: [PATCH 17/18] Add rule sysctl_net_ipv6_conf_all_forwarding to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv6_conf_all_forwarding/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index d479a849981..cfd0187c608 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -542,8 +542,9 @@ controls:
 title: SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv6_conf_all_forwarding
+ status: automated
 
 - id: SLEM-05-254035
 levels:
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
index 2c6ac8f1f21..235d4252640 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_all_forwarding/rule.yml
@@ -18,6 +18,7 @@ identifiers:
 cce@rhel10: CCE-86882-8
 cce@sle12: CCE-83247-7
 cce@sle15: CCE-85713-6
+ cce@slmicro5: CCE-93640-1
 
 references:
 cis-csc: 1,11,12,13,14,15,16,2,3,7,8,9
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index bc91acc488d..48052ecce85 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93640-1
 CCE-93641-9
 CCE-93651-8
 CCE-93652-6
From f9a6838f81e6a88b51658c7c54837ea058342b19 Mon Sep 17 00:00:00 2001
From: svet-se
Date: Mon, 5 Aug 2024 16:10:16 +0300
Subject: [PATCH 18/18] Add rule sysctl_net_ipv6_conf_default_forwarding to slmicro 5 stig profile
---
 controls/stig_slmicro5.yml | 5 +++--
 .../sysctl_net_ipv6_conf_default_forwarding/rule.yml | 1 +
 shared/references/cce-slmicro5-avail.txt | 1 -
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
index cfd0187c608..ee8dd3e3ee1 100644
--- a/controls/stig_slmicro5.yml
+++ b/controls/stig_slmicro5.yml
@@ -552,8 +552,9 @@ controls:
 title: SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
- rules: []
- status: pending
+ rules:
+ - sysctl_net_ipv6_conf_default_forwarding
+ status: automated
 
 - id: SLEM-05-255010
 levels:
diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
index e3e30fe82ae..3ead9da0994 100644
--- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/sysctl_net_ipv6_conf_default_forwarding/rule.yml
@@ -15,6 +15,7 @@ severity: medium
 identifiers:
 cce@sle12: CCE-83248-5
 cce@sle15: CCE-85725-0
+ cce@slmicro5: CCE-93641-9
 
 references:
 disa: CCI-000366
diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
index 48052ecce85..f280425ef3f 100644
--- a/shared/references/cce-slmicro5-avail.txt
+++ b/shared/references/cce-slmicro5-avail.txt
@@ -1,4 +1,3 @@
-CCE-93641-9
 CCE-93651-8
 CCE-93652-6
 CCE-93653-4