Add rule clean_components_post_updating to sle micro 5 stig profile

ComplianceAsCode · Aug 19, 2024 · b52ccee · b52ccee
1 parent 888baf1
commit b52ccee
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 10 deletions.
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
@@ -118,8 +118,9 @@ controls:
       title:
           SLEM 5 must remove all outdated software components after updated versions
           have been installed.
-      rules: []
-      status: pending
+      rules:
+          - clean_components_post_updating
+      status: automated
 
     - id: SLEM-05-215010
       levels:

diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml
@@ -1,10 +1,10 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
 
-{{% if 'sle' in product %}}
+{{% if 'sle' in product or 'slmicro' in product %}}
 - name: "{{{ rule_title }}} - Ensure Zypper Removes Previous Package Versions"
   ansible.builtin.ini_file:
     dest: /etc/zypp/zypp.conf

diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh b/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh
@@ -1,6 +1,6 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro
 
-{{% if 'sle' in product %}}
+{{% if 'sle' in product or 'slmicro' in product %}}
 {{{ bash_replace_or_append('/etc/zypp/zypp.conf', '^solver.upgradeRemoveDroppedPackages', 'true', '%s=%s') }}}
 {{% else %}}
 if grep --silent ^clean_requirements_on_remove {{{ pkg_manager_config_file }}} ; then

diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/oval/slmicro5.xml b/linux_os/guide/system/software/updating/clean_components_post_updating/oval/slmicro5.xml
@@ -0,0 +1,24 @@
+<def-group>
+  <definition class="compliance" id="clean_components_post_updating" version="1">
+    <metadata>
+      <title>Ensure Zypper Removes Previous Package Versions</title>
+      <affected family="unix">
+        <platform>SUSE Linux Enterprise Micro 5</platform>
+      </affected>
+      <description>The solver.upgradeRemoveDroppedPackages option should be used to ensure that old
+      versions of software components are removed after updating.</description>
+    </metadata>
+    <criteria>
+        <criterion comment="check value of solver.upgradeRemoveDroppedPackages in /etc/zypp/zypp.conf" test_ref="test_zypp_clean_components_post_updating" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of solver.upgradeRemoveDroppedPackages in /etc/zypp/zypp.conf" id="test_zypp_clean_components_post_updating" version="1">
+    <ind:object object_ref="object_zypp_clean_components_post_updating" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_zypp_clean_components_post_updating" comment="solver.upgradeRemoveDroppedPackages set in /etc/zypp/zypp.conf" version="1">
+    <ind:filepath>/etc/zypp/zypp.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^solver.upgradeRemoveDroppedPackages\s*=\s*(?i)true(?-i)\s*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
@@ -6,7 +6,7 @@ title: 'Ensure {{{ pkg_manager }}} Removes Previous Package Versions'
 description: |-
     <tt>{{{ pkg_manager }}}</tt> should be configured to remove previous software components after
     new versions have been installed. To configure <tt>{{{ pkg_manager }}}</tt> to remove the
-    {{% if 'sle' in product %}}
+    {{% if 'sle' in product or 'slmicro' in product %}}
     previous software components after updating, set the <tt>solver.upgradeRemoveDroppedPackages</tt>
     {{% elif 'ubuntu' in product %}}
     previous software components after updating, set the <tt>::Remove-Unused-Dependencies</tt> and
@@ -32,6 +32,7 @@ identifiers:
     cce@rhel10: CCE-88515-2
     cce@sle12: CCE-83186-7
     cce@sle15: CCE-85551-0
+    cce@slmicro5: CCE-93720-1
 
 references:
     cis-csc: 18,20,4
@@ -52,7 +53,7 @@ references:
     stigid@ubuntu2204: UBTU-22-214015
 
 ocil_clause: |-
-    {{%- if 'sle' in product %}}
+    {{%- if 'sle' in product or 'slmicro' in product %}}
     'solver.upgradeRemoveDroppedPackages is not enabled or configured correctly'
     {{%- elif 'ubuntu' in product %}}
     '::Remove-Unused-Dependencies and ::Remove-Unused-Kernel-Packages is not
@@ -64,7 +65,7 @@ ocil_clause: |-
 ocil: |-
     Verify {{{ full_name }}} removes all software components after updated versions have been installed.
 
-    {{% if 'sle' in product %}}
+    {{% if 'sle' in product or 'slmicro' in product %}}
     To verify that <tt>solver.upgradeRemoveDroppedPackages</tt> is configured properly, run the
     following command:
     <pre>$ grep -i upgradeRemoveDroppedPackages {{{ pkg_manager_config_file }}}</pre>

diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
@@ -44,7 +44,6 @@ CCE-93710-2
 CCE-93713-6
 CCE-93711-0
 CCE-93712-8
-CCE-93720-1
 CCE-93721-9
 CCE-93722-7
 CCE-93723-5