Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · SCAP

SLES 12 Security Technical Implementation Guide

V2R1 · · · Published 23 Oct 2020 · 105 rules
View

Open a previous version of this SCAP benchmark.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Sort by
c
The SUSE operating system must be a vendor-supported release.
RMF Control
SI-2
Severity
H
CCI
CCI-001230
Version
SLES-12-010000
Vuln IDs
V-217101
Rule IDs
SV-217101r505931_rule
A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
Fix: F-18327r369460_fix

Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.

a
The SUSE operating system must utilize vlock to allow for session locking.
RMF Control
AC-11
Severity
L
CCI
CCI-000058
Version
SLES-12-010070
Vuln IDs
V-217108
Rule IDs
SV-217108r505931_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012
Fix: F-18334r499364_fix

Allow users to lock the console by installing the "kbd" package using zypper: # sudo zypper install kbd

c
The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.
RMF Control
IA-11
Severity
H
CCI
CCI-002038
Version
SLES-12-010110
Vuln IDs
V-217112
Rule IDs
SV-217112r505931_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When SUSE operating system provide the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
Fix: F-18338r369493_fix

Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.

a
The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
RMF Control
AC-10
Severity
L
CCI
CCI-000054
Version
SLES-12-010120
Vuln IDs
V-217113
Rule IDs
SV-217113r505931_rule
SUSE operating system management includes the ability to control the number of users and user sessions that utilize a SUSE operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.
Fix: F-18339r369496_fix

Configure the SUSE operating system to limit the number of concurrent sessions to 10 or less for all accounts and/or account types. Add the following line to "/etc/security/limits.conf" or /etc/limits.d/*.conf file: * hard maxlogins 10

b
The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-010140
Vuln IDs
V-217116
Rule IDs
SV-217116r505931_rule
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
Fix: F-18342r369505_fix

Configure the SUSE operating system to enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt. Add or update the following variable in "/etc/login.defs" to match the line below ("FAIL_DELAY" must have a value of "4" or higher): FAIL_DELAY 4

b
The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
SLES-12-010210
Vuln IDs
V-217122
Rule IDs
SV-217122r505931_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. SUSE operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
Fix: F-18348r369523_fix

Configure the SUSE operating system to require "ENCRYPT_METHOD" in "/etc/login.defs" be set to "SHA512" by running the following command as a superuser: # sudo grep -q '^.*ENCRYPT_METHOD' /etc/login.defs && sudo sed -i 's/^.*ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/' /etc/login.defs || sudo echo 'ENCRYPT_METHOD SHA512' >> /etc/login.defs

b
The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
RMF Control
IA-5
Severity
M
CCI
CCI-000196
Version
SLES-12-010220
Vuln IDs
V-217123
Rule IDs
SV-217123r505931_rule
The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Fix: F-18349r369526_fix

Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Set "ENCRYPT_METHOD" in "/etc/login.defs" to "SHA512" by running the following command as a superuser: # sudo grep -q '^.*ENCRYPT_METHOD' /etc/login.defs && sudo sed -i 's/^.*ENCRYPT_METHOD.*/ENCRYPT_METHOD SHA512/' /etc/login.defs || sudo echo 'ENCRYPT_METHOD SHA512' >> /etc/login.defs Lock all interactive user accounts not using SHA512 hashing until the passwords can be regenerated.

b
The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
SLES-12-010240
Vuln IDs
V-217126
Rule IDs
SV-217126r505931_rule
The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Fix: F-18352r369535_fix

Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000": SHA_CRYPT_MIN_ROUNDS 5000

b
The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (1 day).
RMF Control
IA-5
Severity
M
CCI
CCI-000198
Version
SLES-12-010260
Vuln IDs
V-217128
Rule IDs
SV-217128r505931_rule
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Fix: F-18354r369541_fix

Configure the SUSE operating system to enforce 24 hours/1 day or greater as the minimum password age. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: PASS_MIN_DAYS [DAYS] The DoD requirement is "1" but a greater value is acceptable.

b
The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (1 day).
RMF Control
IA-5
Severity
M
CCI
CCI-000198
Version
SLES-12-010270
Vuln IDs
V-217129
Rule IDs
SV-217129r505931_rule
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Fix: F-18355r369544_fix

Configure the SUSE operating system to enforce 24 hours/1 day or greater as the minimum password age for user accounts. Change the minimum time period between password changes for each [USER] account to "1" day with the command, replacing [USER] with the user account that must be changed: # sudo passwd -n 1 [USER]

b
The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.
RMF Control
IA-5
Severity
M
CCI
CCI-000199
Version
SLES-12-010280
Vuln IDs
V-217130
Rule IDs
SV-217130r505931_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.
Fix: F-18356r369547_fix

Configure the SUSE operating system to enforce a maximum password age of "60" days or less. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: PASS_MAX_DAYS [DAYS] The DoD requirement is "60" days or less (greater than zero, as zero days will lock the account immediately).

b
The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.
RMF Control
IA-5
Severity
M
CCI
CCI-000199
Version
SLES-12-010290
Vuln IDs
V-217131
Rule IDs
SV-217131r505931_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.
Fix: F-18357r369550_fix

Configure the SUSE operating system to enforce a maximum password age of each [USER] account to "60" days. The command in the check text will give a list of users that need to be updated to be in compliance: # sudo passwd -x 60 [USER] The DoD requirement is "60" days.

c
The SUSE operating system must not allow unattended or automatic logon via the graphical user interface.
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SLES-12-010380
Vuln IDs
V-217139
Rule IDs
SV-217139r505931_rule
Failure to restrict system access to authenticated users negatively impacts SUSE operating system security.
Fix: F-18365r369574_fix

Configure the SUSE operating system graphical user interface to not allow unattended or automatic logon to the system. Add or edit the following line in the "/etc/gdm/custom.conf" file directly below the "[daemon]" tag: AutomaticLoginEnable=false

c
There must be no .shosts files on the SUSE operating system.
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SLES-12-010400
Vuln IDs
V-217141
Rule IDs
SV-217141r505931_rule
The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Fix: F-18367r369580_fix

Remove any ".shosts" files found on the SUSE operating system. # rm /[path]/[to]/[file]/.shosts

c
There must be no shosts.equiv files on the SUSE operating system.
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SLES-12-010410
Vuln IDs
V-217142
Rule IDs
SV-217142r505931_rule
The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Fix: F-18368r369583_fix

Remove any "shosts.equiv" files found on the SUSE operating system. # rm /[path]/[to]/[file]/shosts.equiv

b
FIPS 140-2 mode must be enabled on the SUSE operating system.
RMF Control
SC-13
Severity
M
CCI
CCI-002450
Version
SLES-12-010420
Vuln IDs
V-217143
Rule IDs
SV-217143r505931_rule
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223
Fix: F-18369r369586_fix

To configure the SUSE operating system to run in FIPS mode, add "fips=1" to the kernel parameter during the SUSE operating system install. Enabling FIPS mode on a preexisting system involves a number of modifications to the SUSE operating system. Refer to section 9.1, "Crypto Officer Guidance", of the following document for installation guidance: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdf

b
The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-010620
Vuln IDs
V-217161
Rule IDs
SV-217161r505931_rule
Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.
Fix: F-18387r369640_fix

Configure the SUSE operating system to define the default permissions for all authenticated users in such a way that the users can only read and modify their own files. Add or edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below: UMASK 077

c
The SUSE operating system root account must be the only account having unrestricted access to the system.
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SLES-12-010650
Vuln IDs
V-217164
Rule IDs
SV-217164r505931_rule
If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SUSE operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.
Fix: F-18390r369649_fix

Change the UID of any account on the SUSE operating system, other than the root account, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.

b
All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-010720
Vuln IDs
V-217171
Rule IDs
SV-217171r505931_rule
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Fix: F-18397r369670_fix

Configure the SUSE operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. CREATE_HOME yes

b
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-010810
Vuln IDs
V-217180
Rule IDs
SV-217180r505931_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-18406r369697_fix

Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that are being exported via NFS.

b
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-010820
Vuln IDs
V-217181
Rule IDs
SV-217181r505931_rule
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-18407r369700_fix

Configure the SUSE operating system "/etc/fstab" file to use the "noexec" option on file systems that are being exported via NFS.

b
The SUSE operating system must have the auditing package installed.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020000
Vuln IDs
V-217190
Rule IDs
SV-217190r505931_rule
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system. Satisfies: SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220
Fix: F-18416r369727_fix

The SUSE operating system auditd package must be installed on the system. If it is not installed, use the following command to install it: # sudo zypper in auditd

b
SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-020010
Vuln IDs
V-217191
Rule IDs
SV-217191r505931_rule
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000392-GPOS-00172, SRG-OS-000480-GPOS-00227
Fix: F-18417r369730_fix

Enable the SUSE operating system auditd service by performing the following commands: # sudo systemctl enable auditd.service # sudo systemctl start auditd.service

b
The audit-audispd-plugins must be installed on the SUSE operating system.
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
SLES-12-020070
Vuln IDs
V-217197
Rule IDs
SV-217197r505931_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Fix: F-18423r369748_fix

Install the "audit-audispd-plugins" package on the SUSE operating system by running the following command: # sudo zypper install audit-audispd-plugins In /etc/audisp/plugins.d/au-remote.conf, change the value of "active" to "yes", or add "active = yes" if no such setting exists in the file.

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020200
Vuln IDs
V-217205
Rule IDs
SV-217205r505931_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000470-GPOS-00214, SRG-OS-000476-GPOS-00221
Fix: F-18431r369772_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/passwd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/passwd -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
SLES-12-020210
Vuln IDs
V-217206
Rule IDs
SV-217206r505931_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221
Fix: F-18432r369775_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/group" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/group -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020220
Vuln IDs
V-217207
Rule IDs
SV-217207r505931_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221
Fix: F-18433r369778_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/shadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/shadow -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
SLES-12-020230
Vuln IDs
V-217208
Rule IDs
SV-217208r505931_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221
Fix: F-18434r369781_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/security/opasswd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/security/opasswd -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the privileged functions.
RMF Control
CM-5
Severity
L
CCI
CCI-001814
Version
SLES-12-020240
Vuln IDs
V-217209
Rule IDs
SV-217209r505931_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152
Fix: F-18435r369784_fix

Configure the operating system to audit the execution of privileged functions. Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the su command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020250
Vuln IDs
V-217210
Rule IDs
SV-217210r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18436r369787_fix

Configure the SUSE operating system to generate an audit record for all uses of the "su" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the sudo command.
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
SLES-12-020260
Vuln IDs
V-217211
Rule IDs
SV-217211r505931_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18437r369790_fix

Configure the SUSE operating system to generate an audit record for all uses of the "sudo" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-sudo The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the chfn command.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
SLES-12-020280
Vuln IDs
V-217212
Rule IDs
SV-217212r505931_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18438r369793_fix

Configure the SUSE operating system to generate an audit record for all uses the "chfn" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-chfn The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the mount command.
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
SLES-12-020290
Vuln IDs
V-217213
Rule IDs
SV-217213r505931_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18439r369796_fix

Configure the SUSE operating system to generate an audit record for all uses the "mount" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the umount command.
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
SLES-12-020300
Vuln IDs
V-217214
Rule IDs
SV-217214r505931_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18440r369799_fix

Configure the SUSE operating system to generate an audit record for all uses the "umount" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the ssh-agent command.
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
SLES-12-020310
Vuln IDs
V-217215
Rule IDs
SV-217215r505931_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18441r369802_fix

Configure the SUSE operating system to generate an audit record for all uses the "ssh-agent" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-ssh-agent The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the ssh-keysign command.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
SLES-12-020320
Vuln IDs
V-217216
Rule IDs
SV-217216r505931_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18442r369805_fix

Configure the SUSE operating system to generate an audit record for all uses the "ssh-keysign" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-ssh-keysign The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the kmod command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020360
Vuln IDs
V-217217
Rule IDs
SV-217217r505931_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18443r369808_fix

Configure the SUSE operating system to audit the execution of the module management program "kmod" by adding the following line to "/etc/audit/rules.d/audit.rules": -w /usr/bin/kmod -p x -k modules The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the setxattr command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020370
Vuln IDs
V-217218
Rule IDs
SV-217218r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18444r369811_fix

Configure the SUSE operating system to generate an audit record for all uses of the "setxattr" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the fsetxattr command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020380
Vuln IDs
V-217219
Rule IDs
SV-217219r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18445r369814_fix

Configure the SUSE operating system to generate an audit record for all uses of the "fsetxattr" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the removexattr command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020390
Vuln IDs
V-217220
Rule IDs
SV-217220r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18446r369817_fix

Configure the SUSE operating system to generate an audit record for all uses of the "removexattr" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the lremovexattr command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020400
Vuln IDs
V-217221
Rule IDs
SV-217221r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18447r369820_fix

Configure the SUSE operating system to generate an audit record for all uses of the "lremovexattr" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the fremovexattr command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020410
Vuln IDs
V-217222
Rule IDs
SV-217222r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18448r369823_fix

Configure the SUSE operating system to generate an audit record for all uses of the "fremovexattr" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the chown command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020420
Vuln IDs
V-217223
Rule IDs
SV-217223r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18449r369826_fix

Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the fchown command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020430
Vuln IDs
V-217224
Rule IDs
SV-217224r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18450r369829_fix

Configure the SUSE operating system to generate an audit record for all uses of the "fchown" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the lchown command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020440
Vuln IDs
V-217225
Rule IDs
SV-217225r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18451r369832_fix

Configure the SUSE operating system to generate an audit record for all uses of the "lchown" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the fchownat command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020450
Vuln IDs
V-217226
Rule IDs
SV-217226r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18452r369835_fix

Configure the SUSE operating system to generate an audit record for all uses of the "fchownat" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the chmod command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020460
Vuln IDs
V-217227
Rule IDs
SV-217227r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18453r369838_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chmod" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the fchmod command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020470
Vuln IDs
V-217228
Rule IDs
SV-217228r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18454r369841_fix

Configure the SUSE operating system to generate an audit record for all uses of the "fchmod" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the fchmodat command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020480
Vuln IDs
V-217229
Rule IDs
SV-217229r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18455r369844_fix

Configure the SUSE operating system to generate an audit record for all uses of the "fchmodat" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the open command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020490
Vuln IDs
V-217230
Rule IDs
SV-217230r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18456r369847_fix

Configure the SUSE operating system to generate an audit record for all uses of the "open" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the truncate command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020500
Vuln IDs
V-217231
Rule IDs
SV-217231r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203
Fix: F-18457r369850_fix

Configure the SUSE operating system to generate an audit record for all uses of the "truncate" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the ftruncate command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020510
Vuln IDs
V-217232
Rule IDs
SV-217232r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18458r369853_fix

Configure the SUSE operating system to generate an audit record for all uses of the "ftruncate" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the creat command.
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
SLES-12-020520
Vuln IDs
V-217233
Rule IDs
SV-217233r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18459r369856_fix

Configure the SUSE operating system to generate an audit record for all uses of the "creat" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the openat command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020530
Vuln IDs
V-217234
Rule IDs
SV-217234r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18460r369859_fix

Configure the SUSE operating system to generate an audit record for all uses of the "openat" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the open_by_handle_at command.
RMF Control
AU-12
Severity
M
CCI
CCI-000169
Version
SLES-12-020540
Vuln IDs
V-217235
Rule IDs
SV-217235r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18461r369862_fix

Configure the SUSE operating system to generate an audit record for all uses of the "open_by_handle_at" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the passwd command.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
SLES-12-020550
Vuln IDs
V-217236
Rule IDs
SV-217236r505931_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18462r369865_fix

Configure the SUSE operating system to generate an audit record for all uses the "passwd" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-passwd The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the gpasswd command.
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
SLES-12-020560
Vuln IDs
V-217237
Rule IDs
SV-217237r505931_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18463r369868_fix

Configure the SUSE operating system to generate an audit record for all uses the "gpasswd" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-gpasswd The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the newgrp command.
RMF Control
AU-12
Severity
L
CCI
CCI-000172
Version
SLES-12-020570
Vuln IDs
V-217238
Rule IDs
SV-217238r505931_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18464r369871_fix

Configure the SUSE operating system to generate an audit record for all uses the "newgrp" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-newgrp The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for a uses of the chsh command.
RMF Control
AU-12
Severity
L
CCI
CCI-000169
Version
SLES-12-020580
Vuln IDs
V-217239
Rule IDs
SV-217239r505931_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18465r369874_fix

Configure the SUSE operating system to generate an audit record for all uses the "chsh" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-chsh The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020590
Vuln IDs
V-217240
Rule IDs
SV-217240r505931_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221
Fix: F-18466r369877_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/gshadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/gshadow -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the chmod command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020600
Vuln IDs
V-217241
Rule IDs
SV-217241r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18467r369880_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chmod" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=500 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the setfacl command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020610
Vuln IDs
V-217242
Rule IDs
SV-217242r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18468r369883_fix

Configure the SUSE operating system to generate an audit record for all uses of the "setfacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=500 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the chacl command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020620
Vuln IDs
V-217243
Rule IDs
SV-217243r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18469r369886_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=500 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020630
Vuln IDs
V-217244
Rule IDs
SV-217244r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18470r369889_fix

Configure the SUSE operating system to generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=500 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the rm command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020640
Vuln IDs
V-217245
Rule IDs
SV-217245r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18471r369892_fix

Configure the SUSE operating system to generate an audit record for all uses of the "rm" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=500 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020650
Vuln IDs
V-217246
Rule IDs
SV-217246r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218
Fix: F-18472r369895_fix

Configure the SUSE operating system to generate an audit record for any all modifications to the "tallylog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/tallylog -p wa -k logins The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all modifications to the lastlog file.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020660
Vuln IDs
V-217247
Rule IDs
SV-217247r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18473r369898_fix

Configure the SUSE operating system to generate an audit record for any all modifications to the "lastlog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/lastlog -p wa -k logins The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the passmass command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020670
Vuln IDs
V-217248
Rule IDs
SV-217248r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18474r369901_fix

Configure the SUSE operating system to generate an audit record for all uses of the "passmass" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-passmass The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the unix_chkpwd command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020680
Vuln IDs
V-217249
Rule IDs
SV-217249r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18475r369904_fix

Configure the SUSE operating system to generate an audit record for all uses of the "unix_chkpwd" and "unix2_chkpwd" commands. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-unix-chkpwd -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-unix2-chkpwd The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the chage command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020690
Vuln IDs
V-217250
Rule IDs
SV-217250r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18476r369907_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chage" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-chage The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the usermod command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020700
Vuln IDs
V-217251
Rule IDs
SV-217251r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18477r369910_fix

Configure the SUSE operating system to generate an audit record for all uses of the "usermod" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-usermod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the crontab command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020710
Vuln IDs
V-217252
Rule IDs
SV-217252r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18478r369913_fix

Configure the SUSE operating system to generate an audit record for all uses of the "crontab" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-crontab The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020720
Vuln IDs
V-217253
Rule IDs
SV-217253r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18479r369916_fix

Configure the SUSE operating system to generate an audit record for all uses of the "pam_timestamp_check" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-pam_timestamp_check The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the delete_module command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020730
Vuln IDs
V-217254
Rule IDs
SV-217254r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18480r369919_fix

Configure the SUSE operating system to generate an audit record for all uses of the "delete_module" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the finit_module command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020740
Vuln IDs
V-217255
Rule IDs
SV-217255r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18481r369922_fix

Configure the SUSE operating system to generate an audit record for all uses of the "finit_module" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module-load -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module-load The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the init_module command.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-12-020750
Vuln IDs
V-217256
Rule IDs
SV-217256r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18482r369925_fix

Configure the SUSE operating system to generate an audit record for all uses of the "init_module" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=4294967295 -k module-load -a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k module-load The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all modifications to the faillog file.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-12-020760
Vuln IDs
V-217257
Rule IDs
SV-217257r505931_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18483r369928_fix

Configure the SUSE operating system to generate an audit record for any all modifications to the "faillog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/faillog -p wa -k logins The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must not have the telnet-server package installed.
RMF Control
IA-5
Severity
M
CCI
CCI-000197
Version
SLES-12-030000
Vuln IDs
V-217258
Rule IDs
SV-217258r505931_rule
It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049
Fix: F-18484r369931_fix

Remove the telnet-server package from the SUSE operating system by running the following command: # sudo zypper remove telnet-server

c
All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
SLES-12-030100
Vuln IDs
V-217264
Rule IDs
SV-217264r505931_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
Fix: F-18490r369949_fix

Note: If the system is not networked this requirement is Not Applicable. Configure the SUSE operating system to implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. Install the OpenSSH package on the SUSE operating system with the following command: # sudo zypper in openssh Enable the OpenSSH service to start automatically on reboot with the following command: # sudo systemctl enable sshd.service For the changes to take effect immediately, start the service with the following command: # sudo systemctl restart sshd.service

b
The SUSE operating system must log SSH connection attempts and failures to the server.
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
SLES-12-030110
Vuln IDs
V-217265
Rule IDs
SV-217265r505931_rule
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Fix: F-18491r369952_fix

Configure SSH to verbosely log connection attempts and failed logon attempts to the SUSE operating system. Add or update the following line in the "/etc/ssh/sshd_config" file: LogLevel VERBOSE The SSH service will need to be restarted in order for the changes to take effect: # systemctl restart sshd

b
The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030130
Vuln IDs
V-217266
Rule IDs
SV-217266r505931_rule
Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.
Fix: F-18492r369955_fix

Configure the SUSE operating system to provide users with feedback on when account accesses last occurred. Add or edit the following lines in the "/etc/ssh/sshd_config" file: PrintLastLog yes

b
The SUSE operating system must deny direct logons to the root account using remote access via SSH.
RMF Control
IA-2
Severity
M
CCI
CCI-000770
Version
SLES-12-030140
Vuln IDs
V-217267
Rule IDs
SV-217267r505931_rule
To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the UNIX and Windows SUSE operating systems offer a "switch user" capability, allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the SUSE operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.
Fix: F-18493r369958_fix

Configure the SUSE operating system to deny direct logons to the root account using remote access via SSH. Edit the appropriate "/etc/ssh/sshd_config" file, add or uncomment the line for "PermitRootLogin" and set its value to "no" (this file may be named differently or be in a different location): PermitRootLogin no

b
The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030170
Vuln IDs
V-217270
Rule IDs
SV-217270r505931_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173
Fix: F-18496r369967_fix

Edit the SSH daemon configuration (/etc/ssh/sshd_config) and remove any ciphers not starting with "aes" and remove any ciphers ending with "cbc". If necessary, add a "Ciphers" line: Ciphers aes128-ctr,aes192-ctr,aes256-ctr Restart the SSH daemon: # sudo systemctl restart sshd.service

b
The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
RMF Control
MA-4
Severity
M
CCI
CCI-000877
Version
SLES-12-030180
Vuln IDs
V-217271
Rule IDs
SV-217271r505931_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. Satisfies: SRG-OS-000125-GPOS-00065, SRG-OS-000394-GPOS-00174
Fix: F-18497r369970_fix

Configure the SUSE operating system SSH daemon to only use MACs that employ FIPS 140-2 approved ciphers. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (The file might be named differently or be in a different location): MACs hmac-sha2-256,hmac-sha2-512

b
The SUSE operating system SSH daemon must be configured with a timeout interval.
RMF Control
MA-4
Severity
M
CCI
CCI-000879
Version
SLES-12-030190
Vuln IDs
V-217272
Rule IDs
SV-217272r505931_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the SUSE operating system level, and deallocating networking assignments at the application level if multiple application sessions are using a single SUSE operating system-level network connection. This does not mean that the SUSE operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
Fix: F-18498r369973_fix

Configure the SUSE operating system SSH daemon to timeout idle sessions. Add or modify (to match exactly) the following line in the "/etc/ssh/sshd_config" file: ClientAliveInterval 600 The SSH daemon must be restarted in order for any changes to take effect.

b
The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.
RMF Control
AC-12
Severity
M
CCI
CCI-002361
Version
SLES-12-030191
Vuln IDs
V-217273
Rule IDs
SV-217273r505931_rule
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific Ubuntu operating system functionality where the system owner, data owner, or organization requires additional assurance.
Fix: F-18499r369976_fix

Configure the SUSE operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a "10" minute period of inactivity. Modify or append the following lines in the "/etc/ssh/sshd_config" file: ClientAliveCountMax 1 In order for the changes to take effect, the SSH daemon must be restarted. # sudo systemctl restart sshd.service

b
The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030200
Vuln IDs
V-217274
Rule IDs
SV-217274r505931_rule
Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
Fix: F-18500r369979_fix

Configure the SUSE operating system SSH daemon to not allow authentication using known hosts authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": IgnoreUserKnownHosts yes

b
The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030210
Vuln IDs
V-217275
Rule IDs
SV-217275r505931_rule
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
Fix: F-18501r369982_fix

Configure the SUSE operating system SSH daemon public host key files have mode "0644" or less permissive. Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: # chmod 0644 /etc/ssh/*.key.pub

b
The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030220
Vuln IDs
V-217276
Rule IDs
SV-217276r505931_rule
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Fix: F-18502r369985_fix

Configure the mode of the SUSE operating system SSH daemon private host key files under "/etc/ssh" to "0600" with the following command: # chmod 0600 /etc/ssh/ssh_host*key

b
The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030230
Vuln IDs
V-217277
Rule IDs
SV-217277r505931_rule
If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
Fix: F-18503r369988_fix

Configure the SUSE operating system SSH daemon performs strict mode checking of home directory configuration files. Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes": StrictModes yes

b
The SUSE operating system SSH daemon must use privilege separation.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030240
Vuln IDs
V-217278
Rule IDs
SV-217278r505931_rule
SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.
Fix: F-18504r369991_fix

Configure the SUSE operating system SSH daemon is configured to use privilege separation. Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" and set the value to "yes" or "sandbox": UsePrivilegeSeparation yes

c
The SUSE operating system SSH daemon must encrypt forwarded remote X connections for interactive users.
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SLES-12-030260
Vuln IDs
V-217280
Rule IDs
SV-217280r505931_rule
Open X displays allow an attacker to capture keystrokes and execute commands remotely.
Fix: F-18506r369997_fix

Configure the SUSE operating system SSH daemon to encrypt forwarded X connections for interactive users. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): X11Forwarding yes

b
The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses.
RMF Control
SI-16
Severity
M
CCI
CCI-002824
Version
SLES-12-030320
Vuln IDs
V-217283
Rule IDs
SV-217283r505931_rule
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Fix: F-18509r370006_fix

Configure the SUSE operating system to prevent leaking of internal kernel addresses by running the following command: # echo "kernel.kptr_restrict=1" >> /etc/sysctl.d/kptr_restrict After the line has been added, the kernel settings from all system configuration files must be reloaded before any of the changes will take effect. Run the following command to reload all of the kernel system configuration files: # sudo sysctl --system

b
Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.
RMF Control
SI-16
Severity
M
CCI
CCI-002824
Version
SLES-12-030330
Vuln IDs
V-217284
Rule IDs
SV-217284r505931_rule
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Fix: F-18510r370009_fix

Configure the SUSE operating system implements address space layout randomization (ASLR). Remove the "kernel.randomize_va_space" entry found in the "/etc/sysctl.conf" file. After the line has been removed, the kernel settings from all system configuration files must be reloaded before any of the changes will take effect. Run the following command to reload all of the kernel system configuration files: # sudo sysctl --system To check that "kernel.randomize_va_space" has been properly set to "2" after reloading the settings, run the following command: # cat /proc/sys/kernel/randomize_va_space

b
The SUSE operating system must be configured to use TCP syncookies.
RMF Control
SC-5
Severity
M
CCI
CCI-001095
Version
SLES-12-030350
Vuln IDs
V-217286
Rule IDs
SV-217286r505931_rule
Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Fix: F-18512r370015_fix

Configure the SUSE operating system to use TCP syncookies by running the following command as an administrator: # sudo sysctl -w net.ipv4.tcp_syncookies=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.conf": net.ipv4.tcp_syncookies = 1

b
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030360
Vuln IDs
V-217287
Rule IDs
SV-217287r505931_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Fix: F-18513r370018_fix

Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.all.accept_source_route = 0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030361
Vuln IDs
V-217288
Rule IDs
SV-217288r505931_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Fix: F-18514r370021_fix

Configure the SUSE operating system to not accept IPv6 source-routed packets by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv6.conf.all.accept_source_route = 0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030370
Vuln IDs
V-217289
Rule IDs
SV-217289r505931_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Fix: F-18515r370024_fix

Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.default.accept_source_route = 0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030380
Vuln IDs
V-217290
Rule IDs
SV-217290r505931_rule
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Fix: F-18516r370027_fix

Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030390
Vuln IDs
V-217291
Rule IDs
SV-217291r505931_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-18517r370030_fix

Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.all.accept_redirects =0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030400
Vuln IDs
V-217292
Rule IDs
SV-217292r505931_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-18518r370033_fix

Configure the SUSE operating system ignores IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.default.accept_redirects = 0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030401
Vuln IDs
V-217293
Rule IDs
SV-217293r505931_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-18519r370036_fix

Configure the SUSE operating system to not allow IPv6 ICMP redirect messages by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv6.conf.default.accept_redirects=0 Run the following command to apply this value: # sysctl –system

b
The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030410
Vuln IDs
V-217294
Rule IDs
SV-217294r505931_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Fix: F-18520r370039_fix

Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.default.send_redirects=0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030420
Vuln IDs
V-217295
Rule IDs
SV-217295r505931_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Fix: F-18521r370042_fix

Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.all.send_redirects=0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not be performing packet forwarding unless the system is a router.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-12-030430
Vuln IDs
V-217296
Rule IDs
SV-217296r505931_rule
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Fix: F-18522r370045_fix

Configure the SUSE operating system to the required kernel parameter upon boot by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.ip_forward=0 Run the following command to apply this value: # sysctl --system