VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide
- Version/Release: V2R2
- Published: 2023-09-21
-
Expand All:
- Severity:
-
Sort:
Compare
Select any two versions of this STIG to compare the individual requirements
View
Select any old version/release of this STIG to view the previous requirements
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-000015
- Version
- VROM-SL-000005
- Vuln IDs
-
- V-239441
- V-88353
- Rule IDs
-
- SV-239441r661774_rule
- SV-99003
Checks: C-42674r661772_chk
Interview the server admin to determine if there is automated mechanisms for managing user accounts. If there is not, this is a finding.
Fix: F-42633r661773_fix
Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos.
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-000016
- Version
- VROM-SL-000010
- Vuln IDs
-
- V-239442
- V-88355
- Rule IDs
-
- SV-239442r661777_rule
- SV-99005
Checks: C-42675r661775_chk
For every existing temporary account, run the following command to obtain its account expiration information. # chage -l system_account_name Verify each of these accounts has an expiration date set within "72" hours. If any temporary accounts have no expiration date set or do not expire within "72" hours, this is a finding.
Fix: F-42634r661776_fix
In the event temporary accounts are required, configure the system to terminate them after "72" hours. For every temporary account, run the following command to set an expiration date on it, substituting "system_account_name" for the appropriate value. # chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name `date -d "+3 days" +%Y-%m-%d` gets the expiration date for the account at the time of running the command.
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-000018
- Version
- VROM-SL-000015
- Vuln IDs
-
- V-239443
- V-88357
- Rule IDs
-
- SV-239443r661780_rule
- SV-99007
Checks: C-42676r661778_chk
Determine if execution of the useradd and groupadd executable are audited. # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Expected result: LIST_RULES: exit,always watch=/usr/sbin/useradd perm=x key=useradd LIST_RULES: exit,always watch=/usr/sbin/groupadd perm=x key=groupadd
Fix: F-42635r661779_fix
Configure execute auditing of the "useradd" and "groupadd" executables run the DoD.script with the following command as root: # /etc/dodscript.sh OR Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to /etc/audit/audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Restart the auditd service. # service auditd restart
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-000018
- Version
- VROM-SL-000020
- Vuln IDs
-
- V-239444
- V-88359
- Rule IDs
-
- SV-239444r661783_rule
- SV-99009
Checks: C-42677r661781_chk
Determine if /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow are audited for appending. # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)' | grep perm=a If the "passwd", "shadow", "group", and "gshadow" files are not listed with a permissions filter of at least "a", this is a finding. Expected result: LIST_RULES: exit,always watch=/etc/passwd perm=a key=passwd LIST_RULES: exit,always watch=/etc/shadow perm=a key=shadow LIST_RULES: exit,always watch=/etc/group perm=a key=group LIST_RULES: exit,always watch=/etc/gshadow perm=a key=gshadow
Fix: F-42636r661782_fix
Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files run the DoD.script with the following command as root: # /etc/dodscript.sh # echo '-w /etc/gshadow -p a -k gshadow' >> /etc/audit/audit.rules Restart the auditd service. # service auditd restart OR Configure append auditing of the passwd, shadow, group, and gshadow files by running the following commands: # echo '-w /etc/passwd -p a -k passwd' >> /etc/audit/audit.rules # echo '-w /etc/shadow -p a -k shadow' >> /etc/audit/audit.rules # echo '-w /etc/group -p a -k group' >> /etc/audit/audit.rules # echo '-w /etc/gshadow -p a -k gshadow' >> /etc/audit/audit.rules Restart the auditd service. # service auditd restart
- RMF Control
- AC-7
- Severity
- Medium
- CCI
- CCI-000044
- Version
- VROM-SL-000025
- Vuln IDs
-
- V-239445
- V-88361
- Rule IDs
-
- SV-239445r661786_rule
- SV-99011
Checks: C-42678r661784_chk
Run the following command to ensure that the SLES for vRealize enforces the limit of "3" consecutive invalid logon attempts by a user: # grep pam_tally2.so /etc/pam.d/common-auth The output should contain "deny=3" in the returned line. If the output does not contain "deny=3", this is a finding. Expected Result: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300
Fix: F-42637r661785_fix
To configure the SLES for vRealize to enforce the limit of "3" consecutive invalid attempts using "pam_tally2.so", modify the content of the /etc/pam.d/common-auth-vmware.local by running the following command: # sed -i "/^[^#]*pam_tally2.so/ c\auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300" /etc/pam.d/common-auth-vmware.local
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-000048
- Version
- VROM-SL-000030
- Vuln IDs
-
- V-239446
- V-88363
- Rule IDs
-
- SV-239446r661789_rule
- SV-99013
Checks: C-42679r661787_chk
Check that the SSH daemon is configured for logon warning banners: # grep -i banner /etc/ssh/sshd_config | grep -v '#' The output should contain "Banner /etc/issue". If the output does not contain "Banner /etc/issue", this is a finding.
Fix: F-42638r661788_fix
To configure the SSH daemon with the logon warning banners, modify /etc/ssh/sshd_config execute the following command: # sed -i "/^[^#]*Banner/ c\Banner /etc/issue" /etc/ssh/sshd_config The SSH service will need to be restarted after the above change has been made to SSH. This can be done by running the following command: # service sshd restart
- RMF Control
- AC-10
- Severity
- Low
- CCI
- CCI-000054
- Version
- VROM-SL-000040
- Vuln IDs
-
- V-239447
- V-88365
- Rule IDs
-
- SV-239447r877399_rule
- SV-99015
Checks: C-42680r661790_chk
Verify the SLES for vRealize limits the number of concurrent sessions to "10" for all accounts and/or account types with the following command: # grep maxlogins /etc/security/limits.conf | grep -v '#' The default maxlimits should be set to a max of "10" or a documented site defined number: * hard maxlogins 10 If the default maxlimits is not set to "10" or the documented site defined number, this is a finding.
Fix: F-42639r661791_fix
Configure the SLES for vRealize to limit the number of concurrent sessions to "10" for all accounts and/or account types by using the following command: sed -i 's/\(^* *hard *maxlogins\).*/* hard maxlogins 10/g' /etc/security/limits.conf
- RMF Control
- AC-11
- Severity
- Medium
- CCI
- CCI-000057
- Version
- VROM-SL-000050
- Vuln IDs
-
- V-239448
- V-88367
- Rule IDs
-
- SV-239448r661795_rule
- SV-99017
Checks: C-42681r661793_chk
Check for the existence of the /etc/profile.d/tmout.sh file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to 900 seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set, this is a finding.
Fix: F-42640r661794_fix
Ensure the file exists and is owned by root. If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null
- RMF Control
- AC-11
- Severity
- Medium
- CCI
- CCI-000057
- Version
- VROM-SL-000055
- Vuln IDs
-
- V-239449
- V-88369
- Rule IDs
-
- SV-239449r661798_rule
- SV-99019
Checks: C-42682r661796_chk
Verify SLES for vRealize initiates a session lock after a 15-minute period of inactivity for SSH. Execute the following command: # grep ClientAliveInterval /etc/ssh/sshd_config; grep ClientAliveCountMax /etc/ssh/sshd_config Verify the following result: ClientAliveInterval 900 ClientAliveCountMax 0 If the session lock is not set to a 15-minute period, this is a finding.
Fix: F-42641r661797_fix
Configure SLES for vRealize to initiate a session lock after a 15-minute period of inactivity for SSH. Set the session lock after a 15-minute period by executing the following command: # sed -i 's/^.*\bClientAliveInterval\b.*$/ClientAliveInterval 900/' /etc/ssh/sshd_config; sed -i 's/^.*\bClientAliveCountMax\b.*$/ClientAliveCountMax 0/' /etc/ssh/sshd_config
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-000067
- Version
- VROM-SL-000070
- Vuln IDs
-
- V-239450
- V-88371
- Rule IDs
-
- SV-239450r661801_rule
- SV-99021
Checks: C-42683r661799_chk
Verify that SSH is configured to verbosely log connection attempts and failed logon attempts to the server by running the following command: # grep LogLevel /etc/ssh/sshd_config | grep -v '#' The output message must contain the following text: LogLevel VERBOSE If it is not set to "VERBOSE", this is a finding.
Fix: F-42642r661800_fix
To configure SSH to verbosely log connection attempts and failed logon attempts to the server, run the following command: # sed -i 's/^.*\bLogLevel\b.*$/LogLevel VERBOSE/' /etc/ssh/sshd_config The SSH service will need to be restarted after the above change has been made to SSH. This can be done by running the following command: # service sshd restart
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-000068
- Version
- VROM-SL-000075
- Vuln IDs
-
- V-239451
- V-88373
- Rule IDs
-
- SV-239451r877398_rule
- SV-99023
Checks: C-42684r661802_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the sshd_config file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-42643r661803_fix
Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-000068
- Version
- VROM-SL-000080
- Vuln IDs
-
- V-239452
- V-88375
- Rule IDs
-
- SV-239452r877398_rule
- SV-99025
Checks: C-42685r766910_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the ssh_config file. # grep -i Ciphers /etc/ssh/ssh_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes256-ctr,aes128-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-42644r661806_fix
Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/ssh_config Save and close the file.
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- VROM-SL-000085
- Vuln IDs
-
- V-239453
- V-88377
- Rule IDs
-
- SV-239453r661810_rule
- SV-99027
Checks: C-42686r661808_chk
Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for: service auditd running If the service is not running, this is a finding.
Fix: F-42645r661809_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-000139
- Version
- VROM-SL-000125
- Vuln IDs
-
- V-239454
- V-88379
- Rule IDs
-
- SV-239454r661813_rule
- SV-99029
Checks: C-42687r661811_chk
Check /etc/audit/auditd.conf for the "space_left_action" with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding. Expected Result: space_left_action = SYSLOG Notes: If the space_left_action is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the space_left_action is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note: If the email address of the system administrator is on a remote system "sendmail" must be available.
Fix: F-42646r661812_fix
Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-000140
- Version
- VROM-SL-000130
- Vuln IDs
-
- V-239455
- V-88381
- Rule IDs
-
- SV-239455r661816_rule
- SV-99031
Checks: C-42688r661814_chk
Verify the /etc/audit/auditd.conf has the "disk_full_action", "disk_error_action", and "admin_disk_space_left" parameters set. # grep disk_full_action /etc/audit/auditd.conf If the "disk_full_action" parameter is missing or set to "suspend" or "ignore", this is a finding. # grep disk_error_action /etc/audit/auditd.conf If the "disk_error_action" parameter is missing or set to "suspend" or "ignore", this is a finding. # grep admin_space_left_action /etc/audit/auditd.conf If the "admin_space_left_action" parameter is missing or set to "suspend" or "ignore", this is a finding.
Fix: F-42647r661815_fix
Edit /etc/audit/auditd.conf and set the "disk_full_action", "disk_error_action", and "admin_space_left_action" parameters to "syslog" with the following commands: # sed -i "/^[^#]*disk_full_action/ c\disk_full_action = SYSLOG" /etc/audit/auditd.conf # sed -i "/^[^#]*disk_error_action/ c\disk_error_action = SYSLOG" /etc/audit/auditd.conf # sed -i "/^[^#]*admin_space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000162
- Version
- VROM-SL-000150
- Vuln IDs
-
- V-239456
- V-88383
- Rule IDs
-
- SV-239456r661819_rule
- SV-99033
Checks: C-42689r661817_chk
Verify that the SLES for vRealize audit logs are owned by "root". # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file is not owned by "root" or "admin", this is a finding.
Fix: F-42648r661818_fix
Change the ownership of the audit log file(s). Procedure: # chown root <audit log file> # chown root /var/log/audit/audit.log
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000162
- Version
- VROM-SL-000155
- Vuln IDs
-
- V-239457
- V-88385
- Rule IDs
-
- SV-239457r661822_rule
- SV-99035
Checks: C-42690r661820_chk
Verify that the SLES for vRealize audit logs are group-owned by "root". # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file is not group-owned by "root" or "admin", this is a finding.
Fix: F-42649r661821_fix
Change the group ownership of the audit log file(s). Procedure: # chgrp root <audit log file> # chgrp root /var/log/audit/audit.log
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000163
- Version
- VROM-SL-000160
- Vuln IDs
-
- V-239458
- V-88387
- Rule IDs
-
- SV-239458r661825_rule
- SV-99037
Checks: C-42691r661823_chk
Check that the SLES for vRealize audit logs with the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file has a mode more permissive than "0640", this is a finding.
Fix: F-42650r661824_fix
Change the mode of the audit log file(s): # chmod 0640 <audit log file>
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000164
- Version
- VROM-SL-000165
- Vuln IDs
-
- V-239459
- V-88389
- Rule IDs
-
- SV-239459r661828_rule
- SV-99039
Checks: C-42692r661826_chk
Check that the SLES for vRealize audit logs with the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file has a mode more permissive than "0640", this is a finding.
Fix: F-42651r661827_fix
Change the mode of the audit log file(s): # chmod 0640 <audit log file>
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000164
- Version
- VROM-SL-000170
- Vuln IDs
-
- V-239460
- V-88391
- Rule IDs
-
- SV-239460r661831_rule
- SV-99041
Checks: C-42693r661829_chk
Run the following command to check the mode of the system audit directories: # grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n Audit directories must be mode "0700". If the audit directories is not set to mode "0700", this is a finding.
Fix: F-42652r661830_fix
Change the mode of the audit log directories with the following command: # chmod 700 <audit log directory>
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000171
- Version
- VROM-SL-000240
- Vuln IDs
-
- V-239474
- V-88419
- Rule IDs
-
- SV-239474r661873_rule
- SV-99069
Checks: C-42707r661871_chk
Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the permissions of the file is not set to "640", this is a finding.
Fix: F-42666r661872_fix
Change the permissions of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chmod 640 /etc/audit/audit.rules.STIG # chmod 640 /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chmod 640 /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000171
- Version
- VROM-SL-000245
- Vuln IDs
-
- V-239475
- V-88421
- Rule IDs
-
- SV-239475r661876_rule
- SV-99071
Checks: C-42708r661874_chk
Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the ownership is not set to "root", this is a finding.
Fix: F-42667r661875_fix
Change the ownership of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chown root /etc/audit/audit.rules.STIG # chown root /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chown root /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000171
- Version
- VROM-SL-000250
- Vuln IDs
-
- V-239476
- V-88423
- Rule IDs
-
- SV-239476r661879_rule
- SV-99073
Checks: C-42709r661877_chk
Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the group owner is not set to "root", this is a finding.
Fix: F-42668r661878_fix
Change the group ownership of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chgrp root /etc/audit/audit.rules.STIG # chgrp root /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chgrp root /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000255
- Vuln IDs
-
- V-239477
- V-88425
- Rule IDs
-
- SV-239477r661882_rule
- SV-99075
Checks: C-42710r661880_chk
To determine if the system is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-42669r661881_fix
At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000260
- Vuln IDs
-
- V-239478
- V-88427
- Rule IDs
-
- SV-239478r661885_rule
- SV-99077
Checks: C-42711r661883_chk
To determine if the SLES for vRealize is configured to audit calls to the "chown" system call, run the following command: # auditctl -l | grep syscall | grep chown If the SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-42670r661884_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chown -F auid=0 -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000265
- Vuln IDs
-
- V-239479
- V-88429
- Rule IDs
-
- SV-239479r661888_rule
- SV-99079
Checks: C-42712r661886_chk
To determine if SLES for vRealize is configured to audit calls to the "fchmod" system call, run the following command: # auditctl -l | grep syscall | grep fchmod If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-42671r661887_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchmod -F auid=0 -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000270
- Vuln IDs
-
- V-239480
- V-88431
- Rule IDs
-
- SV-239480r661891_rule
- SV-99081
Checks: C-42713r661889_chk
To determine if SLES for vRealize is configured to audit calls to the "fchmodat" system call, run the following command: # auditctl -l | grep syscall | grep fchmodat If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-42672r661890_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchmodat -F auid=0 -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000275
- Vuln IDs
-
- V-239481
- V-88433
- Rule IDs
-
- SV-239481r661894_rule
- SV-99083
Checks: C-42714r661892_chk
To determine if SLES for vRealize is configured to audit calls to the "fchown" system call, run the following command: # auditctl -l | grep syscall | grep fchown If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-42673r661893_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchown -F auid=0 -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000280
- Vuln IDs
-
- V-239482
- V-88435
- Rule IDs
-
- SV-239482r661897_rule
- SV-99085
Checks: C-42715r661895_chk
To determine if SLES for vRealize is configured to audit calls to the "fchownat" system call, run the following command: # auditctl -l | grep syscall | grep fchownat If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-42674r661896_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchownat -F auid=0 -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000285
- Vuln IDs
-
- V-239483
- V-88437
- Rule IDs
-
- SV-239483r661900_rule
- SV-99087
Checks: C-42716r661898_chk
To determine if SLES for vRealize is configured to audit calls to the "fremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep fremovexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-42675r661899_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fremovexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000290
- Vuln IDs
-
- V-239484
- V-88439
- Rule IDs
-
- SV-239484r661903_rule
- SV-99089
Checks: C-42717r661901_chk
To determine if SLES for vRealize is configured to audit calls to the "fsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep fsetxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-42676r661902_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fsetxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000295
- Vuln IDs
-
- V-239485
- V-88441
- Rule IDs
-
- SV-239485r661906_rule
- SV-99091
Checks: C-42718r661904_chk
To determine if SLES for vRealize is configured to audit calls to the "lchown" system call, run the following command: # auditctl -l | grep syscall | grep lchown If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-42677r661905_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lchown Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000300
- Vuln IDs
-
- V-239486
- V-88443
- Rule IDs
-
- SV-239486r661909_rule
- SV-99093
Checks: C-42719r661907_chk
To determine if SLES for vRealize is configured to audit calls to the "lremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep lremovexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-42678r661908_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lremovexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000305
- Vuln IDs
-
- V-239487
- V-88445
- Rule IDs
-
- SV-239487r661912_rule
- SV-99095
Checks: C-42720r661910_chk
To determine if SLES for vRealize is configured to audit calls to the "lsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep lsetxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-42679r661911_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lsetxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000310
- Vuln IDs
-
- V-239488
- V-88447
- Rule IDs
-
- SV-239488r661915_rule
- SV-99097
Checks: C-42721r661913_chk
To determine if SLES for vRealize is configured to audit calls to the "removexattr" system call, run the following command: # auditctl -l | grep syscall | grep removexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-42680r661914_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S removexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000315
- Vuln IDs
-
- V-239489
- V-88449
- Rule IDs
-
- SV-239489r661918_rule
- SV-99099
Checks: C-42722r661916_chk
To determine if SLES for vRealize is configured to audit calls to the "setxattr" system call, run the following command: # auditctl -l | grep syscall | grep setxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.
Fix: F-42681r661917_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S setxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-000320
- Vuln IDs
-
- V-239490
- V-88451
- Rule IDs
-
- SV-239490r661921_rule
- SV-99101
Checks: C-42723r661919_chk
To check that the SLES for vRealize audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules -a exit,always -F arch=b64 -S swapon -F exit=-EACCES -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b64 -S open -F exit=-EACCES # grep EPERM /etc/audit/audit.rules -a exit,always -F arch=b64 -S swapon -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EPERM If either command lacks output, this is a finding.
Fix: F-42682r661920_fix
Add the following to "/etc/audit/audit.rules": -a exit,always -F arch=b64 -S swapon -F exit=-EACCES -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b64 -S open -F exit=-EACCES -a exit,always -F arch=b64 -S swapon -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EPERM Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000192
- Version
- VROM-SL-000340
- Vuln IDs
-
- V-239491
- V-88453
- Rule IDs
-
- SV-239491r661924_rule
- SV-99103
Checks: C-42724r661922_chk
Check SLES for vRealize enforces password complexity by requiring that at least one upper-case character be used by using the following command: # grep ucredit /etc/pam.d/common-password-vmware.local If "ucredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3
Fix: F-42683r661923_fix
If ucredit was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ ucredit=-1/' /etc/pam.d/common-password-vmware.local If "ucredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/ucredit=../ucredit=-1/' /etc/pam.d/common-password-vmware.local
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000192
- Version
- VROM-SL-000345
- Vuln IDs
-
- V-239492
- V-88455
- Rule IDs
-
- SV-239492r661927_rule
- SV-99105
Checks: C-42725r661925_chk
Verify that common-{account, auth, password, session} settings are being applied: Verify that local customization has occurred in the common- {account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility. The files "/etc/pam.d/common-{account,auth,password,session} -pc" are autogenerated by "pam-config". Any manual changes made to them will be lost if "pam-config" is allowed to run. # ls -l /etc/pam.d/common-{account,auth,password,session} If the symlinks point to "/etc/pam.d/common- {account,auth,password,session}-pc" and manual updates have been made in these files, the updates cannot be protected if pam-config is enabled. # ls -l /usr/sbin/pam-config If the setting for pam-config is not "000", this is a finding.
Fix: F-42684r661926_fix
In the default distribution of SLES 11 "/etc/pam.d/common- {account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common- {account,auth,password,session}-pc" files. These common- {account,auth,password,session}-pc files are autogenerated by the pam-config utility. Edit /usr/sbin/pam-config permissions to prevent its use: # chmod 000 /usr/sbin/pam-config
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000193
- Version
- VROM-SL-000350
- Vuln IDs
-
- V-239493
- V-88457
- Rule IDs
-
- SV-239493r661930_rule
- SV-99107
Checks: C-42726r661928_chk
Verify SLES for vRealize enforces password complexity by requiring that at least one lower-case character be used by using the following command: # grep lcredit /etc/pam.d/common-password-vmware.local If "lcredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3
Fix: F-42685r661929_fix
If lcredit was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ lcredit=-1/' /etc/pam.d/common-password-vmware.local If "lcredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/lcredit=../lcredit=-1/' /etc/pam.d/common-password-vmware.local
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000194
- Version
- VROM-SL-000355
- Vuln IDs
-
- V-239494
- V-88459
- Rule IDs
-
- SV-239494r661933_rule
- SV-99109
Checks: C-42727r661931_chk
Check that SLES for vRealize enforces password complexity by requiring that at least one numeric character be used by running the following command: # grep dcredit /etc/pam.d/common-password-vmware.local If "dcredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3
Fix: F-42686r661932_fix
If dcredit was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ dcredit=-1/' /etc/pam.d/common-password-vmware.local If "dcredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/dcredit=../dcredit=-1/' /etc/pam.d/common-password-vmware.local
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000195
- Version
- VROM-SL-000360
- Vuln IDs
-
- V-239495
- V-88461
- Rule IDs
-
- SV-239495r661936_rule
- SV-99111
Checks: C-42728r661934_chk
Check that at least eight characters need to be changed between old and new passwords during a password change by running the following command: # grep pam_cracklib /etc/pam.d/common-password-vmware.local The "difok" parameter indicates how many characters must be different. The DoD requires at least eight characters to be different during a password change. This would appear as "difok=8". If "difok" is not found or not set to at least "8", this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=8 retry=3
Fix: F-42687r661935_fix
If "difok" was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ difok-8/' /etc/pam.d/common-password-vmware.local If "difok" was set incorrectly, run the following command to set it to "8": # sed -i '/pam_cracklib.so/ s/difok=./difok=8/' /etc/pam.d/common-password-vmware.local
- RMF Control
- IA-5
- Severity
- High
- CCI
- CCI-000196
- Version
- VROM-SL-000365
- Vuln IDs
-
- V-239496
- V-88463
- Rule IDs
-
- SV-239496r877397_rule
- SV-99113
Checks: C-42729r661937_chk
Check that the user account passwords are stored hashed using sha512 by running the following command: # cat /etc/default/passwd | grep CRYPT=sha512 If "CRYPT=sha512" is not listed, this is a finding.
Fix: F-42688r661938_fix
Ensure password are being encrypted with hash sha512 with the following command: # echo 'CRYPT=sha512'>>/etc/default/passwd
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000198
- Version
- VROM-SL-000375
- Vuln IDs
-
- V-239497
- V-88465
- Rule IDs
-
- SV-239497r661942_rule
- SV-99115
Checks: C-42730r661940_chk
To check that SLES for vRealize enforces 24 hours/1 day as the minimum password age, run the following command: # grep PASS_MIN_DAYS /etc/login.defs | grep -v '#' The DoD requirement is "1". If "PASS_MIN_DAYS" is not set to the required value, this is a finding.
Fix: F-42689r661941_fix
To configure SLES for vRealize to enforce 24 hours/1 day as the minimum password age, edit the file "/etc/login.defs" with the following command: # sed -i "/^[^#]*PASS_MIN_DAYS/ c\PASS_MIN_DAYS 1" /etc/login.defs
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000198
- Version
- VROM-SL-000380
- Vuln IDs
-
- V-239498
- V-88467
- Rule IDs
-
- SV-239498r661945_rule
- SV-99117
Checks: C-42731r661943_chk
Check the minimum time period between password changes for each user account is "1" day. # cat /etc/shadow | cut -d ':' -f1,4 | grep -v 1 | grep -v ":$" If any results are returned, this is a finding.
Fix: F-42690r661944_fix
Change the minimum time period between password changes for each [USER] account to "1" day. The command in the check text will give you a list of users that need to be updated to be in compliance. # passwd -n 1 [USER]
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000199
- Version
- VROM-SL-000385
- Vuln IDs
-
- V-239499
- V-88469
- Rule IDs
-
- SV-239499r661948_rule
- SV-99119
Checks: C-42732r661946_chk
To check that SLES for vRealize enforces a "60" days or less maximum password age, run the following command: # grep PASS_MAX_DAYS /etc/login.defs | grep -v "#" The DoD requirement is "60" days or less (Greater than zero, as zero days will lock the account immediately). If "PASS_MAX_DAYS" is not set to the required value, this is a finding.
Fix: F-42691r661947_fix
To configure SLES for vRealize to enforce a "60" day or less maximum password age, edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days. # sed -i "/^[^#]*PASS_MAX_DAYS/ c\PASS_MAX_DAYS 60" /etc/login.defs The DoD requirement is "60" days or less (Greater than zero, as zero days will lock the account immediately).
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000199
- Version
- VROM-SL-000390
- Vuln IDs
-
- V-239500
- V-88471
- Rule IDs
-
- SV-239500r661951_rule
- SV-99121
Checks: C-42733r661949_chk
Check the max days field of "/etc/shadow" by running the following command: # cat /etc/shadow | cut -d':' -f1,5 | egrep -v "([0|60])" | grep -v ":$" If any results are returned, this is a finding.
Fix: F-42692r661950_fix
Set the maximum time period between password changes for each [USER] account to "60" days. The command in the check text will give you a list of users that need to be updated to be in compliance. # passwd -x 60 [USER] The DoD requirement is "60" days.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000200
- Version
- VROM-SL-000395
- Vuln IDs
-
- V-239501
- V-88473
- Rule IDs
-
- SV-239501r661954_rule
- SV-99123
Checks: C-42734r661952_chk
Verify that SLES for vRealize prohibits the reuse of a password for a minimum of five generations, by running the following commands: # grep pam_pwhistory.so /etc/pam.d/common-password-vmware.local If the "remember" option in "/etc/pam.d/common-password-vmware.local" file is not "5" or greater, this is a finding.
Fix: F-42693r661953_fix
Configure pam to use password history. If the "remember" option was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ remember=5/' /etc/pam.d/common-password-vmware.local If "remember" option was set incorrectly, run the following command to set it to "5": # sed -i '/pam_cracklib.so/ s/remember=./remember=5/' /etc/pam.d/common-password-vmware.local
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000200
- Version
- VROM-SL-000400
- Vuln IDs
-
- V-239502
- V-88475
- Rule IDs
-
- SV-239502r661957_rule
- SV-99125
Checks: C-42735r661955_chk
Verify that the old password file, "opasswd", exists, by running the following command: # ls /etc/security/opasswd If "/etc/security/opasswd" file does not exist, this is a finding.
Fix: F-42694r661956_fix
Create the password history file. # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000205
- Version
- VROM-SL-000405
- Vuln IDs
-
- V-239503
- V-88477
- Rule IDs
-
- SV-239503r661960_rule
- SV-99127
Checks: C-42736r661958_chk
Verify that SLES for vRealize enforces a minimum 15-character password length, by running the following command: # grep pam_cracklib /etc/pam.d/common-password-vmware.local # grep pam_cracklib /etc/pam.d/common-password If the result does not contain "minlen=15" or higher, this is a finding.
Fix: F-42695r661959_fix
If "minlen" was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ minlen=15/' /etc/pam.d/common-password-vmware.local If "minlen" was set incorrectly, run the following command to set it to "15": # sed -i '/pam_cracklib.so/ s/minlen=../minlen=15/' /etc/pam.d/common-password-vmware.local
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- VROM-SL-000415
- Vuln IDs
-
- V-239504
- V-88479
- Rule IDs
-
- SV-239504r661963_rule
- SV-99129
Checks: C-42737r661961_chk
Verify that root password is required for single user mode logon with the following command: # grep sulogin /etc/inittab Expected result: ~~:S:respawn:/sbin/sulogin If the expected result is not displayed, this is a finding.
Fix: F-42696r661962_fix
Configure SLES for vRealize to require root password login with single user mode use the following command: # echo '~~:S:respawn:/sbin/sulogin' >> /etc/inittab
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- VROM-SL-000420
- Vuln IDs
-
- V-239505
- V-88481
- Rule IDs
-
- SV-239505r661966_rule
- SV-99131
Checks: C-42738r661964_chk
To verify a boot password exists. In "/boot/grub/menu.lst" run the following command: # grep password /boot/grub/menu.lst The output should show the following: password --encrypted $1$[rest-of-the-password-hash] If it does not, this is a finding.
Fix: F-42697r661965_fix
Run the following command: # /usr/sbin/grub-md5-crypt An MD5 password is generated. After the password is supplied, the command supplies the md5 hash output. Append the password to the menu.lst file by running the following command: echo 'password --md5 <hash from grub-md5-crypt>' >> /boot/grub/menu.lst Or use "yast2" to set the bootloader password: Open the Boot Loader Installation tab. Click Boot Loader Options. Activate the Protect Boot Loader with Password option with a click and type in your Password twice. Click "OK" twice to save the changes.
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- VROM-SL-000425
- Vuln IDs
-
- V-239506
- V-88483
- Rule IDs
-
- SV-239506r661969_rule
- SV-99133
Checks: C-42739r661967_chk
Check the /boot/grub/menu.lst file: # stat /boot/grub/menu.lst If "/boot/grub/menu.lst" has a mode more permissive than "0600", this is a finding.
Fix: F-42698r661968_fix
Change the mode of the "/boot/grub/menu.lst" file to "0600": # chmod 0600 /boot/grub/menu.lst
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- VROM-SL-000430
- Vuln IDs
-
- V-239507
- V-88485
- Rule IDs
-
- SV-239507r661972_rule
- SV-99135
Checks: C-42740r661970_chk
Check "/boot/grub/menu.lst" file ownership: # stat /boot/grub/menu.lst If the owner of the file is not "root", this is a finding.
Fix: F-42699r661971_fix
Change the ownership of the "/boot/grub/menu.lst" file: # chown root /boot/grub/menu.lst
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- VROM-SL-000435
- Vuln IDs
-
- V-239508
- V-88487
- Rule IDs
-
- SV-239508r661975_rule
- SV-99137
Checks: C-42741r661973_chk
Check "/boot/grub/menu.lst" file ownership: # stat /boot/grub/menu.lst If the group-owner of the file is not "root", "bin", "sys", or "system", this is a finding.
Fix: F-42700r661974_fix
Change the group-ownership of the "/boot/grub/menu.lst" file: # chgrp root /boot/grub/menu.lst
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VROM-SL-000440
- Vuln IDs
-
- V-239509
- V-88489
- Rule IDs
-
- SV-239509r661978_rule
- SV-99139
Checks: C-42742r661976_chk
Verify the Bluetooth protocol handler is prevented from dynamic loading: # grep "install bluetooth /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-42701r661977_fix
Prevent the Bluetooth protocol handler for dynamic loading: # echo "install bluetooth /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VROM-SL-000445
- Vuln IDs
-
- V-239510
- V-88491
- Rule IDs
-
- SV-239510r661981_rule
- SV-99141
Checks: C-42743r661979_chk
If SLES for vRealize needs USB storage, this vulnerability is not applicable. Check if the "usb-storage" module is prevented from loading: # grep "install usb-storage /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no results are returned, this is a finding.
Fix: F-42702r661980_fix
Prevent the "usb-storage" module from loading: # echo "install usb-storage /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VROM-SL-000450
- Vuln IDs
-
- V-239511
- V-88493
- Rule IDs
-
- SV-239511r661984_rule
- SV-99143
Checks: C-42744r661982_chk
If SLES for vRealize needs USB, this vulnerability is not applicable. Check if the directory "/proc/bus/usb exists". If the directory "/proc/bus/usb exists", this is a finding.
Fix: F-42703r661983_fix
Edit the grub bootloader file, "/boot/grub/menu.lst" file, by appending the "nousb" parameter to the kernel boot line.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VROM-SL-000455
- Vuln IDs
-
- V-239512
- V-88495
- Rule IDs
-
- SV-239512r661987_rule
- SV-99145
Checks: C-42745r661985_chk
Check if "telnet-server" package is installed: # rpm -q telnet-server If there is a "telnet-server" package listed, this is a finding.
Fix: F-42704r661986_fix
To remove the "telnet-server" package use the following command: rpm -e telnet-server
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VROM-SL-000460
- Vuln IDs
-
- V-239513
- V-88497
- Rule IDs
-
- SV-239513r661990_rule
- SV-99147
Checks: C-42746r661988_chk
Check if "rsh-server" package is installed: # rpm -q rsh-server If there is a "rsh-server" package listed, this is a finding.
Fix: F-42705r661989_fix
To remove the "telnet-server" package use the following command: rpm -e rsh-server
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VROM-SL-000465
- Vuln IDs
-
- V-239514
- V-88499
- Rule IDs
-
- SV-239514r661993_rule
- SV-99149
Checks: C-42747r661991_chk
Check if "ypserv" package is installed: # rpm -q ypserv If there is a "ypserv" package listed, this is a finding.
Fix: F-42706r661992_fix
To remove the "ypserv" package use the following command: rpm -e ypserv
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000381
- Version
- VROM-SL-000470
- Vuln IDs
-
- V-239515
- V-88501
- Rule IDs
-
- SV-239515r661996_rule
- SV-99151
Checks: C-42748r661994_chk
Check if "yast2-tftp-server" package is installed: # rpm -q yast2-tftp-server If there is a "yast2-tftp-server" package listed, this is a finding.
Fix: F-42707r661995_fix
To remove the "yast2-tftp-server" package use the following command: rpm -e yast2-tftp-server
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000485
- Vuln IDs
-
- V-239516
- V-88503
- Rule IDs
-
- SV-239516r661999_rule
- SV-99153
Checks: C-42749r661997_chk
Check that the DCCP protocol handler is prevented from dynamic loading: # grep "install dccp /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. # grep "install dccp_ipv4 /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. # grep "install dccp_ipv6" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* | grep ‘bin/true’ If no result is returned, this is a finding.
Fix: F-42708r661998_fix
Prevent the DCCP protocol handler for dynamic loading: # echo "install dccp /bin/true" >> /etc/modprobe.conf.local # echo "install dccp_ipv4 /bin/true" >> /etc/modprobe.conf.local # echo "install dccp_ipv6 /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000490
- Vuln IDs
-
- V-239517
- V-88505
- Rule IDs
-
- SV-239517r662002_rule
- SV-99155
Checks: C-42750r662000_chk
Verify the SCTP protocol handler is prevented from dynamic loading: # grep "install sctp /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-42709r662001_fix
Prevent the SCTP protocol handler from dynamic loading: # echo "install sctp /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000495
- Vuln IDs
-
- V-239518
- V-88507
- Rule IDs
-
- SV-239518r662005_rule
- SV-99157
Checks: C-42751r662003_chk
Ask the SA if RDS is required by application software running on the system. If so, this is not applicable. Check that the RDS protocol handler is prevented from dynamic loading: # grep "install rds /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-42710r662004_fix
Prevent the RDS protocol handler from dynamic loading: # echo "install rds /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000500
- Vuln IDs
-
- V-239519
- V-88509
- Rule IDs
-
- SV-239519r662008_rule
- SV-99159
Checks: C-42752r662006_chk
Verify the TIPC protocol handler is prevented from dynamic loading: # grep "install tipc /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-42711r662007_fix
Prevent the TIPC protocol handler from dynamic loading: # echo "install tipc /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000505
- Vuln IDs
-
- V-239520
- V-88511
- Rule IDs
-
- SV-239520r662011_rule
- SV-99161
Checks: C-42753r662009_chk
If network services are using the "xinetd" service, this is not applicable. To check that the "xinetd" service is disabled in system boot configuration, run the following command: # chkconfig "xinetd" --list Output should indicate the "xinetd" service has either not been installed, or has been disabled at all run levels, as shown in the example below: xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "xinetd" is disabled through current runtime configuration: # service xinetd status If the "xinetd" service is disabled the command will return the following output: Checking for service xinetd: unused If the "xinetd" service is running, this is a finding.
Fix: F-42712r662010_fix
The "xinetd" service can be disabled with the following command: # chkconfig xinetd off
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000510
- Vuln IDs
-
- V-239521
- V-88513
- Rule IDs
-
- SV-239521r662014_rule
- SV-99163
Checks: C-42754r662012_chk
If network services are using the "ypbind" service, this is not applicable. To check that the "ypbind" service is disabled in system boot configuration, run the following command: # chkconfig "ypbind" --list Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ypbind" is disabled through current runtime configuration: # service ypbind status If the "ypbind" service is disabled the command will return the following output: Checking for service ypbind unused If the "ypbind" service is running, this is a finding.
Fix: F-42713r662013_fix
The "ypbind" service can be disabled with the following command: # chkconfig ypbind off
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000515
- Vuln IDs
-
- V-239522
- V-88515
- Rule IDs
-
- SV-239522r662017_rule
- SV-99165
Checks: C-42755r662015_chk
Perform the following to check NIS file ownership: # ls -la /var/yp/* If the NIS file ownership is not "root", sys, or bin, this is a finding.
Fix: F-42714r662016_fix
Change the ownership of NIS/NIS+/yp files to "root", "sys", "bin", or "system". Consult vendor documentation to determine the location of the files: # chown root <filename>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000520
- Vuln IDs
-
- V-239523
- V-88517
- Rule IDs
-
- SV-239523r662020_rule
- SV-99167
Checks: C-42756r662018_chk
Perform the following to check NIS file ownership: # ls -la /var/yp/* If the NIS file's mode is more permissive than "0755", this is a finding.
Fix: F-42715r662019_fix
Change the mode of NIS/NIS+/yp command files to "0755" or less permissive: # chmod 0755 <filename>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000525
- Vuln IDs
-
- V-239524
- V-88519
- Rule IDs
-
- SV-239524r662023_rule
- SV-99169
Checks: C-42757r662021_chk
If SLES for vRealize does not use NIS or NIS+, this is not applicable. Check if NIS or NIS+ is implemented using UDP: # rpcinfo -p | grep yp | grep udp If NIS or NIS+ is implemented using UDP, this is a finding.
Fix: F-42716r662022_fix
Configure SLES for vRealize to not use UDP for NIS and NIS+. Consult vendor documentation for the required procedure.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000530
- Vuln IDs
-
- V-239525
- V-88521
- Rule IDs
-
- SV-239525r662026_rule
- SV-99171
Checks: C-42758r662024_chk
If SLES for vRealize does not use NIS or NIS+, this is not applicable. Check the domain name for NIS maps: # domainname If the name returned is simple to guess, such as the organization name, building or room name, etc., this is a finding.
Fix: F-42717r662025_fix
Change the NIS domainname to a value difficult to guess. Consult vendor documentation for the required procedure.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000535
- Vuln IDs
-
- V-239526
- V-88523
- Rule IDs
-
- SV-239526r662029_rule
- SV-99173
Checks: C-42759r662027_chk
Determine if Sendmail only binds to loopback addresses by examining the "DaemonPortOptions" configuration options. # grep -i "O DaemonPortOptions" /etc/sendmail.cf If there are uncommented "DaemonPortOptions" lines, and all such lines specify system loopback addresses, this is not a finding. Otherwise, determine if "Sendmail" is configured to allow open relay operation. # grep -i promiscuous_relay /etc/mail/sendmail.mc If the promiscuous relay feature is enabled, this is a finding.
Fix: F-42718r662028_fix
If SLES for vRealize does not need to receive mail from external hosts, add one or more "DaemonPortOptions" lines referencing system loopback addresses (such as "O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA") and remove lines containing non-loopback addresses. # sed -i "s/O DaemonPortOptions=Name=MTA/O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA/" /etc/sendmail.cf Restart the sendmail service: # service sendmail restart
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000540
- Vuln IDs
-
- V-239527
- V-88525
- Rule IDs
-
- SV-239527r662032_rule
- SV-99175
Checks: C-42760r662030_chk
Check the ownership of the alias file: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If all the files are not owned by "root", this is a finding.
Fix: F-42719r662031_fix
Change the owner of the alias files to "root": # chown root /etc/aliases # chown root /etc/aliases.db
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000545
- Vuln IDs
-
- V-239528
- V-88527
- Rule IDs
-
- SV-239528r662035_rule
- SV-99177
Checks: C-42761r662033_chk
Check the group ownership of the alias files: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If the files are not group-owned by "root", this is a finding.
Fix: F-42720r662034_fix
Change the group owner of the alias files to "root": # chgrp root /etc/aliases # chgrp root /etc/aliases.db
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000550
- Vuln IDs
-
- V-239529
- V-88529
- Rule IDs
-
- SV-239529r662038_rule
- SV-99179
Checks: C-42762r662036_chk
Check the permissions of the alias files: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If the alias files have a mode more permissive than "0644", this is a finding.
Fix: F-42721r662037_fix
Change the mode of the alias files to "0644": # chmod 0644 /etc/aliases /etc/aliases.db
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000555
- Vuln IDs
-
- V-239530
- V-88531
- Rule IDs
-
- SV-239530r662041_rule
- SV-99181
Checks: C-42763r662039_chk
Verify the ownership of files referenced within the sendmail aliases file: # more /etc/aliases Examine the aliases file for any utilized directories or paths: # ls -lL <directory or file path> Check the owner for any paths referenced. Check if the file or parent directory is owned by root. If the file or parent directory is not owned by "root", this is a finding.
Fix: F-42722r662040_fix
Edit the "/etc/aliases" file (alternatively, /usr/lib/sendmail.cf). Locate the entries executing a program. They will appear similar to the following line: Aliasname: : /usr/local/bin/ls (or some other program name) Ensure "root" owns the programs and the directory(ies) they reside in by using the chown command to change owner to "root": # chown root <file or directory name>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000560
- Vuln IDs
-
- V-239531
- V-88533
- Rule IDs
-
- SV-239531r662044_rule
- SV-99183
Checks: C-42764r662042_chk
Examine the contents of the "/etc/aliases" file: # more /etc/aliases Examine the aliases file for any directories or paths that may be utilized: # ls -lL <file referenced from aliases> Check the permissions for any paths referenced. If the group owner of any file is not "root", "bin", "sys", or "system", this is a finding.
Fix: F-42723r662043_fix
Change the group ownership of the file referenced from "/etc/mail/aliases": # chgrp root <file referenced from aliases>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000565
- Vuln IDs
-
- V-239532
- V-88535
- Rule IDs
-
- SV-239532r662047_rule
- SV-99185
Checks: C-42765r662045_chk
Examine the contents of the "/etc/aliases" file: # more /etc/aliases Examine the aliases file for any directories or paths that may be utilized: # ls -lL <file referenced from aliases> Check the permissions for any paths referenced. If any file referenced from the aliases file has a mode more permissive than "0755", this is a finding.
Fix: F-42724r662046_fix
Use the chmod command to change the access permissions for files executed from the alias file: # chmod 0755 <file referenced from aliases>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000570
- Vuln IDs
-
- V-239533
- V-88537
- Rule IDs
-
- SV-239533r662050_rule
- SV-99187
Checks: C-42766r662048_chk
Check sendmail to determine if the logging level is set to level "9": # grep "O L" /etc/sendmail.cf OR # grep LogLevel /etc/sendmail.cf If logging is set to less than "9", this is a finding.
Fix: F-42725r662049_fix
Edit the "sendmail.cf" file, locate the "O L" or "LogLevel" entry, and change it to "9".
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000575
- Vuln IDs
-
- V-239534
- V-88539
- Rule IDs
-
- SV-239534r662053_rule
- SV-99189
Checks: C-42767r662051_chk
Check the "/etc/syslog-ng/syslog-ng.conf" file for the following log entries: filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; If any of the above log entries are present, this is not a finding.
Fix: F-42726r662052_fix
Edit the "/etc/syslog-ng/syslog-ng.conf" file and add the following log entries: filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; destination mailinfo { file("/var/log/mail.info"); }; log { source(src); filter(f_mailinfo); destination(mailinfo); }; destination mailwarn { file("/var/log/mail.warn"); }; log { source(src); filter(f_mailwarn); destination(mailwarn); }; destination mailerr { file("/var/log/mail.err" fsync(yes)); }; log { source(src); filter(f_mailerr); destination(mailerr); };
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000580
- Vuln IDs
-
- V-239535
- V-88541
- Rule IDs
-
- SV-239535r662056_rule
- SV-99191
Checks: C-42768r662054_chk
Check the permissions on the mail log files: # ls -la /var/log/mail # ls -la /var/log/mail.info # ls -la /var/log/mail.warn # ls -la /var/log/mail.err If any mail log file is not owned by "root", this is a finding.
Fix: F-42727r662055_fix
Change the ownership of the sendmail log files to "root": # chown root <sendmail log file>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000585
- Vuln IDs
-
- V-239536
- V-88543
- Rule IDs
-
- SV-239536r662059_rule
- SV-99193
Checks: C-42769r662057_chk
Check the permissions on the mail log files: # ls -la /var/log/mail # ls -la /var/log/mail.info # ls -la /var/log/mail.warn # ls -la /var/log/mail.err If the log file permissions are greater than "0644", this is a finding.
Fix: F-42728r662058_fix
Change the mode of the sendmail log files to "0644": # chmod 0644 <sendmail log file>
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000590
- Vuln IDs
-
- V-239537
- V-88545
- Rule IDs
-
- SV-239537r662062_rule
- SV-99195
Checks: C-42770r662060_chk
Check the permissions of the sendmail helpfile: ls -al /usr/lib/sendmail.d/helpfile If the permissions are not "0000", this is a finding.
Fix: F-42729r662061_fix
Run the following command to disable the sendmail helpfile: # chmod 0000 /usr/lib/sendmail.d/helpfile
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000595
- Vuln IDs
-
- V-239538
- V-88547
- Rule IDs
-
- SV-239538r662065_rule
- SV-99197
Checks: C-42771r662063_chk
To check for the sendmail version being displayed in the greeting: # more /etc/sendmail.cf | grep SmtpGreetingMessage If it returns: O SmtpGreetingMessage=$j Sendmail $v/$Z; $b Then sendmail is providing version information, this is a finding.
Fix: F-42730r662064_fix
Change the "O SmtpGreetingMessage" line in the "/etc/sendmail.cf" file to: O SmtpGreetingMessage= Mail Server Ready ; $b
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000600
- Vuln IDs
-
- V-239539
- V-88549
- Rule IDs
-
- SV-239539r662068_rule
- SV-99199
Checks: C-42772r662066_chk
Check forwarding from sendmail: # grep "0 ForwardPath" /etc/sendmail.cf If the entry contains a file path and is not commented out, this is a finding.
Fix: F-42731r662067_fix
Disable forwarding for sendmail and remove ".forward" files from the system: Remove all ".forward" files on the system. # find / -name .forward -delete Use the following command to disable forwarding: # sed -i "s/O ForwardPath/#O ForwardPath/" /etc/sendmail.cf Restart the sendmail service: # service sendmail restart
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000605
- Vuln IDs
-
- V-239540
- V-88551
- Rule IDs
-
- SV-239540r662071_rule
- SV-99201
Checks: C-42773r662069_chk
Use the following command to check if EXPN is disabled: # grep -v "^#" /etc/sendmail.cf |grep -i PrivacyOptions If "noexpn" is not returned, this is a finding.
Fix: F-42732r662070_fix
Add "noexpn" to the "PrivacyOptions" flag in the "/etc/sendmail.cf" file.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000610
- Vuln IDs
-
- V-239541
- V-88553
- Rule IDs
-
- SV-239541r662074_rule
- SV-99203
Checks: C-42774r662072_chk
Use the following command to check if VRFY is disabled: # grep -v "^#" /etc/sendmail.cf |grep -i PrivacyOptions If "novrfy" is not returned, this is a finding.
Fix: F-42733r662073_fix
Add "novrfy" to the "PrivacyOptions" flag in the "/etc/sendmail.cf" file.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000615
- Vuln IDs
-
- V-239542
- V-88555
- Rule IDs
-
- SV-239542r662077_rule
- SV-99205
Checks: C-42775r662075_chk
Run the following command: iptables --list | grep "udplite" If no result is displayed, this is a finding.
Fix: F-42734r662076_fix
Configure SLES for vRealize to prevent the dynamic loading of the "UDP-Lite" protocol handler: Add the following rule to the iptables firewall ruleset: # iptables -A INPUT -p udplite -j DROP
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000620
- Vuln IDs
-
- V-239543
- V-88557
- Rule IDs
-
- SV-239543r662080_rule
- SV-99207
Checks: C-42776r662078_chk
Check that the "IPX" protocol handler is prevented from dynamic loading: # grep "install ipx /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-42735r662079_fix
Prevent the "IPX" protocol handler from dynamic loading: # echo "install ipx /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000625
- Vuln IDs
-
- V-239544
- V-88559
- Rule IDs
-
- SV-239544r662083_rule
- SV-99209
Checks: C-42777r662081_chk
Verify the "AppleTalk" protocol handler is prevented from dynamic loading: # grep "install appletalk /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-42736r662082_fix
Prevent the "AppleTalk" protocol handler from dynamic loading: # echo "install appletalk /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000630
- Vuln IDs
-
- V-239545
- V-88561
- Rule IDs
-
- SV-239545r662086_rule
- SV-99211
Checks: C-42778r662084_chk
Check that the "DECnet" protocol handler is prevented from dynamic loading: # grep "install decnet /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.
Fix: F-42737r662085_fix
Prevent the "DECnet" protocol handler from dynamic loading: # echo "install decnet /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000635
- Vuln IDs
-
- V-239546
- V-88563
- Rule IDs
-
- SV-239546r662089_rule
- SV-99213
Checks: C-42779r662087_chk
Determine if SLES for vRealize has proxy "NDP", and if it is enabled: # more /proc/sys/net/ipv6/conf/*/proxy_ndp If the file is not found, the kernel does not have proxy "NDP", this is not a finding. If the file has a value of "0", proxy "NDP" is not enabled, this is not a finding. If the file has a value of "1", proxy NDP is enabled, this is a finding.
Fix: F-42738r662088_fix
Disable proxy "NDP" on the system. For Appliance OS, "proxy_ndp" is disabled by default.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000640
- Vuln IDs
-
- V-239547
- V-88565
- Rule IDs
-
- SV-239547r662092_rule
- SV-99215
Checks: C-42780r662090_chk
Check SLES for vRealize for any active "6to4" tunnels without specific remote addresses: # ip tun list | grep "remote any" | grep "ipv6/ip" If any results are returned the "tunnel" is the first field. If any results are returned, this is a finding.
Fix: F-42739r662091_fix
Disable the active "6to4" tunnel: # ip link set <tunnel> down Add this command to a startup script, or remove the configuration creating the tunnel.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000645
- Vuln IDs
-
- V-239548
- V-88567
- Rule IDs
-
- SV-239548r662095_rule
- SV-99217
Checks: C-42781r662093_chk
Verify the "Miredo" service is not running: # ps ax | grep miredo | grep -v grep If the Miredo process is running, this is a finding. Note: For Appliance OS, "Miredo" is not included by default, this is not a finding.
Fix: F-42740r662094_fix
Kill the "Miredo" service. Edit startup scripts to prevent the service from running on startup.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000650
- Vuln IDs
-
- V-239549
- V-88569
- Rule IDs
-
- SV-239549r662098_rule
- SV-99219
Checks: C-42782r662096_chk
Check that no interface is configured to use "DHCP": # grep -i bootproto=dhcp4 /etc/sysconfig/network/ifcfg-* If any configuration is found, this is a finding.
Fix: F-42741r662097_fix
Edit the "/etc/sysconfig/network/ifcfg-*" file(s) and change the "bootproto" setting to "static".
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- VROM-SL-000655
- Vuln IDs
-
- V-239550
- V-88571
- Rule IDs
-
- SV-239550r662101_rule
- SV-99221
Checks: C-42783r662099_chk
If SLES for vRealize needs IEEE 1394 (Firewire), this is not applicable. Check if the firewire module is not disabled: # grep "install ieee1394 /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no results are returned, this is a finding.
Fix: F-42742r662100_fix
Prevent SLES for vRealize from loading the firewire module: # echo "install ieee1394 /bin/true" >> /etc/modprobe.conf.local
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-000764
- Version
- VROM-SL-000660
- Vuln IDs
-
- V-239551
- V-88573
- Rule IDs
-
- SV-239551r662104_rule
- SV-99223
Checks: C-42784r662102_chk
Verify that SLES for vRealize contains no duplicate UIDs for organizational users by running the following command: # awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, this is a finding.
Fix: F-42743r662103_fix
Edit the file "/etc/passwd" and provide each organizational user account that has a duplicate UID with a unique UID.
- RMF Control
- IA-2
- Severity
- High
- CCI
- CCI-000770
- Version
- VROM-SL-000685
- Vuln IDs
-
- V-239552
- V-88575
- Rule IDs
-
- SV-239552r662107_rule
- SV-99225
Checks: C-42785r662105_chk
Verify SLES for vRealize prevents direct logons to the root account by running the following command: # grep root /etc/shadow | cut -d "":"" -f 2 If the returned message contains any text, this is a finding.
Fix: F-42744r662106_fix
Configure SLES for vRealize to prevent direct logins to the root account by performing the following operations: Add this line to the "/etc/group" file: admin:x:[UNIQUE_NUMBER]:[USERNAME] USERNAME is the user you wish to add to the admin group. UNIQUE_NUMBER is a number entered into the ID field of an entry that is unique to all other IDs in the file. Comment out the following lines in "/etc/sudoers" file: Default targetpw ALL ALL=(ALL) ALL Under the line in the "/etc/sudoers" file: root ALL=(ALL) All Add the following line: %admin ALL=(ALL) ALL Run the following command: # passwd -d root
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-001941
- Version
- VROM-SL-000690
- Vuln IDs
-
- V-239553
- V-88577
- Rule IDs
-
- SV-239553r852586_rule
- SV-99227
Checks: C-42786r662108_chk
Verify that SLES for vRealize enforces SSHv2 for network access to privileged accounts by running the following command: Replace [ADDRESS] in the following command with the correct IP address based on the current system configuration. # ssh -1 [ADDRESS] An example of the command usage is as follows: # ssh -1 localhost The output must be the following: Protocol major versions differ: 1 vs. 2 If it is not, this is a finding. OR Verify that the ssh is configured to enforce SSHv2 for network access to privileged accounts by running the following command: # grep Protocol /etc/ssh/sshd_config If the result is not "Protocol 2", this is a finding.
Fix: F-42745r662109_fix
Configure SLES for vRealize to enforce SSHv2 for network access to privileged accounts by running the following commands: # sed -i 's/^.*\bProtocol\b.*$/Protocol 2/' /etc/ssh/sshd_config Restart the ssh service. # service sshd restart
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-001942
- Version
- VROM-SL-000695
- Vuln IDs
-
- V-239554
- V-88579
- Rule IDs
-
- SV-239554r852587_rule
- SV-99229
Checks: C-42787r662111_chk
Verify that SLES for vRealize enforces SSHv2 for network access to privileged accounts by running the following command: Replace [ADDRESS] in the following command with the correct IP address based on the current system configuration. # ssh -1 [ADDRESS] An example of the command usage is as follows: # ssh -1 localhost The output must be one of the following items: Protocol major versions differ: 1 vs. 2 OR Protocol 1 not allowed in the FIPS mode. If it does not, this is a finding. OR Verify that the ssh is configured to enforce SSHv2 for network access to privileged accounts by running the following command: # grep Protocol /etc/ssh/sshd_config If the result is not "Protocol 2", this is a finding.
Fix: F-42746r662112_fix
Configure SLES for vRealize to enforce SSHv2 for network access to non-privileged accounts by running the following commands: # sed -i 's/^.*\bProtocol\b.*$/Protocol 2/' /etc/ssh/sshd_config Restart the ssh service. # service sshd restart
- RMF Control
- IA-4
- Severity
- Medium
- CCI
- CCI-000795
- Version
- VROM-SL-000705
- Vuln IDs
-
- V-239555
- V-88581
- Rule IDs
-
- SV-239555r662116_rule
- SV-99231
Checks: C-42788r662114_chk
Verify SLES for vRealize disables account identifiers after "35" days of inactivity after the password expiration, by performing the following commands: # grep "INACTIVE" /etc/default/useradd The output must indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: grep "INACTIVE" /etc/default/useradd INACTIVE=35 If "INACTIVE" is not set to a value 0<[VALUE]<=35, this is a finding.
Fix: F-42747r662115_fix
Configure SLES for vRealize to disable account identifiers after "35" days of inactivity after the password expiration. Run the following command to change the configuration for useradd: Replace [VALUE] in the command with any integer from the range 0<[VALUE]<= 35. # sed -i "s/^.*\bINACTIVE\b.*$/INACTIVE=[VALUE]/" /etc/default/useradd DoD recommendation is "35" days, but a lower value is acceptable. The value "-1" will disable this feature and "0" will disable the account immediately after the password expires.
- RMF Control
- IA-7
- Severity
- Medium
- CCI
- CCI-000803
- Version
- VROM-SL-000710
- Vuln IDs
-
- V-239556
- V-88583
- Rule IDs
-
- SV-239556r662119_rule
- SV-99233
Checks: C-42789r662117_chk
Check the "/etc/default/passwd" file: # grep CRYPT /etc/default/passwd If the "CRYPT" setting in the "/etc/default/passwd" file is not present, or not set to "SHA256" or "SHA512", this is a finding. If the "CRYPT_FILES" setting in the "/etc/default/passwd" file is not present, or not set to "SHA256" or "SHA512", this is a finding.
Fix: F-42748r662118_fix
Edit the "/etc/default/passwd" file and add or change the "CRYPT" variable setting so that it contains: CRYPT=sha256 OR CRYPT=sha512 Edit the "/etc/default/passwd" file and add or change the "CRYPT_FILES" variable setting so that it contains: CRYPT_FILES=sha256 OR CRYPT_FILES=sha512
- RMF Control
- IA-8
- Severity
- Medium
- CCI
- CCI-000804
- Version
- VROM-SL-000715
- Vuln IDs
-
- V-239557
- V-88585
- Rule IDs
-
- SV-239557r662122_rule
- SV-99235
Checks: C-42790r662120_chk
Run the following command to check for duplicate account names: # pwck -rq If there are no duplicate names, no line will be returned. If a line is returned, this is a finding.
Fix: F-42749r662121_fix
Change usernames, or delete accounts, so each has a unique name.
- RMF Control
- IA-8
- Severity
- Medium
- CCI
- CCI-000804
- Version
- VROM-SL-000720
- Vuln IDs
-
- V-239558
- V-88587
- Rule IDs
-
- SV-239558r662125_rule
- SV-99237
Checks: C-42791r662123_chk
Verify the SLES for vRealize uniquely identifies and authenticates non-organizational users by running the following commands: # awk -F: '{print $3}' /etc/passwd | sort | uniq -d If the output is not blank, this is a finding.
Fix: F-42750r662124_fix
Configure the SLES for vRealize to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). UNIQUE_USER_ID is a unique numerical value that must be non-negative. USERNAME is the username of the user whose user ID you wish to change. # usermod -u [UNIQUE_USER_ID] [USERNAME]
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001682
- Version
- VROM-SL-000730
- Vuln IDs
-
- V-239559
- V-88589
- Rule IDs
-
- SV-239559r662128_rule
- SV-99239
Checks: C-42792r662126_chk
For each emergency administrator account run the following command: chage -l [user] If the output shows an expiration date for the account, this is a finding.
Fix: F-42751r662127_fix
For each emergency administrator account run the following command to remove the expiration date: chage -E -1 [user]
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-000877
- Version
- VROM-SL-000735
- Vuln IDs
-
- V-239560
- V-88591
- Rule IDs
-
- SV-239560r877395_rule
- SV-99241
Checks: C-42793r662129_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the sshd_config file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-42752r662130_fix
Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-000879
- Version
- VROM-SL-000740
- Vuln IDs
-
- V-239561
- V-88593
- Rule IDs
-
- SV-239561r662134_rule
- SV-99243
Checks: C-42794r662132_chk
Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.
Fix: F-42753r662133_fix
Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null
- RMF Control
- SC-5
- Severity
- Medium
- CCI
- CCI-001095
- Version
- VROM-SL-000760
- Vuln IDs
-
- V-239562
- V-88595
- Rule IDs
-
- SV-239562r662137_rule
- SV-99245
Checks: C-42795r662135_chk
Check that SLES for vRealize is configured to use TCP syncookies when experiencing a TCP SYN flood. # cat /proc/sys/net/ipv4/tcp_syncookies If the result is not "1", this is a finding.
Fix: F-42754r662136_fix
Configure SLES for vRealize to use TCP syncookies when experiencing a TCP SYN flood. # sed -i 's/^.*\bnet.ipv4.tcp_syncookies\b.*$/net.ipv4.tcp_syncookies=1/' /etc/sysctl.conf Reload sysctl to verify the new change: # sysctl -p
- RMF Control
- SC-5
- Severity
- Medium
- CCI
- CCI-001095
- Version
- VROM-SL-000765
- Vuln IDs
-
- V-239563
- V-88597
- Rule IDs
-
- SV-239563r662140_rule
- SV-99247
Checks: C-42796r662138_chk
Check that SLES for vRealize has an appropriate TCP backlog queue size to mitigate against TCP SYN flood DOS attacks with the following command: # cat /proc/sys/net/ipv4/tcp_max_syn_backlog The recommended default setting is "1280". If the TCP backlog queue size is not set to "1280", this is a finding.
Fix: F-42755r662139_fix
Configure the TCP backlog queue size with the following command: # sed -i 's/^.*\bnet.ipv4.tcp_max_syn_backlog\b.*$/net.ipv4.tcp_max_syn_backlog=1280/' /etc/sysctl.conf Reload sysctl to verify the new change: # sysctl -p
- RMF Control
- SC-10
- Severity
- Medium
- CCI
- CCI-001133
- Version
- VROM-SL-000770
- Vuln IDs
-
- V-239564
- V-88599
- Rule IDs
-
- SV-239564r662405_rule
- SV-99249
Checks: C-42797r662141_chk
Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.
Fix: F-42756r662142_fix
Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VROM-SL-000795
- Vuln IDs
-
- V-239565
- V-88601
- Rule IDs
-
- SV-239565r662146_rule
- SV-99251
Checks: C-42798r662144_chk
Verify the "/var/log" directory is group-owned by "root" by running the following command: # ls -lad /var/log | cut -d' ' -f4 The output must look like the following example: ls -lad /var/log | cut -d' ' -f4 root If "root" is not returned as a result, this is a finding.
Fix: F-42757r662145_fix
Change the group of the directory "/var/log" to "root" by running the following command: # chgrp root /var/log
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VROM-SL-000800
- Vuln IDs
-
- V-239566
- V-88603
- Rule IDs
-
- SV-239566r662149_rule
- SV-99253
Checks: C-42799r662147_chk
Verify that the "/var/log" directory is owned by "root" by running the following command: # ls -lad /var/log | cut -d' ' -f3 The output must look like the following example: ls -lad /var/log | cut -d' ' -f3 root If "root" is not returned as a result, this is a finding.
Fix: F-42758r662148_fix
Change the owner of the directory "/var/log" to "root" by running the following command: # chown root /var/log
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VROM-SL-000805
- Vuln IDs
-
- V-239567
- V-88605
- Rule IDs
-
- SV-239567r662152_rule
- SV-99255
Checks: C-42800r662150_chk
Verify that the "/var/log" directory is the mode 0750 or less permissive by running the following command: # ls -lad /var/log | cut -d' ' -f1 The output must look like the following example: ls -lad /var/log | cut -d' ' -f1 drwxr-x--- If "drwxr-x---" is not returned as a result, this is a finding.
Fix: F-42759r662151_fix
Change the permissions of the directory "/var/log" to "0750" by running the following command: # chmod 0750 /var/log
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VROM-SL-000810
- Vuln IDs
-
- V-239568
- V-88607
- Rule IDs
-
- SV-239568r662155_rule
- SV-99257
Checks: C-42801r662153_chk
Verify that the "/var/log/messages" file is group-owned by "root" by running the following command: # ls -la /var/log/messages | cut -d' ' -f4 The output must look like the following example: ls -la /var/log/messages | cut -d' ' -f4 root If "root" is not returned as a result, this is a finding.
Fix: F-42760r662154_fix
Change the group of the file "/var/log/messages" to "root" by running the following command: # chgrp root /var/log/messages
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VROM-SL-000815
- Vuln IDs
-
- V-239569
- V-88609
- Rule IDs
-
- SV-239569r662158_rule
- SV-99259
Checks: C-42802r662156_chk
Verify that the "/var/log/messages" file is owned by "root" by running the following command: # ls -la /var/log/messages | cut -d' ' -f3 The output must look like the following example: ls -la /var/log/messages | cut -d' ' -f3 root If "root" is not returned as a result, this is a finding.
Fix: F-42761r662157_fix
Change the owner of the file "/var/log/messages" to "root" by running the following command: # chown root /var/log/messages
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VROM-SL-000820
- Vuln IDs
-
- V-239570
- V-88611
- Rule IDs
-
- SV-239570r662161_rule
- SV-99261
Checks: C-42803r662159_chk
Verify that the "/var/log/messages" file is 0640 or less permissive by running the following command: # ls -lad /var/log/messages | cut -d' ' -f1 The output must look like the following example: ls -lad /var/log/messages | cut -d' ' -f1 -rw-r----- If "-rw-r-----" is not returned as a result, this is a finding.
Fix: F-42762r662160_fix
Change the permissions of the file "/var/log/messages" to "0640" by running the following command: # chmod 0640 /var/log/messages
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VROM-SL-000825
- Vuln IDs
-
- V-239571
- V-88613
- Rule IDs
-
- SV-239571r662164_rule
- SV-99263
Checks: C-42804r662162_chk
Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the mode of the file is more permissive than "0640", this is a finding.
Fix: F-42763r662163_fix
Change the permissions of the syslog configuration file(s): # chmod 640 /etc/syslog-ng/syslog-ng.conf
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VROM-SL-000830
- Vuln IDs
-
- V-239572
- V-88615
- Rule IDs
-
- SV-239572r662167_rule
- SV-99265
Checks: C-42805r662165_chk
Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the file is not owned by "root", this is a finding.
Fix: F-42764r662166_fix
Use the chown command to set the owner to "root": # chown root /etc/syslog-ng/syslog-ng.conf
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- VROM-SL-000835
- Vuln IDs
-
- V-239573
- V-88617
- Rule IDs
-
- SV-239573r662170_rule
- SV-99267
Checks: C-42806r662168_chk
Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the file is not group owned by "root", this is a finding.
Fix: F-42765r662169_fix
Change the group-owner of the "/etc/rsyslog.conf" file to "root": # chgrp root /etc/syslog-ng/syslog-ng.conf
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001403
- Version
- VROM-SL-000845
- Vuln IDs
-
- V-239575
- V-88621
- Rule IDs
-
- SV-239575r662176_rule
- SV-99271
Checks: C-42808r662174_chk
Determine if execution of the "usermod" and "groupmod" executable are audited. # auditctl -l | egrep '(usermod|groupmod)' | grep perm=x If either "usermod" or "groupmod" are not listed with a permissions filter of at least "x", this is a finding.
Fix: F-42767r662175_fix
Configure execute auditing of the "usermod" and "groupmod" executables run the DoD.script with the following command as "root": # /etc/dodscript.sh OR Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the audit.rules file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Restart the auditd service. # service auditd restart
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001403
- Version
- VROM-SL-000850
- Vuln IDs
-
- V-239576
- V-88623
- Rule IDs
-
- SV-239576r662179_rule
- SV-99273
Checks: C-42809r662177_chk
Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/gshadow" are audited for writing. # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)' | grep perm=w If any of these are not listed with a permissions filter of at least "w", this is a finding.
Fix: F-42768r662178_fix
Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files run the DoD.script with the following command as root: # /etc/dodscript.sh OR Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files. Add the following to the audit.rules file: -w /etc/passwd -p w -k passwd -w /etc/shadow -p w -k shadow -w /etc/group -p w -k group -w /etc/gshadow -p w -k gshadow Restart the auditd service. # service auditd restart
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001404
- Version
- VROM-SL-000855
- Vuln IDs
-
- V-239577
- V-88625
- Rule IDs
-
- SV-239577r662182_rule
- SV-99275
Checks: C-42810r662180_chk
Determine if execution of the "passwd" executable is audited: # auditctl -l | grep watch=/usr/bin/passwd If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding.
Fix: F-42769r662181_fix
Configure SLES for vRealize to automatically audit account-disabling actions by running the following command: # /etc/dodscript.sh OR # echo '-w /usr/bin/passwd -p x -k passwd' >> /etc/audit/audit.rules Restart the auditd service. # service auditd restart
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001405
- Version
- VROM-SL-000860
- Vuln IDs
-
- V-239578
- V-88627
- Rule IDs
-
- SV-239578r662185_rule
- SV-99277
Checks: C-42811r662183_chk
Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding.
Fix: F-42770r662184_fix
Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-001453
- Version
- VROM-SL-000865
- Vuln IDs
-
- V-239579
- V-88629
- Rule IDs
-
- SV-239579r877394_rule
- SV-99279
Checks: C-42812r662186_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-42771r662187_fix
Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- AU-14
- Severity
- Medium
- CCI
- CCI-001464
- Version
- VROM-SL-000870
- Vuln IDs
-
- V-239580
- V-88631
- Rule IDs
-
- SV-239580r662191_rule
- SV-99281
Checks: C-42813r662189_chk
Check for the "audit=1" kernel parameter. # grep "audit=1" /proc/cmdline If no results are returned, this is a finding.
Fix: F-42772r662190_fix
Edit the grub bootloader file "/boot/grub/menu.lst" by appending the "audit=1" parameter to the kernel boot line. Reboot the system for the change to take effect.
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-001487
- Version
- VROM-SL-000875
- Vuln IDs
-
- V-239581
- V-88633
- Rule IDs
-
- SV-239581r662194_rule
- SV-99283
Checks: C-42814r662192_chk
Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.
Fix: F-42773r662193_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001493
- Version
- VROM-SL-000880
- Vuln IDs
-
- V-239582
- V-88635
- Rule IDs
-
- SV-239582r662197_rule
- SV-99285
Checks: C-42815r662195_chk
The following command will list which audit files on the system have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M' If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory: # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by the RPM database, this is a finding.
Fix: F-42774r662196_fix
For each file that has permissions that are more permissive than those expected by the RPM database, alter the permission of the file with the following command: # chmod <permission> <filename>
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001494
- Version
- VROM-SL-000885
- Vuln IDs
-
- V-239583
- V-88637
- Rule IDs
-
- SV-239583r662200_rule
- SV-99287
Checks: C-42816r662198_chk
The following command will list which audit files on the system where the group ownership has been modified: # rpm -V audit | grep '^......G' If there is output, this is a finding.
Fix: F-42775r662199_fix
For each file that has the incorrect group modification, alter the group ownership of the file with the following command: # chgrp <group> <filename>
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001495
- Version
- VROM-SL-000890
- Vuln IDs
-
- V-239584
- V-88639
- Rule IDs
-
- SV-239584r662203_rule
- SV-99289
Checks: C-42817r662201_chk
The following command will list which audit files on the system where the ownership has been modified: # rpm -V audit | grep '^.....U' If there is output, this is a finding.
Fix: F-42776r662202_fix
For each file that has the incorrect owner modification, alter the ownership of the file with the following command: # chown <owner> <filename>
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-001619
- Version
- VROM-SL-000900
- Vuln IDs
-
- V-239585
- V-88641
- Rule IDs
-
- SV-239585r662206_rule
- SV-99291
Checks: C-42818r662204_chk
Verify SLES for vRealize enforces password complexity by requiring that at least one special character be used by using the following command: Check the password "ocredit" option: # grep pam_cracklib.so /etc/pam.d/common-password Confirm the "ocredit" option is set to "-1" as in the example: password requisite pam_cracklib.so ocredit=-1 There may be other options on the line. If no such line is found, or the "ocredit" is not "-1", this is a finding.
Fix: F-42777r662205_fix
Configure SLES for vRealize to enforce password complexity by requiring that at least one special character be used by running the following command: If "ocredit" was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ ocredit=-1/' /etc/pam.d/common-password-vmware.local If "ocredit" was set incorrectly, run the following command: # sed -i '/pam_cracklib.so/ s/ocredit=../ocredit=-1/' /etc/pam.d/common-password-vmware.local
- RMF Control
- AC-2
- Severity
- Low
- CCI
- CCI-001683
- Version
- VROM-SL-000910
- Vuln IDs
-
- V-239586
- V-88643
- Rule IDs
-
- SV-239586r662209_rule
- SV-99293
Checks: C-42819r662207_chk
Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.
Fix: F-42778r662208_fix
Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };
- RMF Control
- AC-2
- Severity
- Low
- CCI
- CCI-001684
- Version
- VROM-SL-000915
- Vuln IDs
-
- V-239587
- V-88645
- Rule IDs
-
- SV-239587r662212_rule
- SV-99295
Checks: C-42820r662210_chk
Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.
Fix: F-42779r662211_fix
Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };
- RMF Control
- AC-2
- Severity
- Low
- CCI
- CCI-001685
- Version
- VROM-SL-000920
- Vuln IDs
-
- V-239588
- V-88647
- Rule IDs
-
- SV-239588r662215_rule
- SV-99297
Checks: C-42821r662213_chk
Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.
Fix: F-42780r662214_fix
Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };
- RMF Control
- AC-2
- Severity
- Low
- CCI
- CCI-001686
- Version
- VROM-SL-000925
- Vuln IDs
-
- V-239589
- V-88649
- Rule IDs
-
- SV-239589r662218_rule
- SV-99299
Checks: C-42822r662216_chk
Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.
Fix: F-42781r662217_fix
Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001496
- Version
- VROM-SL-000930
- Vuln IDs
-
- V-239590
- V-88651
- Rule IDs
-
- SV-239590r877393_rule
- SV-99301
Checks: C-42823r662219_chk
The following command will list which audit files on the system have file hashes different from what is expected by the RPM database: # rpm -V audit | grep '$1 ~ /..5/ && $2 != "c"' If there is output, this is a finding.
Fix: F-42782r662220_fix
The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database: # rpm -V audit | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to, refresh from distribution media or online repositories. rpm -Uvh [affected_package]
- RMF Control
- AC-12
- Severity
- Medium
- CCI
- CCI-002361
- Version
- VROM-SL-000935
- Vuln IDs
-
- V-239591
- V-88653
- Rule IDs
-
- SV-239591r852588_rule
- SV-99303
Checks: C-42824r662222_chk
Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.
Fix: F-42783r662223_fix
Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-002314
- Version
- VROM-SL-000950
- Vuln IDs
-
- V-239592
- V-88655
- Rule IDs
-
- SV-239592r852589_rule
- SV-99305
Checks: C-42825r662225_chk
Check the SSH daemon configuration for listening network addresses: # grep -i Listen /etc/ssh/sshd_config | grep -v '^#' If no configuration is returned, or if a returned "Listen" configuration contains addresses not designated for management traffic, this is a finding.
Fix: F-42784r662226_fix
Edit the SSH daemon configuration with the following command: # sed -i "/^[^#]ListenAddress/ c\ListenAddress = 0.0.0.0" /etc/ssh/sshd_config Replace "0.0.0.0" with the listening network addresses designated for management traffic.
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-002130
- Version
- VROM-SL-000970
- Vuln IDs
-
- V-239593
- V-88657
- Rule IDs
-
- SV-239593r852590_rule
- SV-99307
Checks: C-42826r662228_chk
Determine if execution of the usermod and groupmod executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the passwd executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "etc/group", and "etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.
Fix: F-42785r662229_fix
Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to the aud.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-002132
- Version
- VROM-SL-000975
- Vuln IDs
-
- V-239594
- V-88659
- Rule IDs
-
- SV-239594r852591_rule
- SV-99309
Checks: C-42827r662231_chk
Determine if execution of the "usermod" and "groupmod" executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "passwd" executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.
Fix: F-42786r662232_fix
Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to the aud.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart
- RMF Control
- AC-6
- Severity
- Low
- CCI
- CCI-002234
- Version
- VROM-SL-001005
- Vuln IDs
-
- V-239595
- V-88661
- Rule IDs
-
- SV-239595r852592_rule
- SV-99311
Checks: C-42828r662234_chk
To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: # grep path /etc/audit/audit.rules It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.
Fix: F-42787r662235_fix
At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged OR # /etc/dodscript.sh
- RMF Control
- AC-7
- Severity
- Low
- CCI
- CCI-002238
- Version
- VROM-SL-001010
- Vuln IDs
-
- V-239596
- V-88663
- Rule IDs
-
- SV-239596r852593_rule
- SV-99313
Checks: C-42829r662237_chk
Check the "pam_tally2" configuration: # more /etc/pam.d/common-auth Confirm the following line is configured: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_ti me=86400 root_unlock_time=300 # more /etc/pam.d/common-account Confirm the following line is configured: account required pam_tally2.so If no such lines are found, this is a finding.
Fix: F-42788r662238_fix
Edit "/etc/pam.d/common-auth" file and add the following line: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300 Edit "/etc/pam.d/common-account" file and add the following line: account required pam_tally2.so
- RMF Control
- AU-4
- Severity
- Low
- CCI
- CCI-001851
- Version
- VROM-SL-001035
- Vuln IDs
-
- V-239597
- V-88665
- Rule IDs
-
- SV-239597r877390_rule
- SV-99315
Checks: C-42830r662240_chk
Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.
Fix: F-42789r662241_fix
Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-001855
- Version
- VROM-SL-001040
- Vuln IDs
-
- V-239598
- V-88667
- Rule IDs
-
- SV-239598r877389_rule
- SV-99317
Checks: C-42831r662243_chk
Check "/etc/audit/auditd.conf" file for the "space_left_action" parameter with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding Expected Result: space_left_action = SYSLOG Notes: If the "space_left_action" parameter is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" parameter is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.
Fix: F-42790r662244_fix
Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-001858
- Version
- VROM-SL-001045
- Vuln IDs
-
- V-239599
- V-88669
- Rule IDs
-
- SV-239599r852596_rule
- SV-99319
Checks: C-42832r662246_chk
Check "/etc/audit/auditd.conf" file for the "space_left_action" parameter with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding Expected Result: space_left_action = SYSLOG Notes: If the "space_left_action" parameter is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" parameter is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.
Fix: F-42791r662247_fix
Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-001891
- Version
- VROM-SL-001085
- Vuln IDs
-
- V-239600
- V-88671
- Rule IDs
-
- SV-239600r878121_rule
- SV-99321
Checks: C-42833r662249_chk
A remote NTP server should be configured for time synchronization. To verify one is configured, open the following files: # cat /etc/ntp.conf | grep server | grep -v '^#' # cat /etc/ntp.conf | grep peer | grep -v '^#' # cat /etc/ntp.conf | grep multicastclient | grep -v '^#' Confirm the servers and peers or multicastclient (as applicable) are local or an authoritative U.S. DoD source. If a non-local/non-authoritative time-server is used, this is a finding.
Fix: F-42792r662250_fix
To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver by using the following command: # echo "server [ntpserver]" >> /etc/ntp.conf Replace [ntpserver] with one of the USNO time servers. This instructs the NTP software to contact that remote server to obtain time data. Restart the service with: # service ntp restart
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-001891
- Version
- VROM-SL-001090
- Vuln IDs
-
- V-239601
- V-88673
- Rule IDs
-
- SV-239601r877038_rule
- SV-99323
Checks: C-42834r662252_chk
Check the ownership of the NTP configuration file: # ls -l /etc/ntp.conf If the owner is not "root", this is a finding.
Fix: F-42793r662253_fix
Change the owner of the NTP configuration file to "root": # chown root /etc/ntp.conf
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-001891
- Version
- VROM-SL-001095
- Vuln IDs
-
- V-239602
- V-88675
- Rule IDs
-
- SV-239602r877038_rule
- SV-99325
Checks: C-42835r662255_chk
Check the group ownership of the NTP configuration file: # ls -lL /etc/ntp.conf If the group-owner is not "root", "bin", "sys", or "system", this is a finding.
Fix: F-42794r662256_fix
Change the group-owner of the NTP configuration file: # chgrp root /etc/ntp.conf
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-001891
- Version
- VROM-SL-001100
- Vuln IDs
-
- V-239603
- V-88677
- Rule IDs
-
- SV-239603r877038_rule
- SV-99327
Checks: C-42836r662258_chk
Check that the mode for the NTP configuration file is not more permissive than "0640": # ls -l /etc/ntp.conf If the mode is more permissive than "0640", this is a finding.
Fix: F-42795r662259_fix
Change the mode of the NTP configuration file to "0640" or less permissive: # chmod 0640 /etc/ntp.conf
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-002046
- Version
- VROM-SL-001105
- Vuln IDs
-
- V-239604
- V-88679
- Rule IDs
-
- SV-239604r852601_rule
- SV-99329
Checks: C-42837r662261_chk
Run the following command to determine the current status of the "ntpd" service: # service ntp status If the service is configured, the command should show a list of the ntp servers and the status of the synchronization. If nothing is returned, this is a finding. If the service is configured, but does not show a status of "on", this is a finding.
Fix: F-42796r662262_fix
The "ntp" service can be enabled with the following command: # chkconfig ntp on # service ntp start
- RMF Control
- CM-3
- Severity
- Medium
- CCI
- CCI-001744
- Version
- VROM-SL-001130
- Vuln IDs
-
- V-239605
- V-88681
- Rule IDs
-
- SV-239605r852602_rule
- SV-99331
Checks: C-42838r662264_chk
Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.
Fix: F-42797r662265_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001814
- Version
- VROM-SL-001140
- Vuln IDs
-
- V-239606
- V-88683
- Rule IDs
-
- SV-239606r852603_rule
- SV-99333
Checks: C-42839r662267_chk
Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.
Fix: F-42798r662268_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001749
- Version
- VROM-SL-001145
- Vuln IDs
-
- V-239607
- V-88685
- Rule IDs
-
- SV-239607r877463_rule
- SV-99335
Checks: C-42840r662270_chk
Verify RPM signature validation is not disabled: # grep nosignature /usr/lib/rpm/rpmrc ~root/.rpmrc The result should either respond with no such file or directory, or an empty return. If any configuration is found, this is a finding.
Fix: F-42799r662271_fix
Edit the RPM configuration files containing the "nosignature" option and remove the option.
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-002884
- Version
- VROM-SL-001220
- Vuln IDs
-
- V-239608
- V-88687
- Rule IDs
-
- SV-239608r852605_rule
- SV-99337
Checks: C-42841r662273_chk
Verify that all commands run by "root" are being audited with the following command: # cat /etc/audit/audit.rules | grep execve If the following lines are not displayed, this is a finding. -a exit,always -F arch=b64 -F euid=0 -S execve -a exit,always -F arch=b32 -F euid=0 -S execve
Fix: F-42800r662274_fix
Configure SLES for vRealize to log all commands run by "root" with the following command: # echo "-a exit,always -F arch=b64 -F euid=0 -S execve" >> /etc/audit/audit.rules # echo "-a exit,always -F arch=b32 -F euid=0 -S execve" >> /etc/audit/audit.rules Restart the audit service: # service auditd restart
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-002890
- Version
- VROM-SL-001225
- Vuln IDs
-
- V-239609
- V-88689
- Rule IDs
-
- SV-239609r877382_rule
- SV-99339
Checks: C-42842r662276_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-42801r662277_fix
Update the Ciphers directive with the following command: # sed -i '/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr' /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-003123
- Version
- VROM-SL-001230
- Vuln IDs
-
- V-239610
- V-88691
- Rule IDs
-
- SV-239610r877381_rule
- SV-99341
Checks: C-42843r662279_chk
Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.
Fix: F-42802r662280_fix
Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config
- RMF Control
- SC-13
- Severity
- High
- CCI
- CCI-002450
- Version
- VROM-SL-001240
- Vuln IDs
-
- V-239611
- V-88693
- Rule IDs
-
- SV-239611r877380_rule
- SV-99343
Checks: C-42844r662282_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-42803r662283_fix
Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- SC-8
- Severity
- High
- CCI
- CCI-002418
- Version
- VROM-SL-001285
- Vuln IDs
-
- V-239612
- V-88695
- Rule IDs
-
- SV-239612r916422_rule
- SV-99345
Checks: C-42845r662285_chk
Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr
Fix: F-42804r662286_fix
Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart
- RMF Control
- SC-8
- Severity
- High
- CCI
- CCI-002421
- Version
- VROM-SL-001290
- Vuln IDs
-
- V-239613
- V-88697
- Rule IDs
-
- SV-239613r878122_rule
- SV-99347
Checks: C-42846r662288_chk
Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.
Fix: F-42805r662289_fix
Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config
- RMF Control
- SI-16
- Severity
- Medium
- CCI
- CCI-002824
- Version
- VROM-SL-001310
- Vuln IDs
-
- V-239614
- V-88699
- Rule IDs
-
- SV-239614r852611_rule
- SV-99349
Checks: C-42847r662291_chk
The stock kernel has support for non-executable program stacks compiled in by default. Verify that the option was specified when the kernel was built: # grep -i "execute" /var/log/boot.msg The message: "NX (Execute Disable) protection: active" will be written in the boot log when compiled in the kernel. This is the default for x86_64. To activate this support, the "noexec=on" kernel parameter must be specified at boot time. Check for a message with the following command: # grep –i "noexec" /var/log/boot.msg The message: "Kernel command line: <boot parameters> noexec=on" will be written to the boot log when properly appended to the "/boot/grub/menu.lst" file. If non-executable program stacks have not been configured, this is a finding.
Fix: F-42806r662292_fix
Edit the "/boot/grub/menu.lst" file and add "noexec=on" to the end of each kernel line entry. A system restart is required to implement this change.
- RMF Control
- SI-16
- Severity
- Medium
- CCI
- CCI-002824
- Version
- VROM-SL-001315
- Vuln IDs
-
- V-239615
- V-88701
- Rule IDs
-
- SV-239615r852612_rule
- SV-99351
Checks: C-42848r662294_chk
Verify "randomize_va_space" has not been changed from the default "1" setting. # sysctl kernel.randomize_va_space If the return value is not "kernel.randomize_va_space = 1", this is a finding.
Fix: F-42807r662295_fix
Run the following command: #sysctl kernel.randomize_va_space=1
- RMF Control
- SI-6
- Severity
- Medium
- CCI
- CCI-002702
- Version
- VROM-SL-001335
- Vuln IDs
-
- V-239616
- V-88703
- Rule IDs
-
- SV-239616r852613_rule
- SV-99353
Checks: C-42849r662297_chk
Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.
Fix: F-42808r662298_fix
Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001340
- Vuln IDs
-
- V-239617
- V-88705
- Rule IDs
-
- SV-239617r662302_rule
- SV-99355
Checks: C-42850r662300_chk
To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.
Fix: F-42809r662301_fix
At a minimum, the audit system should collect administrator actions for all users and "root". Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001345
- Vuln IDs
-
- V-239618
- V-88707
- Rule IDs
-
- SV-239618r662305_rule
- SV-99357
Checks: C-42851r662303_chk
Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.
Fix: F-42810r662304_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001350
- Vuln IDs
-
- V-239619
- V-88709
- Rule IDs
-
- SV-239619r662308_rule
- SV-99359
Checks: C-42852r662306_chk
To determine if SLES for vRealize is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=chmod,lchown,sethostname,fchmod,fchown,adjtimex,init_module,delete_module,chown,lchown32,fchown32,chown32,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-42811r662307_fix
At a minimum, the audit system should collect file permission changes for all users and "root". Add the following to the "/etc/audit/audit.rules" file: -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S chmod OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001355
- Vuln IDs
-
- V-239620
- V-88711
- Rule IDs
-
- SV-239620r662311_rule
- SV-99361
Checks: C-42853r662309_chk
To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.
Fix: F-42812r662310_fix
At a minimum, the audit system should collect administrator actions for all users and root. Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001360
- Vuln IDs
-
- V-239621
- V-88713
- Rule IDs
-
- SV-239621r662314_rule
- SV-99363
Checks: C-42854r662312_chk
Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.
Fix: F-42813r662313_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001365
- Vuln IDs
-
- V-239622
- V-88715
- Rule IDs
-
- SV-239622r662317_rule
- SV-99365
Checks: C-42855r662315_chk
To determine if SLES for vRealize is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=chmod,lchown,sethostname,fchmod,fchown,adjtimex,init_module,delete_module,chown,lchown32,fchown32,chown32,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime,fchownat,fchmodat If no lines are returned, this is a finding.
Fix: F-42814r662316_fix
At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and root. Add the following to the "/etc/audit/audit.rules" file: -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S chmod OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001370
- Vuln IDs
-
- V-239623
- V-88717
- Rule IDs
-
- SV-239623r662320_rule
- SV-99367
Checks: C-42856r662318_chk
Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.
Fix: F-42815r662319_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001375
- Vuln IDs
-
- V-239624
- V-88719
- Rule IDs
-
- SV-239624r662323_rule
- SV-99369
Checks: C-42857r662321_chk
To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.
Fix: F-42816r662322_fix
At a minimum, the SLES for vRealize audit system should collect administrator actions for all users and root. Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001380
- Vuln IDs
-
- V-239625
- V-88721
- Rule IDs
-
- SV-239625r662326_rule
- SV-99371
Checks: C-42858r662324_chk
The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.
Fix: F-42817r662325_fix
Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001385
- Vuln IDs
-
- V-239626
- V-88723
- Rule IDs
-
- SV-239626r662329_rule
- SV-99373
Checks: C-42859r662327_chk
To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: # grep path /etc/audit/audit.rules It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.
Fix: F-42818r662328_fix
At a minimum, the SLES for vRealize audit system should collect the execution of privileged commands for all users and "root". To find the relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001390
- Vuln IDs
-
- V-239627
- V-88725
- Rule IDs
-
- SV-239627r662332_rule
- SV-99375
Checks: C-42860r662330_chk
Determine if "/sbin/insmod" is audited: # cat /etc/audit/audit.rules | grep "/sbin/insmod" If the result does not start with "-w" and contain "-p x", this is a finding.
Fix: F-42819r662331_fix
Add the following to the "/etc/audit/audit.rules" file in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001395
- Vuln IDs
-
- V-239628
- V-88727
- Rule IDs
-
- SV-239628r662335_rule
- SV-99377
Checks: C-42861r662333_chk
The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.
Fix: F-42820r662334_fix
Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001400
- Vuln IDs
-
- V-239629
- V-88729
- Rule IDs
-
- SV-239629r662338_rule
- SV-99379
Checks: C-42862r662336_chk
The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.
Fix: F-42821r662337_fix
Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001405
- Vuln IDs
-
- V-239630
- V-88731
- Rule IDs
-
- SV-239630r662341_rule
- SV-99381
Checks: C-42863r662339_chk
Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.
Fix: F-42822r662340_fix
Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001410
- Vuln IDs
-
- V-239631
- V-88733
- Rule IDs
-
- SV-239631r662344_rule
- SV-99383
Checks: C-42864r662342_chk
Verify auditd is configured to audit failed file access attempts. There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S creat" | grep -e "-F exit=-EPERM" # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S creat" | grep -e "-F exit=-EACCES" There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall. If not, this is a finding.
Fix: F-42823r662343_fix
Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b32 -S creat -F exit=-EPERM -a exit,always -F arch=b32 -S creat -F exit=-EACCES
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001415
- Vuln IDs
-
- V-239632
- V-88735
- Rule IDs
-
- SV-239632r662347_rule
- SV-99385
Checks: C-42865r662345_chk
Verify auditd is configured to audit failed file access attempts. There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S open" | grep -e "-F exit=-EPERM" # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S open" | grep -e "-F exit=-EACCES" There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall. If not, this is a finding.
Fix: F-42824r662346_fix
Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S open -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EACCES -a exit,always -F arch=b32 -S open -F exit=-EPERM -a exit,always -F arch=b32 -S open -F exit=-EACCES
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001420
- Vuln IDs
-
- V-239633
- V-88737
- Rule IDs
-
- SV-239633r662350_rule
- SV-99387
Checks: C-42866r662348_chk
Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S openat" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.
Fix: F-42825r662349_fix
Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S openat -F success=0 -a exit,always -F arch=b32 -S openat -F success=0
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001425
- Vuln IDs
-
- V-239634
- V-88739
- Rule IDs
-
- SV-239634r662353_rule
- SV-99389
Checks: C-42867r662351_chk
Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S truncate" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.
Fix: F-42826r662352_fix
Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S truncate -F success=0 -a exit,always -F arch=b32 -S truncate -F success=0
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001430
- Vuln IDs
-
- V-239635
- V-88741
- Rule IDs
-
- SV-239635r662356_rule
- SV-99391
Checks: C-42868r662354_chk
Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S ftruncate" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.
Fix: F-42827r662355_fix
Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S ftruncate -F success=0 -a exit,always -F arch=b32 -S ftruncate -F success=0
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001435
- Vuln IDs
-
- V-239636
- V-88743
- Rule IDs
-
- SV-239636r662359_rule
- SV-99393
Checks: C-42869r662357_chk
To determine if SLES for vRealize is configured to audit calls to the "unlink" system call, run the following command: # auditctl -l | grep syscall | grep unlink | grep -v unlinkat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "unlinkat" system call, run the following command: # auditctl -l | grep syscall | grep unlinkat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "rename" system call, run the following command: # auditctl -l | grep syscall | grep rename | grep -v renameat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "renameat" system call, run the following command: # auditctl -l | grep syscall | grep renameat If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding.
Fix: F-42828r662358_fix
Edit the audit.rules file and add the following line(s) to enable auditing of deletions of files and programs: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001440
- Vuln IDs
-
- V-239637
- V-88745
- Rule IDs
-
- SV-239637r662362_rule
- SV-99395
Checks: C-42870r662360_chk
Check SLES for vRealize audit configuration to determine if file and directory deletions are audited: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -i "rmdir" If no results are returned or the results do not contain "-S rmdir", this is a finding.
Fix: F-42829r662361_fix
Add the following to the "/etc/audit/audit.rules" file in order to capture file and directory deletion events: -a always,exit -F arch=b64 -S rmdir -S rm -a always,exit -F arch=b32 -S rmdir -S rm
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001445
- Vuln IDs
-
- V-239638
- V-88747
- Rule IDs
-
- SV-239638r662365_rule
- SV-99397
Checks: C-42871r662363_chk
Check for a logrotate entry that rotates audit logs. # ls -l /etc/logrotate.d/audit If it exists, check for the presence of the daily rotate flag: # egrep "daily" /etc/logrotate.d/audit The command should produce a "daily" entry in the logrotate file for the audit daemon. If the daily entry is missing, this is a finding.
Fix: F-42830r662364_fix
Create or edit the "/etc/logrotate.d/audit" file and add the daily entry, such as: /var/log/audit/audit.log { compress dateext rotate 15 daily missingok notifempty create 600 root root sharedscripts postrotate /sbin/service auditd restart 2> /dev/null > /dev/null || true endscript }
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001450
- Vuln IDs
-
- V-239639
- V-88749
- Rule IDs
-
- SV-239639r662368_rule
- SV-99399
Checks: C-42872r662366_chk
The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.
Fix: F-42831r662367_fix
Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001455
- Vuln IDs
-
- V-239640
- V-88751
- Rule IDs
-
- SV-239640r662371_rule
- SV-99401
Checks: C-42873r662369_chk
Determine if execution of the "usermod" and "groupmod" executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the passwd executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.
Fix: F-42832r662370_fix
Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to audit.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart OR # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- VROM-SL-001460
- Vuln IDs
-
- V-239641
- V-88753
- Rule IDs
-
- SV-239641r662374_rule
- SV-99403
Checks: C-42874r662372_chk
Determine if "/sbin/insmod" is audited: # cat /etc/audit/audit.rules | grep "/sbin/insmod" If the result does not start with "-w" and contain "-p x", this is a finding.
Fix: F-42833r662373_fix
Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x OR # /etc/dodscript.sh
- RMF Control
- SC-13
- Severity
- Medium
- CCI
- CCI-002450
- Version
- VROM-SL-001465
- Vuln IDs
-
- V-239642
- V-88755
- Rule IDs
-
- SV-239642r878123_rule
- SV-99405
Checks: C-42875r662375_chk
Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.
Fix: F-42834r662376_fix
Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config
- RMF Control
- AU-4
- Severity
- Medium
- CCI
- CCI-001851
- Version
- VROM-SL-001470
- Vuln IDs
-
- V-239643
- V-88757
- Rule IDs
-
- SV-239643r852615_rule
- SV-99407
Checks: C-42876r662378_chk
Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.
Fix: F-42835r662379_fix
Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VROM-SL-001475
- Vuln IDs
-
- V-239644
- V-88759
- Rule IDs
-
- SV-239644r662383_rule
- SV-99409
Checks: C-42877r662381_chk
Check "/etc/pam.d/common-password" for "pam_cracklib" configuration: # grep pam_cracklib /etc/pam.d/common-password* If "pam_cracklib" is not present, this is a finding. Ensure the passwd command uses the common-password settings. # grep common-password /etc/pam.d/passwd If a line "password include common-password" is not found then the password checks in common-password will not be applied to new passwords, this is a finding.
Fix: F-42836r662382_fix
Edit "/etc/pam.d/common-password" and configure "pam_cracklib" by adding a line such as "password requisite pam_cracklib.so".
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VROM-SL-001480
- Vuln IDs
-
- V-239645
- V-88761
- Rule IDs
-
- SV-239645r662386_rule
- SV-99411
Checks: C-42878r662384_chk
Verify the module "pam_cracklib.so" is present. Procedure: # ls /lib/security/ Confirm that "pam_cracklib.so" is present in the directory listing. If "pam_cracklib.so" is not present, this is a finding. Verify the file "/etc/pam.d/common-password" is configured. Procedure: # grep pam_cracklib /etc/pam.d/common-password* If a line containing "password required pam_cracklib.so" is not present, this is a finding.
Fix: F-42837r662385_fix
Configure SLES for vRealize to prevent the use of dictionary words for passwords. Edit the file "/etc/pam.d/common-password". Configure "common-password" by adding a line such as: password required pam_cracklib.so Save the changes made to the file "/etc/pam.d/common-password".
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VROM-SL-001485
- Vuln IDs
-
- V-239646
- V-88763
- Rule IDs
-
- SV-239646r662389_rule
- SV-99413
Checks: C-42879r662387_chk
Verify the "passwd" command uses the "common-password" settings. Procedure: # grep common-password /etc/pam.d/passwd If line "password include common-password" is not found then the password checks in common-password will not be applied to new passwords, and this is a finding.
Fix: F-42838r662388_fix
Configure SLES for vRealize to prevent the use of dictionary words for passwords. Procedure: Edit the file "/etc/pam.d/passwd". Configure "passwd" by adding a line such as: password include common-password Save the changes made to the file.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VROM-SL-001490
- Vuln IDs
-
- V-239647
- V-88765
- Rule IDs
-
- SV-239647r662392_rule
- SV-99415
Checks: C-42880r662390_chk
Check the value of the "FAIL_DELAY" variable and the ability to use it: # grep FAIL_DELAY /etc/login.defs The following result should be displayed: FAIL_DELAY 4 If the value does not exist, or is less than "4", this is a finding. Check for the use of "pam_faildelay": # grep pam_faildelay /etc/pam.d/common-auth* The following result should be displayed: /etc/pam.d/common-auth:auth optional pam_faildelay.so If the "pam_faildelay.so" module is not listed or is commented out, this is a finding.
Fix: F-42839r662391_fix
Add the "pam_faildelay" module and set the "FAIL_DELAY" variable. Edit the "/etc/login.defs" file and set the value of the "FAIL_DELAY" variable to "4" or more. Edit "/etc/pam.d/common-auth" and add a "pam_faildelay" entry if one does not exist, such as: auth optional pam_faildelay.so
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VROM-SL-001495
- Vuln IDs
-
- V-239648
- V-88767
- Rule IDs
-
- SV-239648r662395_rule
- SV-99417
Checks: C-42881r662393_chk
Verify the SLES for vRealize enforces a delay of at least "4" seconds between logon prompts following a failed logon attempt. Review the file "/etc/login.defs" and verify the parameter "FAIL_DELAY" is a value of "4" or greater. Procedure: # grep FAIL_DELAY /etc/login.defs The typical configuration looks something like this: FAIL_DELAY 4 If the parameter "FAIL_DELAY" does not exists, or is less than "4", this is a finding.
Fix: F-42840r662394_fix
Configure SLES for vRealize to enforce a delay of at least "4" seconds between logon prompts following a failed logon attempt. Set the parameter "FAIL_DELAY" to a value of "4" or greater. Edit the file "/etc/login.defs". Set the parameter "FAIL_DELAY" to a value of "4" or greater. The typical configuration looks something like this: FAIL_DELAY 4 Save the changes made to the file.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VROM-SL-001500
- Vuln IDs
-
- V-239649
- V-88769
- Rule IDs
-
- SV-239649r662398_rule
- SV-99419
Checks: C-42882r662396_chk
Verify SLES for vRealize enforces a delay of at least "4" seconds between logon prompts following a failed logon attempt. Verify the use of the "pam_faildelay" module. Procedure: # grep pam_faildelay /etc/pam.d/common-auth* The typical configuration looks something like this: #delay is in micro seconds auth required pam_faildelay.so delay=4000000 If the line is not present, this is a finding.
Fix: F-42841r662397_fix
Configure SLES for vRealize to enforce a delay of at least "4" seconds between logon prompts following a failed logon attempt with the following command: # sed -i "/^[^#]*pam_faildelay.so/ c\auth required pam_faildelay.so delay=4000000" /etc/pam.d/common-auth-vmware.local
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VROM-SL-001505
- Vuln IDs
-
- V-239650
- V-88771
- Rule IDs
-
- SV-239650r662401_rule
- SV-99421
Checks: C-42883r662399_chk
Verify SLES for vRealize is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding.
Fix: F-42842r662400_fix
Configure SLES for vRealize in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- VROM-SL-001510
- Vuln IDs
-
- V-239651
- V-88773
- Rule IDs
-
- SV-239651r662404_rule
- SV-99423
Checks: C-42884r662402_chk
Check for the configured umask value in login.defs with the following command: # grep UMASK /etc/login.defs If the default umask is not "077", this a finding. Note: If the default umask is "000" or allows for the creation of world-writable files this becomes a CAT I finding.
Fix: F-42843r662403_fix
To configure the correct UMASK setting run the following command: # sed -i "/^[^#]*UMASK/ c\UMASK 077" /etc/login.defs NOTE: Setting "UMASK 077" will break upgrades and other possible functionality within the product. When making upgrades to the system, you will need to revert this UMASK setting to the default for the duration of upgrades and then re-apply.
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- VROM-SL-009999
- Vuln IDs
-
- V-258448
- Rule IDs
-
- SV-258448r928863_rule
Checks: C-62188r928861_chk
vRealize Operations Manager 6.x SLES is no longer supported by the vendor. If the system is running vRealize Operations Manager 6.x SLES, this is a finding.
Fix: F-53958r798705_fix
Upgrade to a supported version.
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-001384
- Version
- VROM-SL-000840
- Vuln IDs
-
- V-258512
- V-88619
- Rule IDs
-
- SV-258512r929628_rule
- SV-99269
Checks: C-62252r929626_chk
Check issue file to verify that it contains one of the DoD required banners. # cat /etc/issue "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." If it does not, this is a finding.
Fix: F-62161r929627_fix
To configure SLES for vRealize to display the Standard Mandatory DoD Notice and Consent Banner, run the DoD.script with the following command as "root": # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000175
- Vuln IDs
-
- V-258513
- V-88393
- Rule IDs
-
- SV-258513r929631_rule
- SV-99043
Checks: C-62253r929629_chk
Check the auditing configuration of the system: # cat /etc/audit/audit.rules | grep -i "auditd.conf" If no results are returned, or the line does not start with "-w", this is a finding. Expected Result: -w /etc/audit/auditd.conf
Fix: F-62162r929630_fix
Add the following lines to the "audit.rules" file to enable auditing of administrative, privileged, and security actions: echo '-w /etc/audit/auditd.conf' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000180
- Vuln IDs
-
- V-258514
- V-88395
- Rule IDs
-
- SV-258514r929634_rule
- SV-99045
Checks: C-62254r929632_chk
Check if SLES for vRealize system is configured to audit calls to the "adjtimex" system call, run the following command: # grep -w "adjtimex" /etc/audit/audit.rules If SLES for vRealize is configured to audit time changes, it will return at least two lines containing "-S adjtimex" that also contain "arch=b64". If no line is returned, this is a finding.
Fix: F-62163r929633_fix
Run the following command: echo '-a exit,always -F arch=b64 -S adjtimex -F auid=0' >> /etc/audit/audit.rules echo '-a exit,always -F arch=b64 -S adjtimex -F auid>=500 -F auid!=4294967295' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000185
- Vuln IDs
-
- V-258515
- V-88397
- Rule IDs
-
- SV-258515r929637_rule
- SV-99047
Checks: C-62255r929635_chk
Check if SLES for vRealize is configured to audit calls to the "settimeofday" system call, run the following command: # grep -w "settimeofday" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least two lines containing "-S settimeofday" that also contain "arch=b64". If no line is returned, this is a finding.
Fix: F-62164r929636_fix
Run the following command: echo '-a exit,always -F arch=b64 -S settimeofday -F auid=0' >> /etc/audit/audit.rules echo '-a exit,always -F arch=b64 -S settimeofday -F auid>=500 -F auid!=4294967295' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000190
- Vuln IDs
-
- V-258516
- V-88399
- Rule IDs
-
- SV-258516r929640_rule
- SV-99049
Checks: C-62256r929638_chk
Check if SLES for vRealize is configured to audit calls to the "settimeofday" system call, run the following command: # grep -w "stime" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least two lines containing "-S settimeofday" that also contain "arch=b64". If no line is returned, this is a finding.
Fix: F-62165r929639_fix
Run the following command: echo '-a exit,always -F arch=b64 -S stime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000195
- Vuln IDs
-
- V-258517
- V-88401
- Rule IDs
-
- SV-258517r929643_rule
- SV-99051
Checks: C-62257r929641_chk
Check if SLES for vRealize is configured to audit calls to the "clock_settime" system call, run the following command: # grep -w "clock_settime" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least a line containing "-S clock_settime" that also contain "arch=b64". If no line is returned, this is a finding.
Fix: F-62166r929642_fix
Run the following command: echo '-a exit,always -F arch=b64 -S clock_settime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000200
- Vuln IDs
-
- V-258518
- V-88403
- Rule IDs
-
- SV-258518r929646_rule
- SV-99053
Checks: C-62258r929644_chk
To determine if SLES for vRealize is configured to audit attempts to alter time via the /etc/localtime file, run the following command: # auditctl -l | grep "watch=/etc/localtime" If SLES for vRealize is configured to audit this activity, it will return a line. LIST_RULES: exit,always watch=/etc/localtime perm=wa key=localtime If no line is returned, this is a finding.
Fix: F-62167r929645_fix
To configure the SLES for vRealize to audit attempts to alter time via the /etc/localtime file, run the following command: echo '-w /etc/localtime -p wa -k localtime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000205
- Vuln IDs
-
- V-258519
- V-88405
- Rule IDs
-
- SV-258519r929649_rule
- SV-99055
Checks: C-62259r929647_chk
Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "sethostname" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least one line. If no line is returned, this is a finding.
Fix: F-62168r929648_fix
Run the following command: # echo '-a exit,always -F arch=b64 -S sethostname' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000210
- Vuln IDs
-
- V-258520
- V-88407
- Rule IDs
-
- SV-258520r929652_rule
- SV-99057
Checks: C-62260r929650_chk
Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "setdomainname" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return a line. If no line is returned, this is a finding.
Fix: F-62169r929651_fix
Run the following command: # echo '-a exit,always -F arch=b64 -S setdomainname' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000215
- Vuln IDs
-
- V-258521
- V-88409
- Rule IDs
-
- SV-258521r929655_rule
- SV-99059
Checks: C-62261r929653_chk
Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "sched_setparam" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return a line. If no line is returned, this is a finding.
Fix: F-62170r929654_fix
Run the following command: echo '-a exit,always -F arch=b64 -S sched_setparam' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000220
- Vuln IDs
-
- V-258522
- V-88411
- Rule IDs
-
- SV-258522r929658_rule
- SV-99061
Checks: C-62262r929656_chk
Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "sched_setscheduler" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return a line. If no line is returned, this is a finding.
Fix: F-62171r929657_fix
Run the following command: echo '-a exit,always -F arch=b64 -S sched_setscheduler' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000225
- Vuln IDs
-
- V-258523
- V-88413
- Rule IDs
-
- SV-258523r929661_rule
- SV-99063
Checks: C-62263r929659_chk
Verify that attempts to alter the log files /var/log/faillog are audited: # egrep "faillog" /etc/audit/audit.rules If "-w /var/log/faillog -p wa" entry does not exist, this is a finding.
Fix: F-62172r929660_fix
Ensure attempts to alter /var/log/faillog are audited by modifying /etc/audit/audit.rules to contain "-w /var/log/faillog -p wa" with the following command: echo '-w /var/log/faillog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000230
- Vuln IDs
-
- V-258524
- V-88415
- Rule IDs
-
- SV-258524r929664_rule
- SV-99065
Checks: C-62264r929662_chk
Verify that attempts to alter the log files /var/log/lastlog are audited: # egrep "lastlog" /etc/audit/audit.rules If "-w /var/log/lastlog -p wa" entry does not exist, this is a finding.
Fix: F-62173r929663_fix
Ensure attempts to alter /var/log/lastlog are audited by modifying /etc/audit/audit.rules to contain "-w /var/log/lastlog -p wa" with the following command: echo '-w /var/log/lastlog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- VROM-SL-000235
- Vuln IDs
-
- V-258525
- V-88417
- Rule IDs
-
- SV-258525r929667_rule
- SV-99067
Checks: C-62265r929665_chk
Verify that attempts to alter the log files /var/log/tallylog are audited: # egrep "tallylog" /etc/audit/audit.rules If "-w /var/log/tallylog -p wa" entry does not exist, this is a finding.
Fix: F-62174r929666_fix
Ensure attempts to alter /var/log/tallylog are audited by modifying /etc/audit/audit.rules to contain "-w /var/log/tallylog -p wa" with the following command: echo '-w /var/log/tallylog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh