VMware vRealize Automation 7.x SLES Security Technical Implementation Guide
- Version/Release: V2R2
- Published: 2023-09-22
-
Expand All:
- Severity:
-
Sort:
Compare
Select any two versions of this STIG to compare the individual requirements
View
Select any old version/release of this STIG to view the previous requirements
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-000016
- Version
- VRAU-SL-000010
- Vuln IDs
-
- V-240344
- V-89465
- Rule IDs
-
- SV-240344r670773_rule
- SV-100115
Checks: C-43577r670771_chk
For every existing temporary account, run the following command to obtain its account expiration information: # chage -l system_account_name Verify each of these accounts has an expiration date set within "72" hours. If any temporary accounts have no expiration date set or do not expire within "72" hours, this is a finding.
Fix: F-43536r670772_fix
In the event temporary accounts are required, configure the system to terminate them after a 72-hour time period. For every temporary account, run the following command to set an expiration date on it, substituting "system_account_name" to the appropriate value: # chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name `date -d "+3 days" +%Y-%m-%d` gets the "72" expiration date for the account at the time of running the command.
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-000018
- Version
- VRAU-SL-000015
- Vuln IDs
-
- V-240345
- V-89467
- Rule IDs
-
- SV-240345r670776_rule
- SV-100117
Checks: C-43578r670774_chk
Determine if execution of the useradd and groupadd executable are audited. # auditctl -l | egrep '(useradd|groupadd)' If either useradd or groupadd are not listed with a permissions filter of at least "x", this is a finding. Expected result: LIST_RULES: exit,always watch=/usr/sbin/useradd perm=x key=useradd LIST_RULES: exit,always watch=/usr/sbin/groupadd perm=x key=groupadd
Fix: F-43537r670775_fix
Configure execute auditing of the useradd and groupadd executables. Run the dodscript with the following command as root: # /etc/dodscript.sh OR Configure execute auditing of the useradd and groupadd executables. Add the following to /etc/audit/audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Restart the auditd service: # service auditd restart
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-000018
- Version
- VRAU-SL-000020
- Vuln IDs
-
- V-240346
- V-89469
- Rule IDs
-
- SV-240346r670779_rule
- SV-100119
Checks: C-43579r670777_chk
Determine if /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow are audited for appending. # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)' | grep perm=a If any of these are not listed with a permissions filter of at least "a", this is a finding. Expected result: LIST_RULES: exit,always watch=/etc/passwd perm=a key=passwd LIST_RULES: exit,always watch=/etc/shadow perm=a key=shadow LIST_RULES: exit,always watch=/etc/group perm=a key=group LIST_RULES: exit,always watch=/etc/gshadow perm=a key=gshadow
Fix: F-43538r670778_fix
Configure append auditing of the passwd, shadow, group, and gshadow files. Run the dodscript with the following command as root: # /etc/dodscript.sh # echo '-w /etc/gshadow -p a -k gshadow' >> /etc/audit/audit.rules Restart the auditd service. # service auditd restart OR Configure append auditing of the passwd, shadow, group, and gshadow files by running the following commands: # echo '-w /etc/passwd -p a -k passwd' >> /etc/audit/audit.rules # echo '-w /etc/shadow -p a -k shadow' >> /etc/audit/audit.rules # echo '-w /etc/group -p a -k group' >> /etc/audit/audit.rules # echo '-w /etc/gshadow -p a -k gshadow' >> /etc/audit/audit.rules Restart the auditd service: # service auditd restart
- RMF Control
- AC-7
- Severity
- Medium
- CCI
- CCI-000044
- Version
- VRAU-SL-000025
- Vuln IDs
-
- V-240347
- V-89471
- Rule IDs
-
- SV-240347r670782_rule
- SV-100121
Checks: C-43580r670780_chk
Run the following command to ensure that the operating system enforces the limit of three consecutive invalid logon attempts by a user: # grep pam_tally2.so /etc/pam.d/common-auth The output should contain "deny=3" in the returned line. If this is not the case, this is a finding. Expected Result: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
Fix: F-43539r670781_fix
To configure the SLES for vRealize to enforce the limit of three consecutive invalid attempts using "pam_tally2.so", modify the content of the /etc/pam.d/common-auth-vmware.local by running the following command: # sed -i "/^[^#]*pam_tally2.so/ c\auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300" /etc/pam.d/common-auth-vmware.local
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-000048
- Version
- VRAU-SL-000030
- Vuln IDs
-
- V-240348
- V-89473
- Rule IDs
-
- SV-240348r670785_rule
- SV-100123
Checks: C-43581r670783_chk
Check that the SSH daemon is configured for logon warning banners: # grep -i banner /etc/ssh/sshd_config | grep -v '#' If the output does not contain "Banner /etc/issue", this is a finding.
Fix: F-43540r670784_fix
To configure the SSH daemon for the logon warning banners, modify /etc/ssh/sshd_config with the following command: # sed -i "/^[^#]*Banner/ c\Banner /etc/issue" /etc/ssh/sshd_config The SSH service will need to be restarted after the above change has been made to SSH. This can be done by running the following command: # service sshd restart
- RMF Control
- AC-10
- Severity
- Low
- CCI
- CCI-000054
- Version
- VRAU-SL-000040
- Vuln IDs
-
- V-240349
- V-89475
- Rule IDs
-
- SV-240349r877399_rule
- SV-100125
Checks: C-43582r670786_chk
Verify the SLES for vRealize limits the number of concurrent sessions to "10" for all accounts and/or account types with the following command: # grep maxlogins /etc/security/limits.conf | grep -v '#' The default maxlimits should be set to a max of "10" or a documented site defined number: * hard maxlogins 10 If no such line exists, this is a finding.
Fix: F-43541r670787_fix
Configure the SLES for vRealize to limit the number of concurrent sessions to "10" for all accounts and/or account types by using the following command. sed -i 's/\(^* *hard *maxlogins\).*/* hard maxlogins 10/g' /etc/security/limits.conf
- RMF Control
- AC-11
- Severity
- Medium
- CCI
- CCI-000057
- Version
- VRAU-SL-000050
- Vuln IDs
-
- V-240350
- V-89477
- Rule IDs
-
- SV-240350r670791_rule
- SV-100127
Checks: C-43583r670789_chk
Check for the existence of the /etc/profile.d/tmout.sh file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the TMOUT variable: # grep TMOUT /etc/profile.d/tmout.sh The value of TMOUT should be set to "900" seconds (15 minutes). If the file does not exist, or the TMOUT variable is not set, this is a finding.
Fix: F-43542r670790_fix
Ensure the file exists and is owned by "root". If the file does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh" and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null
- RMF Control
- AC-11
- Severity
- Medium
- CCI
- CCI-000057
- Version
- VRAU-SL-000055
- Vuln IDs
-
- V-240351
- V-89479
- Rule IDs
-
- SV-240351r670794_rule
- SV-100129
Checks: C-43584r670792_chk
Verify the SLES for vRealize initiates a session lock after a 15-minute period of inactivity for SSH. Execute the following command: # grep ClientAliveInterval /etc/ssh/sshd_config; grep ClientAliveCountMax /etc/ssh/sshd_config Verify the following result: ClientAliveInterval 900 ClientAliveCountMax 0 If this is not set, this is a finding.
Fix: F-43543r670793_fix
Configure the SLES for vRealize to initiate a session lock after a 15-minute period of inactivity for SSH. Set the session lock after a 15-minute period by executing the following command: # sed -i 's/^.*\bClientAliveInterval\b.*$/ClientAliveInterval 900/' /etc/ssh/sshd_config; sed -i 's/^.*\bClientAliveCountMax\b.*$/ClientAliveCountMax 0/' /etc/ssh/sshd_config
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-000067
- Version
- VRAU-SL-000070
- Vuln IDs
-
- V-240352
- V-89481
- Rule IDs
-
- SV-240352r670797_rule
- SV-100131
Checks: C-43585r670795_chk
Verify that SSH is configured to verbosely log connection attempts and failed logon attempts to the server by running the following command: # grep LogLevel /etc/ssh/sshd_config | grep -v '#' The output message must contain the following text: LogLevel VERBOSE If it is not set to "VERBOSE", this is a finding.
Fix: F-43544r670796_fix
To configure SSH to verbosely log connection attempts and failed logon attempts to the server, run the following command: # sed -i 's/^.*\bLogLevel\b.*$/LogLevel VERBOSE/' /etc/ssh/sshd_config The SSH service will need to be restarted after the above change has been made to SSH. This can be done by running the following command: # service sshd restart
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-000068
- Version
- VRAU-SL-000075
- Vuln IDs
-
- V-240353
- V-89483
- Rule IDs
-
- SV-240353r877398_rule
- SV-100133
Checks: C-43586r670798_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the "Ciphers" setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either nothing or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-43545r670799_fix
Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-000068
- Version
- VRAU-SL-000080
- Vuln IDs
-
- V-240354
- V-89485
- Rule IDs
-
- SV-240354r877398_rule
- SV-100135
Checks: C-43587r766908_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the "Ciphers" setting in the "ssh_config" file. # grep -i Ciphers /etc/ssh/ssh_config | grep -v '#' The output must contain either nothing or any number of the following algorithms: aes256-ctr,aes128-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-43546r670802_fix
Update the "Ciphers" directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/ssh_config Save and close the file.
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- VRAU-SL-000085
- Vuln IDs
-
- V-240355
- V-89487
- Rule IDs
-
- SV-240355r670806_rule
- SV-100137
Checks: C-43588r670804_chk
Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.
Fix: F-43547r670805_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-000139
- Version
- VRAU-SL-000125
- Vuln IDs
-
- V-240356
- V-89489
- Rule IDs
-
- SV-240356r670809_rule
- SV-100139
Checks: C-43589r670807_chk
Check /etc/audit/auditd.conf for the space_left_action with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing; is set to "ignore", "suspend", "single", or "halt"; or is blank, this is a finding. Expected Result: space_left_action = SYSLOG NOTES: If the "space_left_action" is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system, "sendmail" must be available.
Fix: F-43548r670808_fix
Set the space_left_action parameter to the valid setting "SYSLOG" by running the following command: # sed -i "/^[^#]*space_left_action/ c\space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-000140
- Version
- VRAU-SL-000130
- Vuln IDs
-
- V-240357
- V-89491
- Rule IDs
-
- SV-240357r670812_rule
- SV-100141
Checks: C-43590r670810_chk
Verify the /etc/audit/auditd.conf has the "disk_full_action", "disk_error_action", and "admin_disk_space_left" parameters set. # grep disk_full_action /etc/audit/auditd.conf If the "disk_full_action" parameter is missing or set to "suspend" or "ignore" this is a finding. # grep disk_error_action /etc/audit/auditd.conf If the "disk_error_action" parameter is missing or set to "suspend" or "ignore" this is a finding. # grep admin_space_left_action /etc/audit/auditd.conf If the "admin_space_left_action" parameter is missing or set to "suspend" or "ignore" this is a finding.
Fix: F-43549r670811_fix
Edit /etc/audit/auditd.conf and set the "disk_full_action", "disk_error_action", and "admin_space_left_action" parameters to "syslog" with the following commands: # sed -i "/^[^#]*disk_full_action/ c\disk_full_action = SYSLOG" /etc/audit/auditd.conf # sed -i "/^[^#]*disk_error_action/ c\disk_error_action = SYSLOG" /etc/audit/auditd.conf # sed -i "/^[^#]*admin_space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000162
- Version
- VRAU-SL-000150
- Vuln IDs
-
- V-240358
- V-89493
- Rule IDs
-
- SV-240358r670815_rule
- SV-100143
Checks: C-43591r670813_chk
Verify that the system audit logs are owned by "root": # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file is not owned by "root", this is a finding.
Fix: F-43550r670814_fix
Change the ownership of the audit log file(s). Procedure: # chown root <audit log file> # chown root /var/log/audit/audit.log
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000162
- Version
- VRAU-SL-000155
- Vuln IDs
-
- V-240359
- V-89495
- Rule IDs
-
- SV-240359r670818_rule
- SV-100145
Checks: C-43592r670816_chk
Verify that the system audit logs are group-owned by "root": # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file is not group-owned by "root" or "admin", this is a finding.
Fix: F-43551r670817_fix
Change the group-ownership of the audit log file(s). Procedure: # chgrp root <audit log file> # chgrp root /var/log/audit/audit.log
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000163
- Version
- VRAU-SL-000160
- Vuln IDs
-
- V-240360
- V-89497
- Rule IDs
-
- SV-240360r670821_rule
- SV-100147
Checks: C-43593r670819_chk
Verify that the system audit logs with the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file has a mode more permissive than "0640", this is a finding.
Fix: F-43552r670820_fix
Change the mode of the audit log file(s): # chmod 0640 <audit log file>
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000164
- Version
- VRAU-SL-000165
- Vuln IDs
-
- V-240361
- V-89499
- Rule IDs
-
- SV-240361r670824_rule
- SV-100149
Checks: C-43594r670822_chk
Verify that the system audit logs with the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file has a mode more permissive than "0640", this is a finding.
Fix: F-43553r670823_fix
Change the mode of the audit log file(s): # chmod 0640 <audit log file>
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000164
- Version
- VRAU-SL-000170
- Vuln IDs
-
- V-240362
- V-89501
- Rule IDs
-
- SV-240362r670827_rule
- SV-100151
Checks: C-43595r670825_chk
Run the following command to check the mode of the system audit directories: # grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n Audit directories must be mode "0700". If any are more permissive, this is a finding.
Fix: F-43554r670826_fix
Change the mode of the audit log directories with the following command: # chmod 700 <audit log directory>
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000171
- Version
- VRAU-SL-000240
- Vuln IDs
-
- V-240376
- V-89529
- Rule IDs
-
- SV-240376r670869_rule
- SV-100179
Checks: C-43609r670867_chk
Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ NOTE: If /etc/audit/audit.rules is a symblic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the permissions of the file is not set to "640", this is a finding.
Fix: F-43568r670868_fix
Change the permissions of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symblic link): # chmod 640 /etc/audit/audit.rules.STIG # chmod 640 /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chmod 640 /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000171
- Version
- VRAU-SL-000245
- Vuln IDs
-
- V-240377
- V-89531
- Rule IDs
-
- SV-240377r670872_rule
- SV-100181
Checks: C-43610r670870_chk
Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ NOTE: If /etc/audit/audit.rules is a symblic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG If the ownership is not set to "root", this is a finding.
Fix: F-43569r670871_fix
Change the ownership of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symblic link): # chown root /etc/audit/audit.rules.STIG # chown root /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chown root /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000171
- Version
- VRAU-SL-000250
- Vuln IDs
-
- V-240378
- V-89533
- Rule IDs
-
- SV-240378r670875_rule
- SV-100183
Checks: C-43611r670873_chk
Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ NOTE: If /etc/audit/audit.rules is a symblic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the group-owner is not set to "root", this is a finding.
Fix: F-43570r670874_fix
Change the group-ownership of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symblic link): # chgrp root /etc/audit/audit.rules.STIG # chgrp root /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chgrp root /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000255
- Vuln IDs
-
- V-240379
- V-89535
- Rule IDs
-
- SV-240379r670878_rule
- SV-100185
Checks: C-43612r670876_chk
To determine if the system is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-43571r670877_fix
At a minimum, the audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000260
- Vuln IDs
-
- V-240380
- V-89537
- Rule IDs
-
- SV-240380r670881_rule
- SV-100187
Checks: C-43613r670879_chk
To determine if the system is configured to audit calls to the "chown" system call, run the following command: # auditctl -l | grep syscall | grep chown If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-43572r670880_fix
At a minimum, the audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chown -F auid=0 -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000265
- Vuln IDs
-
- V-240381
- V-89539
- Rule IDs
-
- SV-240381r670884_rule
- SV-100189
Checks: C-43614r670882_chk
To determine if the system is configured to audit calls to the "fchmod" system call, run the following command: # auditctl -l | grep syscall | grep fchmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-43573r670883_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchmod -F auid=0 -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000270
- Vuln IDs
-
- V-240382
- V-89541
- Rule IDs
-
- SV-240382r670887_rule
- SV-100191
Checks: C-43615r670885_chk
To determine if the system is configured to audit calls to the "fchmodat" system call, run the following command: # auditctl -l | grep syscall | grep fchmodat If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-43574r670886_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchmodat -F auid=0 -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000275
- Vuln IDs
-
- V-240383
- V-89543
- Rule IDs
-
- SV-240383r670890_rule
- SV-100193
Checks: C-43616r670888_chk
To determine if the system is configured to audit calls to the "fchown" system call, run the following command: # auditctl -l | grep syscall | grep fchown If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-43575r670889_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchown -F auid=0 -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S fchown -a always,exit -F arch=b32 -S fchown32 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000280
- Vuln IDs
-
- V-240384
- V-89545
- Rule IDs
-
- SV-240384r670893_rule
- SV-100195
Checks: C-43617r670891_chk
To determine if the system is configured to audit calls to the "fchownat" system call, run the following command: # auditctl -l | grep syscall | grep fchownat If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-43576r670892_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchownat -F auid=0 -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000285
- Vuln IDs
-
- V-240385
- V-89547
- Rule IDs
-
- SV-240385r670896_rule
- SV-100197
Checks: C-43618r670894_chk
To determine if the system is configured to audit calls to the "fremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep fremovexattr If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-43577r670895_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fremovexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000290
- Vuln IDs
-
- V-240386
- V-89549
- Rule IDs
-
- SV-240386r670899_rule
- SV-100199
Checks: C-43619r670897_chk
To determine if the system is configured to audit calls to the "fsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep fsetxattr If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-43578r670898_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fsetxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000295
- Vuln IDs
-
- V-240387
- V-89551
- Rule IDs
-
- SV-240387r670902_rule
- SV-100201
Checks: C-43620r670900_chk
To determine if the system is configured to audit calls to the "lchown" system call, run the following command: # auditctl -l | grep syscall | grep lchown If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-43579r670901_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lchown Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000300
- Vuln IDs
-
- V-240388
- V-89553
- Rule IDs
-
- SV-240388r670905_rule
- SV-100203
Checks: C-43621r670903_chk
To determine if the system is configured to audit calls to the "lremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep lremovexattr If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-43580r670904_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lremovexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000305
- Vuln IDs
-
- V-240389
- V-89555
- Rule IDs
-
- SV-240389r670908_rule
- SV-100205
Checks: C-43622r670906_chk
To determine if the system is configured to audit calls to the "lsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep lsetxattr If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-43581r670907_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lsetxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000310
- Vuln IDs
-
- V-240390
- V-89557
- Rule IDs
-
- SV-240390r670911_rule
- SV-100207
Checks: C-43623r670909_chk
To determine if the system is configured to audit calls to the "removexattr" system call, run the following command: # auditctl -l | grep syscall | grep removexattr If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-43582r670910_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S removexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000315
- Vuln IDs
-
- V-240391
- V-89559
- Rule IDs
-
- SV-240391r670914_rule
- SV-100209
Checks: C-43624r670912_chk
To determine if the system is configured to audit calls to the "setxattr" system call, run the following command: # auditctl -l | grep syscall | grep setxattr If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-43583r670913_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S setxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-000320
- Vuln IDs
-
- V-240392
- V-89561
- Rule IDs
-
- SV-240392r670917_rule
- SV-100211
Checks: C-43625r670915_chk
To check that the audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules -a exit,always -F arch=b64 -S swapon -F exit=-EACCES -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b64 -S open -F exit=-EACCES # grep EPERM /etc/audit/audit.rules -a exit,always -F arch=b64 -S swapon -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EPERM If either command lacks output, this is a finding.
Fix: F-43584r670916_fix
Add the following to "/etc/audit/audit.rules": -a exit,always -F arch=b64 -S swapon -F exit=-EACCES -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b64 -S open -F exit=-EACCES -a exit,always -F arch=b64 -S swapon -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EPERM Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000192
- Version
- VRAU-SL-000340
- Vuln IDs
-
- V-240393
- V-89563
- Rule IDs
-
- SV-240393r670920_rule
- SV-100213
Checks: C-43626r670918_chk
Check the SLES for vRealize enforces password complexity by requiring that at least one upper-case character be used by using the following command: # grep ucredit /etc/pam.d/common-password-vmware.local If "ucredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3
Fix: F-43585r670919_fix
If "ucredit" was not set at all in /etc/pam.d/common-password-vmware.local then run the following command: # sed -i '/pam_cracklib.so/ s/$/ ucredit=-1/' /etc/pam.d/common-password-vmware.local If "ucredit" was set incorrectly then run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/ucredit=../ucredit=-1/' /etc/pam.d/common-password-vmware.local
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000192
- Version
- VRAU-SL-000345
- Vuln IDs
-
- V-240394
- V-89565
- Rule IDs
-
- SV-240394r670923_rule
- SV-100215
Checks: C-43627r670921_chk
Verify that common-{account,auth,password,session} settings are being applied. Verify that local customization has occurred in the common- {account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility. The files "/etc/pam.d/common-{account,auth,password,session} -pc " are auto-generated by "pam-config". Any manual changes made to them will be lost if "pam-config" is allowed to run. # ls -l /etc/pam.d/common-{account,auth,password,session} If the symlinks point to "/etc/pam.d/common- {account,auth,password,session}-pc" and manual updates have been made in these files, the updates cannot be protected if pam-config is enabled. # ls -l /usr/sbin/pam-config If the setting for "pam-config" is not "000", this is a finding.
Fix: F-43586r670922_fix
In the default distribution of SLES 11, "/etc/pam.d/common- {account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common- {account,auth,password,session}-pc" files. These common- {account,auth,password,session}-pc files are auto-generated by the pam-config utility. Edit /usr/sbin/pam-config permissions to prevent its use: # chmod 000 /usr/sbin/pam-config
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000193
- Version
- VRAU-SL-000350
- Vuln IDs
-
- V-240395
- V-89567
- Rule IDs
-
- SV-240395r670926_rule
- SV-100217
Checks: C-43628r670924_chk
Verify the SLES for vRealize enforces password complexity by requiring that at least one lower-case character be used by using the following command: # grep lcredit /etc/pam.d/common-password-vmware.local If "lcredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3
Fix: F-43587r670925_fix
If "lcredit" was not set at all in /etc/pam.d/common-password-vmware.local then run the following command: # sed -i '/pam_cracklib.so/ s/$/ lcredit=-1/' /etc/pam.d/common-password-vmware.local If "lcredit" was set incorrectly then run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/lcredit=../lcredit=-1/' /etc/pam.d/common-password-vmware.local
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000194
- Version
- VRAU-SL-000355
- Vuln IDs
-
- V-240396
- V-89569
- Rule IDs
-
- SV-240396r670929_rule
- SV-100219
Checks: C-43629r670927_chk
Check that the SLES for vRealize enforces password complexity by requiring that at least one numeric character be used by running the following command: # grep dcredit /etc/pam.d/common-password-vmware.local If "dcredit" is not set to "-1" or is not set at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3
Fix: F-43588r670928_fix
If "dcredit" was not set at all in /etc/pam.d/common-password-vmware.local, run the following command: # sed -i '/pam_cracklib.so/ s/$/ dcredit=-1/' /etc/pam.d/common-password-vmware.local If "dcredit" was set incorrectly, run the following command: # sed -i '/pam_cracklib.so/ s/dcredit=../dcredit=-1/' /etc/pam.d/common-password-vmware.local
- RMF Control
- IA-5
- Severity
- High
- CCI
- CCI-000195
- Version
- VRAU-SL-000360
- Vuln IDs
-
- V-240397
- V-89571
- Rule IDs
-
- SV-240397r670932_rule
- SV-100221
Checks: C-43630r670930_chk
Check that at least eight characters need to be changed between old and new passwords during a password change by running the following command: # grep pam_cracklib /etc/pam.d/common-password-vmware.local The "difok" parameter indicates how many characters must be different. The DoD requires at least eight characters to be different during a password change. This would appear as "difok=8". If difok is not found or not set to at least "8", this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=8 retry=3
Fix: F-43589r670931_fix
If "difok" was not set at all in /etc/pam.d/common-password-vmware.local then run the following command: # sed -i '/pam_cracklib.so/ s/$/ difok-8/' /etc/pam.d/common-password-vmware.local If "difok" was set incorrectly then run the following command to set it to "8": # sed -i '/pam_cracklib.so/ s/difok=./difok=8/' /etc/pam.d/common-password-vmware.local
- RMF Control
- IA-5
- Severity
- High
- CCI
- CCI-000196
- Version
- VRAU-SL-000365
- Vuln IDs
-
- V-240398
- V-89573
- Rule IDs
-
- SV-240398r877397_rule
- SV-100223
Checks: C-43631r670933_chk
Check that the user account passwords are stored hashed using sha512 by running the following command: # more /etc/shadow If the password hash does not begins with "$6$" for user accounts such as "root" or "admin", this is a finding.
Fix: F-43590r670934_fix
Reset the user password using the following command: # passwd [user account]
- RMF Control
- IA-5
- Severity
- High
- CCI
- CCI-000196
- Version
- VRAU-SL-000370
- Vuln IDs
-
- V-240399
- V-89575
- Rule IDs
-
- SV-240399r877397_rule
- SV-100225
Checks: C-43632r670936_chk
Check that the user account passwords are stored hashed using sha512 by running the following command: # cat /etc/default/passwd | grep CRYPT=sha512 If "CRYPT=sha512" is not listed, this is a finding.
Fix: F-43591r670937_fix
Ensure password are being encrypted with hash sha512 with the following command: # echo 'CRYPT=sha512'>>/etc/default/passwd
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000198
- Version
- VRAU-SL-000380
- Vuln IDs
-
- V-240400
- V-89577
- Rule IDs
-
- SV-240400r670941_rule
- SV-100227
Checks: C-43633r670939_chk
To check that the SLES for vRealize enforces 24 hours/1 day as the minimum password age, run the following command: # grep PASS_MIN_DAYS /etc/login.defs | grep -v '#' The DoD requirement is "1". If "PASS_MIN_DAYS" is not set to the required value, this is a finding.
Fix: F-43592r670940_fix
To configure the SLES for vRealize to enforce 24 hours/1 day as the minimum password age, edit the file "/etc/login.defs" with the following command: # sed -i "/^[^#]*PASS_MIN_DAYS/ c\PASS_MIN_DAYS 1" /etc/login.defs
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000198
- Version
- VRAU-SL-000385
- Vuln IDs
-
- V-240401
- V-89579
- Rule IDs
-
- SV-240401r670944_rule
- SV-100229
Checks: C-43634r670942_chk
Check the minimum time period between password changes for each user account is 1 day. # cat /etc/shadow | cut -d ':' -f1,4 | grep -v 1 | grep -v ":$" If any results are returned, this is a finding.
Fix: F-43593r670943_fix
Change the minimum time period between password changes for each [USER] account to 1 day. The command in the check text will give you a list of users that need to be updated to be in compliance. # passwd -n 1 [USER]
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000199
- Version
- VRAU-SL-000390
- Vuln IDs
-
- V-240402
- V-89581
- Rule IDs
-
- SV-240402r670947_rule
- SV-100231
Checks: C-43635r670945_chk
To check that the SLES for vRealize enforces a 60-days or less maximum password age, run the following command: # grep PASS_MAX_DAYS /etc/login.defs | grep -v "#" The DoD requirement is "60" days or less (greater than zero, as zero days will lock the account immediately). If "PASS_MAX_DAYS" is not set to the required value, this is a finding.
Fix: F-43594r670946_fix
To configure the SLES for vRealize to enforce a 60-day or less maximum password age, edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days. # sed -i "/^[^#]*PASS_MAX_DAYS/ c\PASS_MAX_DAYS 60" /etc/login.defs The DoD requirement is "60" days or less (greater than zero, as zero days will lock the account immediately).
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000199
- Version
- VRAU-SL-000395
- Vuln IDs
-
- V-240403
- V-89583
- Rule IDs
-
- SV-240403r670950_rule
- SV-100233
Checks: C-43636r670948_chk
Check the max days field of /etc/shadow by running the following command: # cat /etc/shadow | cut -d':' -f1,5 | egrep -v "([0|60])" | grep -v ":$" If any results are returned, this is a finding.
Fix: F-43595r670949_fix
Set the maximum time period between password changes for each [USER] account to "60" days. The command in the check text will give you a list of users that need to be updated to be in compliance. # passwd -x 60 [USER] The DoD requirement is "60" days.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000200
- Version
- VRAU-SL-000400
- Vuln IDs
-
- V-240404
- V-89585
- Rule IDs
-
- SV-240404r670953_rule
- SV-100235
Checks: C-43637r670951_chk
Verify that the SLES for vRealize prohibits the reuse of a password for a minimum of five generations by running the following commands: # grep pam_pwhistory.so /etc/pam.d/common-password-vmware.local If the "remember" option in /etc/pam.d/common-password-vmware.local is not "5" or greater, this is a finding.
Fix: F-43596r670952_fix
Configure pam to use password history. If "remember" was not set at all in /etc/pam.d/common-password-vmware.local, run the following command: # sed -i '/pam_cracklib.so/ s/$/ remember=5/' /etc/pam.d/common-password-vmware.local If "remember" was set incorrectly, run the following command to set it to "5": # sed -i '/pam_cracklib.so/ s/remember=./remember=5/' /etc/pam.d/common-password-vmware.local
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000200
- Version
- VRAU-SL-000405
- Vuln IDs
-
- V-240405
- V-89587
- Rule IDs
-
- SV-240405r670956_rule
- SV-100237
Checks: C-43638r670954_chk
Verify that the old password file "opasswd" exists, by running the following command: # ls /etc/security/opasswd If "/etc/security/opasswd" does not exist, this is a finding.
Fix: F-43597r670955_fix
Create the password history file. # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000205
- Version
- VRAU-SL-000410
- Vuln IDs
-
- V-240406
- V-89589
- Rule IDs
-
- SV-240406r670959_rule
- SV-100239
Checks: C-43639r670957_chk
Verify that the SLES for vRealize enforces a minimum 15-character password length by running the following command: # grep pam_cracklib /etc/pam.d/common-password-vmware.local # grep pam_cracklib /etc/pam.d/common-password If "minlen" is not set to "15" or higher, this is a finding.
Fix: F-43598r670958_fix
If "minlen" was not set at all in /etc/pam.d/common-password-vmware.local, run the following command: # sed -i '/pam_cracklib.so/ s/$/ minlen=15/' /etc/pam.d/common-password-vmware.local If "minlen" was set incorrectly then run the following command to set it to "15": # sed -i '/pam_cracklib.so/ s/minlen=../minlen=15/' /etc/pam.d/common-password-vmware.local
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- VRAU-SL-000420
- Vuln IDs
-
- V-240407
- V-89591
- Rule IDs
-
- SV-240407r670962_rule
- SV-100241
Checks: C-43640r670960_chk
Verify that root password is required for single user mode login with the following command: # grep sulogin /etc/inittab Expected result: ~~:S:respawn:/sbin/sulogin If the expected result is not displayed, this is a finding.
Fix: F-43599r670961_fix
Configure the system to require root password login with single user mode use the following command: # echo '~~:S:respawn:/sbin/sulogin' >> /etc/inittab
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- VRAU-SL-000425
- Vuln IDs
-
- V-240408
- V-89593
- Rule IDs
-
- SV-240408r670965_rule
- SV-100243
Checks: C-43641r670963_chk
To verify a boot password exists, in /boot/grub/menu.lst run the following command: # grep password /boot/grub/menu.lst The output should show the following: password --encrypted $1$[rest-of-the-password-hash] If it does not, this is a finding.
Fix: F-43600r670964_fix
Run the following command: # /usr/sbin/grub-md5-crypt An MD5 password is generated. After the password is supplied, the command supplies the md5 hash output. Append the password to the "menu.lst" file by running the following command: echo 'password --md5 <hash from grub-md5-crypt>' >> /boot/grub/menu.lst Or use yast2 to set the bootloader password. Open the Boot Loader Installation tab. Click "Boot Loader Options". Activate the Protect Boot Loader with Password option with a click and type in the password twice. Click "OK" twice to save the changes.
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- VRAU-SL-000430
- Vuln IDs
-
- V-240409
- V-89595
- Rule IDs
-
- SV-240409r670968_rule
- SV-100245
Checks: C-43642r670966_chk
Check the /boot/grub/menu.lst file: # stat /boot/grub/menu.lst If /boot/grub/menu.lst has a mode more permissive than "0600", this is a finding.
Fix: F-43601r670967_fix
Change the mode of the menu.lst file to "0600": # chmod 0600 /boot/grub/menu.lst
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- VRAU-SL-000435
- Vuln IDs
-
- V-240410
- V-89597
- Rule IDs
-
- SV-240410r670971_rule
- SV-100247
Checks: C-43643r670969_chk
Check /boot/grub/menu.lst ownership: # stat /boot/grub/menu.lst If the owner of the file is not "root", this is a finding.
Fix: F-43602r670970_fix
Change the ownership of the file: # chown root /boot/grub/menu.lst
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- VRAU-SL-000440
- Vuln IDs
-
- V-240411
- V-89599
- Rule IDs
-
- SV-240411r670974_rule
- SV-100249
Checks: C-43644r670972_chk
Check /boot/grub/menu.lst ownership: # stat /boot/grub/menu.lst If the group-owner of the file is not "root", "bin", "sys", or "system", this is a finding.
Fix: F-43603r670973_fix
Change the group-ownership of the file: # chgrp root /boot/grub/menu.lst
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VRAU-SL-000445
- Vuln IDs
-
- V-240412
- V-89601
- Rule IDs
-
- SV-240412r670977_rule
- SV-100251
Checks: C-43645r670975_chk
Verify the Bluetooth protocol handler is prevented from dynamic loading: # grep "install bluetooth /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-43604r670976_fix
Prevent the Bluetooth protocol handler for dynamic loading: # echo "install bluetooth /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VRAU-SL-000450
- Vuln IDs
-
- V-240413
- V-89603
- Rule IDs
-
- SV-240413r670980_rule
- SV-100253
Checks: C-43646r670978_chk
If the system needs USB storage, this vulnerability is not applicable. Check if "usb-storage" is prevented from loading: # grep "install usb-storage /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no results are returned, this is a finding.
Fix: F-43605r670979_fix
Prevent the "usb-storage" module from loading: # echo "install usb-storage /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VRAU-SL-000455
- Vuln IDs
-
- V-240414
- V-89605
- Rule IDs
-
- SV-240414r670983_rule
- SV-100255
Checks: C-43647r670981_chk
If the system needs USB, this vulnerability is not applicable. Check if the directory /proc/bus/usb exists. If the directory /proc/bus/usb exists, this is a finding.
Fix: F-43606r670982_fix
Edit the grub bootloader file /boot/grub/menu.lst by appending the "nousb" parameter to the kernel boot line.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VRAU-SL-000460
- Vuln IDs
-
- V-240415
- V-89607
- Rule IDs
-
- SV-240415r670986_rule
- SV-100257
Checks: C-43648r670984_chk
Check if "telnet-server" is installed: # rpm -q telnet-server If there is a "telnet-server" package listed, this is a finding.
Fix: F-43607r670985_fix
To remove the "telnet-server" package use the following command: rpm -e telnet-server
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VRAU-SL-000465
- Vuln IDs
-
- V-240416
- V-89609
- Rule IDs
-
- SV-240416r670989_rule
- SV-100259
Checks: C-43649r670987_chk
Check if "rsh-server" is installed: # rpm -q rsh-server If an "rsh-server" package is listed, this is a finding.
Fix: F-43608r670988_fix
To remove the "telnet-server" package, use the following command: rpm -e rsh-server
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VRAU-SL-000470
- Vuln IDs
-
- V-240417
- V-89611
- Rule IDs
-
- SV-240417r670992_rule
- SV-100261
Checks: C-43650r670990_chk
Check if "ypserv" is installed: # rpm -q ypserv If there is a "ypserv" package listed, this is a finding.
Fix: F-43609r670991_fix
To remove the "telnet-server" package use the following command: rpm -e ypserv
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VRAU-SL-000475
- Vuln IDs
-
- V-240418
- V-89613
- Rule IDs
-
- SV-240418r670995_rule
- SV-100263
Checks: C-43651r670993_chk
Check if "yast2-tftp-server" is installed: # rpm -q yast2-tftp-server If a "yast2-tftp-server" package is listed, this is a finding.
Fix: F-43610r670994_fix
To remove the "yast2-tftp-server" package, use the following command: rpm -e yast2-tftp-server
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VRAU-SL-000490
- Vuln IDs
-
- V-240419
- V-89615
- Rule IDs
-
- SV-240419r670998_rule
- SV-100265
Checks: C-43652r670996_chk
Check if "tftp" is installed: # rpm -q tftp If there is a "tftp" package listed, this is a finding.
Fix: F-43611r670997_fix
To remove the "tftp" package use the following command: rpm -e tftp
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000495
- Vuln IDs
-
- V-240420
- V-89617
- Rule IDs
-
- SV-240420r671001_rule
- SV-100267
Checks: C-43653r670999_chk
Check that the DCCP protocol handler is prevented from dynamic loading: # grep "install dccp /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. # grep "install dccp_ipv4 /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. # grep "install dccp_ipv6" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* | grep ‘bin/true’ If no result is returned, this is a finding.
Fix: F-43612r671000_fix
Prevent the DCCP protocol handler for dynamic loading: # echo "install dccp /bin/true" >> /etc/modprobe.conf.local # echo "install dccp_ipv4 /bin/true" >> /etc/modprobe.conf.local # echo "install dccp_ipv6 /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000500
- Vuln IDs
-
- V-240421
- V-89619
- Rule IDs
-
- SV-240421r671004_rule
- SV-100269
Checks: C-43654r671002_chk
Verify the SCTP protocol handler is prevented from dynamic loading: # grep "install sctp /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-43613r671003_fix
Prevent the SCTP protocol handler for dynamic loading: # echo "install sctp /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000505
- Vuln IDs
-
- V-240422
- V-89621
- Rule IDs
-
- SV-240422r671007_rule
- SV-100271
Checks: C-43655r671005_chk
Ask the SA if RDS is required by application software running on the system. If so, this is not applicable. Check that the RDS protocol handler is prevented from dynamic loading: # grep "install rds /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-43614r671006_fix
Prevent the use of RDS protocol handler for dynamic loading: # echo "install rds /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000510
- Vuln IDs
-
- V-240423
- V-89623
- Rule IDs
-
- SV-240423r671010_rule
- SV-100273
Checks: C-43656r671008_chk
Verify the TIPC protocol handler is prevented from dynamic loading: # grep "install tipc /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-43615r671009_fix
Prevent the TIPC protocol handler for dynamic loading: # echo "install tipc /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000515
- Vuln IDs
-
- V-240424
- V-89625
- Rule IDs
-
- SV-240424r671013_rule
- SV-100275
Checks: C-43657r671011_chk
If network services are using the "xinetd" service, this is not applicable. To check that the "xinetd" service is disabled in system boot configuration, run the following command: # chkconfig "xinetd" --list Output should indicate the "xinetd" service has either not been installed or has been disabled at all run levels as shown in the example below: xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "xinetd" is disabled through current runtime configuration: # service xinetd status If the service is disabled, the command will return the following output: Checking for service xinetd: unused If the service is running, this is a finding.
Fix: F-43616r671012_fix
The "xinetd" service can be disabled with the following command: # chkconfig xinetd off
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000520
- Vuln IDs
-
- V-240425
- V-89627
- Rule IDs
-
- SV-240425r671016_rule
- SV-100277
Checks: C-43658r671014_chk
Check the owner of the "xinetd" configuration files: # ls -lL /etc/xinetd.conf # ls -laL /etc/xinetd.d This is a finding if any of the above files or directories are not owned by "root" or "bin".
Fix: F-43617r671015_fix
Change the owner of the "xinetd" configuration files: # chown root /etc/xinetd.conf /etc/xinetd.d/*
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000525
- Vuln IDs
-
- V-240426
- V-89629
- Rule IDs
-
- SV-240426r671019_rule
- SV-100279
Checks: C-43659r671017_chk
Check the group-ownership of the "xinetd" configuration files and directories: # ls -alL /etc/xinetd.conf /etc/xinetd.d If a file or directory is not group-owned by "root", "bin", "sys", or "system", this is a finding.
Fix: F-43618r671018_fix
Change the group-owner of the "xinetd" configuration files and directories: # chgrp -R root /etc/xinetd.conf /etc/xinetd.d
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000530
- Vuln IDs
-
- V-240427
- V-89631
- Rule IDs
-
- SV-240427r671022_rule
- SV-100281
Checks: C-43660r671020_chk
Check the permissions of the "xinetd" configuration directories: # ls -dlL /etc/xinetd.d If the mode of the directory is more permissive than "0755", this is a finding.
Fix: F-43619r671021_fix
Change the mode of the directory: # chmod 0755 /etc/xinetd.d
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000535
- Vuln IDs
-
- V-240428
- V-89633
- Rule IDs
-
- SV-240428r671025_rule
- SV-100283
Checks: C-43661r671023_chk
Examine the /etc/xinetd.conf file and each file in the /etc/xinetd.d directory file for the following: log_type = SYSLOG authpriv log_on_success = HOST PID USERID EXIT log_on_failure = HOST USERID If "xinetd" running and logging is not enabled, this is a finding.
Fix: F-43620r671024_fix
Edit each file in the /etc/xinetd.d directory and the /etc/xinetd.conf file to contain: log_type = SYSLOG authpriv log_on_success = HOST PID USERID EXIT log_on_failure = HOST USERID The /etc/xinetd.conf file contains default values that will hold true for all services unless individually modified in the service's "xinetd.d" file.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000540
- Vuln IDs
-
- V-240429
- V-89635
- Rule IDs
-
- SV-240429r671028_rule
- SV-100285
Checks: C-43662r671026_chk
If network services are using the "ypbind" service, this is not applicable. To check that the "ypbind" service is disabled in system boot configuration, run the following command: # chkconfig "ypbind" --list Output should indicate the "ypbind" service has either not been installed, or has been disabled at all run levels, as shown in the example below: ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ypbind" is disabled through current runtime configuration: # service ypbind status If the service is disabled the command will return the following output: Checking for service ypbind unused If the service is running, this is a finding.
Fix: F-43621r671027_fix
The "ypbind" service can be disabled with the following command: # chkconfig ypbind off
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000545
- Vuln IDs
-
- V-240430
- V-89637
- Rule IDs
-
- SV-240430r671031_rule
- SV-100287
Checks: C-43663r671029_chk
If the SLES for vRealize does not use NIS or NIS+, this is not applicable. Check if NIS or NIS+ is implemented using UDP: # rpcinfo -p | grep yp | grep udp If NIS or NIS+ is implemented using UDP, this is a finding.
Fix: F-43622r671030_fix
Configure the SLES for vRealize to not use UDP for NIS and NIS+. Consult vendor documentation for the required procedure.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000550
- Vuln IDs
-
- V-240431
- V-89639
- Rule IDs
-
- SV-240431r671034_rule
- SV-100289
Checks: C-43664r671032_chk
If the SLES for vRealize does not use NIS or NIS+, this is not applicable. Check the domain name for NIS maps: # domainname If the name returned is simple to guess, such as the organization name, building or room name, etc., this is a finding.
Fix: F-43623r671033_fix
Change the NIS domain name to a value difficult to guess. Consult vendor documentation for the required procedure.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000555
- Vuln IDs
-
- V-240432
- V-89641
- Rule IDs
-
- SV-240432r671037_rule
- SV-100291
Checks: C-43665r671035_chk
Determine if Sendmail only binds to loopback addresses by examining the "DaemonPortOptions" configuration options. # grep -i "O DaemonPortOptions" /etc/sendmail.cf If there are uncommented DaemonPortOptions lines, and all such lines specify system loopback addresses, this is not a finding. Otherwise, determine if Sendmail is configured to allow open relay operation. # grep -i promiscuous_relay /etc/mail/sendmail.mc If the promiscuous relay feature is enabled, this is a finding.
Fix: F-43624r671036_fix
If the SLES for vRealize does not need to receive mail from external hosts, add one or more "DaemonPortOptions" lines referencing system loopback addresses (such as "O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA") and remove lines containing non-loopback addresses. # sed -i "s/O DaemonPortOptions=Name=MTA/O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA/" /etc/sendmail.cf Restart the sendmail service: # service sendmail restart
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000560
- Vuln IDs
-
- V-240433
- V-89643
- Rule IDs
-
- SV-240433r671040_rule
- SV-100293
Checks: C-43666r671038_chk
Check the ownership of the alias file: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If all the files are not owned by "root", this is a finding.
Fix: F-43625r671039_fix
Change the owner of the alias files to "root": # chown root /etc/aliases # chown root /etc/aliases.db
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000565
- Vuln IDs
-
- V-240434
- V-89645
- Rule IDs
-
- SV-240434r671043_rule
- SV-100295
Checks: C-43667r671041_chk
Check the group-ownership of the alias files: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If the files are not group-owned by "root", this is a finding.
Fix: F-43626r671042_fix
Change the group-owner of the alias files to "root": # chgrp root /etc/aliases # chgrp root /etc/aliases.db
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000570
- Vuln IDs
-
- V-240435
- V-89647
- Rule IDs
-
- SV-240435r671046_rule
- SV-100297
Checks: C-43668r671044_chk
Check the permissions of the alias files: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If the files have a mode more permissive than "0644", this is a finding.
Fix: F-43627r671045_fix
Change the mode of the alias files to "0644": # chmod 0644 /etc/aliases /etc/aliases.db
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000575
- Vuln IDs
-
- V-240436
- V-89649
- Rule IDs
-
- SV-240436r671049_rule
- SV-100299
Checks: C-43669r671047_chk
Verify the ownership of files referenced within the sendmail aliases file: # more /etc/aliases Examine the aliases file for any directories or paths used: # ls -lL <directory or file path> Check the owner for any paths referenced. If the file or parent directory is not owned by "root", this is a finding.
Fix: F-43628r671048_fix
Edit the /etc/aliases file (alternatively, /usr/lib/sendmail.cf). Locate the entries executing a program. They will appear similar to the following line: Aliasname: : /usr/local/bin/ls (or some other program name) Ensure "root" owns the programs and the directory or directories they reside in by using the "chown" command to change owner to "root": # chown root <file or directory name>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000580
- Vuln IDs
-
- V-240437
- V-89651
- Rule IDs
-
- SV-240437r671052_rule
- SV-100301
Checks: C-43670r671050_chk
Examine the contents of the /etc/aliases file: # more /etc/aliases Examine the aliases file for any directories or paths that may be utilized: # ls -lL <file referenced from aliases> Check the permissions for any paths referenced. If the group-owner of any file is not "root", "bin", "sys", or "system", this is a finding.
Fix: F-43629r671051_fix
Change the group-ownership of the file referenced from /etc/mail/aliases: # chgrp root <file referenced from aliases>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000585
- Vuln IDs
-
- V-240438
- V-89653
- Rule IDs
-
- SV-240438r671055_rule
- SV-100303
Checks: C-43671r671053_chk
Examine the contents of the /etc/aliases file: # more /etc/aliases Examine the aliases file for any directories or paths that may be used: # ls -lL <file referenced from aliases> Check the permissions for any paths referenced. If any file referenced from the aliases file has a mode more permissive than "0755", this is a finding.
Fix: F-43630r671054_fix
Use the "chmod" command to change the access permissions for files executed from the alias file: # chmod 0755 <file referenced from aliases>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000590
- Vuln IDs
-
- V-240439
- V-89655
- Rule IDs
-
- SV-240439r671058_rule
- SV-100305
Checks: C-43672r671056_chk
Check sendmail to determine if the logging level is set to level nine: # grep "O L" /etc/sendmail.cf OR # grep LogLevel /etc/sendmail.cf If logging is set to less than nine, this is a finding.
Fix: F-43631r671057_fix
Edit the sendmail.cf file, locate the "O L" or "LogLevel" entry and change it to "9".
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000595
- Vuln IDs
-
- V-240440
- V-89657
- Rule IDs
-
- SV-240440r671061_rule
- SV-100307
Checks: C-43673r671059_chk
Check the /etc/syslog-ng/syslog-ng.conf for the following log entries: filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; If present, this is not a finding.
Fix: F-43632r671060_fix
Edit the /etc/syslog-ng/syslog-ng.conf file and add the following log entries: filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; destination mailinfo { file("/var/log/mail.info"); }; log { source(src); filter(f_mailinfo); destination(mailinfo); }; destination mailwarn { file("/var/log/mail.warn"); }; log { source(src); filter(f_mailwarn); destination(mailwarn); }; destination mailerr { file("/var/log/mail.err" fsync(yes)); }; log { source(src); filter(f_mailerr); destination(mailerr); };
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000600
- Vuln IDs
-
- V-240441
- V-89659
- Rule IDs
-
- SV-240441r671064_rule
- SV-100309
Checks: C-43674r671062_chk
Check the permissions on the mail log files: # ls -la /var/log/mail # ls -la /var/log/mail.info # ls -la /var/log/mail.warn # ls -la /var/log/mail.err If any mail log file is not owned by "root", this is a finding.
Fix: F-43633r671063_fix
Change the ownership of the sendmail log files: # chown root <sendmail log file>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000605
- Vuln IDs
-
- V-240442
- V-89661
- Rule IDs
-
- SV-240442r671067_rule
- SV-100311
Checks: C-43675r671065_chk
Check the permissions on the mail log files: # ls -la /var/log/mail # ls -la /var/log/mail.info # ls -la /var/log/mail.warn # ls -la /var/log/mail.err If the log file permissions are greater than "0644", this is a finding.
Fix: F-43634r671066_fix
Change the mode of the sendmail log files: # chmod 0644 <sendmail log file>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000610
- Vuln IDs
-
- V-240443
- V-89663
- Rule IDs
-
- SV-240443r671070_rule
- SV-100313
Checks: C-43676r671068_chk
Check the permissions of the sendmail helpfile: ls -al /usr/lib/sendmail.d/helpfile If the permissions are not "0000", this is a finding.
Fix: F-43635r671069_fix
Run the following command to disable the sendmail helpfile: # chmod 0000 /usr/lib/sendmail.d/helpfile
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000615
- Vuln IDs
-
- V-240444
- V-89665
- Rule IDs
-
- SV-240444r671073_rule
- SV-100315
Checks: C-43677r671071_chk
To check for the sendmail version being displayed in the greeting: # more /etc/sendmail.cf | grep SmtpGreetingMessage If it returns the following: O SmtpGreetingMessage=$j Sendmail $v/$Z; $b Then sendmail is providing version information, and this is a finding.
Fix: F-43636r671072_fix
Change the "O SmtpGreetingMessage" line in the /etc/sendmail.cf file to: O SmtpGreetingMessage= Mail Server Ready ; $b
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000620
- Vuln IDs
-
- V-240445
- V-89667
- Rule IDs
-
- SV-240445r671076_rule
- SV-100317
Checks: C-43678r671074_chk
Check if forwarding from sendmail: # grep "0 ForwardPath" /etc/sendmail.cf If the entry contains a file path and is not commented out, this is a finding.
Fix: F-43637r671075_fix
Disable forwarding for sendmail and remove ".forward" files from the system: Remove all .forward files on the system: # find / -name .forward -delete Use the following command to disable forwarding: # sed -i "s/O ForwardPath/#O ForwardPath/" /etc/sendmail.cf Restart the sendmail service: # service sendmail restart
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000625
- Vuln IDs
-
- V-240446
- V-89669
- Rule IDs
-
- SV-240446r671079_rule
- SV-100319
Checks: C-43679r671077_chk
Use the following command to check if EXPN is disabled: # grep -v "^#" /etc/sendmail.cf |grep -i PrivacyOptions If "noexpn" is not returned, this is a finding.
Fix: F-43638r671078_fix
Add "noexpn" to the "PrivacyOptions" flag in /etc/sendmail.cf
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000630
- Vuln IDs
-
- V-240447
- V-89671
- Rule IDs
-
- SV-240447r671082_rule
- SV-100321
Checks: C-43680r671080_chk
Use the following command to check if VRFY is disabled: # grep -v "^#" /etc/sendmail.cf |grep -i PrivacyOptions If "novrfy" is not returned, this is a finding.
Fix: F-43639r671081_fix
Add "novrfy" to the "PrivacyOptions" flag in /etc/sendmail.cf
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000635
- Vuln IDs
-
- V-240448
- V-89673
- Rule IDs
-
- SV-240448r671085_rule
- SV-100323
Checks: C-43681r671083_chk
Run the following command: iptables --list | grep "udplite" If no result is displayed, this is a finding.
Fix: F-43640r671084_fix
Configure the system to prevent the dynamic loading of the UDP-Lite protocol handler: Add the following rule to the iptables firewall ruleset: # iptables -A INPUT -p udplite -j DROP
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000640
- Vuln IDs
-
- V-240449
- V-89675
- Rule IDs
-
- SV-240449r671088_rule
- SV-100325
Checks: C-43682r671086_chk
Check that the IPX protocol handler is prevented from dynamic loading: # grep "install ipx /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-43641r671087_fix
Prevent the IPX protocol handler for dynamic loading: # echo "install ipx /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000645
- Vuln IDs
-
- V-240450
- V-89677
- Rule IDs
-
- SV-240450r671091_rule
- SV-100327
Checks: C-43683r671089_chk
Verify the AppleTalk protocol handler is prevented from dynamic loading: # grep "install appletalk /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-43642r671090_fix
Prevent the AppleTalk protocol handler for dynamic loading: # echo "install appletalk /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000650
- Vuln IDs
-
- V-240451
- V-89679
- Rule IDs
-
- SV-240451r671094_rule
- SV-100329
Checks: C-43684r671092_chk
Check that the DECnet protocol handler is prevented from dynamic loading: # grep "install decnet /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-43643r671093_fix
Prevent the DECnet protocol handler for dynamic loading: # echo "install decnet /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000655
- Vuln IDs
-
- V-240452
- V-89681
- Rule IDs
-
- SV-240452r671097_rule
- SV-100331
Checks: C-43685r671095_chk
Note: For Appliance OS, proxy_ndp is disabled by default and this is not a finding. Determine if the system is configured for proxy NDP, and if it is enabled: more /proc/sys/net/ipv6/conf/*/proxy_ndp If the file is not found, the kernel is not configured for proxy NDP, and this is not a finding. If the file has a value of "0", proxy NDP is not enabled, and this is not a finding. If the file has a value of "1", proxy NDP is enabled, and this is a finding.
Fix: F-43644r671096_fix
Disable proxy NDP on the system.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000660
- Vuln IDs
-
- V-240453
- V-89683
- Rule IDs
-
- SV-240453r671100_rule
- SV-100333
Checks: C-43686r671098_chk
Check the SLES for vRealize for any active "6to4" tunnels without specific remote addresses: # ip tun list | grep "remote any" | grep "ipv6/ip" If any results are returned the "tunnel" is the first field. If any results are returned, this is a finding.
Fix: F-43645r671099_fix
Disable the active 6to4 tunnel: # ip link set <tunnel> down Add this command to a startup script, or remove the configuration creating the tunnel.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000665
- Vuln IDs
-
- V-240454
- V-89685
- Rule IDs
-
- SV-240454r671103_rule
- SV-100335
Checks: C-43687r671101_chk
Verify the Teredo service is not running: ps ax | grep teredo | grep -v grep If the Teredo process is running, this is a finding.
Fix: F-43646r671102_fix
Kill the Teredo service. Edit startup scripts to prevent the service from running on startup. For Appliance OS, Teredo is not included by default, this is not a finding.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000670
- Vuln IDs
-
- V-240455
- V-89687
- Rule IDs
-
- SV-240455r671106_rule
- SV-100337
Checks: C-43688r671104_chk
Check that no interface is configured to use DHCP: # grep -i bootproto=dhcp4 /etc/sysconfig/network/ifcfg-* If any configuration is found, this is a finding.
Fix: F-43647r671105_fix
Edit the /etc/sysconfig/network/ifcfg-* file(s) and change the "bootproto" setting to "static".
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VRAU-SL-000675
- Vuln IDs
-
- V-240456
- V-89689
- Rule IDs
-
- SV-240456r671109_rule
- SV-100339
Checks: C-43689r671107_chk
If the SLES for vRealize needs IEEE 1394 (Firewire), this is not applicable. Check if the firewire module is not disabled: # grep "install ieee1394 /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no results are returned, this is a finding.
Fix: F-43648r671108_fix
Prevent the SLES for vRealize from loading the firewire module: # echo "install ieee1394 /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-000764
- Version
- VRAU-SL-000680
- Vuln IDs
-
- V-240457
- V-89691
- Rule IDs
-
- SV-240457r671112_rule
- SV-100341
Checks: C-43690r671110_chk
Verify that the SLES for vRealize contains no duplicate UIDs for organizational users by running the following command: # awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, this is a finding.
Fix: F-43649r671111_fix
Edit the file /etc/passwd and provide each organizational user account that has a duplicate UID with a unique UID.
- RMF Control
- IA-2
- Severity
- High
- CCI
- CCI-000770
- Version
- VRAU-SL-000705
- Vuln IDs
-
- V-240458
- V-89693
- Rule IDs
-
- SV-240458r671115_rule
- SV-100343
Checks: C-43691r671113_chk
Verify the SLES for vRealize prevents direct logons to the "root" account by running the following command: # grep root /etc/shadow | cut -d "":"" -f 2 If the returned message contains any text, this is a finding.
Fix: F-43650r671114_fix
Configure the SLES for vRealize to prevent direct logons to the "root" account by performing the following operations: Add this line to the /etc/group file: admin:x:[UNIQUE_NUMBER]:[USERNAME] USERNAME is the user to be added to the admin group. UNIQUE_NUMBER is a number entered into the ID field of an entry that is unique to all other IDs in the file. Comment out the following lines in /etc/sudoers file: Default targetpw ALL ALL=(ALL) ALL Under the line in the /etc/sudoers file: root ALL=(ALL) All Add the following line: %admin ALL=(ALL) ALL Run the following command: # passwd -d root
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-001941
- Version
- VRAU-SL-000710
- Vuln IDs
-
- V-240459
- V-89695
- Rule IDs
-
- SV-240459r852556_rule
- SV-100345
Checks: C-43692r671116_chk
Verify that the SLES for vRealize enforces SSHv2 for network access to privileged accounts by running the following command: Replace [ADDRESS] in the following command with the correct IP address based on the current system configuration. # ssh -1 [ADDRESS] An example of the command usage is as follows: # ssh -1 localhost The output must be the following: Protocol major versions differ: 1 vs. 2 If the output is not as listed above, this is a finding. OR Verify that the ssh is configured to enforce SSHv2 for network access to privileged accounts by running the following command: # grep Protocol /etc/ssh/sshd_config If the result is not "Protocol 2", this is a finding.
Fix: F-43651r671117_fix
Configure the SLES for vRealize to enforce SSHv2 for network access to privileged accounts by running the following commands: # sed -i 's/^.*\bProtocol\b.*$/Protocol 2/' /etc/ssh/sshd_config Restart the ssh service: # service sshd restart
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-001942
- Version
- VRAU-SL-000715
- Vuln IDs
-
- V-240460
- V-89697
- Rule IDs
-
- SV-240460r852557_rule
- SV-100347
Checks: C-43693r671119_chk
Verify that the SLES for vRealize enforces SSHv2 for network access to privileged accounts by running the following command: Replace [ADDRESS] in the following command with the correct IP address based on the current system configuration. # ssh -1 [ADDRESS] An example of the command usage is as follows: # ssh -1 localhost The output must be one of the following items: Protocol major versions differ: 1 vs. 2 OR: Protocol 1 not allowed in the FIPS mode. If the output is not one of the above, this is a finding. OR Verify that the ssh is configured to enforce SSHv2 for network access to privileged accounts by running the following command: # grep Protocol /etc/ssh/sshd_config If the result is not "Protocol 2", this is a finding.
Fix: F-43652r671120_fix
Configure the SLES for vRealize to enforce SSHv2 for network access to non-privileged accounts by running the following commands: # sed -i 's/^.*\bProtocol\b.*$/Protocol 2/' /etc/ssh/sshd_config Restart the ssh service: # service sshd restart
- RMF Control
- IA-4
- Severity
- Medium
- CCI
- CCI-000795
- Version
- VRAU-SL-000725
- Vuln IDs
-
- V-240461
- V-89699
- Rule IDs
-
- SV-240461r671124_rule
- SV-100349
Checks: C-43694r671122_chk
Verify the SLES for vRealize disables account identifiers after "35" days of inactivity after the password expiration, by performing the following commands: # grep "INACTIVE" /etc/default/useradd The output must indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: grep "INACTIVE" /etc/default/useradd INACTIVE=35 If "INACTIVE" is not set to the value of "35" or less, this is a finding.
Fix: F-43653r671123_fix
Configure the SLES for vRealize to disable account identifiers after 35 days of inactivity after the password expiration. Run the following command to change the configuration for useradd: Replace [VALUE] in the command with any integer from the range 0<[VALUE]<= 35. # sed -i "s/^.*\bINACTIVE\b.*$/INACTIVE=[VALUE]/" /etc/default/useradd DoD recommendation is "35" days, but a lower value is acceptable. The value "-1" will disable this feature and "0" will disable the account immediately after the password expires.
- RMF Control
- IA-7
- Severity
- Medium
- CCI
- CCI-000803
- Version
- VRAU-SL-000730
- Vuln IDs
-
- V-240462
- V-89701
- Rule IDs
-
- SV-240462r671127_rule
- SV-100351
Checks: C-43695r671125_chk
Check the /etc/default/passwd file: # grep CRYPT /etc/default/passwd If the "CRYPT" setting in /etc/default/passwd is not present, or not set to "SHA256" or "SHA512", this is a finding. If the "CRYPT_FILES" setting in /etc/default/passwd is not present, or not set to "SHA256" or "SHA512", this is a finding.
Fix: F-43654r671126_fix
Edit the /etc/default/passwd file and add or change the "CRYPT" variable setting so that it contains: CRYPT=sha256 OR CRYPT=sha512 Edit the /etc/default/passwd file and add or change the "CRYPT_FILES" variable setting so that it contains: CRYPT_FILES=sha256 OR CRYPT_FILES=sha512
- RMF Control
- IA-8
- Severity
- Medium
- CCI
- CCI-000804
- Version
- VRAU-SL-000735
- Vuln IDs
-
- V-240463
- V-89703
- Rule IDs
-
- SV-240463r671130_rule
- SV-100353
Checks: C-43696r671128_chk
Run the following command to check for duplicate account names: # pwck -rq If there are no duplicate names, no line will be returned. If a line is returned, this is a finding.
Fix: F-43655r671129_fix
Change usernames, or delete accounts, so each has a unique name.
- RMF Control
- IA-8
- Severity
- Medium
- CCI
- CCI-000804
- Version
- VRAU-SL-000740
- Vuln IDs
-
- V-240464
- V-89705
- Rule IDs
-
- SV-240464r671133_rule
- SV-100355
Checks: C-43697r671131_chk
To ensure all GIDs referenced in /etc/passwd are defined in /etc/group, run the following command: # pwck -rq If a line is returned, this is a finding.
Fix: F-43656r671132_fix
Add a group to the system for each GID referenced without a corresponding group.
- RMF Control
- IA-8
- Severity
- Medium
- CCI
- CCI-000804
- Version
- VRAU-SL-000745
- Vuln IDs
-
- V-240465
- V-89707
- Rule IDs
-
- SV-240465r671136_rule
- SV-100357
Checks: C-43698r671134_chk
Verify the SLES for vRealize uniquely identifies and authenticates non-organizational users by running the following commands: # awk -F: '{print $3}' /etc/passwd | sort | uniq -d If the output is not blank, this is a finding.
Fix: F-43657r671135_fix
Configure the SLES for vRealize to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). UNIQUE_USER_ID is a unique numerical value that must be non-negative. USERNAME is the username of the user whose user ID is to be changed. # usermod -u [UNIQUE_USER_ID] [USERNAME]
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001682
- Version
- VRAU-SL-000755
- Vuln IDs
-
- V-240466
- V-89709
- Rule IDs
-
- SV-240466r671139_rule
- SV-100359
Checks: C-43699r671137_chk
For each emergency administrator account run the following command: chage -l [user] If the output shows an expiration date for the account, this is a finding.
Fix: F-43658r671138_fix
For each emergency administrator account run the following command to remove the expiration: chage -E -1 [user]
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-000877
- Version
- VRAU-SL-000760
- Vuln IDs
-
- V-240467
- V-89711
- Rule IDs
-
- SV-240467r877395_rule
- SV-100361
Checks: C-43700r671140_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the "Ciphers" setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either nothing or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-43659r671141_fix
Update the "Ciphers" directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-000879
- Version
- VRAU-SL-000765
- Vuln IDs
-
- V-240468
- V-89713
- Rule IDs
-
- SV-240468r671145_rule
- SV-100363
Checks: C-43701r671143_chk
Check for the existence of the /etc/profile.d/tmout.sh file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.
Fix: F-43660r671144_fix
Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file /etc/profile.d/tmout.sh, and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null
- RMF Control
- SC-5
- Severity
- Medium
- CCI
- CCI-001095
- Version
- VRAU-SL-000785
- Vuln IDs
-
- V-240469
- V-89715
- Rule IDs
-
- SV-240469r671148_rule
- SV-100365
Checks: C-43702r671146_chk
Check that the SLES for vRealize configured to use TCP syncookies when experiencing a TCP SYN flood. # cat /proc/sys/net/ipv4/tcp_syncookies If the result is not "1", this is a finding.
Fix: F-43661r671147_fix
Configure the SLES for vRealize to use TCP syncookies when experiencing a TCP SYN flood. # sed -i 's/^.*\bnet.ipv4.tcp_syncookies\b.*$/net.ipv4.tcp_syncookies=1/' /etc/sysctl.conf Reload sysctl to verify the new change: # sysctl -p
- RMF Control
- SC-5
- Severity
- Medium
- CCI
- CCI-001095
- Version
- VRAU-SL-000790
- Vuln IDs
-
- V-240470
- V-89717
- Rule IDs
-
- SV-240470r671151_rule
- SV-100367
Checks: C-43703r671149_chk
Check that the SLES for vRealize has an appropriate TCP backlog queue size to mitigate against TCP SYN flood DOS attacks with the following command: # cat /proc/sys/net/ipv4/tcp_max_syn_backlog If the TCP backlog queue size is not set to at least the recommended default setting of "1280", this is a finding.
Fix: F-43662r671150_fix
Configure the TCP backlog queue size with the following command: # sed -i 's/^.*\bnet.ipv4.tcp_max_syn_backlog\b.*$/net.ipv4.tcp_max_syn_backlog=1280/' /etc/sysctl.conf Reload sysctl to verify the new change: # sysctl -p
- RMF Control
- SC-10
- Severity
- Medium
- CCI
- CCI-001133
- Version
- VRAU-SL-000795
- Vuln IDs
-
- V-240471
- V-89719
- Rule IDs
-
- SV-240471r671395_rule
- SV-100369
Checks: C-43704r671152_chk
Check for the existence of the /etc/profile.d/tmout.sh file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.
Fix: F-43663r671153_fix
Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file /etc/profile.d/tmout.sh, and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VRAU-SL-000820
- Vuln IDs
-
- V-240472
- V-89721
- Rule IDs
-
- SV-240472r671157_rule
- SV-100371
Checks: C-43705r671155_chk
Verify the /var/log directory is group-owned by "root" by running the following command: # ls -lad /var/log | cut -d' ' -f4 The output must look like the following example: ls -lad /var/log | cut -d' ' -f4 root If "root" is not returned as a result, this is a finding.
Fix: F-43664r671156_fix
Change the group of the directory /var/log to "root" by running the following command: # chgrp root /var/log
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VRAU-SL-000825
- Vuln IDs
-
- V-240473
- V-89723
- Rule IDs
-
- SV-240473r671160_rule
- SV-100373
Checks: C-43706r671158_chk
Verify that the /var/log directory is owned by "root" by running the following command: # ls -lad /var/log | cut -d' ' -f3 The output must look like the following example: ls -lad /var/log | cut -d' ' -f3 root If "root" is not returned as a result, this is a finding.
Fix: F-43665r671159_fix
Change the owner of the directory /var/log to "root" by running the following command: # chown root /var/log
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VRAU-SL-000830
- Vuln IDs
-
- V-240474
- V-89725
- Rule IDs
-
- SV-240474r671163_rule
- SV-100375
Checks: C-43707r671161_chk
Verify that the /var/log directory has mode 0750 or less by running the following command: # ls -lad /var/log | cut -d' ' -f1 The output must look like the following example: ls -lad /var/log | cut -d' ' -f1 drwxr-x--- If "drwxr-x---" is not returned as a result, this is a finding.
Fix: F-43666r671162_fix
Change the permissions of the directory /var/log to "0750" by running the following command: # chmod 0750 /var/log
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VRAU-SL-000835
- Vuln IDs
-
- V-240475
- V-89727
- Rule IDs
-
- SV-240475r671166_rule
- SV-100377
Checks: C-43708r671164_chk
Verify that the /var/log/messages file is group-owned by "root" by running the following command: # ls -la /var/log/messages | cut -d' ' -f4 The output must look like the following example: ls -la /var/log/messages | cut -d' ' -f4 root If "root" is not returned as a result, this is a finding.
Fix: F-43667r671165_fix
Change the group of the file /var/log/messages to "root" by running the following command: # chgrp root /var/log/messages
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VRAU-SL-000840
- Vuln IDs
-
- V-240476
- V-89729
- Rule IDs
-
- SV-240476r671169_rule
- SV-100379
Checks: C-43709r671167_chk
Verify that the /var/log/messages file is owned by "root" by running the following command: # ls -la /var/log/messages | cut -d' ' -f3 The output must look like the following example: ls -la /var/log/messages | cut -d' ' -f3 root If "root" is not returned as a result, this is a finding.
Fix: F-43668r671168_fix
Change the owner of the file /var/log/messages to "root" by running the following command: # chown root /var/log/messages
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VRAU-SL-000845
- Vuln IDs
-
- V-240477
- V-89731
- Rule IDs
-
- SV-240477r671172_rule
- SV-100381
Checks: C-43710r671170_chk
Verify that the /var/log/messages file has mode 0640 or less by running the following command: # ls -lad /var/log/messages | cut -d' ' -f1 The output must look like the following example: ls -lad /var/log/messages | cut -d' ' -f1 -rw-r----- If "-rw-r-----" is not returned as a result, this is a finding.
Fix: F-43669r671171_fix
Change the permissions of the file /var/log/messages to "0640" by running the following command: # chmod 0640 /var/log/messages
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VRAU-SL-000850
- Vuln IDs
-
- V-240478
- V-89733
- Rule IDs
-
- SV-240478r671175_rule
- SV-100383
Checks: C-43711r671173_chk
Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the mode of the file is more permissive than "0640", this is a finding.
Fix: F-43670r671174_fix
Change the permissions of the syslog configuration file(s): # chmod 640 /etc/syslog-ng/syslog-ng.conf
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VRAU-SL-000855
- Vuln IDs
-
- V-240479
- V-89735
- Rule IDs
-
- SV-240479r671178_rule
- SV-100385
Checks: C-43712r671176_chk
Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the file is not owned by "root", this is a finding.
Fix: F-43671r671177_fix
Use the chown command to set the owner to "root": # chown root /etc/syslog-ng/syslog-ng.conf
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VRAU-SL-000860
- Vuln IDs
-
- V-240480
- V-89737
- Rule IDs
-
- SV-240480r671181_rule
- SV-100387
Checks: C-43713r671179_chk
Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the file is not group-owned by "root", this is a finding.
Fix: F-43672r671180_fix
Change the group-owner of the /etc/rsyslog.conf file to "root": # chgrp root /etc/syslog-ng/syslog-ng.conf
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001403
- Version
- VRAU-SL-000870
- Vuln IDs
-
- V-240482
- V-89741
- Rule IDs
-
- SV-240482r671187_rule
- SV-100391
Checks: C-43715r671185_chk
Determine if execution of the usermod and groupmod executable are audited. # auditctl -l | egrep '(usermod|groupmod)' | grep perm=x If either usermod or groupmod are not listed with a permissions filter of at least 'x', this is a finding.
Fix: F-43674r671186_fix
Configure execute auditing of the usermod and groupmod executables run the dodscript with the following command as root: # /etc/dodscript.sh OR.... Configure execute auditing of the usermod and groupmod executables. Add the following to the audit.rules file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Restart the auditd service. # service auditd restart
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001403
- Version
- VRAU-SL-000875
- Vuln IDs
-
- V-240483
- V-89743
- Rule IDs
-
- SV-240483r671190_rule
- SV-100393
Checks: C-43716r671188_chk
Determine if /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow are audited for writing. # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)' | grep perm=w If any of these are not listed with a permissions filter of at least "w", this is a finding.
Fix: F-43675r671189_fix
Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files run "dodscript" with the following command as "root": # /etc/dodscript.sh OR Configure auditing of the "passwd", "shadow", "group", and "gshadow" files. Add the following to the audit.rules file: -w /etc/passwd -p w -k passwd -w /etc/shadow -p w -k shadow -w /etc/group -p w -k group -w /etc/gshadow -p w -k gshadow Restart the auditd service: # service auditd restart
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001404
- Version
- VRAU-SL-000880
- Vuln IDs
-
- V-240484
- V-89745
- Rule IDs
-
- SV-240484r671193_rule
- SV-100395
Checks: C-43717r671191_chk
Determine if execution of the "passwd" executable is audited: # auditctl -l | grep watch=/usr/bin/passwd If /usr/bin/passwd is not listed with a permissions filter of at least "x", this is a finding.
Fix: F-43676r671192_fix
Configure the SLES for vRealize to automatically audit account disabling actions by running the following command: # /etc/dodscript.sh OR # echo '-w /usr/bin/passwd -p x -k passwd' >> /etc/audit/audit.rules Restart the auditd service: # service auditd restart
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001405
- Version
- VRAU-SL-000885
- Vuln IDs
-
- V-240485
- V-89747
- Rule IDs
-
- SV-240485r671196_rule
- SV-100397
Checks: C-43718r671194_chk
Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding.
Fix: F-43677r671195_fix
Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the /etc/audit/audit.rules file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-001453
- Version
- VRAU-SL-000890
- Vuln IDs
-
- V-240486
- V-89749
- Rule IDs
-
- SV-240486r877394_rule
- SV-100399
Checks: C-43719r671197_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the "Ciphers" setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either nothing or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-43678r671198_fix
Update the "Ciphers" directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- AU-14
- Severity
- Medium
- CCI
- CCI-001464
- Version
- VRAU-SL-000895
- Vuln IDs
-
- V-240487
- V-89751
- Rule IDs
-
- SV-240487r671202_rule
- SV-100401
Checks: C-43720r671200_chk
Check for the "audit=1" kernel parameter. # grep "audit=1" /proc/cmdline If no results are returned, this is a finding.
Fix: F-43679r671201_fix
Edit the grub bootloader file /boot/grub/menu.lst by appending the "audit=1" parameter to the kernel boot line. Reboot the system for the change to take effect.
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-001487
- Version
- VRAU-SL-000900
- Vuln IDs
-
- V-240488
- V-89753
- Rule IDs
-
- SV-240488r671205_rule
- SV-100403
Checks: C-43721r671203_chk
Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not "running", this is a finding.
Fix: F-43680r671204_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001493
- Version
- VRAU-SL-000905
- Vuln IDs
-
- V-240489
- V-89755
- Rule IDs
-
- SV-240489r671208_rule
- SV-100405
Checks: C-43722r671206_chk
The following command will list which audit files on the system have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M' If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory: # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by RPM, this is a finding.
Fix: F-43681r671207_fix
Run the following command to reset audit permissions to the correct values: sudo rpm --setperms audit-1.8-0.34.26
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001494
- Version
- VRAU-SL-000910
- Vuln IDs
-
- V-240490
- V-89757
- Rule IDs
-
- SV-240490r671211_rule
- SV-100407
Checks: C-43723r671209_chk
The following command will list which audit files on the system where the group-ownership has been modified: # rpm -V audit | grep '^......G' If there is output, this is a finding.
Fix: F-43682r671210_fix
Run the following command to reset audit permissions to the correct values: sudo rpm --setperms audit-1.8-0.34.26
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001495
- Version
- VRAU-SL-000915
- Vuln IDs
-
- V-240491
- V-89759
- Rule IDs
-
- SV-240491r671214_rule
- SV-100409
Checks: C-43724r671212_chk
The following command will list which audit files on the system where the ownership has been modified: # rpm -V audit | grep '^.....U' If there is output, this is a finding.
Fix: F-43683r671213_fix
Run the following command to reset audit permissions to the correct values: sudo rpm --setperms audit-1.8-0.34.26
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- VRAU-SL-000920
- Vuln IDs
-
- V-240492
- V-89761
- Rule IDs
-
- SV-240492r671217_rule
- SV-100411
Checks: C-43725r671215_chk
Verify that that system wide shared library files are not group-writable or world writable with the following command: ls -l /lib /lib64 /usr/lib /usr/lib64 /lib/modules If any library files are group-writable or world writable, this is a finding.
Fix: F-43684r671216_fix
For any shared library file that was a finding: sudo chmod go-w <filename>
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- VRAU-SL-000921
- Vuln IDs
-
- V-240493
- V-89763
- Rule IDs
-
- SV-240493r671220_rule
- SV-100413
Checks: C-43726r671218_chk
Verify that that system wide shared library files have root ownership with the following command: ls -l /lib /lib64 /usr/lib /usr/lib64 /lib/modules If any library files are not root owned, this is a finding.
Fix: F-43685r671219_fix
For any shared library file that was a finding: sudo chown root <filename>
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- VRAU-SL-000922
- Vuln IDs
-
- V-240494
- V-89765
- Rule IDs
-
- SV-240494r671223_rule
- SV-100415
Checks: C-43727r671221_chk
Verify that that system executables are not group-writable or world writable with the following command: ls -l /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin If any files are group-writable or world writable, this is a finding.
Fix: F-43686r671222_fix
For any file that was a finding: sudo chmod go-w <filename>
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- VRAU-SL-000923
- Vuln IDs
-
- V-240495
- V-89767
- Rule IDs
-
- SV-240495r671226_rule
- SV-100417
Checks: C-43728r671224_chk
Verify that that system executable files have root ownership with the following command: ls -l /bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbin If any library files are not root owned, this is a finding.
Fix: F-43687r671225_fix
For any file that was a finding: sudo chown root <filename>
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-001619
- Version
- VRAU-SL-000925
- Vuln IDs
-
- V-240496
- V-89769
- Rule IDs
-
- SV-240496r671229_rule
- SV-100419
Checks: C-43729r671227_chk
Verify the SLES for vRealize enforces password complexity by requiring that at least one special character be used by using the following command: Check the password "ocredit" option: # grep pam_cracklib.so /etc/pam.d/common-password Confirm the "ocredit" option is set to "-1" as in the example: password requisite pam_cracklib.so ocredit=-1 There may be other options on the line. If no such line is found, or the "ocredit" is not "-1", this is a finding.
Fix: F-43688r671228_fix
Configure the SLES for vRealize to enforce password complexity by requiring that at least one special character be used: If "ocredit" was not set at all in /etc/pam.d/common-password-vmware.local then run the following command: # sed -i '/pam_cracklib.so/ s/$/ ocredit=-1/' /etc/pam.d/common-password-vmware.local If "ocredit" was set incorrectly then run the following command: # sed -i '/pam_cracklib.so/ s/ocredit=../ocredit=-1/' /etc/pam.d/common-password-vmware.local
- RMF Control
- AC-12
- Severity
- Medium
- CCI
- CCI-002361
- Version
- VRAU-SL-000960
- Vuln IDs
-
- V-240497
- V-89771
- Rule IDs
-
- SV-240497r852558_rule
- SV-100421
Checks: C-43730r671230_chk
Check for the existence of the /etc/profile.d/tmout.sh file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.
Fix: F-43689r671231_fix
Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file /etc/profile.d/tmout.sh, and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-002314
- Version
- VRAU-SL-000975
- Vuln IDs
-
- V-240498
- V-89773
- Rule IDs
-
- SV-240498r852559_rule
- SV-100423
Checks: C-43731r671233_chk
Check the SSH daemon configuration for listening network addresses: # grep -i Listen /etc/ssh/sshd_config | grep -v '^#' If no configuration is returned, or if a returned "Listen" configuration contains addresses not designated for management traffic, this is a finding.
Fix: F-43690r671234_fix
Edit the SSH daemon configuration /etc/ssh/sshd_config to specify listening network addresses designated for management traffic with the following command: sed -i "/^ListenAddress/ c\ListenAddress x.x.x.x" /etc/ssh/sshd_config Note: Replace x.x.x.x with the desired remote access IP address.
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-002130
- Version
- VRAU-SL-000995
- Vuln IDs
-
- V-240499
- V-89775
- Rule IDs
-
- SV-240499r852560_rule
- SV-100425
Checks: C-43732r671236_chk
Determine if execution of the "usermod" and "groupmod" executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "usermod" or "groupmod" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "passwd" executable is audited: # auditctl -l | grep “/usr/bin/passwd” If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if /etc/passwd, /etc/shadow, /etc/group, and /etc/security/opasswd are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.
Fix: F-43691r671237_fix
Configure "execute" auditing of the "usermod" and "groupmod" executables. Add the following to the /etc/audit/audit.rules file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure "execute" auditing of the "userdel" and "groupdel" executables. Add the following to the /etc/audit/audit.rules file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure "execute" auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure "execute" auditing of the "passwd" executable. Add the following to the aud.rules: -w /usr/bin/passwd -p x -k passwd Configure "write" auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the /etc/audit/audit.rules file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-002132
- Version
- VRAU-SL-001000
- Vuln IDs
-
- V-240500
- V-89777
- Rule IDs
-
- SV-240500r852561_rule
- SV-100427
Checks: C-43733r671239_chk
Determine if execution of the "usermod" and "groupmod" executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "usermod" or "groupmod" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "passwd" executable is audited: # auditctl -l | grep “/usr/bin/passwd” If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if /etc/passwd, /etc/shadow, /etc/group, and /etc/security/opasswd are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.
Fix: F-43692r671240_fix
Configure "execute" auditing of the "usermod" and "groupmod" executables. Add the following to the /etc/audit/audit.rules file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure "execute" auditing of the "userdel" and "groupdel" executables. Add the following to the /etc/audit/audit.rules file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure "execute" auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure "execute" auditing of the "passwd" executable. Add the following to the aud.rules: -w /usr/bin/passwd -p x -k passwd Configure "write" auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the /etc/audit/audit.rules file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart
- RMF Control
- AC-6
- Severity
- Low
- CCI
- CCI-002234
- Version
- VRAU-SL-001030
- Vuln IDs
-
- V-240501
- V-89779
- Rule IDs
-
- SV-240501r852562_rule
- SV-100429
Checks: C-43734r671242_chk
To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: # grep path /etc/audit/audit.rules It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.
Fix: F-43693r671243_fix
At a minimum, the audit system should collect the execution of privileged commands for all users and "root". To find the relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged OR # /etc/dodscript.sh
- RMF Control
- AC-7
- Severity
- Low
- CCI
- CCI-002238
- Version
- VRAU-SL-001035
- Vuln IDs
-
- V-240502
- V-89781
- Rule IDs
-
- SV-240502r852563_rule
- SV-100431
Checks: C-43735r671245_chk
Check the "pam_tally2" configuration: # more /etc/pam.d/common-auth Confirm the following line is configured: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300 # more /etc/pam.d/common-account Confirm the following line is configured: account required pam_tally2.so If no such lines are found, this is a finding.
Fix: F-43694r671246_fix
Edit "/etc/pam.d/common-auth" and add the following line: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300 Edit "/etc/pam.d/common-account" and add the following line: account required pam_tally2.so
- RMF Control
- AU-4
- Severity
- Low
- CCI
- CCI-001851
- Version
- VRAU-SL-001060
- Vuln IDs
-
- V-240503
- V-89783
- Rule IDs
-
- SV-240503r877390_rule
- SV-100433
Checks: C-43736r671248_chk
Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or "logserver" is commented out, this is a finding.
Fix: F-43695r671249_fix
Edit the syslog configuration file and add an appropriate remote syslog server: In the /etc/syslog-ng/syslog-ng.conf file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # destination logserver { udp("x.x.x.x" port(514)); }; log { source(src); destination(logserver); }; Note: Replace x.x.x.x with the appropriate IP address.
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-001855
- Version
- VRAU-SL-001065
- Vuln IDs
-
- V-240504
- V-89785
- Rule IDs
-
- SV-240504r877389_rule
- SV-100435
Checks: C-43737r671251_chk
Check "/etc/audit/auditd.conf" for the" space_left_action" with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding. Expected Result: space_left_action = SYSLOG NOTES: If the space_left_action is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the space_left_action is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct parameter", if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.
Fix: F-43696r671252_fix
Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-001858
- Version
- VRAU-SL-001070
- Vuln IDs
-
- V-240505
- V-89787
- Rule IDs
-
- SV-240505r852566_rule
- SV-100437
Checks: C-43738r671254_chk
Check "/etc/audit/auditd.conf" for the "space_left_action" with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding. Expected Result: space_left_action = SYSLOG NOTES: If the "space_left_action" is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct parameter", if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.
Fix: F-43697r671255_fix
Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-001891
- Version
- VRAU-SL-001110
- Vuln IDs
-
- V-240506
- V-89789
- Rule IDs
-
- SV-240506r878118_rule
- SV-100439
Checks: C-43739r671257_chk
A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file: # cat /etc/ntp.conf | grep server | grep -v '^#' # cat /etc/ntp.conf | grep peer | grep -v '^#' # cat /etc/ntp.conf | grep multicastclient | grep -v '^#' Confirm the servers and peers or multicastclient (as applicable) are local or an authoritative U.S. DoD source. If a non-local/non-authoritative time-server is used, this is a finding.
Fix: F-43698r671258_fix
To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for "ntpserver" by using the following command: # echo "server [ntpserver]" >> /etc/ntp.conf Replace [ntpserver] with one of the USNO time servers. This instructs the NTP software to contact that remote server to obtain time data. Restart the service with: # service ntp restart
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-001891
- Version
- VRAU-SL-001115
- Vuln IDs
-
- V-240507
- V-89791
- Rule IDs
-
- SV-240507r877038_rule
- SV-100441
Checks: C-43740r671260_chk
Check the ownership of the NTP configuration file: # ls -l /etc/ntp.conf If the owner is not "root", this is a finding.
Fix: F-43699r671261_fix
Change the owner of the NTP configuration file: # chown root /etc/ntp.conf
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-001891
- Version
- VRAU-SL-001120
- Vuln IDs
-
- V-240508
- V-89793
- Rule IDs
-
- SV-240508r877038_rule
- SV-100443
Checks: C-43741r671263_chk
Check the group-ownership of the NTP configuration file: # ls -lL /etc/ntp.conf If the group-owner is not "root", "bin", "sys", or "system", this is a finding.
Fix: F-43700r671264_fix
Change the group-owner of the NTP configuration file: # chgrp root /etc/ntp.conf
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-001891
- Version
- VRAU-SL-001125
- Vuln IDs
-
- V-240509
- V-89795
- Rule IDs
-
- SV-240509r877038_rule
- SV-100445
Checks: C-43742r671266_chk
Check that the mode for the NTP configuration file is not more permissive than "0640": # ls -l /etc/ntp.conf If the mode is more permissive than "0640", this is a finding.
Fix: F-43701r671267_fix
Change the mode of the NTP configuration file to "0640" or less permissive: # chmod 0640 /etc/ntp.conf
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-002046
- Version
- VRAU-SL-001130
- Vuln IDs
-
- V-240510
- V-89797
- Rule IDs
-
- SV-240510r852571_rule
- SV-100447
Checks: C-43743r671269_chk
Run the following command to determine the current status of the "ntpd" service: # service ntp status If the service is configured, the command should show a list of the ntp servers and the status of the synchronization. If it does not, this is a finding.
Fix: F-43702r671270_fix
The "ntp" service can be enabled with the following command: # chkconfig ntp on # service ntp start Configure the time server for the authoritative time source with the following steps: 1. Edit /etc/ntp.conf and locate the "server" entry. 2. Replace the address with the address of the authoritative time source. 3. Save the /etc/ntp.conf file. 4. Restart the ntp daemon with /etc/init.d/ntp start.
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001814
- Version
- VRAU-SL-001165
- Vuln IDs
-
- V-240511
- V-89799
- Rule IDs
-
- SV-240511r852572_rule
- SV-100449
Checks: C-43744r671272_chk
Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not "running", this is a finding.
Fix: F-43703r671273_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001749
- Version
- VRAU-SL-001170
- Vuln IDs
-
- V-240512
- V-89801
- Rule IDs
-
- SV-240512r877463_rule
- SV-100451
Checks: C-43745r671275_chk
Verify RPM signature validation is not disabled: # grep nosignature /usr/lib/rpm/rpmrc ~root/.rpmrc The result should either respond with no such file or directory, or an empty return. If any configuration is found, this is a finding.
Fix: F-43704r671276_fix
Edit the RPM configuration files containing the "nosignature" option and remove the option.
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-002884
- Version
- VRAU-SL-001245
- Vuln IDs
-
- V-240513
- V-89803
- Rule IDs
-
- SV-240513r852574_rule
- SV-100453
Checks: C-43746r671278_chk
Verify that all commands run by "root" are being audited with the following command: # cat /etc/audit/audit.rules | grep execve If the following lines are not displayed, this is a finding. -a exit,always -F arch=b64 -F euid=0 -S execve -a exit,always -F arch=b32 -F euid=0 -S execve
Fix: F-43705r671279_fix
Configure the system to log all commands run by "root" with the following command: # echo "-a exit,always -F arch=b64 -F euid=0 -S execve" >> /etc/audit/audit.rules # echo "-a exit,always -F arch=b32 -F euid=0 -S execve" >> /etc/audit/audit.rules Restart the audit service: # service auditd restart
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-002890
- Version
- VRAU-SL-001250
- Vuln IDs
-
- V-240514
- V-89805
- Rule IDs
-
- SV-240514r877382_rule
- SV-100455
Checks: C-43747r671281_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the "Ciphers" setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either nothing or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-43706r671282_fix
Update the "Ciphers" directive with the following command: # sed -i '/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr' /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-003123
- Version
- VRAU-SL-001255
- Vuln IDs
-
- V-240515
- V-89807
- Rule IDs
-
- SV-240515r877381_rule
- SV-100457
Checks: C-43748r671284_chk
Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.
Fix: F-43707r671285_fix
Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config
- RMF Control
- SC-13
- Severity
- High
- CCI
- CCI-002450
- Version
- VRAU-SL-001265
- Vuln IDs
-
- V-240516
- V-89809
- Rule IDs
-
- SV-240516r877380_rule
- SV-100459
Checks: C-43749r671287_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the "Ciphers" setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either nothing or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-43708r671288_fix
Update the "Ciphers" directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- SC-5
- Severity
- High
- CCI
- CCI-002385
- Version
- VRAU-SL-001305
- Vuln IDs
-
- V-240517
- V-89811
- Rule IDs
-
- SV-240517r852578_rule
- SV-100461
Checks: C-43750r671290_chk
Check that the system configured to use TCP syncookies when experiencing a TCP SYN flood. # cat /proc/sys/net/ipv4/tcp_syncookies If the result is not "1", this is a finding.
Fix: F-43709r671291_fix
Configure the system to use TCP syncookies when experiencing a TCP SYN flood. Check for the presence of "net.ipv4.tcp_syncookies" in the /etc/sysctl.conf file: # grep "net.ipv4.tcp_syncookies" /etc/sysctl.conf If it exists, change the value to "1". If it does not exist, add a setting for tcp_syncookies: # echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf Reload sysctl to verify the new change: # sysctl -p
- RMF Control
- SC-8
- Severity
- High
- CCI
- CCI-002418
- Version
- VRAU-SL-001310
- Vuln IDs
-
- V-240518
- V-89813
- Rule IDs
-
- SV-240518r916422_rule
- SV-100463
Checks: C-43751r671293_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the "Ciphers" setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either nothing or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-43710r671294_fix
Update the "Ciphers" directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- SC-8
- Severity
- High
- CCI
- CCI-002421
- Version
- VRAU-SL-001315
- Vuln IDs
-
- V-240519
- V-89815
- Rule IDs
-
- SV-240519r878119_rule
- SV-100465
Checks: C-43752r671296_chk
Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.
Fix: F-43711r671297_fix
Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line.
- RMF Control
- SI-16
- Severity
- Medium
- CCI
- CCI-002824
- Version
- VRAU-SL-001335
- Vuln IDs
-
- V-240520
- V-89817
- Rule IDs
-
- SV-240520r852581_rule
- SV-100467
Checks: C-43753r671299_chk
The stock kernel has support for non-executable program stacks compiled in by default. Verify that the option was specified when the kernel was built: # grep -i "execute" /var/log/boot.msg The message: "NX (Execute Disable) protection: active" will be written in the boot log when compiled in the kernel. This is the default for x86_64. To activate this support, the “noexec=on” kernel parameter must be specified at boot time. Check for a message with the following command: # grep –i "noexec" /var/log/boot.msg The message: "Kernel command line: <boot parameters> noexec=on" will be written to the boot log when properly appended to the /boot/grub/menu.lst file. If non-executable program stacks have not been configured, this is a finding.
Fix: F-43712r671300_fix
Edit the /boot/grub/menu.lst file and add “noexec=on” to the end of each kernel line entry. A system restart is required to implement this change.
- RMF Control
- SI-16
- Severity
- Medium
- CCI
- CCI-002824
- Version
- VRAU-SL-001340
- Vuln IDs
-
- V-240521
- V-89819
- Rule IDs
-
- SV-240521r852582_rule
- SV-100469
Checks: C-43754r671302_chk
Verify "randomize_va_space" has not been changed from the default "1" setting. # sysctl kernel.randomize_va_space If the return value is not "kernel.randomize_va_space = 1", this is a finding.
Fix: F-43713r671303_fix
Run the following command: #sysctl kernel.randomize_va_space=1
- RMF Control
- SI-6
- Severity
- Medium
- CCI
- CCI-002696
- Version
- VRAU-SL-001350
- Vuln IDs
-
- V-240522
- V-89821
- Rule IDs
-
- SV-240522r852583_rule
- SV-100471
Checks: C-43755r671305_chk
Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not "running", this is a finding.
Fix: F-43714r671306_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001365
- Vuln IDs
-
- V-240523
- V-89823
- Rule IDs
-
- SV-240523r671310_rule
- SV-100473
Checks: C-43756r671308_chk
To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.
Fix: F-43715r671309_fix
At a minimum, the audit system should collect administrator actions for all users and "root". Add the following to "/etc/audit/audit.rules": -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001375
- Vuln IDs
-
- V-240524
- V-89825
- Rule IDs
-
- SV-240524r671313_rule
- SV-100475
Checks: C-43757r671311_chk
To determine if the system is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=chmod,lchown,sethostname,fchmod,fchown,adjtimex,init_module,delete_module,chown,lchown32,fchown32,chown32,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-43716r671312_fix
At a minimum, the audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S chmod OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001380
- Vuln IDs
-
- V-240525
- V-89827
- Rule IDs
-
- SV-240525r671316_rule
- SV-100477
Checks: C-43758r671314_chk
To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.
Fix: F-43717r671315_fix
At a minimum, the audit system should collect administrator actions for all users and "root". Add the following to "/etc/audit/audit.rules": -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001390
- Vuln IDs
-
- V-240526
- V-89829
- Rule IDs
-
- SV-240526r671319_rule
- SV-100479
Checks: C-43759r671317_chk
To determine if the system is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=chmod,lchown,sethostname,fchmod,fchown,adjtimex,init_module,delete_module,chown,lchown32,fchown32,chown32,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-43718r671318_fix
At a minimum, the audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S chmod OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001400
- Vuln IDs
-
- V-240527
- V-89831
- Rule IDs
-
- SV-240527r671322_rule
- SV-100481
Checks: C-43760r671320_chk
To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.
Fix: F-43719r671321_fix
At a minimum, the audit system should collect administrator actions for all users and "root". Add the following to "/etc/audit/audit.rules": -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001405
- Vuln IDs
-
- V-240528
- V-89833
- Rule IDs
-
- SV-240528r671325_rule
- SV-100483
Checks: C-43761r671323_chk
The message types that are always recorded to /var/log/audit/audit.log include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files /var/log/faillog, /var/log/lastlog, and /var/log/tallylog must be protected from tampering of the logon records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If /var/log/faillog, /var/log/lastlog, and /var/log/tallylog entries do not exist, this is a finding.
Fix: F-43720r671324_fix
Ensure the auditing of logons by modifying /etc/audit/audit.rules to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001410
- Vuln IDs
-
- V-240529
- V-89835
- Rule IDs
-
- SV-240529r671328_rule
- SV-100485
Checks: C-43762r671326_chk
To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: # grep path /etc/audit/audit.rules It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.
Fix: F-43721r671327_fix
At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001415
- Vuln IDs
-
- V-240530
- V-89837
- Rule IDs
-
- SV-240530r671331_rule
- SV-100487
Checks: C-43763r671329_chk
Determine if "/sbin/insmod" is audited: # cat /etc/audit/audit.rules | grep "/sbin/insmod" If the result does not start with "-w" and contain "-p x", this is a finding.
Fix: F-43722r671330_fix
Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001420
- Vuln IDs
-
- V-240531
- V-89839
- Rule IDs
-
- SV-240531r671334_rule
- SV-100489
Checks: C-43764r671332_chk
The message types that are always recorded to /var/log/audit/audit.log include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files /var/log/faillog, /var/log/lastlog, and /var/log/tallylog must be protected from tampering of the logon records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If /var/log/faillog, /var/log/lastlog, and /var/log/tallylog entries do not exist, this is a finding.
Fix: F-43723r671333_fix
Ensure the auditing of logons by modifying /etc/audit/audit.rules to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR... # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001425
- Vuln IDs
-
- V-240532
- V-89841
- Rule IDs
-
- SV-240532r671337_rule
- SV-100491
Checks: C-43765r671335_chk
The message types that are always recorded to /var/log/audit/audit.log include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files /var/log/faillog, /var/log/lastlog, and /var/log/tallylog must be protected from tampering of the logon records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If /var/log/faillog, /var/log/lastlog, and /var/log/tallylog entries do not exist, this is a finding.
Fix: F-43724r671336_fix
Ensure the auditing of logons by modifying /etc/audit/audit.rules to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR... # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001430
- Vuln IDs
-
- V-240533
- V-89843
- Rule IDs
-
- SV-240533r671340_rule
- SV-100493
Checks: C-43766r671338_chk
Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is "enabled", the returned message must contain the following text: Checking for service auditd running If the service is not "running", this is a finding.
Fix: F-43725r671339_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001440
- Vuln IDs
-
- V-240534
- V-89845
- Rule IDs
-
- SV-240534r671343_rule
- SV-100495
Checks: C-43767r671341_chk
Verify auditd is configured to audit failed file access attempts. There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S open" | grep -e "-F exit=-EPERM" # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S open" | grep -e "-F exit=-EACCES" There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall. If not, this is a finding.
Fix: F-43726r671342_fix
Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S open -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EACCES -a exit,always -F arch=b32 -S open -F exit=-EPERM -a exit,always -F arch=b32 -S open -F exit=-EACCES
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001455
- Vuln IDs
-
- V-240535
- V-89847
- Rule IDs
-
- SV-240535r671346_rule
- SV-100497
Checks: C-43768r671344_chk
Verify auditd is configured to audit failed file access attempts. # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S ftruncate" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.
Fix: F-43727r671345_fix
Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S ftruncate -F success=0 -a exit,always -F arch=b32 -S ftruncate -F success=0
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001460
- Vuln IDs
-
- V-240536
- V-89849
- Rule IDs
-
- SV-240536r671349_rule
- SV-100499
Checks: C-43769r671347_chk
To determine if the system is configured to audit calls to the "unlink" system call, run the following command: # auditctl -l | grep syscall | grep unlink | grep -v unlinkat If the system is configured to audit this activity, it will return several lines. If it does not, this is a finding. To determine if the system is configured to audit calls to the "unlinkat" system call, run the following command: # auditctl -l | grep syscall | grep unlinkat If the system is configured to audit this activity, it will return several lines. If it does not, this is a finding. To determine if the system is configured to audit calls to the "rename" system call, run the following command: # auditctl -l | grep syscall | grep rename | grep -v renameat If the system is configured to audit this activity, it will return several lines. If it does not, this is a finding. To determine if the system is configured to audit calls to the "renameat" system call, run the following command: # auditctl -l | grep syscall | grep renameat If the system is configured to audit this activity, it will return several lines. If it does not, this is a finding.
Fix: F-43728r671348_fix
Edit the audit.rules file and add the following line(s) to enable auditing of deletions of files and programs: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001465
- Vuln IDs
-
- V-240537
- V-89851
- Rule IDs
-
- SV-240537r671352_rule
- SV-100501
Checks: C-43770r671350_chk
Check the system audit configuration to determine if file and directory deletions are audited: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -i "rmdir" If no results are returned, or the results do not contain "-S rmdir", this is a finding.
Fix: F-43729r671351_fix
Add the following to "/etc/audit/audit.rules" in order to capture file and directory deletion events: -a always,exit -F arch=b64 -S rmdir -S rm -a always,exit -F arch=b32 -S rmdir -S rm
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001470
- Vuln IDs
-
- V-240538
- V-89853
- Rule IDs
-
- SV-240538r671355_rule
- SV-100503
Checks: C-43771r671353_chk
Check for a "logrotate" entry that rotates audit logs. # ls -l /etc/logrotate.d/audit If it exists, check for the presence of the "daily" rotate flag: # egrep "daily" /etc/logrotate.d/audit The command should produce a "daily" entry in the logrotate file for the audit daemon. If the "daily" entry is missing, this is a finding.
Fix: F-43730r671354_fix
Create or edit the /etc/logrotate.d/audit file and add the "daily" entry, such as: /var/log/audit/audit.log { compress dateext rotate 15 daily missingok notifempty create 600 root root sharedscripts postrotate /sbin/service auditd restart 2> /dev/null > /dev/null || true endscript }
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001475
- Vuln IDs
-
- V-240539
- V-89855
- Rule IDs
-
- SV-240539r671358_rule
- SV-100505
Checks: C-43772r671356_chk
The message types that are always recorded to /var/log/audit/audit.log include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files /var/log/faillog, /var/log/lastlog, and /var/log/tallylog must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If /var/log/faillog, /var/log/lastlog, and /var/log/tallylog entries do not exist, this is a finding.
Fix: F-43731r671357_fix
Ensure the auditing of logins by modifying /etc/audit/audit.rules to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001480
- Vuln IDs
-
- V-240540
- V-89857
- Rule IDs
-
- SV-240540r671361_rule
- SV-100507
Checks: C-43773r671359_chk
Determine if execution of the "usermod" and "groupmod" executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "usermod" or "groupmod" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "passwd" executable is audited: # auditctl -l | grep “/usr/bin/passwd” If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if /etc/passwd, /etc/shadow, /etc/group, and /etc/security/opasswd are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.
Fix: F-43732r671360_fix
Configure "execute" auditing of the "usermod" and "groupmod" executables. Add the following to the /etc/audit/audit.rules file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure "execute" auditing of the "userdel" and "groupdel" executables. Add the following to the /etc/audit/audit.rules file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure "execute" auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure "execute" auditing of the "passwd" executable. Add the following to the aud.rules: -w /usr/bin/passwd -p x -k passwd Configure "write" auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the /etc/audit/audit.rules file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VRAU-SL-001485
- Vuln IDs
-
- V-240541
- V-89859
- Rule IDs
-
- SV-240541r671364_rule
- SV-100509
Checks: C-43774r671362_chk
Determine if "/sbin/insmod" is audited: # cat /etc/audit/audit.rules | grep "/sbin/insmod" If the result does not start with "-w" and contain "-p x", this is a finding.
Fix: F-43733r671363_fix
Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x OR # /etc/dodscript.sh
- RMF Control
- SC-13
- Severity
- Medium
- CCI
- CCI-002450
- Version
- VRAU-SL-001490
- Vuln IDs
-
- V-240542
- V-89861
- Rule IDs
-
- SV-240542r878120_rule
- SV-100511
Checks: C-43775r671365_chk
Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.
Fix: F-43734r671366_fix
Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line.
- RMF Control
- AU-4
- Severity
- Medium
- CCI
- CCI-001851
- Version
- VRAU-SL-001495
- Vuln IDs
-
- V-240543
- V-89863
- Rule IDs
-
- SV-240543r852585_rule
- SV-100513
Checks: C-43776r671368_chk
Check the "syslog" configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or "logserver" is commented out, this is a finding.
Fix: F-43735r671369_fix
Edit the syslog configuration file and add an appropriate remote syslog server: In the /etc/syslog-ng/syslog-ng.conf file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # destination logserver { udp("10.10.10.10" port(514)); }; log { source(src); destination(logserver); };
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VRAU-SL-001500
- Vuln IDs
-
- V-240544
- V-89865
- Rule IDs
-
- SV-240544r671373_rule
- SV-100515
Checks: C-43777r671371_chk
Check "/etc/pam.d/common-password" for "pam_cracklib" configuration: # grep pam_cracklib /etc/pam.d/common-password* If "pam_cracklib" is not present, this is a finding. Ensure the "passwd" command uses the "common-password" settings. # grep common-password /etc/pam.d/passwd If a line "password include common-password" is not found then the "password checks in common-password" will not be applied to new passwords, this is a finding.
Fix: F-43736r671372_fix
Edit "/etc/pam.d/common-password" and configure "pam_cracklib" by adding a line such as "password requisite pam_cracklib.so"
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VRAU-SL-001505
- Vuln IDs
-
- V-240545
- V-89867
- Rule IDs
-
- SV-240545r671376_rule
- SV-100517
Checks: C-43778r671374_chk
Verify the module "pam_cracklib.so" is present. # ls /lib/security/ Confirm that "pam_cracklib.so" is present in the directory listing. If "pam_cracklib.so" is not present, this is a finding. Verify the file "/etc/pam.d/common-password" is configured. # grep pam_cracklib /etc/pam.d/common-password* If a line containing "password required pam_cracklib.so" is not present, this is a finding.
Fix: F-43737r671375_fix
Configure the SLES for vRealize to prevent the use of dictionary words for passwords. Edit the file "/etc/pam.d/common-password". Configure "common-password" by adding a line such as: password required pam_cracklib.so Save the changes made to the file "/etc/pam.d/common-password".
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VRAU-SL-001510
- Vuln IDs
-
- V-240546
- V-89869
- Rule IDs
-
- SV-240546r671379_rule
- SV-100519
Checks: C-43779r671377_chk
Verify the "passwd" command uses the "common-password" settings. # grep common-password /etc/pam.d/passwd If a line "password include common-password" is not found then the "password checks in common-password" will not be applied to new passwords, and this is a finding.
Fix: F-43738r671378_fix
Configure the SLES for vRealize to prevent the use of dictionary words for passwords. Edit the file "/etc/pam.d/passwd". Configure "passwd" by adding a line such as: password include common-password Save the changes made to the file.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VRAU-SL-001515
- Vuln IDs
-
- V-240547
- V-89871
- Rule IDs
-
- SV-240547r671382_rule
- SV-100521
Checks: C-43780r671380_chk
Check the value of the "FAIL_DELAY" variable and the ability to use it: # grep FAIL_DELAY /etc/login.defs The following result should be displayed: FAIL_DELAY 4 If the value does not exist, or is less than "4", this is a finding. Check for the use of "pam_faildelay": # grep pam_faildelay /etc/pam.d/common-auth* The following result should be displayed: /etc/pam.d/common-auth:auth optional pam_faildelay.so If the "pam_faildelay.so" module is not listed or is commented out, this is a finding.
Fix: F-43739r671381_fix
Add the "pam_faildelay" module and set the "FAIL_DELAY" variable. Edit "/etc/login.defs" and set the value of the "FAIL_DELAY" variable to "4" or more. Edit "/etc/pam.d/common-auth" and add a "pam_faildelay" entry if one does not exist, such as: auth optional pam_faildelay.so
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VRAU-SL-001520
- Vuln IDs
-
- V-240548
- V-89873
- Rule IDs
-
- SV-240548r671385_rule
- SV-100523
Checks: C-43781r671383_chk
Verify the SLES for vRealize enforces a delay of at least "4" seconds between logon prompts following a failed logon attempt. Review the file "/etc/login.defs" and verify the parameter "FAIL_DELAY" is a value of "4" or greater. # grep FAIL_DELAY /etc/login.defs The typical configuration looks something like this: FAIL_DELAY 4 If the parameter "FAIL_DELAY" does not exists, or is less than "4", this is a finding.
Fix: F-43740r671384_fix
Configure the SLES for vRealize to enforce a delay of at least "4" seconds between logon prompts following a failed logon attempt. Set the parameter "FAIL_DELAY" to a value of "4" or greater. Edit the file "/etc/login.defs". Set the parameter "FAIL_DELAY" to a value of "4" or greater. The typical configuration looks something like this: FAIL_DELAY 4 Save the changes made to the file.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VRAU-SL-001525
- Vuln IDs
-
- V-240549
- V-89875
- Rule IDs
-
- SV-240549r671388_rule
- SV-100525
Checks: C-43782r671386_chk
Verify the SLES for vRealize enforces a delay of at least "4" seconds between logon prompts following a failed logon attempt. Verify the use of the "pam_faildelay" module. # grep pam_faildelay /etc/pam.d/common-auth* The typical configuration looks something like this: #delay is in micro seconds auth required pam_faildelay.so delay=4000000 If the line is not present, this is a finding.
Fix: F-43741r671387_fix
Configure the SLES for vRealize to enforce a delay of at least "4" seconds between logon prompts following a failed logon attempt with the following command: # sed -i "/^[^#]*pam_faildelay.so/ c\auth required pam_faildelay.so delay=4000000" /etc/pam.d/common-auth-vmware.local
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VRAU-SL-001530
- Vuln IDs
-
- V-240550
- V-89877
- Rule IDs
-
- SV-240550r671391_rule
- SV-100527
Checks: C-43783r671389_chk
Verify the SLES for vRealize is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding.
Fix: F-43742r671390_fix
Configure the SLES for vRealize in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VRAU-SL-001535
- Vuln IDs
-
- V-240551
- V-89879
- Rule IDs
-
- SV-240551r671394_rule
- SV-100529
Checks: C-43784r671392_chk
Check for the configured "umask" value in "login.defs" with the following command: # grep UMASK /etc/login.defs If the default "umask" is not "077", this a finding. Note: If the default umask is "000" or allows for the creation of world-writable files this becomes a Severity Code I finding.
Fix: F-43743r671393_fix
To configure the correct UMASK setting run the following command: # sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- VRAU-SL-009999
- Vuln IDs
-
- V-258447
- Rule IDs
-
- SV-258447r928860_rule
Checks: C-62187r928859_chk
vRealize Automation 7.x SLES is no longer supported by the vendor. If the system is running vRealize Automation 7.x SLES, this is a finding.
Fix: F-53958r798705_fix
Upgrade to a supported version.
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-001384
- Version
- VRAU-SL-000865
- Vuln IDs
-
- V-258526
- V-89739
- Rule IDs
-
- SV-258526r929672_rule
- SV-100389
Checks: C-62266r929670_chk
Check the issue file to verify that it contains one of the DoD required banners: # cat /etc/issue "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for SLES for vRealize that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." If it does not, this is a finding.
Fix: F-62175r929671_fix
To configure the system to display the Standard Mandatory DoD Notice and Consent Banner, run the dodscript with the following command as root: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000175
- Vuln IDs
-
- V-258527
- V-89503
- Rule IDs
-
- SV-258527r929675_rule
- SV-100153
Checks: C-62267r929673_chk
Check the auditing configuration of the system: # cat /etc/audit/audit.rules | grep -i "auditd.conf" If no results are returned, or the line does not start with "-w", this is a finding. Expected Result: -w /etc/audit/auditd.conf
Fix: F-62176r929674_fix
Add the following lines to the audit.rules file to enable auditing of administrative, privileged, and security actions: echo '-w /etc/audit/auditd.conf' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000180
- Vuln IDs
-
- V-258528
- V-89505
- Rule IDs
-
- SV-258528r929823_rule
- SV-100155
Checks: C-62268r929821_chk
Check if the system is configured to audit calls to the "adjtimex" system call by running the following command: # grep -w "adjtimex" /etc/audit/audit.rules If the system is configured to audit time changes, it will return at least two lines containing "-S adjtimex" that also contain "arch=b64". If no line is returned, this is a finding.
Fix: F-62177r929822_fix
Run the following command: echo '-a exit,always -F arch=b64 -S adjtimex -F auid=0' >> /etc/audit/audit.rules echo '-a exit,always -F arch=b64 -S adjtimex -F auid>=500 -F auid!=4294967295' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000185
- Vuln IDs
-
- V-258529
- V-89507
- Rule IDs
-
- SV-258529r929826_rule
- SV-100157
Checks: C-62269r929824_chk
Check if the system is configured to audit calls to the "settimeofday" system call by running the following command: # grep -w "settimeofday" /etc/audit/audit.rules If the system is configured to audit this activity, it will return at least two lines containing "-S settimeofday" that also contain "arch=b64". If no line is returned, this is a finding.
Fix: F-62178r929825_fix
Run the following command: echo '-a exit,always -F arch=b64 -S settimeofday -F auid=0' >> /etc/audit/audit.rules echo '-a exit,always -F arch=b64 -S settimeofday -F auid>=500 -F auid!=4294967295' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000190
- Vuln IDs
-
- V-258530
- V-89509
- Rule IDs
-
- SV-258530r929829_rule
- SV-100159
Checks: C-62270r929827_chk
Check if the system is configured to audit calls to the "settimeofday" system call by running the following command: # grep -w "stime" /etc/audit/audit.rules If the system is configured to audit this activity, it will return at least two lines containing "-S settimeofday" that also contain "arch=b64". If no line is returned, this is a finding.
Fix: F-62179r929828_fix
Run the following command: echo '-a exit,always -F arch=b64 -S stime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000195
- Vuln IDs
-
- V-258531
- V-89511
- Rule IDs
-
- SV-258531r929832_rule
- SV-100161
Checks: C-62271r929830_chk
Check if the system is configured to audit calls to the "clock_settime" system call by running the following command: # grep -w "clock_settime" /etc/audit/audit.rules If the system is configured to audit this activity, it will return at least a line containing "-S clock_settime" that also contain "arch=b64". If no line is returned, this is a finding.
Fix: F-62180r929831_fix
Run the following command: echo '-a exit,always -F arch=b64 -S clock_settime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000200
- Vuln IDs
-
- V-258532
- V-89513
- Rule IDs
-
- SV-258532r929835_rule
- SV-100163
Checks: C-62272r929833_chk
To determine if the system is configured to audit attempts to alter time via the /etc/localtime file, run the following command: # auditctl -l | grep "watch=/etc/localtime" If the system is configured to audit this activity, it will return. LIST_RULES: exit,always watch=/etc/localtime perm=wa key=localtime If no line is returned, this is a finding.
Fix: F-62181r929834_fix
To configure the system to audit attempts to alter time via the /etc/localtime file, run the following command: echo '-w /etc/localtime -p wa -k localtime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000205
- Vuln IDs
-
- V-258533
- V-89515
- Rule IDs
-
- SV-258533r929838_rule
- SV-100165
Checks: C-62273r929836_chk
Check if the system is configured to audit calls to the "sethostname" system call by running the following command: # grep -w "sethostname" /etc/audit/audit.rules If the system is configured to audit this activity, it will return at least one line. If no line is returned, this is a finding.
Fix: F-62182r929837_fix
Run the following command: # echo '-a exit,always -F arch=b64 -S sethostname' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000210
- Vuln IDs
-
- V-258534
- V-89517
- Rule IDs
-
- SV-258534r929841_rule
- SV-100167
Checks: C-62274r929839_chk
Check if the system is configured to audit calls to the "sethostname" system call by running the following command: # grep -w "setdomainname" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.
Fix: F-62183r929840_fix
Run the following command: # echo '-a exit,always -F arch=b64 -S setdomainname' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000215
- Vuln IDs
-
- V-258535
- V-89519
- Rule IDs
-
- SV-258535r929844_rule
- SV-100169
Checks: C-62275r929842_chk
Check if the system is configured to audit calls to the "sethostname" system call by running the following command: # grep -w "sched_setparam" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.
Fix: F-62184r929843_fix
Run the following command: echo '-a exit,always -F arch=b64 -S sched_setparam' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000220
- Vuln IDs
-
- V-258536
- V-89521
- Rule IDs
-
- SV-258536r929847_rule
- SV-100171
Checks: C-62276r929845_chk
Check if the system is configured to audit calls to the "sethostname" system call by running the following command: # grep -w "sched_setscheduler" /etc/audit/audit.rules If the system is configured to audit this activity, it will return a line. If no line is returned, this is a finding.
Fix: F-62185r929846_fix
Run the following command: echo '-a exit,always -F arch=b64 -S sched_setscheduler' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000225
- Vuln IDs
-
- V-258537
- V-89523
- Rule IDs
-
- SV-258537r929850_rule
- SV-100173
Checks: C-62277r929848_chk
Verify that attempts to alter the log files /var/log/faillog are audited: # egrep "faillog" /etc/audit/audit.rules If "-w /var/log/faillog -p wa" entry does not exist, this is a finding.
Fix: F-62186r929849_fix
Ensure attempts to alter /var/log/faillog are audited by modifying /etc/audit/audit.rules to contain -w /var/log/faillog -p wa with the following command: echo '-w /var/log/faillog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000230
- Vuln IDs
-
- V-258538
- V-89525
- Rule IDs
-
- SV-258538r929853_rule
- SV-100175
Checks: C-62278r929851_chk
Verify that attempts to alter the log files /var/log/lastlog are audited: # egrep "lastlog" /etc/audit/audit.rules If "-w /var/log/lastlog -p wa" entry does not exist, this is a finding.
Fix: F-62187r929852_fix
Ensure attempts to alter /var/log/lastlog are audited by modifying /etc/audit/audit.rules to contain -w /var/log/lastlog -p wa with the following command: echo '-w /var/log/lastlog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VRAU-SL-000235
- Vuln IDs
-
- V-258539
- V-89527
- Rule IDs
-
- SV-258539r929856_rule
- SV-100177
Checks: C-62279r929854_chk
Verify that attempts to alter the log files /var/log/tallylog are audited: # egrep "tallylog" /etc/audit/audit.rules If "-w /var/log/tallylog -p wa" entry does not exist, this is a finding.
Fix: F-62188r929855_fix
Ensure attempts to alter /var/log/tallylog are audited by modifying /etc/audit/audit.rules to contain "-w /var/log/tallylog -p wa" with the following command: echo '-w /var/log/tallylog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh