~/f/scap-security-guide/RPMS.2017 ~/f/scap-security-guide ~/f/scap-security-guide RPMS.2017/scap-security-guide-0.1.70-0.0.noarch.rpm RPMS/scap-security-guide-0.1.70-0.0.noarch.rpm differ: byte 225, line 1 Comparing scap-security-guide-0.1.70-0.0.noarch.rpm to scap-security-guide-0.1.70-0.0.noarch.rpm comparing the rpm tags of scap-security-guide
--- old-rpm-tags
+++ new-rpm-tags
@@ -237,9 +237,9 @@
-/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 41092d53510b388d44656ee0849d159adf9ee490c7e9962a166ef2c4cfd6ab0c 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html 9d5b14cb473036873db72a033141901fabd937b70e02a76ab70839d11e66a086 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html 15ed462ddf6fd7725a87a3e8144c88caae63df9fe4cc1de9df0d7933d044264b 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html 3fa93e140c48a34acd8d26bbba44b9553b88cfffa7eb3dd17e61dfc8339321b2 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html 43c4bc152b12bc3496d5e3063e0b3886faba0bb86447c68517c1ee1679ee3772 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html 2b1f69be69809a7d1d57719662aac44da52fa9c2482757bd455bb33134906ecc 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html d7e5632c89866030941b492f43f035c9b8e8d0e040775b6567ad8d526f6dd873 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html f38edab7bd6c75864d0288750fc564b8becab056106f1599c9639e7a2f7bcf5f 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html bb03b93df4428506179d9c657b164f4ec48ac2f71a1e0a22c2340eaa7028524a 2
+/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html bb1a260ba8d62623f6cc7062d6305b7902410a4caf0793ed7fb0437ee9ad7f2d 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html f29edb8a97efa7188f97d51d15fe3498b7f0ab599f25be5c86214b998d92e2a3 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html 090a987e04be23411325c5df169d5766aed8fbd79b8f273db8df8ece8961cfec 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html b140c80902e67b891999ae18e91cd441904793997192ee263ce38faae12d803e 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html dd2663a14f5398d79832b3d375de2d50ad43d2dcab892e5fa009185108f38c3f 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html 233ea5c2c2ed8e98a5eb5e6734145527b6a585b2e43b837e3388a0bb48bbb207 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html 976c0d6664592030dc7d29ece75eec476129ec7bac6ebbe8fe5f97f254c827d1 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 9fdb7d68770ffcc96874e4c96d93dbeb14d9513726f7ee5e8eb7fa345a3d1805 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html f63f7f49d607c2dd10c436e933eca10781f955ad948c9a8d510639696947862b 2
@@ -247,13 +247,13 @@
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html df3152896904ecc5a232ce8978482b6d894f4ccb7f7fc690ed0f7c33255c3b47 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html 71e2cce8008f60535319c4895a96735e6244a62bd7487d809d611dc69a2a5b4a 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 967aa3e3e3a3d39b21d3259d3c44907bbf3623bf6f305f23e40bbfb5bbf17c32 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 445bb91cb84c5e429f89b60192099f3c6c13911fb89ce20d6b9658f8424ac56f 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html e89143e39fdd92318ff3b15f1435477067c8746136ab617e8c798f54a3f3bb05 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html 44d6a4f94715fbf99c978feb2698b6357d410f0e8f18de8a9cf3faf455364c0c 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html c5a055071e873400a1f9d7b3ccae73dd727c68dd604f26a5ac1be9a1230f8622 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html fb48293010a2209488275f403c9c3f92ccca66acebbdbc9233d00af0c483245e 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html b359753fdc3cc1c2805033dd2f89c279d2dd13abe5bcf4772f55d76c3c027344 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html f705d263938970bc70517802e4bf3a324eada1934512488e0618a90a3d3a07f4 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 143c7804d0f6e62d0734e5565b6dc4cb92b89f1980b747000cbe58610eb9296e 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html a71f9be3bb6bb1b4d34148dd5208b9724010684ca9a4110642b27064ae883f8e 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 552bf39197ecd156c27019911d12695422b898a76f528cdd0b301ee7f08c20c6 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html 7681bd489222c88762f147ffbaedc79a8192a0bb79e95e40d666a9b1aa99b27c 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html 9ad238d390b299d565741140e79a08a239656ed8245df3e6c92bd911fd10939d 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 37d5bc9ea860fb5853a1025b731c72eb7ee238e06d335c0275d32c73ee48acc2 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 39fbfa14f8d1e3fb76f42fc0d109859f7bee562f6f413a4bd90d5859d58f97ff 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html 4104a675acb766db63a1fc0e2775746d9cd6d41a606704acb625cf3f16c30354 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html bf9da213d35fe97e3cd68a202fc8952219a0ff89d8be8ae337209f70cb1bad55 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html d3b7d25db1953d1840ad332722ee33a582849a26a76400b5a261a46115cfac2f 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html ad20c5118fb217532495c6918334f5e0d9911ba323a3b97277a2da263ca37ffa 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 99221c73837b532a59346d95a48aa5847b8a9e98378f5bc479987209848db7d9 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 4253a1c451084fe4aace2d5ff3159ecbd9c6815696b2200dc58f9ecd1d5cf3b2 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 61c91ecaf0b95c9adee6a8c970cda0bb2cb96461d8644e3db7f81b86343d6240 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 0f1787eb55f2a53158e88db29497675de8a1517a86987c2dc8b4d3ff7435389c 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 37e330ca29a3b27d8689f9ef80054d9bdc4363e5263b96475b3372c743a2077c 2
@@ -261,6 +261,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html cacfcc3851eaf7c1477d75616a23993fd3a5ac319a57aed0ef858e19dd0d5222 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 5afdb60e40f5e19be89115dd86fccb0283fb19b994a6ff5e8623e88e0002d377 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html 2af827cb20a69f65a472c377a81cff9dc07ab5b9500dd1887cf5b79cb2d1845e 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html 57ccd9c84974eb4e3f885c81871889d8f4c7175d08219c0f5c2ae3962267b489 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html a213b5c97ec8745728574705d567838dc15b333c17400b15c5be117fcb2eaa9e 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 437d9909f6edc555356613df0c2f0d49aa0d0c8872b65e2aa220a8db9720f782 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html 839529a9e867cbd2cf25dc0c79bcfe90b2385e070b90fd0debfb6aedd36e3bbe 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 5ad64fdeb97e67f1f7681b234ecb961e0f6e6978a02462bb5212fb63c838012a 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html 65abddd156f6d804eab360932265a8974f1ab3fead522325811b0ac2fc5bc419 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html 83fa37f979d991255503d7071389a68e9385e83b7170fe1251d7f899d5cfe589 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 403092f9a7e61f5b35cdb52e40f8d93b6f02279514c29370c9f568910341b691 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html 3d2e0c33a42428388d4ff921433acd7f1a4e931ce4a72fbecca2bd54824166e5 2
@@ -342,3 +342,3 @@
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 264920e2ddb7960bddef88daebc53701572e4693543c828d74a319cdbc2ca798 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 908cb8162ad66f255fb8112d46c55713bfc7e065b16161f65229c759d3c814f1 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 90ec7e0298b3f8774bd9c53c54788f08b848f3ee86f5c25d22936a59b688efc2 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml f74934f3c930b916c21add3f1c917876fe57cd87fb49a8b9e9cc3e0e4f14d918 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 7541e2a3c9b2d9c87d32c6e37bbc0b87c501ccc0e9111f26f1e7ef83d75e9bda 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 500b01dad6ab453e50f9a054dfef4c36a9c6bdd85600c73c6e4ad705f7326d43 0
@@ -346 +346 @@
-/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 0120fbcef92e71257e92bec11d8ca87df96ddce5fd2bb2f94a4af83f228b40ae 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml c41d808749052fe2b60080de05907a7b3fb0a97e7bd52b0a806d9b6c281d7e52 0
@@ -349,3 +349,3 @@
-/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml a708bba3e6b0f1995bd7f226ffc9e9f22d0bbc5a227257053a0054bd1a3e8e73 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml d82d10118600b1d577a6f7eaebcbbdf889ed2042528aef81b5ccaab616073e8f 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml ef323e27311e226ea636f21f45dc8d983d7770e7f712e4ec6bc50aceb852cb12 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 2f5ac04959bf0457865a17c89c4a237905a914a4bd4396ca6477bb93c763589c 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml b7a842ca042f60f20a4f56496589e6fa485ddea4c49e1f852dcbdf72ae6f102f 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 5f70434eeae3bde33dd9e3d1c040304858f9f3106a0e11405353eecc4ed9bdf6 0
@@ -353 +353 @@
-/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml 9df8464a448c4c290029047bb4b9c7078eba0cb17d150d3c6ab39b41e48fe06b 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml f892e9c0ee1fb6c4712141404187bc97995ff170806461511eb46e817d1f32f6 0
@@ -356,3 +356,3 @@
-/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 65622f9ba15daca52810d404411587c5dca54e36930cb18a5e345243df4a1da3 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 1d0b6180a39d394efbe7badbbc60e4d7e97c9fe70ee58ef252e32315fc4ed49d 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 1600f552912241dd40354762d4c8815e7d52e45315bc8d3e35b9f8b88eddfc3a 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 06487386bb9295452b8eab62646d675c2d9a87dd56d5abb459708ecc7a1d6ae1 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 441c9b21a0cde2ce31f99ba2d689de36cb194e86d0bfd77da5146c2d626b55e0 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml d479b50b737909a97e5c721238b51f236e431f9f74974a1c762f26c9a8a098d6 0
@@ -360 +360 @@
-/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 0d258c3169d4f21445541fff7d9051a7205a64f671e9d0abaf6cf3c77ffee60f 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml bcb32f6c6f1f3500b0b4a9f2bae921ce65a3e518c13de2f776e6b8ba06704163 0
comparing rpmtags comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM file checksum differs. Extracting packages /usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 2023-10-17 02:00:00.000000000 +0200
@@ -67,7 +67,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleStandard System Security Profile for openSUSE
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:opensuse:leap:15.0
  • cpe:/o:opensuse:leap:42.1
  • cpe:/o:opensuse:leap:42.2
  • cpe:/o:opensuse:leap:42.3

Revision History

Current version: 0.1.70

Table of Contents

  1. System Settings
    1. File Permissions and Masks

Checklist

Group   Guide to the Secure Configuration of openSUSE   Group contains 4 groups and 3 rules
Group   
@@ -113,8 +113,7 @@ Verify Group Who Owns passwd File   [ref]
To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
Rationale:
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Identifiers and References

References:  - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -148,12 +147,12 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure
chgrp 0 /etc/passwd
 

Rule   Verify User Who Owns passwd File   [ref]

To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd 
Rationale:
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Identifiers and References

References:  - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -187,6 +186,7 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure
chown 0 /etc/passwd
 

Rule   Verify Permissions on passwd File   [ref]

@@ -195,13 +195,7 @@ world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Identifiers and References

References:  - BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -235,6 +229,12 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure

+
+
+
+
+chmod u-xs,g-xws,o-xwt /etc/passwd
 
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their /usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html 2023-10-17 02:00:00.000000000 +0200
@@ -77,7 +77,7 @@ other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Profile Information

Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 66 groups and 234 rules
Group   
@@ -133,15 +133,7 @@ [[packages]] name = "aide" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -159,6 +151,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: 
@@ -181,18 +181,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -272,6 +261,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 10 rules
[ref]   
@@ -418,15 +418,7 @@ [[packages]] name = "sudo" version = "*" -

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -441,6 +433,14 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure sudo Runs In A Minimal Environment - sudo env_reset   [ref]

The sudo env_reset tag, when specified, will run the command in a minimal environment, 
@@ -450,27 +450,7 @@ in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References

Identifiers:  CCE-91492-9

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

-if /usr/sbin/visudo -qcf /etc/sudoers; then
-    cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
-    fi
-    
-    # Check validity of sudoers and cleanup bak
-    if /usr/sbin/visudo -qcf /etc/sudoers; then
-        rm -f /etc/sudoers.bak
-    else
-        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
-        mv /etc/sudoers.bak /etc/sudoers
-        false
-    fi
-else
-    echo "Skipping remediation, /etc/sudoers failed to validate"
-    false
-fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -484,21 +464,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Rule   - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot -   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory -in the PATH environment variable. -This should be enabled by making sure that the ignore_dot tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands -downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  - CCE-91493-7

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\bignore_dot\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option ignore_dot
-        echo "Defaults ignore_dot" >> /etc/sudoers
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
     fi
     
     # Check validity of sudoers and cleanup bak
@@ -513,7 +484,16 @@
     echo "Skipping remediation, /etc/sudoers failed to validate"
     false
 fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
+

Rule   + Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot +   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory +in the PATH environment variable. +This should be enabled by making sure that the ignore_dot tag exists in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands +downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  + CCE-91493-7

References:  + BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\bignore_dot\b.*$
@@ -527,21 +507,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_ignore_dot
-

Rule   - Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC -   [ref]

The sudo NOEXEC tag, when specified, prevents user executed -commands from executing other commands, like a shell for example. -This should be enabled by making sure that the NOEXEC tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Restricting the capability of sudo allowed commands to execute sub-commands -prevents users from running programs with privileges they wouldn't have otherwise.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_noexec
Identifiers and References

Identifiers:  - CCE-91494-5

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html	2023-10-17 02:00:00.000000000 +0200
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_high

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Kernel Configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
    9. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 67 groups and 287 rules
Group   
@@ -133,15 +133,7 @@ [[packages]] name = "aide" version = "*" -
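Review bot: The rebuilt guide's status line reads `(as of 2039-11-21)` where the reference build had `(as of 2023-10-20)`, so the generated HTML embeds the build host's clock rather than a date taken from the sources, and that alone makes every guide checksum in the rpm-tags hunks above differ between otherwise identical builds. The remaining hunks in this report look like the bash and Ansible remediation blocks of each rule trading places between the two builds, which suggests an unstable ordering in the guide generator, though that is inferred from the reordered blocks rather than from any generator code visible here. For a package whose purpose is distributing auditable compliance content, non-reproducible output weakens exactly the supply-chain check this comparison exists to perform; deriving the status date from SOURCE_DATE_EPOCH (or a date kept in the source tree) and emitting remediations in a fixed order would let a rebuild match byte for byte. The hunk containing the status line starts at the `@@ -77,7 +77,7 @@` header of ssg-sle12-guide-anssi_bp28_high.html and its rendered text has lost the diff markers, so which side each line belongs to is not recoverable from this page.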
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -159,6 +151,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: 
@@ -181,18 +181,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -272,6 +261,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. 
@@ -295,22 +295,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -422,6 +407,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Notification of Post-AIDE Scan Details   [ref]

AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
@@ -441,33 +441,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_scan_notification
Identifiers and References

Identifiers:  CCE-83048-9

References:  - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, SI-6d, DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010510, SV-217149r902843_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-var_aide_scan_notification_email='root@localhost'
-
-
-CRONTAB=/etc/crontab
-CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
-
-# NOTE: on some platforms, /etc/crontab may not exist
-if [ -f /etc/crontab ]; then
-	CRONTAB_EXIST=/etc/crontab
-fi
-
-if [ -f /var/spool/cron/root ]; then
-	VARSPOOL=/var/spool/cron/root
-fi
-
-if ! grep -qR '^.*/usr/bin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
-	echo "0 5 * * * root /usr/bin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
   set_fact:
     var_aide_scan_notification_email: !!str root@localhost
   tags:
@@ -511,6 +485,32 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+var_aide_scan_notification_email='root@localhost'
+
+
+CRONTAB=/etc/crontab
+CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
+
+# NOTE: on some platforms, /etc/crontab may not exist
+if [ -f /etc/crontab ]; then
+	CRONTAB_EXIST=/etc/crontab
+fi
+
+if [ -f /var/spool/cron/root ]; then
+	VARSPOOL=/var/spool/cron/root
+fi
+
+if ! grep -qR '^.*/usr/bin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+	echo "0 5 * * * root /usr/bin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure AIDE to Verify Access Control Lists (ACLs)   [ref]

By default, the acl option is added to the FIPSR ruleset in AIDE.
@@ -525,35 +525,7 @@ /etc/aide.conf
Rationale:
ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.
Severity: 
low
Rule ID:xccdf_org.ssgproject.content_rule_aide_verify_acls
Identifiers and References

Identifiers:  CCE-83150-3

References:  - BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, SLES-12-010520, SV-217150r880939_rule


# Remediation is applicable only in certain platforms
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html	2023-10-17 02:00:00.000000000 +0200
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 53 groups and 158 rules
Group
@@ -133,15 +133,7 @@ [[packages]] name = "aide" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -159,6 +151,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database:
@@ -181,18 +181,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -272,6 +261,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 9 rules
[ref]
@@ -405,15 +405,7 @@ [[packages]] name = "sudo" version = "*" -

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -428,6 +420,14 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure sudo Runs In A Minimal Environment - sudo env_reset   [ref]

The sudo env_reset tag, when specified, will run the command in a minimal environment,
@@ -437,27 +437,7 @@ in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References

Identifiers:  CCE-91492-9

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

-if /usr/sbin/visudo -qcf /etc/sudoers; then
-    cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
-    fi
-    
-    # Check validity of sudoers and cleanup bak
-    if /usr/sbin/visudo -qcf /etc/sudoers; then
-        rm -f /etc/sudoers.bak
-    else
-        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
-        mv /etc/sudoers.bak /etc/sudoers
-        false
-    fi
-else
-    echo "Skipping remediation, /etc/sudoers failed to validate"
-    false
-fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -471,21 +451,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Rule   - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot -   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory -in the PATH environment variable. -This should be enabled by making sure that the ignore_dot tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands -downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  - CCE-91493-7

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\bignore_dot\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option ignore_dot
-        echo "Defaults ignore_dot" >> /etc/sudoers
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
     fi
     
     # Check validity of sudoers and cleanup bak
@@ -500,7 +471,16 @@
     echo "Skipping remediation, /etc/sudoers failed to validate"
     false
 fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
+

Rule   + Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot +   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory +in the PATH environment variable. +This should be enabled by making sure that the ignore_dot tag exists in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands +downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  + CCE-91493-7

References:  + BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\bignore_dot\b.*$
@@ -514,21 +494,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_ignore_dot
-

Rule   - Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC -   [ref]

The sudo NOEXEC tag, when specified, prevents user executed -commands from executing other commands, like a shell for example. -This should be enabled by making sure that the NOEXEC tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Restricting the capability of sudo allowed commands to execute sub-commands -prevents users from running programs with privileges they wouldn't have otherwise.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_noexec
Identifiers and References

Identifiers:  - CCE-91494-5

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html	2023-10-17 02:00:00.000000000 +0200
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_minimal

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 25 groups and 43 rules
Group
@@ -109,22 +109,7 @@ When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References

Identifiers:  CCE-83013-3

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-12-010110, SV-217112r854084_rule


Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -161,34 +146,34 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Rule   - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD -   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they -do not have authorization. -

-When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

Identifiers:  - CCE-83012-5

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-12-010110, SV-217112r854084_rule


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
+      # comment out "!authenticate" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Rule   + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD +   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they +do not have authorization. +

+When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

Identifiers:  + CCE-83012-5

References:  + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-12-010110, SV-217112r854084_rule


Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -225,6 +210,21 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
+

Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "NOPASSWD" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
 
Group   Updating Software   Group contains 8 rules
[ref]
@@ -255,9 +255,7 @@ [[packages]] name = "dnf-automatic" version = "*" -

Complexity:low
Disruption:low
Strategy:enable

-zypper install -y "dnf-automatic"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -269,6 +267,8 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
+

Complexity:low
Disruption:low
Strategy:enable

+zypper install -y "dnf-automatic"
 

Rule   Configure dnf-automatic to Install Available Updates Automatically   [ref]

To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf.
Rationale:
Installing software updates is a fundamental mitigation against
@@ -279,7 +279,25 @@ The automated installation of updates ensures that recent security patches are applied in a timely manner.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
Identifiers and References

Identifiers:  CCE-91474-7

References:  - BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
+  ini_file:
+    dest: /etc/dnf/automatic.conf
+    section: commands
+    option: apply_updates
+    value: 'yes'
+    create: true
+  tags:
+  - CCE-91474-7
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-SI-2(5)
+  - NIST-800-53-SI-2(c)
+  - dnf-automatic_apply_updates
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - unknown_strategy
+


 found=false
 
 # set value in all files if they contain section or key
@@ -306,33 +324,33 @@
     mkdir -p "$(dirname "$file")"
     echo -e "[commands]\napply_updates = yes" >> "$file"
 fi
-

Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
+

Rule   + Configure dnf-automatic to Install Only Security Updates +   [ref]

To configure dnf-automatic to install only security updates +automatically, set upgrade_type to security under +[commands] section in /etc/dnf/automatic.conf.
Rationale:
By default, dnf-automatic installs all available updates. +Reducing the amount of updated packages only to updates that were +issued as a part of a security advisory increases the system stability.
Severity: 
low
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
Identifiers and References

Identifiers:  + CCE-91478-8

References:  + BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Only Security Updates
   ini_file:
     dest: /etc/dnf/automatic.conf
     section: commands
-    option: apply_updates
-    value: 'yes'
+    option: upgrade_type
+    value: security
     create: true
   tags:
-  - CCE-91474-7
+  - CCE-91478-8
   - NIST-800-53-CM-6(a)
   - NIST-800-53-SI-2(5)
   - NIST-800-53-SI-2(c)
-  - dnf-automatic_apply_updates
+  - dnf-automatic_security_updates_only
   - low_complexity
+  - low_severity
   - medium_disruption
-  - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   - Configure dnf-automatic to Install Only Security Updates -   [ref]

To configure dnf-automatic to install only security updates -automatically, set upgrade_type to security under -[commands] section in /etc/dnf/automatic.conf.
Rationale:
By default, dnf-automatic installs all available updates. -Reducing the amount of updated packages only to updates that were -issued as a part of a security advisory increases the system stability.
Severity: 
low
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
Identifiers and References

Identifiers:  - CCE-91478-8

References:  - BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080



/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html	2023-10-17 02:00:00.000000000 +0200
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 112 groups and 357 rules
Group
@@ -126,15 +126,7 @@ [[packages]] name = "aide" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -152,6 +144,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database:
@@ -174,18 +174,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -265,6 +254,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan.
@@ -288,22 +288,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -415,6 +400,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 7 rules
[ref]
@@ -617,69 +617,7 @@ with physical access to the system to quickly enumerate known user accounts without logging in.
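Review bot: The fallback `sed -i '\!^.* --check.*$!d' /etc/crontab` in the else branch deletes every line of /etc/crontab that contains ` --check`, not only the AIDE job, so an unrelated entry whose command happens to take a `--check` flag is silently removed when this remediation is re-run. Anchoring the pattern on the binary keeps the replace-in-place behaviour while confining it to the intended line: `sed -i '\!^.*/usr/bin/aide --check.*$!d' /etc/crontab`. Note also that the rule text requires the ISSO and SAs to be notified of unauthorized changes, but the job's output only reaches anyone if cron mail delivery (MAILTO and a local MTA) is configured on the host, which nothing here checks; that dependency deserves a comment next to the crontab line.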
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
Identifiers and References

Identifiers:  CCE-92346-6

References:  - CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.10


# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
-                                | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
-DBDIR="/etc/dconf/db/gdm.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
-    if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
-    then
-        
-        sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}"
-    fi
-fi
-
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html	2023-10-17 02:00:00.000000000 +0200
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis_server_l1

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 100 groups and 285 rules
Group   @@ -126,15 +126,7 @@ [[packages]] name = "aide" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -152,6 +144,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database:
@@ -174,18 +174,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -265,6 +254,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan.
@@ -288,22 +288,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
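Review bot: `/usr/bin/aide --init` and the following `/bin/cp -p` are not chained, so if initialisation fails (unreadable aide.conf, bad rule syntax) a stale `aide.db.new` left over from an earlier run, if one exists, is still promoted to the live database; `/usr/bin/aide --init && /bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db` stops at the failure instead. The two paths also assume the default `database_out`/`database` locations from aide.conf, which is worth stating in a comment since a site-customised config would make the copy a no-op or overwrite the wrong file. Finally, the rationale above calls this a "known-good" baseline, but the script captures whatever state the host is in when it runs; a comment such as `# only take this baseline on a freshly installed or already-verified host` would save a practitioner from enshrining an existing compromise.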
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -415,6 +400,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 2 rules
[ref]
@@ -567,69 +567,7 @@ with physical access to the system to quickly enumerate known user accounts without logging in.
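Review bot: Nothing in this remediation delivers the result of the nightly `aide --check` to anyone, although the description says the ISSO and SAs must be notified by email or monitoring trap; the crontab entry relies on cron's default of mailing the job owner, which only works when local mail delivery is configured, so on a host without an MTA the report is discarded. Either confirm MAILTO/MTA configuration in the same remediation or redirect the output to a file the monitoring system collects, and say so in a comment on the crontab line. Separately, the `sed` branch removes every /etc/crontab line containing ` --check`; `sed -i '\!^.*/usr/bin/aide --check.*$!d' /etc/crontab` restricts the deletion to the AIDE job.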
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
Identifiers and References

Identifiers:  CCE-92346-6

References:  - CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.10


# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
-                                | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
-DBDIR="/etc/dconf/db/gdm.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
-    if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
-    then
-        
-        sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}"
-    fi
-fi
-
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html	2023-10-17 02:00:00.000000000 +0200
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l1

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. AppArmor
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Cron and At Daemons
    2. DHCP
    3. DNS Server
    4. FTP Server
    5. Web Server
    6. IMAP and POP3 Server
    7. LDAP
    8. Mail Server Software
    9. NFS and RPC
    10. Network Time Protocol
    11. Obsolete Services
    12. Proxy Server
    13. Samba(SMB) Microsoft Windows File Sharing Server
    14. SNMP Server
    15. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 93 groups and 276 rules
Group   @@ -126,15 +126,7 @@ [[packages]] name = "aide" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -152,6 +144,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database:
@@ -174,18 +174,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -265,6 +254,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan.
@@ -288,22 +288,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
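Review bot: The copy of `aide.db.new` over `aide.db` runs regardless of whether `/usr/bin/aide --init` succeeded, so a failed initialisation can still install a stale or partial database as the reference; chaining the two, `/usr/bin/aide --init && /bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db`, makes the failure visible instead. The rule title says "Build and Test", and the description asks the reader to investigate unexpected output, yet the script never runs `aide --check` after installing the database — a comment should state that the test step is left to the administrator. A warning that the baseline is only "known-good" when taken on a freshly installed or verified host would also help, because the script cannot tell a clean system from a compromised one.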
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -415,6 +400,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 2 rules
[ref]
@@ -567,69 +567,7 @@ with physical access to the system to quickly enumerate known user accounts without logging in.
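Review bot: `sed -i '\!^.* --check.*$!d' /etc/crontab` matches on the bare ` --check` substring, so on a second run it deletes any other system cron job whose command uses a `--check` option, not just the AIDE line it is meant to replace. Tightening the pattern to the binary path, `sed -i '\!^.*/usr/bin/aide --check.*$!d' /etc/crontab`, keeps the intended replace-in-place semantics without the collateral damage. It would also be worth a comment that the entry produces a report only via cron mail, which the rule's notification requirement presumes is configured but this script does not verify.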
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
Identifiers and References

Identifiers:  CCE-92346-6

References:  - CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.10


# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
-                                | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
-DBDIR="/etc/dconf/db/gdm.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
-    if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
-    then
-        
-        sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}"
-    fi
-fi
-
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html	2023-10-17 02:00:00.000000000 +0200
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation
Profile IDxccdf_org.ssgproject.content_profile_cis_workstation_l2

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Proxy Server
    14. Samba(SMB) Microsoft Windows File Sharing Server
    15. SNMP Server
    16. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 109 groups and 353 rules
Group   @@ -126,15 +126,7 @@ [[packages]] name = "aide" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -152,6 +144,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database:
@@ -174,18 +174,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -265,6 +254,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan.
@@ -288,22 +288,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
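Review bot: A failed `/usr/bin/aide --init` does not prevent the next line from copying whatever `aide.db.new` happens to exist into `aide.db`, so the live database can end up older than, or unrelated to, the current filesystem; `/usr/bin/aide --init && /bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db` avoids that. The hard-coded `/var/lib/aide/` paths presumably mirror the packaged aide.conf defaults, which should be noted so that anyone who has relocated `database_out` knows the copy must be adjusted. The script also lacks any reminder that a baseline captured on an already-modified host silently approves those modifications, which is the main operational pitfall of this rule.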
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -415,6 +400,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 7 rules
[ref]
@@ -617,69 +617,7 @@ with physical access to the system to quickly enumerate known user accounts without logging in.
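Review bot: The rule description requires email or trap notification of unauthorized modifications, but the added crontab entry only runs `/usr/bin/aide --check` and leaves delivery of its output to cron's default mail behaviour, which silently drops the report on hosts without MAILTO or a local MTA; the script should either verify that configuration or document it as a prerequisite in a comment. The `sed` used to replace an existing entry, `sed -i '\!^.* --check.*$!d' /etc/crontab`, also removes any other crontab line containing ` --check`; `sed -i '\!^.*/usr/bin/aide --check.*$!d' /etc/crontab` limits it to the AIDE job.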
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list
Identifiers and References

Identifiers:  CCE-92346-6

References:  - CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, 1.10


# Remediation is applicable only in certain platforms
-if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
-
-# Check for setting in any of the DConf db directories
-# If files contain ibus or distro, ignore them.
-# The assignment assumes that individual filenames don't contain :
-readarray -t SETTINGSFILES < <(grep -r "\\[org/gnome/login-screen\\]" "/etc/dconf/db/" \
-                                | grep -v 'distro\|ibus\|gdm.d' | cut -d":" -f1)
-DCONFFILE="/etc/dconf/db/gdm.d/00-security-settings"
-DBDIR="/etc/dconf/db/gdm.d"
-
-mkdir -p "${DBDIR}"
-
-# Comment out the configurations in databases different from the target one
-if [ "${#SETTINGSFILES[@]}" -ne 0 ]
-then
-    if grep -q "^\\s*disable-user-list\\s*=" "${SETTINGSFILES[@]}"
-    then
-        
-        sed -Ei "s/(^\s*)disable-user-list(\s*=)/#\1disable-user-list\2/g" "${SETTINGSFILES[@]}"
-    fi
-fi
-
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html	2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitlePCI-DSS v4 Control Baseline for SUSE Linux enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_pci-dss-4

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. Web Server
    6. LDAP
    7. NFS and RPC
    8. Network Time Protocol
    9. Obsolete Services
    10. Print Support
    11. Samba(SMB) Microsoft Windows File Sharing Server
    12. SNMP Server
    13. SSH Server
    14. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 89 groups and 213 rules
Group
@@ -133,16 +133,7 @@ information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Identifiers and References

Identifiers:  CCE-91632-0

References:  - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227



-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-
-zypper install -f -y $packages_to_reinstall
-


Complexity:high
Disruption:medium
Strategy:restrict
- name: 'Set fact: Package manager reinstall command (dnf)'
   set_fact:
     package_manager_reinstall_cmd: dnf reinstall -y
   when: ansible_distribution == "Fedora"
@@ -301,6 +292,15 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_hashes
+


+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+
+zypper install -f -y $packages_to_reinstall
 

Rule   Verify and Correct Ownership with RPM   [ref]

The RPM package management system can check file ownership @@ -346,32 +346,7 @@ The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Identifiers and References

Identifiers:  CCE-91634-6

References:  - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1


Complexity:high
Disruption:medium
Strategy:restrict

-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
-        # NOTE: some files maybe controlled by more then one package
-        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
-        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
-        do
-                # Use an associative array to store packages as it's keys, not having to care about duplicates.
-                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
-        done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
-	rpm --restore "${RPM_PACKAGE}"
-done
-


Complexity:high
Disruption:medium
Strategy:restrict
- name: Read list of files with incorrect permissions
   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
     --nocaps --nolinkto --nouser --nogroup
   register: files_with_incorrect_permissions
@@ -454,6 +429,31 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_permissions
+

Complexity:high
Disruption:medium
Strategy:restrict

+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+        # NOTE: some files maybe controlled by more then one package
+        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
+        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
+        do
+                # Use an associative array to store packages as it's keys, not having to care about duplicates.
+                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+        done
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+	rpm --restore "${RPM_PACKAGE}"
+done
 
Group   Verify Integrity with AIDE   Group contains 3 rules
[ref]   @@ -478,15 +478,7 @@ [[packages]] name = "aide" version = "*" -

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -504,6 +496,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -526,18 +526,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -617,6 +606,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -640,22 +640,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html	2023-10-17 02:00:00.000000000 +0200
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitlePCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_pci-dss

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
  2. Services
    1. Network Time Protocol
    2. SSH Server
    3. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 61 groups and 150 rules
Group   @@ -133,16 +133,7 @@ information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Identifiers and References

Identifiers:  CCE-91632-0

References:  - 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.3.8, 3.4.1, CCI-000366, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), PR.DS-6, PR.DS-8, PR.IP-1, Req-11.5, 11.5.2, SRG-OS-000480-GPOS-00227



-# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
-files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
-
-# From files names get package names and change newline to space, because rpm writes each package to new line
-packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
-
-
-zypper install -f -y $packages_to_reinstall
-


Complexity:high
Disruption:medium
Strategy:restrict
- name: 'Set fact: Package manager reinstall command (dnf)'
   set_fact:
     package_manager_reinstall_cmd: dnf reinstall -y
   when: ansible_distribution == "Fedora"
@@ -301,6 +292,15 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_hashes
+


+# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
+files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"
+
+# From files names get package names and change newline to space, because rpm writes each package to new line
+packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | tr '\n' ' ')"
+
+
+zypper install -f -y $packages_to_reinstall
 

Rule   Verify and Correct Ownership with RPM   [ref]

The RPM package management system can check file ownership @@ -346,32 +346,7 @@ The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_rpm_verify_permissions
Identifiers and References

Identifiers:  CCE-91634-6

References:  - 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, 5.10.4.1, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.8, 3.4.1, CCI-001493, CCI-001494, CCI-001495, CCI-001496, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-003-8 R6, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CM-6(d), CM-6(c), SI-7, SI-7(1), SI-7(6), AU-9(3), CM-6(a), PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, Req-11.5, 11.5.2, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, SRG-OS-000278-GPOS-00108, 6.1.1


Complexity:high
Disruption:medium
Strategy:restrict

-# Declare array to hold set of RPM packages we need to correct permissions for
-declare -A SETPERMS_RPM_DICT
-
-# Create a list of files on the system having permissions different from what
-# is expected by the RPM database
-readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
-
-for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
-do
-        # NOTE: some files maybe controlled by more then one package
-        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
-        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
-        do
-                # Use an associative array to store packages as it's keys, not having to care about duplicates.
-                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
-        done
-done
-
-# For each of the RPM packages left in the list -- reset its permissions to the
-# correct values
-for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
-do
-	rpm --restore "${RPM_PACKAGE}"
-done
-


Complexity:high
Disruption:medium
Strategy:restrict
- name: Read list of files with incorrect permissions
   command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev
     --nocaps --nolinkto --nouser --nogroup
   register: files_with_incorrect_permissions
@@ -454,6 +429,31 @@
   - no_reboot_needed
   - restrict_strategy
   - rpm_verify_permissions
+

Complexity:high
Disruption:medium
Strategy:restrict

+# Declare array to hold set of RPM packages we need to correct permissions for
+declare -A SETPERMS_RPM_DICT
+
+# Create a list of files on the system having permissions different from what
+# is expected by the RPM database
+readarray -t FILES_WITH_INCORRECT_PERMS < <(rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }')
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_PERMS[@]}"
+do
+        # NOTE: some files maybe controlled by more then one package
+        readarray -t RPM_PACKAGES < <(rpm -qf "${FILE_PATH}")
+        for RPM_PACKAGE in "${RPM_PACKAGES[@]}"
+        do
+                # Use an associative array to store packages as it's keys, not having to care about duplicates.
+                SETPERMS_RPM_DICT["$RPM_PACKAGE"]=1
+        done
+done
+
+# For each of the RPM packages left in the list -- reset its permissions to the
+# correct values
+for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
+do
+	rpm --restore "${RPM_PACKAGE}"
+done
 
Group   Verify Integrity with AIDE   Group contains 3 rules
[ref]   @@ -478,15 +478,7 @@ [[packages]] name = "aide" version = "*" -

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -504,6 +496,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -526,18 +526,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -617,6 +606,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -640,22 +640,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-91529-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-12-010500, 1.4.2, SV-217148r902840_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html	2023-10-17 02:00:00.000000000 +0200
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleStandard System Security Profile for SUSE Linux Enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_standard

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. File Permissions and Masks

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 4 groups and 3 rules
Group   @@ -114,8 +114,7 @@   [ref]
To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
Rationale:
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Identifiers and References

Identifiers:  CCE-91627-0

References:  - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.2


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -151,13 +150,13 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure
chgrp 0 /etc/passwd
 

Rule   Verify User Who Owns passwd File   [ref]

To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd 
Rationale:
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Identifiers and References

Identifiers:  CCE-91666-8

References:  - 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.2


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -193,6 +192,7 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure
chown 0 /etc/passwd
 

Rule   Verify Permissions on passwd File   [ref]

@@ -202,13 +202,7 @@ accounts on the system and associated information, and protection of this file is critical for system security.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Identifiers and References

Identifiers:  CCE-91452-3

References:  - BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, 7.2.6, SRG-OS-000480-GPOS-00227, 6.1.2


Complexity:low
Disruption:low
Strategy:configure
- name: Test for existence /etc/passwd
   stat:
     path: /etc/passwd
   register: file_exists
@@ -244,6 +238,12 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

Complexity:low
Disruption:low
Strategy:configure

+
+
+
+
+chmod u-xs,g-xws,o-xwt /etc/passwd
 
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 2023-10-17 02:00:00.000000000 +0200
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.

Profile Information

Profile TitleDISA STIG for SUSE Linux Enterprise 12
Profile IDxccdf_org.ssgproject.content_profile_stig

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:12
  • cpe:/o:suse:linux_enterprise_server:12

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Base Services
    2. FTP Server
    3. Mail Server Software
    4. NFS and RPC
    5. Network Time Protocol
    6. Obsolete Services
    7. SSH Server
    8. System Security Services Daemon

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 12   Group contains 82 groups and 240 rules
Group   @@ -122,15 +122,7 @@ [[packages]] name = "aide" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,6 +140,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -170,18 +170,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-91483-8

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-12-010499, 1.4.1, SV-255916r880937_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -261,6 +250,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure AIDE to Verify the Audit Tools   [ref]

The operating system file integrity tool must be configured to protect the integrity of the audit tools.
Rationale:
Protecting the integrity of the tools used for auditing purposes is a @@ -283,66 +283,7 @@ manipulated, or replaced. An example is a checksum hash of the file or files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_check_audit_tools
Identifiers and References

Identifiers:  CCE-83204-8

References:  - CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-12-010540, SV-217152r877393_rule


Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-
-
-
-
-
-
-
-
-
-if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-if grep -i '^.*/usr/sbin/audispd.*$' /etc/aide.conf; then
-sed -i "s#.*/usr/sbin/audispd.*#/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
-else
-echo "/usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
+            CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, SLES-12-010540, SV-217152r877393_rule


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure aide is installed
   package:
     name: '{{ item }}'
     state: present
@@ -420,6 +361,65 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

Complexity:low
Disruption:low
Strategy:restrict
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+
+
+
+
+
+
+
+
+
+if grep -i '^.*/usr/sbin/auditctl.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditctl.*#/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/auditd.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/auditd.*#/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/ausearch.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/ausearch.*#/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/aureport.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/aureport.*#/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/autrace.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/autrace.*#/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
+echo "/usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512" >> /etc/aide.conf
+fi
+
+if grep -i '^.*/usr/sbin/augenrules.*$' /etc/aide.conf; then
+sed -i "s#.*/usr/sbin/augenrules.*#/usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512#" /etc/aide.conf
+else
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html	2023-10-17 02:00:00.000000000 +0200
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleANSSI-BP-028 (enhanced)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_enhanced

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Configure Syslog
    6. Network Configuration and Firewalls
    7. File Permissions and Masks
    8. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 66 groups and 233 rules
Group   @@ -133,15 +133,7 @@ [[packages]] name = "aide" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -159,6 +151,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -181,18 +181,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-85787-0

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -272,6 +261,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 10 rules
[ref]   @@ -418,15 +418,7 @@ [[packages]] name = "sudo" version = "*" -

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -441,6 +433,14 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure sudo Runs In A Minimal Environment - sudo env_reset   [ref]

The sudo env_reset tag, when specified, will run the command in a minimal environment, @@ -450,27 +450,7 @@ in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References

Identifiers:  CCE-91184-2

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

-if /usr/sbin/visudo -qcf /etc/sudoers; then
-    cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
-    fi
-    
-    # Check validity of sudoers and cleanup bak
-    if /usr/sbin/visudo -qcf /etc/sudoers; then
-        rm -f /etc/sudoers.bak
-    else
-        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
-        mv /etc/sudoers.bak /etc/sudoers
-        false
-    fi
-else
-    echo "Skipping remediation, /etc/sudoers failed to validate"
-    false
-fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -484,21 +464,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Rule   - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot -   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory -in the PATH environment variable. -This should be enabled by making sure that the ignore_dot tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands -downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  - CCE-91185-9

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\bignore_dot\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option ignore_dot
-        echo "Defaults ignore_dot" >> /etc/sudoers
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
     fi
     
     # Check validity of sudoers and cleanup bak
@@ -513,7 +484,16 @@
     echo "Skipping remediation, /etc/sudoers failed to validate"
     false
 fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
+

Rule   + Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot +   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory +in the PATH environment variable. +This should be enabled by making sure that the ignore_dot tag exists in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands +downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  + CCE-91185-9

References:  + BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\bignore_dot\b.*$
@@ -527,21 +507,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_ignore_dot
-

Rule   - Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC -   [ref]

The sudo NOEXEC tag, when specified, prevents user executed -commands from executing other commands, like a shell for example. -This should be enabled by making sure that the NOEXEC tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Restricting the capability of sudo allowed commands to execute sub-commands -prevents users from running programs with privileges they wouldn't have otherwise.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_noexec
Identifiers and References

Identifiers:  - CCE-91186-7

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html	2023-10-17 02:00:00.000000000 +0200
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleANSSI-BP-028 (high)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_high

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Kernel Configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
    9. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Network Time Protocol
    4. Obsolete Services
    5. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 67 groups and 286 rules
Group   @@ -133,15 +133,7 @@ [[packages]] name = "aide" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -159,6 +151,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -181,18 +181,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-85787-0

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -272,6 +261,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Periodic Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -295,22 +295,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Identifiers and References

Identifiers:  CCE-85671-6

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010420, 1.4.2, SV-234851r902851_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-else
-    sed -i '\!^.* --check.*$!d' /etc/crontab
-    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure AIDE is installed
   package:
     name: '{{ item }}'
     state: present
@@ -412,6 +397,21 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+if ! grep -q "/usr/bin/aide --check" /etc/crontab ; then
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+else
+    sed -i '\!^.* --check.*$!d' /etc/crontab
+    echo "05 4 * * * root /usr/bin/aide --check" >> /etc/crontab
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure Notification of Post-AIDE Scan Details   [ref]

AIDE should notify appropriate personnel of the details of a scan after the scan has been run. @@ -431,33 +431,7 @@ Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_scan_notification
Identifiers and References

Identifiers:  CCE-91214-7

References:  - BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, SV-234864r902854_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-var_aide_scan_notification_email='root@localhost'
-
-
-CRONTAB=/etc/crontab
-CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
-
-# NOTE: on some platforms, /etc/crontab may not exist
-if [ -f /etc/crontab ]; then
-	CRONTAB_EXIST=/etc/crontab
-fi
-
-if [ -f /var/spool/cron/root ]; then
-	VARSPOOL=/var/spool/cron/root
-fi
-
-if ! grep -qR '^.*/usr/bin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
-	echo "0 5 * * * root /usr/bin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
-fi
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: XCCDF Value var_aide_scan_notification_email # promote to variable
   set_fact:
     var_aide_scan_notification_email: !!str root@localhost
   tags:
@@ -503,6 +477,32 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+var_aide_scan_notification_email='root@localhost'
+
+
+CRONTAB=/etc/crontab
+CRONDIRS='/etc/cron.d /etc/cron.daily /etc/cron.weekly /etc/cron.monthly'
+
+# NOTE: on some platforms, /etc/crontab may not exist
+if [ -f /etc/crontab ]; then
+	CRONTAB_EXIST=/etc/crontab
+fi
+
+if [ -f /var/spool/cron/root ]; then
+	VARSPOOL=/var/spool/cron/root
+fi
+
+if ! grep -qR '^.*/usr/bin/aide\s*\-\-check.*|.*\/bin\/mail\s*-s\s*".*"\s*.*@.*$' $CRONTAB_EXIST $VARSPOOL $CRONDIRS; then
+	echo "0 5 * * * root /usr/bin/aide  --check | /bin/mail -s \"\$(hostname) - AIDE Integrity Check\" $var_aide_scan_notification_email" >> $CRONTAB
+fi
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Configure AIDE to Verify Access Control Lists (ACLs)   [ref]

By default, the acl option is added to the FIPSR ruleset in AIDE. @@ -517,35 +517,7 @@ /etc/aide.conf
Rationale:
ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools.
Severity: 
low
Rule ID:xccdf_org.ssgproject.content_rule_aide_verify_acls
Identifiers and References

Identifiers:  CCE-85623-7

References:  - BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, SLES-15-040040, SV-234986r880968_rule


# Remediation is applicable only in certain platforms
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html	2023-10-17 02:00:00.000000000 +0200
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleANSSI-BP-028 (intermediary)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_intermediary

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. GRUB2 bootloader configuration
    5. Network Configuration and Firewalls
    6. File Permissions and Masks
    7. SELinux
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services
    4. SSH Server

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 53 groups and 157 rules
Group   @@ -133,15 +133,7 @@ [[packages]] name = "aide" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -159,6 +151,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -181,18 +181,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-85787-0

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -272,6 +261,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 
Group   Disk Partitioning   Group contains 9 rules
[ref]   @@ -405,15 +405,7 @@ [[packages]] name = "sudo" version = "*" -

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "sudo"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -428,6 +420,14 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "sudo"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Ensure sudo Runs In A Minimal Environment - sudo env_reset   [ref]

The sudo env_reset tag, when specified, will run the command in a minimal environment, @@ -437,27 +437,7 @@ in /etc/sudoers.d/.
Rationale:
Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentaly, preventing leak of potentially sensitive information.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_env_reset
Identifiers and References

Identifiers:  CCE-91184-2

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

-if /usr/sbin/visudo -qcf /etc/sudoers; then
-    cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option env_reset
-        echo "Defaults env_reset" >> /etc/sudoers
-    fi
-    
-    # Check validity of sudoers and cleanup bak
-    if /usr/sbin/visudo -qcf /etc/sudoers; then
-        rm -f /etc/sudoers.bak
-    else
-        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
-        mv /etc/sudoers.bak /etc/sudoers
-        false
-    fi
-else
-    echo "Skipping remediation, /etc/sudoers failed to validate"
-    false
-fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
+            BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure env_reset is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\benv_reset\b.*$
@@ -471,21 +451,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_env_reset
-

Rule   - Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot -   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory -in the PATH environment variable. -This should be enabled by making sure that the ignore_dot tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands -downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  - CCE-91185-9

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 if /usr/sbin/visudo -qcf /etc/sudoers; then
     cp /etc/sudoers /etc/sudoers.bak
-    if ! grep -P '^[\s]*Defaults[\s]*\bignore_dot\b.*$' /etc/sudoers; then
-        # sudoers file doesn't define Option ignore_dot
-        echo "Defaults ignore_dot" >> /etc/sudoers
+    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
+        # sudoers file doesn't define Option env_reset
+        echo "Defaults env_reset" >> /etc/sudoers
     fi
     
     # Check validity of sudoers and cleanup bak
@@ -500,7 +471,16 @@
     echo "Skipping remediation, /etc/sudoers failed to validate"
     false
 fi
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
+

Rule   + Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot +   [ref]

The sudo ignore_dot tag, when specified, will ignore the current directory +in the PATH environment variable. +This should be enabled by making sure that the ignore_dot tag exists in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/.
Rationale:
Ignoring the commands in the user's current directory prevents an attacker from executing commands +downloaded locally.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Identifiers and References

Identifiers:  + CCE-91185-9

References:  + BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict
- name: Ensure ignore_dot is enabled in /etc/sudoers
   lineinfile:
     path: /etc/sudoers
     regexp: ^[\s]*Defaults.*\bignore_dot\b.*$
@@ -514,21 +494,12 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_add_ignore_dot
-

Rule   - Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC -   [ref]

The sudo NOEXEC tag, when specified, prevents user executed -commands from executing other commands, like a shell for example. -This should be enabled by making sure that the NOEXEC tag exists in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Restricting the capability of sudo allowed commands to execute sub-commands -prevents users from running programs with privileges they wouldn't have otherwise.
Severity: 
high
Rule ID:xccdf_org.ssgproject.content_rule_sudo_add_noexec
Identifiers and References

Identifiers:  - CCE-91186-7

References:  - BP28(R58)


Complexity:low
Disruption:low
Strategy:restrict

/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html	2023-10-17 02:00:00.000000000 +0200
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleANSSI-BP-028 (minimal)
Profile IDxccdf_org.ssgproject.content_profile_anssi_bp28_minimal

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. File Permissions and Masks
  2. Services
    1. DHCP
    2. Mail Server Software
    3. Obsolete Services

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 25 groups and 43 rules
Group   @@ -109,22 +109,7 @@ When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
Identifiers and References

Identifiers:  CCE-83291-5

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-15-010450, SV-234853r854199_rule


Complexity:low
Disruption:low
Strategy:restrict

-for f in /etc/sudoers /etc/sudoers.d/* ; do
-  if [ ! -e "$f" ] ; then
-    continue
-  fi
-  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
-  if ! test -z "$matching_list"; then
-    while IFS= read -r entry; do
-      # comment out "!authenticate" matches to preserve user data
-      sed -i "s/^${entry}$/# &/g" $f
-    done <<< "$matching_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
@@ -161,34 +146,34 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_no_authenticate
-

Rule   - Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD -   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute -commands using sudo without having to authenticate. This should be disabled -by making sure that the NOPASSWD tag does not exist in -/etc/sudoers configuration file or any sudo configuration snippets -in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they -do not have authorization. -

-When operating systems provide the capability to escalate a functional capability, it -is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

Identifiers:  - CCE-85663-3

References:  - BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-15-010450, SV-234853r854199_rule


Complexity:low
Disruption:low
Strategy:restrict

+

Complexity:low
Disruption:low
Strategy:restrict

 for f in /etc/sudoers /etc/sudoers.d/* ; do
   if [ ! -e "$f" ] ; then
     continue
   fi
-  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
   if ! test -z "$matching_list"; then
     while IFS= read -r entry; do
-      # comment out "NOPASSWD" matches to preserve user data
+      # comment out "!authenticate" matches to preserve user data
       sed -i "s/^${entry}$/# &/g" $f
     done <<< "$matching_list"
 
     /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
   fi
 done
-

Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
+

Rule   + Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD +   [ref]

The sudo NOPASSWD tag, when specified, allows a user to execute +commands using sudo without having to authenticate. This should be disabled +by making sure that the NOPASSWD tag does not exist in +/etc/sudoers configuration file or any sudo configuration snippets +in /etc/sudoers.d/.
Rationale:
Without re-authentication, users may access resources or perform tasks for which they +do not have authorization. +

+When operating systems provide the capability to escalate a functional capability, it +is critical that the user re-authenticate.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Identifiers and References

Identifiers:  + CCE-85663-3

References:  + BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, SLES-15-010450, SV-234853r854199_rule


Complexity:low
Disruption:low
Strategy:restrict
- name: Find /etc/sudoers.d/ files
   find:
     paths:
     - /etc/sudoers.d/
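Review bot: The matched sudoers line in `matching_list` is interpolated unescaped into the sed expression, `sed -i "s/^${entry}$/# &/g" $f`, so an entry containing `/`, `.`, `*`, `[` or a backslash either breaks the command or comments out lines other than the one grep matched; the same construct is in the NOPASSWD block added by the hunk `@@ -225,6 +210,21 @@` that follows. Selecting by line number avoids the regex round-trip entirely, e.g. `grep -nP '^(?!#).*[\s]+\!authenticate.*$' "$f" | cut -d: -f1` and then `sed -i "${lineno}s/^/# /" "$f"` per number, which also fixes the unquoted `$f` on both calls. In addition `/usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"` reports to stdout and leaves the remediation's exit status at zero, so a sudoers file the edit has just broken is not surfaced to the caller; `>&2` plus a non-zero return would. These points are pre-existing in the moved block rather than introduced by this reordering.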
@@ -225,6 +210,21 @@
   - no_reboot_needed
   - restrict_strategy
   - sudo_remove_nopasswd
+

Complexity:low
Disruption:low
Strategy:restrict

+for f in /etc/sudoers /etc/sudoers.d/* ; do
+  if [ ! -e "$f" ] ; then
+    continue
+  fi
+  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "NOPASSWD" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
 
Group   Updating Software   Group contains 8 rules
[ref]   @@ -255,9 +255,7 @@ [[packages]] name = "dnf-automatic" version = "*" -

Complexity:low
Disruption:low
Strategy:enable

-zypper install -y "dnf-automatic"
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -269,6 +267,8 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
+

Complexity:low
Disruption:low
Strategy:enable

+zypper install -y "dnf-automatic"
 

Rule   Configure dnf-automatic to Install Available Updates Automatically   [ref]

To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf.
Rationale:
Installing software updates is a fundamental mitigation against @@ -279,7 +279,25 @@ The automated installation of updates ensures that recent security patches are applied in a timely manner.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates
Identifiers and References

Identifiers:  CCE-91165-1

References:  - BP28(R8), 0940, 1144, 1467, 1472, 1483, 1493, 1494, 1495, SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
+  ini_file:
+    dest: /etc/dnf/automatic.conf
+    section: commands
+    option: apply_updates
+    value: 'yes'
+    create: true
+  tags:
+  - CCE-91165-1
+  - NIST-800-53-CM-6(a)
+  - NIST-800-53-SI-2(5)
+  - NIST-800-53-SI-2(c)
+  - dnf-automatic_apply_updates
+  - low_complexity
+  - medium_disruption
+  - medium_severity
+  - no_reboot_needed
+  - unknown_strategy
+


 found=false
 
 # set value in all files if they contain section or key
@@ -306,33 +324,33 @@
     mkdir -p "$(dirname "$file")"
     echo -e "[commands]\napply_updates = yes" >> "$file"
 fi
-

Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Available Updates Automatically
+

Rule   + Configure dnf-automatic to Install Only Security Updates +   [ref]

To configure dnf-automatic to install only security updates +automatically, set upgrade_type to security under +[commands] section in /etc/dnf/automatic.conf.
Rationale:
By default, dnf-automatic installs all available updates. +Reducing the amount of updated packages only to updates that were +issued as a part of a security advisory increases the system stability.
Severity: 
low
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
Identifiers and References

Identifiers:  + CCE-91166-9

References:  + BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080


Complexity:low
Disruption:medium
- name: Configure dnf-automatic to Install Only Security Updates
   ini_file:
     dest: /etc/dnf/automatic.conf
     section: commands
-    option: apply_updates
-    value: 'yes'
+    option: upgrade_type
+    value: security
     create: true
   tags:
-  - CCE-91165-1
+  - CCE-91166-9
   - NIST-800-53-CM-6(a)
   - NIST-800-53-SI-2(5)
   - NIST-800-53-SI-2(c)
-  - dnf-automatic_apply_updates
+  - dnf-automatic_security_updates_only
   - low_complexity
+  - low_severity
   - medium_disruption
-  - medium_severity
   - no_reboot_needed
   - unknown_strategy
-

Rule   - Configure dnf-automatic to Install Only Security Updates -   [ref]

To configure dnf-automatic to install only security updates -automatically, set upgrade_type to security under -[commands] section in /etc/dnf/automatic.conf.
Rationale:
By default, dnf-automatic installs all available updates. -Reducing the amount of updated packages only to updates that were -issued as a part of a security advisory increases the system stability.
Severity: 
low
Rule ID:xccdf_org.ssgproject.content_rule_dnf-automatic_security_updates_only
Identifiers and References

Identifiers:  - CCE-91166-9

References:  - BP28(R8), SI-2(5), CM-6(a), SI-2(c), FMT_SMF_EXT.1, SRG-OS-000191-GPOS-00080



/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html	2023-10-17 02:00:00.000000000 +0200
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html	2023-10-17 02:00:00.000000000 +0200
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 

Profile Information

Profile TitleCIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server
Profile IDxccdf_org.ssgproject.content_profile_cis

CPE Platforms

  • cpe:/o:suse:linux_enterprise_desktop:15
  • cpe:/o:suse:linux_enterprise_server:15

Revision History

Current version: 0.1.70

  • draft - (as of 2023-10-20) + (as of 2039-11-21)

Table of Contents

  1. System Settings
    1. Installing and Maintaining Software
    2. Account and Access Control
    3. System Accounting with auditd
    4. AppArmor
    5. GRUB2 bootloader configuration
    6. Configure Syslog
    7. Network Configuration and Firewalls
    8. File Permissions and Masks
  2. Services
    1. Avahi Server
    2. Cron and At Daemons
    3. DHCP
    4. DNS Server
    5. FTP Server
    6. Web Server
    7. IMAP and POP3 Server
    8. LDAP
    9. Mail Server Software
    10. NFS and RPC
    11. Network Time Protocol
    12. Obsolete Services
    13. Print Support
    14. Proxy Server
    15. Samba(SMB) Microsoft Windows File Sharing Server
    16. SNMP Server
    17. SSH Server
    18. X Window System

Checklist

Group   Guide to the Secure Configuration of SUSE Linux Enterprise 15   Group contains 115 groups and 375 rules
Group   @@ -126,15 +126,7 @@ [[packages]] name = "aide" version = "*" -
Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
+

Complexity:low
Disruption:low
Strategy:enable
- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -152,6 +144,14 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
+

Complexity:low
Disruption:low
Strategy:enable
# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

Rule   Build and Test AIDE Database   [ref]

Run the following command to generate a new database: @@ -174,18 +174,7 @@ If this check produces any unexpected output, investigate.
Rationale:
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_build_database
Identifiers and References

Identifiers:  CCE-85787-0

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, SLES-15-010419, 1.4.1, SV-255922r880967_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
-
-zypper install -y "aide"
-
-/usr/bin/aide --init
-/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:restrict
- name: Build and Test AIDE Database - Ensure AIDE Is Installed
   ansible.builtin.package:
     name: '{{ item }}'
     state: present
@@ -265,6 +254,17 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
+
+zypper install -y "aide"
+
+/usr/bin/aide --init
+/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi
 

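Review bot: `/usr/bin/aide --init` and the following `/bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db` run without checking the result of `zypper install -y "aide"` or of the init itself, so a failed initialisation either copies a stale `aide.db.new` over the integrity baseline or fails on the cp while the remediation has already moved on. Chaining the three steps, `zypper install -y "aide" && /usr/bin/aide --init && /bin/cp -p /var/lib/aide/aide.db.new /var/lib/aide/aide.db`, makes the block stop at the first failure and return that status. The same unchecked `zypper install -y "aide"` appears in the hunk `@@ -152,6 +144,14 @@` above; both blocks are moved rather than new, so this is pre-existing behaviour.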
Rule   Configure Systemd Timer Execution of AIDE   [ref]

At a minimum, AIDE should be configured to run a weekly scan. @@ -276,46 +276,7 @@ changes a systemd service to run the check and a systemd timer to take care of periodical execution of that systemd service should be defined.
Severity: 
medium
Rule ID:xccdf_org.ssgproject.content_rule_aide_periodic_checking_systemd_timer
Identifiers and References

Identifiers:  CCE-92516-4

References:  - BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-6(d), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, SLES-15-010570, 1.4.2, SV-234864r902854_rule


# Remediation is applicable only in certain platforms
-if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q aide; }; then
-
-zypper install -y "aide"
-
-# create unit file for periodic aide database check
-cat > /etc/systemd/system/aidecheck.service <<EOF
-[Unit]
-Description=Aide Check
-[Service]
-Type=simple
-ExecStart=/usr/sbin/aide --check
-[Install]
-WantedBy=multi-user.target
-EOF
-
-# create unit file for the aide check timer
-cat > /etc/systemd/system/aidecheck.timer <<EOF
-[Unit]
-Description=Aide check every day at 5AM
-[Timer]
-OnCalendar=*-*-* 05:00:00
-Unit=aidecheck.service
-[Install]
-WantedBy=multi-user.target
-EOF
-
-#  setup service unit files attributes
-chown root:root /etc/systemd/system/aidecheck.*
-chmod 0644 /etc/systemd/system/aidecheck.*
-
-# enable the aide related services
-systemctl daemon-reload
-systemctl enable aidecheck.service
-systemctl --now enable aidecheck.timer
-
-else
-    >&2 echo 'Remediation is not applicable, nothing was done'
-fi
-


Complexity:low
Disruption:low
Strategy:configure
- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -443,6 +404,45 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
+

# Remediation is applicable only in certain platforms
+if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q aide; }; then
+
+zypper install -y "aide"
+
+# create unit file for periodic aide database check
+cat > /etc/systemd/system/aidecheck.service <<EOF
+[Unit]
+Description=Aide Check
+[Service]
+Type=simple
+ExecStart=/usr/sbin/aide --check
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# create unit file for the aide check timer
+cat > /etc/systemd/system/aidecheck.timer <<EOF
+[Unit]
+Description=Aide check every day at 5AM
+[Timer]
+OnCalendar=*-*-* 05:00:00
+Unit=aidecheck.service
+[Install]
+WantedBy=multi-user.target
+EOF
+
+#  setup service unit files attributes
+chown root:root /etc/systemd/system/aidecheck.*
+chmod 0644 /etc/systemd/system/aidecheck.*
+
+# enable the aide related services
+systemctl daemon-reload
+systemctl enable aidecheck.service
+systemctl --now enable aidecheck.timer
+
+else
+    >&2 echo 'Remediation is not applicable, nothing was done'
+fi