ComplianceAsCode · teacup-on-rockingchair · Aug 20, 2024 · Aug 19, 2024 · Aug 19, 2024 · Aug 19, 2024
diff --git a/controls/stig_slmicro5.yml b/controls/stig_slmicro5.yml
@@ -118,8 +118,9 @@ controls:
       title:
           SLEM 5 must remove all outdated software components after updated versions
           have been installed.
-      rules: []
-      status: pending
+      rules:
+          - clean_components_post_updating
+      status: automated
 
     - id: SLEM-05-215010
       levels:
@@ -970,15 +971,19 @@ controls:
       title:
           SLEM 5 must reauthenticate users when changing authenticators, roles, or
           escalating privileges.
-      rules: []
-      status: pending
+      rules:
+          - sudo_require_authentication
+          - sudo_remove_nopasswd
+          - sudo_remove_no_authenticate
+      status: automated
 
     - id: SLEM-05-432020
       levels:
           - medium
       title: SLEM 5 must require reauthentication when using the "sudo" command.
-      rules: []
-      status: pending
+      rules:
+          - sudo_require_reauthentication
+      status: automated
 
     - id: SLEM-05-432025
       levels:
@@ -1171,26 +1176,30 @@ controls:
       levels:
           - medium
       title: SLEM 5 must implement certificate status checking for multifactor authentication.
-      rules: []
-      status: pending
+      rules:
+          - smartcard_configure_cert_checking
+      status: automated
 
     - id: SLEM-05-631010
       levels:
           - medium
       title:
           If Network Security Services (NSS) is being used by SLEM 5 it must prohibit
           the use of cached authentications after one day.
-      rules: []
-      status: pending
+      rules:
+          - sssd_memcache_timeout
+          - var_sssd_memcache_timeout=1_day
+      status: automated
 
     - id: SLEM-05-631015
       levels:
           - medium
       title:
           SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to
           prohibit the use of cached offline authentications after one day.
-      rules: []
-      status: pending
+      rules:
+          - sssd_offline_cred_expiration
+      status: automated
 
     - id: SLEM-05-631020
       levels:

diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = unknown
 # complexity = low

diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro
 
 {{{ bash_instantiate_variables("var_sssd_memcache_timeout") }}}
 

diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
@@ -27,6 +27,7 @@ identifiers:
     cce@rhel8: CCE-80910-3
     cce@sle12: CCE-83040-6
     cce@sle15: CCE-83295-6
+    cce@slmicro5: CCE-93718-5
 
 references:
     cis-csc: 1,12,15,16,5

diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/rule.yml
@@ -34,6 +34,7 @@ identifiers:
     cce@rhel10: CCE-90741-0
     cce@sle12: CCE-83206-3
     cce@sle15: CCE-83296-4
+    cce@slmicro5: CCE-93719-3
 
 references:
     cis-csc: 1,12,15,16,5

diff --git a/...ical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml b/...ical/screen_locking/smart_card_login/smartcard_configure_cert_checking/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,multi_platform_rhel
+# platform = multi_platform_sle,multi_platform_slmicro,multi_platform_rhel
 # reboot = false
 # strategy = restrict
 # complexity = low

diff --git a/...physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/bash/shared.sh b/...physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_sle
+# platform = Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_sle,multi_platform_slmicro
 
 {{{ bash_package_install("pam_pkcs11") }}}
 

diff --git a/...ounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml b/...ounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
@@ -30,6 +30,7 @@ identifiers:
     cce@rhel8: CCE-82475-5
     cce@sle12: CCE-83178-4
     cce@sle15: CCE-83293-1
+    cce@slmicro5: CCE-93717-7
 
 references:
     disa: CCI-001948,CCI-001953,CCI-001954

diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml
@@ -23,6 +23,7 @@ identifiers:
     cce@rhel10: CCE-88892-5
     cce@sle12: CCE-83013-3
     cce@sle15: CCE-83291-5
+    cce@slmicro5: CCE-93715-1
 
 references:
     cis-csc: 1,12,15,16,5

diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel10: CCE-87015-4
     cce@sle12: CCE-83012-5
     cce@sle15: CCE-85663-3
+    cce@slmicro5: CCE-93714-4
 
 references:
     cis-csc: 1,12,15,16,5

diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
@@ -24,6 +24,7 @@ identifiers:
     cce@rhel9: CCE-83543-9
     cce@rhel10: CCE-87457-8
     cce@sle15: CCE-85673-2
+    cce@slmicro5: CCE-93713-6
 
 references:
     cis-csc: 1,12,15,16,5

diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
@@ -28,6 +28,7 @@ identifiers:
     cce@rhel10: CCE-88136-7
     cce@sle12: CCE-83231-1
     cce@sle15: CCE-85764-9
+    cce@slmicro5: CCE-93716-9
 
 references:
     cis@ubuntu2204: 5.3.6

diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/ansible/shared.yml
@@ -1,10 +1,10 @@
-# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
 
-{{% if 'sle' in product %}}
+{{% if 'sle' in product or 'slmicro' in product %}}
 - name: "{{{ rule_title }}} - Ensure Zypper Removes Previous Package Versions"
   ansible.builtin.ini_file:
     dest: /etc/zypp/zypp.conf

diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh b/linux_os/guide/system/software/updating/clean_components_post_updating/bash/shared.sh
@@ -1,6 +1,6 @@
-# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_rhv,multi_platform_sle,multi_platform_slmicro
 
-{{% if 'sle' in product %}}
+{{% if 'sle' in product or 'slmicro' in product %}}
 {{{ bash_replace_or_append('/etc/zypp/zypp.conf', '^solver.upgradeRemoveDroppedPackages', 'true', '%s=%s') }}}
 {{% else %}}
 if grep --silent ^clean_requirements_on_remove {{{ pkg_manager_config_file }}} ; then

diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/oval/slmicro5.xml b/linux_os/guide/system/software/updating/clean_components_post_updating/oval/slmicro5.xml
@@ -0,0 +1,24 @@
+<def-group>
+  <definition class="compliance" id="clean_components_post_updating" version="1">
+    <metadata>
+      <title>Ensure Zypper Removes Previous Package Versions</title>
+      <affected family="unix">
+        <platform>SUSE Linux Enterprise Micro 5</platform>
+      </affected>
+      <description>The solver.upgradeRemoveDroppedPackages option should be used to ensure that old
+      versions of software components are removed after updating.</description>
+    </metadata>
+    <criteria>
+        <criterion comment="check value of solver.upgradeRemoveDroppedPackages in /etc/zypp/zypp.conf" test_ref="test_zypp_clean_components_post_updating" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of solver.upgradeRemoveDroppedPackages in /etc/zypp/zypp.conf" id="test_zypp_clean_components_post_updating" version="1">
+    <ind:object object_ref="object_zypp_clean_components_post_updating" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_zypp_clean_components_post_updating" comment="solver.upgradeRemoveDroppedPackages set in /etc/zypp/zypp.conf" version="1">
+    <ind:filepath>/etc/zypp/zypp.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^solver.upgradeRemoveDroppedPackages\s*=\s*(?i)true(?-i)\s*$</ind:pattern>
+    <ind:instance datatype="int" operation="equals">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml b/linux_os/guide/system/software/updating/clean_components_post_updating/rule.yml
@@ -6,7 +6,7 @@ title: 'Ensure {{{ pkg_manager }}} Removes Previous Package Versions'
 description: |-
     <tt>{{{ pkg_manager }}}</tt> should be configured to remove previous software components after
     new versions have been installed. To configure <tt>{{{ pkg_manager }}}</tt> to remove the
-    {{% if 'sle' in product %}}
+    {{% if 'sle' in product or 'slmicro' in product %}}
     previous software components after updating, set the <tt>solver.upgradeRemoveDroppedPackages</tt>
     {{% elif 'ubuntu' in product %}}
     previous software components after updating, set the <tt>::Remove-Unused-Dependencies</tt> and
@@ -32,6 +32,7 @@ identifiers:
     cce@rhel10: CCE-88515-2
     cce@sle12: CCE-83186-7
     cce@sle15: CCE-85551-0
+    cce@slmicro5: CCE-93720-1
 
 references:
     cis-csc: 18,20,4
@@ -52,7 +53,7 @@ references:
     stigid@ubuntu2204: UBTU-22-214015
 
 ocil_clause: |-
-    {{%- if 'sle' in product %}}
+    {{%- if 'sle' in product or 'slmicro' in product %}}
     'solver.upgradeRemoveDroppedPackages is not enabled or configured correctly'
     {{%- elif 'ubuntu' in product %}}
     '::Remove-Unused-Dependencies and ::Remove-Unused-Kernel-Packages is not
@@ -64,7 +65,7 @@ ocil_clause: |-
 ocil: |-
     Verify {{{ full_name }}} removes all software components after updated versions have been installed.
 
-    {{% if 'sle' in product %}}
+    {{% if 'sle' in product or 'slmicro' in product %}}
     To verify that <tt>solver.upgradeRemoveDroppedPackages</tt> is configured properly, run the
     following command:
     <pre>$ grep -i upgradeRemoveDroppedPackages {{{ pkg_manager_config_file }}}</pre>

diff --git a/shared/references/cce-slmicro5-avail.txt b/shared/references/cce-slmicro5-avail.txt
@@ -42,13 +42,8 @@ CCE-93704-5
 CCE-93709-4
 CCE-93710-2
 CCE-93713-6
-CCE-93714-4
-CCE-93715-1
-CCE-93716-9
-CCE-93717-7
-CCE-93718-5
-CCE-93719-3
-CCE-93720-1
+CCE-93711-0
+CCE-93712-8
 CCE-93721-9
 CCE-93722-7
 CCE-93723-5