Merge pull request #9716 from rumch-se/pci_dss_4_profile_update

Added rules to PCI DSS 4.0 SLES 15 profile
ComplianceAsCode · Oct 24, 2022 · f68ca3d · f68ca3d
2 parents 3748e7b + 3f84a41
commit f68ca3d
Show file tree

Hide file tree

Showing 2 changed files with 96 additions and 35 deletions.
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
@@ -18,11 +18,13 @@ identifiers:
     cce@rhel7: CCE-85856-3
     cce@rhel8: CCE-83357-4
     cce@rhel9: CCE-84103-1
+    cce@sle12: CCE-91679-1
+    cce@sle15: CCE-91309-5
 
 references:
     cis@rhel7: 5.3.22
     cis@rhel8: 5.2.18
-    cis@sle12: 5.3.23
+    cis@sle12: 5.2.22
     cis@sle15: 5.2.22
     cis@ubuntu2004: 5.2.22
     cis@ubuntu2204: 5.2.22

diff --git a/products/sle15/profiles/pci-dss-4.profile b/products/sle15/profiles/pci-dss-4.profile
@@ -12,37 +12,96 @@ description: |-
     Ensures PCI-DSS v4 security configuration settings are applied.
 
 selections:
-    - pcidss_3:all:base
-    - accounts_minimum_age_login_defs
-    - accounts_no_uid_except_zero
-    - accounts_password_warn_age_login_defs
-    - accounts_tmout
-    - accounts_umask_etc_bashrc
-    - accounts_umask_etc_login_defs
-    - accounts_umask_etc_profile
-    - cracklib_accounts_password_pam_dcredit
-    - cracklib_accounts_password_pam_lcredit
-    - cracklib_accounts_password_pam_minlen
-    - cracklib_accounts_password_pam_ocredit
-    - cracklib_accounts_password_pam_retry
-    - cracklib_accounts_password_pam_ucredit
-    - file_permissions_sshd_private_key
-    - file_permissions_sshd_pub_key
-    - no_direct_root_logins
-    - package_audit_installed
-    - package_chrony_installed
-    - package_openldap-clients_removed
-    - package_sudo_installed
-    - package_telnet-server_removed
-    - package_vsftpd_removed
-    - package_ypserv_removed
-    - postfix_network_listening_disabled
-    - securetty_root_login_console_only
-    - sshd_disable_empty_passwords
-    - sshd_disable_root_login
-    - sshd_do_not_permit_user_env
-    - sshd_enable_warning_banner
-    - sshd_set_loglevel_verbose
-    - sudo_add_use_pty
-    - sudo_custom_logfile
-
+    -  pcidss_3:all:base
+    -  account_unique_id
+    -  accounts_minimum_age_login_defs
+    -  accounts_no_uid_except_zero
+    -  accounts_password_warn_age_login_defs
+    -  accounts_tmout
+    -  accounts_umask_etc_bashrc
+    -  accounts_umask_etc_login_defs
+    -  accounts_umask_etc_profile
+    -  coredump_disable_backtraces
+    -  coredump_disable_storage
+    -  cracklib_accounts_password_pam_dcredit
+    -  cracklib_accounts_password_pam_lcredit
+    -  cracklib_accounts_password_pam_minlen
+    -  cracklib_accounts_password_pam_ocredit
+    -  cracklib_accounts_password_pam_retry
+    -  cracklib_accounts_password_pam_ucredit
+    -  disable_host_auth
+    -  disable_users_coredumps
+    -  file_at_deny_not_exist
+    -  file_cron_deny_not_exist
+    -  file_groupowner_at_allow
+    -  file_groupowner_backup_etc_passwd
+    -  file_groupowner_backup_etc_shadow
+    -  file_groupowner_cron_allow
+    -  file_owner_at_allow
+    -  file_owner_backup_etc_passwd
+    -  file_owner_backup_etc_shadow
+    -  file_owner_cron_allow
+    -  file_permissions_at_allow
+    -  file_permissions_backup_etc_passwd
+    -  file_permissions_backup_etc_shadow
+    -  file_permissions_cron_allow
+    -  file_permissions_cron_d
+    -  file_permissions_cron_daily
+    -  file_permissions_cron_hourly
+    -  file_permissions_cron_monthly
+    -  file_permissions_cron_weekly
+    -  file_permissions_crontab
+    -  file_permissions_etc_group
+    -  file_permissions_etc_shadow
+    -  file_permissions_sshd_config
+    -  file_permissions_sshd_private_key
+    -  file_permissions_sshd_pub_key
+    -  file_permissions_unauthorized_world_writable
+    -  file_permissions_ungroupowned
+    -  group_unique_id
+    -  group_unique_name
+    -  no_direct_root_logins
+    -  no_files_unowned_by_user
+    -  package_audit_installed
+    -  package_bind_removed
+    -  package_chrony_installed
+    -  package_dhcp_removed
+    -  package_httpd_removed
+    -  package_net-snmp_removed
+    -  package_nfs-utils_removed
+    -  package_openldap-servers_removed
+    -  package_openldapclients_removed
+    -  package_rsh_removed
+    -  package_samba_removed
+    -  package_sudo_installed
+    -  package_talk_removed
+    -  package_telnet_removed
+    -  package_telnetserver_removed
+    -  package_vsftpd_removed
+    -  package_xinetd_removed
+    -  package_ypbind_removed
+    -  package_ypserv_removed
+    -  postfix_network_listening_disabled
+    -  securetty_root_login_console_only
+    -  service_avahi-daemon_disabled
+    -  service_cron_enabled
+    -  service_cups_disabled
+    -  service_rpcbind_disabled
+    -  service_rsyncd_disabled
+    -  sshd_disable_empty_passwords
+    -  sshd_disable_rhosts
+    -  sshd_disable_root_login
+    -  sshd_disable_tcp_forwarding
+    -  sshd_disable_x11_forwarding
+    -  sshd_do_not_permit_user_env
+    -  sshd_enable_pam
+    -  sshd_enable_warning_banner
+    -  sshd_set_loglevel_verbose
+    -  sshd_set_max_auth_tries
+    -  sshd_set_max_sessions
+    -  sshd_set_maxstartups
+    -  sshd_use_approved_ciphers
+    -  sshd_use_approved_macs
+    -  sudo_add_use_pty
+    -  sudo_custom_logfile
+    -  sysctl_fs_suid_dumpable