SLES 12 Security Technical Implementation Guide

  • Version/Release: V2R7
  • Published: 2022-06-06
  • Severity:
  • Sort:
View

Select any old version/release of this SCAP to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
c
The SUSE operating system must be a vendor-supported release.
RMF Control
SI-2
Severity
High
CCI
CCI-001230
Version
SLES-12-010000
Vuln IDs
V-217101
Rule IDs
SV-217101r603262_rule
A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
Fix: F-18327r369460_fix

Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.

a
The SUSE operating system must utilize vlock to allow for session locking.
RMF Control
AC-11
Severity
Low
CCI
CCI-000060
Version
SLES-12-010070
Vuln IDs
V-217108
Rule IDs
SV-217108r603262_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012
Fix: F-36320r602673_fix

Allow users to lock the console by installing the "kbd" package using zypper: # sudo zypper install kbd

c
The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.
RMF Control
IA-11
Severity
High
CCI
CCI-002038
Version
SLES-12-010110
Vuln IDs
V-217112
Rule IDs
SV-217112r646686_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When SUSE operating system provide the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
Fix: F-18338r369493_fix

Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.

a
The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
SLES-12-010120
Vuln IDs
V-217113
Rule IDs
SV-217113r603262_rule
SUSE operating system management includes the ability to control the number of users and user sessions that utilize a SUSE operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.
Fix: F-18339r369496_fix

Configure the SUSE operating system to limit the number of concurrent sessions to 10 or less for all accounts and/or account types. Add the following line to "/etc/security/limits.conf" or /etc/limits.d/*.conf file: * hard maxlogins 10

b
The SUSE operating system must enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-010140
Vuln IDs
V-217116
Rule IDs
SV-217116r603262_rule
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
Fix: F-18342r369505_fix

Configure the SUSE operating system to enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt. Add or update the following variable in "/etc/login.defs" to match the line below ("FAIL_DELAY" must have a value of "4" or higher): FAIL_DELAY 4

b
The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
SLES-12-010210
Vuln IDs
V-217122
Rule IDs
SV-217122r646689_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. SUSE operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
Fix: F-18348r646688_fix

Configure the SUSE operating system to require "ENCRYPT_METHOD" of "SHA512". Edit the "/etc/login.defs" file with the following line: ENCRYPT_METHOD SHA512

b
The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
SLES-12-010220
Vuln IDs
V-217123
Rule IDs
SV-217123r646692_rule
The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Fix: F-18349r646691_fix

Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "ENCRYPT_METHOD" to have a value of "SHA512". ENCRYPT_METHOD SHA512 Lock all interactive user accounts not using SHA512 hashing until the passwords can be regenerated.

b
The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
SLES-12-010240
Vuln IDs
V-217126
Rule IDs
SV-217126r603262_rule
The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Fix: F-18352r369535_fix

Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000": SHA_CRYPT_MIN_ROUNDS 5000

b
The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).
RMF Control
IA-5
Severity
Medium
CCI
CCI-000198
Version
SLES-12-010260
Vuln IDs
V-217128
Rule IDs
SV-217128r646695_rule
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Fix: F-18354r646694_fix

Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: PASS_MIN_DAYS [DAYS] The DoD requirement is "1" but a greater value is acceptable.

b
The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).
RMF Control
IA-5
Severity
Medium
CCI
CCI-000198
Version
SLES-12-010270
Vuln IDs
V-217129
Rule IDs
SV-217129r646698_rule
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Fix: F-18355r646697_fix

Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age for user accounts. Change the minimum time period between password changes for each [USER] account to "1" day with the command, replacing [USER] with the user account that must be changed: > sudo passwd -n 1 [USER]

b
The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
SLES-12-010280
Vuln IDs
V-217130
Rule IDs
SV-217130r646701_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.
Fix: F-18356r646700_fix

Configure the SUSE operating system to enforce a maximum password age of 60 days or less. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: PASS_MAX_DAYS [DAYS] The DoD requirement is 60 days or less (greater than zero, as zero days will lock the account immediately).

b
The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
SLES-12-010290
Vuln IDs
V-217131
Rule IDs
SV-217131r646704_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.
Fix: F-18357r646703_fix

Configure the SUSE operating system to enforce a maximum password age of each [USER] account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance: > sudo passwd -x 60 [USER] The DoD requirement is 60 days.

c
The SUSE operating system must not allow unattended or automatic logon via the graphical user interface.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SLES-12-010380
Vuln IDs
V-217139
Rule IDs
SV-217139r646707_rule
Failure to restrict system access to authenticated users negatively impacts SUSE operating system security.
Fix: F-18365r646706_fix

Note: If a graphical user interface is not installed, this requirement is Not Applicable. Configure the SUSE operating system graphical user interface to not allow unattended or automatic logon to the system. Add or edit the following lines in the "/etc/sysconfig/displaymanager" configuration file: DISPLAYMANAGER_AUTOLOGIN="" DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"

c
There must be no .shosts files on the SUSE operating system.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SLES-12-010400
Vuln IDs
V-217141
Rule IDs
SV-217141r603262_rule
The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Fix: F-18367r369580_fix

Remove any ".shosts" files found on the SUSE operating system. # rm /[path]/[to]/[file]/.shosts

c
There must be no shosts.equiv files on the SUSE operating system.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SLES-12-010410
Vuln IDs
V-217142
Rule IDs
SV-217142r603262_rule
The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Fix: F-18368r369583_fix

Remove any "shosts.equiv" files found on the SUSE operating system. # rm /[path]/[to]/[file]/shosts.equiv

b
FIPS 140-2 mode must be enabled on the SUSE operating system.
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
SLES-12-010420
Vuln IDs
V-217143
Rule IDs
SV-217143r603262_rule
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223
Fix: F-18369r369586_fix

To configure the SUSE operating system to run in FIPS mode, add "fips=1" to the kernel parameter during the SUSE operating system install. Enabling FIPS mode on a preexisting system involves a number of modifications to the SUSE operating system. Refer to section 9.1, "Crypto Officer Guidance", of the following document for installation guidance: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdf

b
The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-010620
Vuln IDs
V-217161
Rule IDs
SV-217161r603262_rule
Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.
Fix: F-18387r369640_fix

Configure the SUSE operating system to define the default permissions for all authenticated users in such a way that the users can only read and modify their own files. Add or edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below: UMASK 077

c
The SUSE operating system root account must be the only account having unrestricted access to the system.
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SLES-12-010650
Vuln IDs
V-217164
Rule IDs
SV-217164r603262_rule
If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SUSE operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.
Fix: F-18390r369649_fix

Change the UID of any account on the SUSE operating system, other than the root account, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.

b
All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-010720
Vuln IDs
V-217171
Rule IDs
SV-217171r603262_rule
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Fix: F-18397r369670_fix

Configure the SUSE operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. CREATE_HOME yes

b
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-010810
Vuln IDs
V-217180
Rule IDs
SV-217180r603262_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-18406r369697_fix

Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that are being exported via NFS.

b
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-010820
Vuln IDs
V-217181
Rule IDs
SV-217181r603262_rule
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-18407r369700_fix

Configure the SUSE operating system "/etc/fstab" file to use the "noexec" option on file systems that are being exported via NFS.

b
The SUSE operating system must have the auditing package installed.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-12-020000
Vuln IDs
V-217190
Rule IDs
SV-217190r603262_rule
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system. Satisfies: SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220
Fix: F-18416r369727_fix

The SUSE operating system auditd package must be installed on the system. If it is not installed, use the following command to install it: # sudo zypper in auditd

b
SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-020010
Vuln IDs
V-217191
Rule IDs
SV-217191r603262_rule
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000392-GPOS-00172, SRG-OS-000480-GPOS-00227
Fix: F-18417r369730_fix

Enable the SUSE operating system auditd service by performing the following commands: # sudo systemctl enable auditd.service # sudo systemctl start auditd.service

b
The audit-audispd-plugins must be installed on the SUSE operating system.
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
SLES-12-020070
Vuln IDs
V-217197
Rule IDs
SV-217197r603262_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Fix: F-18423r369748_fix

Install the "audit-audispd-plugins" package on the SUSE operating system by running the following command: # sudo zypper install audit-audispd-plugins In /etc/audisp/plugins.d/au-remote.conf, change the value of "active" to "yes", or add "active = yes" if no such setting exists in the file.

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
SLES-12-020200
Vuln IDs
V-217205
Rule IDs
SV-217205r603262_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000470-GPOS-00214, SRG-OS-000476-GPOS-00221
Fix: F-18431r369772_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/passwd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/passwd -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
SLES-12-020210
Vuln IDs
V-217206
Rule IDs
SV-217206r603262_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221
Fix: F-18432r369775_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/group" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/group -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
SLES-12-020220
Vuln IDs
V-217207
Rule IDs
SV-217207r603262_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221
Fix: F-18433r369778_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/shadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/shadow -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
SLES-12-020230
Vuln IDs
V-217208
Rule IDs
SV-217208r603262_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221
Fix: F-18434r369781_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/security/opasswd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/security/opasswd -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the privileged functions.
RMF Control
AU-7
Severity
Low
CCI
CCI-001877
Version
SLES-12-020240
Vuln IDs
V-217209
Rule IDs
SV-217209r603262_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152
Fix: F-18435r369784_fix

Configure the operating system to audit the execution of privileged functions. Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the su command.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-12-020250
Vuln IDs
V-217210
Rule IDs
SV-217210r603896_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18436r622359_fix

Configure the SUSE operating system to generate an audit record for all uses of the "su" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the sudo command.
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
SLES-12-020260
Vuln IDs
V-217211
Rule IDs
SV-217211r603899_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18437r622362_fix

Configure the SUSE operating system to generate an audit record for all uses of the "sudo" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudo The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the chfn command.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
SLES-12-020280
Vuln IDs
V-217212
Rule IDs
SV-217212r603902_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18438r622365_fix

Configure the SUSE operating system to generate an audit record for all uses the "chfn" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the mount command.
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
SLES-12-020290
Vuln IDs
V-217213
Rule IDs
SV-217213r603262_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18439r369796_fix

Configure the SUSE operating system to generate an audit record for all uses the "mount" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the umount command.
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-12-020300
Vuln IDs
V-217214
Rule IDs
SV-217214r603262_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18440r369799_fix

Configure the SUSE operating system to generate an audit record for all uses the "umount" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the ssh-agent command.
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
SLES-12-020310
Vuln IDs
V-217215
Rule IDs
SV-217215r603905_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18441r622368_fix

Configure the SUSE operating system to generate an audit record for all uses the "ssh-agent" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-agent The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the ssh-keysign command.
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-12-020320
Vuln IDs
V-217216
Rule IDs
SV-217216r603908_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18442r622371_fix

Configure the SUSE operating system to generate an audit record for all uses the "ssh-keysign" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-keysign The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the kmod command.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
SLES-12-020360
Vuln IDs
V-217217
Rule IDs
SV-217217r603262_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18443r369808_fix

Configure the SUSE operating system to audit the execution of the module management program "kmod" by adding the following line to "/etc/audit/rules.d/audit.rules": -w /usr/bin/kmod -p x -k modules The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020370
Vuln IDs
V-217218
Rule IDs
SV-217218r809532_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18444r809427_fix

Configure the SUSE operating system to generate an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown syscalls.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020420
Vuln IDs
V-217223
Rule IDs
SV-217223r809537_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18449r809536_fix

Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020460
Vuln IDs
V-217227
Rule IDs
SV-217227r809539_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18453r809433_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chmod", "fchmod", and "fchmodat" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020490
Vuln IDs
V-217230
Rule IDs
SV-217230r833000_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18456r832999_fix

Configure the SUSE operating system to generate an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the passwd command.
RMF Control
AU-12
Severity
Low
CCI
CCI-000172
Version
SLES-12-020550
Vuln IDs
V-217236
Rule IDs
SV-217236r603911_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18462r622374_fix

Configure the SUSE operating system to generate an audit record for all uses the "passwd" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the gpasswd command.
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-12-020560
Vuln IDs
V-217237
Rule IDs
SV-217237r603914_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18463r622377_fix

Configure the SUSE operating system to generate an audit record for all uses the "gpasswd" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for all uses of the newgrp command.
RMF Control
AU-12
Severity
Low
CCI
CCI-000169
Version
SLES-12-020570
Vuln IDs
V-217238
Rule IDs
SV-217238r603917_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18464r622380_fix

Configure the SUSE operating system to generate an audit record for all uses the "newgrp" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-newgrp The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

a
The SUSE operating system must generate audit records for a uses of the chsh command.
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-12-020580
Vuln IDs
V-217239
Rule IDs
SV-217239r603920_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18465r622383_fix

Configure the SUSE operating system to generate an audit record for all uses the "chsh" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chsh The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-12-020590
Vuln IDs
V-217240
Rule IDs
SV-217240r603262_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221
Fix: F-18466r369877_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/gshadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/gshadow -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the chmod command.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020600
Vuln IDs
V-217241
Rule IDs
SV-217241r603923_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18467r622386_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chmod" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the setfacl command.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
SLES-12-020610
Vuln IDs
V-217242
Rule IDs
SV-217242r603926_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18468r622389_fix

Configure the SUSE operating system to generate an audit record for all uses of the "setfacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the chacl command.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020620
Vuln IDs
V-217243
Rule IDs
SV-217243r603929_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18469r622392_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
Successful/unsuccessful attempts to modify categories of information (e.g., classification levels) must generate audit records.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-12-020630
Vuln IDs
V-217244
Rule IDs
SV-217244r603932_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18470r622395_fix

Configure the SUSE operating system to generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the rm command.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020640
Vuln IDs
V-217245
Rule IDs
SV-217245r603935_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18471r622398_fix

Configure the SUSE operating system to generate an audit record for all uses of the "rm" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-12-020650
Vuln IDs
V-217246
Rule IDs
SV-217246r603262_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218
Fix: F-18472r369895_fix

Configure the SUSE operating system to generate an audit record for any all modifications to the "tallylog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/tallylog -p wa -k logins The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all modifications to the lastlog file.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020660
Vuln IDs
V-217247
Rule IDs
SV-217247r603262_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18473r369898_fix

Configure the SUSE operating system to generate an audit record for any all modifications to the "lastlog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/lastlog -p wa -k logins The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the passmass command.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-12-020670
Vuln IDs
V-217248
Rule IDs
SV-217248r603938_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18474r622401_fix

Configure the SUSE operating system to generate an audit record for all uses of the "passmass" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passmass The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the unix_chkpwd command.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020680
Vuln IDs
V-217249
Rule IDs
SV-217249r603941_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18475r622404_fix

Configure the SUSE operating system to generate an audit record for all uses of the "unix_chkpwd" and "unix2_chkpwd" commands. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-chkpwd -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix2-chkpwd The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the chage command.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-12-020690
Vuln IDs
V-217250
Rule IDs
SV-217250r603944_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18476r622407_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chage" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the usermod command.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020700
Vuln IDs
V-217251
Rule IDs
SV-217251r603947_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18477r622410_fix

Configure the SUSE operating system to generate an audit record for all uses of the "usermod" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the crontab command.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-12-020710
Vuln IDs
V-217252
Rule IDs
SV-217252r603950_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18478r622413_fix

Configure the SUSE operating system to generate an audit record for all uses of the "crontab" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020720
Vuln IDs
V-217253
Rule IDs
SV-217253r603953_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18479r622416_fix

Configure the SUSE operating system to generate an audit record for all uses of the "pam_timestamp_check" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the delete_module command.
RMF Control
AU-12
Severity
Medium
CCI
CCI-000169
Version
SLES-12-020730
Vuln IDs
V-217254
Rule IDs
SV-217254r603262_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18480r369919_fix

Configure the SUSE operating system to generate an audit record for all uses of the "delete_module" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all uses of the init_module and finit_module syscalls.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020740
Vuln IDs
V-217255
Rule IDs
SV-217255r809543_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18481r809439_fix

Configure the SUSE operating system to generate an audit record for all uses of the "init_module" and "finit_module" syscalls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service

b
The SUSE operating system must generate audit records for all modifications to the faillog file.
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-12-020760
Vuln IDs
V-217257
Rule IDs
SV-217257r603262_rule
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-18483r369928_fix

Configure the SUSE operating system to generate an audit record for any all modifications to the "faillog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/faillog -p wa -k logins The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service

b
The SUSE operating system must not have the telnet-server package installed.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
SLES-12-030000
Vuln IDs
V-217258
Rule IDs
SV-217258r603262_rule
It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049
Fix: F-18484r369931_fix

Remove the telnet-server package from the SUSE operating system by running the following command: # sudo zypper remove telnet-server

c
All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
SLES-12-030100
Vuln IDs
V-217264
Rule IDs
SV-217264r603262_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
Fix: F-18490r369949_fix

Note: If the system is not networked this requirement is Not Applicable. Configure the SUSE operating system to implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. Install the OpenSSH package on the SUSE operating system with the following command: # sudo zypper in openssh Enable the OpenSSH service to start automatically on reboot with the following command: # sudo systemctl enable sshd.service For the changes to take effect immediately, start the service with the following command: # sudo systemctl restart sshd.service

b
The SUSE operating system must log SSH connection attempts and failures to the server.
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
SLES-12-030110
Vuln IDs
V-217265
Rule IDs
SV-217265r603262_rule
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Fix: F-18491r369952_fix

Configure SSH to verbosely log connection attempts and failed logon attempts to the SUSE operating system. Add or update the following line in the "/etc/ssh/sshd_config" file: LogLevel VERBOSE The SSH service will need to be restarted in order for the changes to take effect: # systemctl restart sshd

b
The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030130
Vuln IDs
V-217266
Rule IDs
SV-217266r603262_rule
Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.
Fix: F-18492r369955_fix

Configure the SUSE operating system to provide users with feedback on when account accesses last occurred. Add or edit the following lines in the "/etc/ssh/sshd_config" file: PrintLastLog yes

b
The SUSE operating system must deny direct logons to the root account using remote access via SSH.
RMF Control
IA-2
Severity
Medium
CCI
CCI-000770
Version
SLES-12-030140
Vuln IDs
V-217267
Rule IDs
SV-217267r603262_rule
To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the UNIX and Windows SUSE operating systems offer a "switch user" capability, allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the SUSE operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.
Fix: F-18493r369958_fix

Configure the SUSE operating system to deny direct logons to the root account using remote access via SSH. Edit the appropriate "/etc/ssh/sshd_config" file, add or uncomment the line for "PermitRootLogin" and set its value to "no" (this file may be named differently or be in a different location): PermitRootLogin no

b
The SUSE operating system must implement DoD-approved encryption to protect the confidentiality of SSH remote connections.
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
SLES-12-030170
Vuln IDs
V-217270
Rule IDs
SV-217270r744120_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173
Fix: F-18496r622419_fix

Edit the SSH daemon configuration (/etc/ssh/sshd_config) and remove any ciphers not starting with "aes" and remove any ciphers ending with "cbc". If necessary, add a "Ciphers" line: Ciphers aes256-ctr,aes192-ctr,aes128-ctr Restart the SSH daemon: # sudo systemctl restart sshd.service

b
The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
RMF Control
MA-4
Severity
Medium
CCI
CCI-000877
Version
SLES-12-030180
Vuln IDs
V-217271
Rule IDs
SV-217271r744121_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. Satisfies: SRG-OS-000125-GPOS-00065, SRG-OS-000394-GPOS-00174
Fix: F-18497r622422_fix

Configure the SUSE operating system SSH daemon to only use MACs that employ FIPS 140-2 approved hashes. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (The file might be named differently or be in a different location): MACs hmac-sha2-512,hmac-sha2-256

b
The SUSE operating system SSH daemon must be configured with a timeout interval.
RMF Control
MA-4
Severity
Medium
CCI
CCI-000879
Version
SLES-12-030190
Vuln IDs
V-217272
Rule IDs
SV-217272r603262_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the SUSE operating system level, and deallocating networking assignments at the application level if multiple application sessions are using a single SUSE operating system-level network connection. This does not mean that the SUSE operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
Fix: F-18498r369973_fix

Configure the SUSE operating system SSH daemon to timeout idle sessions. Add or modify (to match exactly) the following line in the "/etc/ssh/sshd_config" file: ClientAliveInterval 600 The SSH daemon must be restarted in order for any changes to take effect.

b
The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
SLES-12-030191
Vuln IDs
V-217273
Rule IDs
SV-217273r603961_rule
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific SUSE operating system functionality where the system owner, data owner, or organization requires additional assurance.
Fix: F-18499r369976_fix

Configure the SUSE operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a "10" minute period of inactivity. Modify or append the following lines in the "/etc/ssh/sshd_config" file: ClientAliveCountMax 1 In order for the changes to take effect, the SSH daemon must be restarted. # sudo systemctl restart sshd.service

b
The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030200
Vuln IDs
V-217274
Rule IDs
SV-217274r603262_rule
Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
Fix: F-18500r369979_fix

Configure the SUSE operating system SSH daemon to not allow authentication using known hosts authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": IgnoreUserKnownHosts yes

b
The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030210
Vuln IDs
V-217275
Rule IDs
SV-217275r646750_rule
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
Fix: F-18501r646749_fix

Configure the SUSE operating system SSH daemon public host key files have mode "0644" or less permissive. Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: > sudo chmod 0644 /etc/ssh/ssh_host*key.pub

b
The SUSE operating system SSH daemon private host key files must have mode 0600 or less permissive.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030220
Vuln IDs
V-217276
Rule IDs
SV-217276r646753_rule
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Fix: F-18502r646752_fix

Configure the mode of the SUSE operating system SSH daemon private host key files under "/etc/ssh" to "0600" with the following command: > sudo chmod 0600 /etc/ssh/ssh_host*key

b
The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030230
Vuln IDs
V-217277
Rule IDs
SV-217277r603262_rule
If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
Fix: F-18503r369988_fix

Configure the SUSE operating system SSH daemon performs strict mode checking of home directory configuration files. Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes": StrictModes yes

b
The SUSE operating system SSH daemon must use privilege separation.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030240
Vuln IDs
V-217278
Rule IDs
SV-217278r603262_rule
SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.
Fix: F-18504r369991_fix

Configure the SUSE operating system SSH daemon is configured to use privilege separation. Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" and set the value to "yes" or "sandbox": UsePrivilegeSeparation yes

b
The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030260
Vuln IDs
V-217280
Rule IDs
SV-217280r603964_rule
The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.
Fix: F-18506r622427_fix

Configure the SUSE operating system SSH daemon to disable forwarded X connections for interactive users. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): X11Forwarding no

b
The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses.
RMF Control
SI-16
Severity
Medium
CCI
CCI-002824
Version
SLES-12-030320
Vuln IDs
V-217283
Rule IDs
SV-217283r646761_rule
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Fix: F-18509r646760_fix

Configure the SUSE operating system to prevent leaking of internal kernel addresses by running the following command: > sudo sysctl -w kernel.kptr_restrict=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.kptr_restrict=1" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.
RMF Control
SI-16
Severity
Medium
CCI
CCI-002824
Version
SLES-12-030330
Vuln IDs
V-217284
Rule IDs
SV-217284r646764_rule
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Fix: F-18510r646763_fix

Configure the SUSE operating system to implement ASLR by running the following commands: > sudo sysctl -w kernel.randomize_va_space=2 If "2" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.randomize_va_space=2" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must be configured to use TCP syncookies.
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
SLES-12-030350
Vuln IDs
V-217286
Rule IDs
SV-217286r603262_rule
Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Fix: F-18512r370015_fix

Configure the SUSE operating system to use TCP syncookies by running the following command as an administrator: # sudo sysctl -w net.ipv4.tcp_syncookies=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.conf": net.ipv4.tcp_syncookies = 1

b
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030360
Vuln IDs
V-217287
Rule IDs
SV-217287r603262_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Fix: F-18513r370018_fix

Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.all.accept_source_route = 0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030361
Vuln IDs
V-217288
Rule IDs
SV-217288r603262_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Fix: F-18514r370021_fix

Configure the SUSE operating system to not accept IPv6 source-routed packets by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv6.conf.all.accept_source_route = 0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030370
Vuln IDs
V-217289
Rule IDs
SV-217289r603262_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Fix: F-18515r370024_fix

Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.default.accept_source_route = 0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030380
Vuln IDs
V-217290
Rule IDs
SV-217290r603262_rule
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Fix: F-18516r370027_fix

Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030390
Vuln IDs
V-217291
Rule IDs
SV-217291r603262_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-18517r370030_fix

Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.all.accept_redirects =0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030400
Vuln IDs
V-217292
Rule IDs
SV-217292r603262_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-18518r370033_fix

Configure the SUSE operating system ignores IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.default.accept_redirects = 0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030401
Vuln IDs
V-217293
Rule IDs
SV-217293r603262_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-18519r370036_fix

Configure the SUSE operating system to not allow IPv6 ICMP redirect messages by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv6.conf.default.accept_redirects=0 Run the following command to apply this value: # sysctl –system

b
The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030410
Vuln IDs
V-217294
Rule IDs
SV-217294r603262_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Fix: F-18520r370039_fix

Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.default.send_redirects=0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030420
Vuln IDs
V-217295
Rule IDs
SV-217295r603262_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Fix: F-18521r370042_fix

Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.all.send_redirects=0 Run the following command to apply this value: # sysctl --system

b
The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030430
Vuln IDs
V-217296
Rule IDs
SV-217296r646767_rule
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Fix: F-18522r646766_fix

Configure the SUSE operating system to not performing IPv4 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv4.ip_forward=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.ip_forward=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must restrict privilege elevation to authorized personnel.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-010111
Vuln IDs
V-237603
Rule IDs
SV-237603r646772_rule
The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.
Fix: F-40785r646771_fix

Remove the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL

b
The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
RMF Control
AC-6
Severity
Medium
CCI
CCI-002227
Version
SLES-12-010112
Vuln IDs
V-237604
Rule IDs
SV-237604r832991_rule
The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. For more information on each of the listed configurations, reference the sudoers(5) manual page.
Fix: F-40786r646774_fix

Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw

b
The SUSE operating system must require re-authentication when using the "sudo" command.
RMF Control
IA-11
Severity
Medium
CCI
CCI-002038
Version
SLES-12-010113
Vuln IDs
V-237605
Rule IDs
SV-237605r832994_rule
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.
Fix: F-40787r832993_fix

Configure the "sudo" command to require re-authentication. Edit the /etc/sudoers file: > sudo visudo Add or modify the following line: Defaults timestamp_timeout=[value] Note: The "[value]" must be a number that is greater than or equal to "0".

b
The SUSE operating system library files must have mode 0755 or less permissive.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010871
Vuln IDs
V-237607
Rule IDs
SV-237607r646784_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40789r646783_fix

Configure the library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec chmod 755 '{}' \;

b
The SUSE operating system library directories must have mode 0755 or less permissive.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010872
Vuln IDs
V-237608
Rule IDs
SV-237608r646787_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40790r646786_fix

Configure the shared library directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec chmod 755 '{}' \;

b
The SUSE operating system library files must be owned by root.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010873
Vuln IDs
V-237609
Rule IDs
SV-237609r646790_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40791r646789_fix

Configure the system library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec chown root '{}' \;

b
The SUSE operating system library directories must be owned by root.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010874
Vuln IDs
V-237610
Rule IDs
SV-237610r646793_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40792r646792_fix

Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \;

b
The SUSE operating system library files must be group-owned by root.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010875
Vuln IDs
V-237611
Rule IDs
SV-237611r646796_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40793r646795_fix

Configure the system library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec chgrp root '{}' \;

b
The SUSE operating system library directories must be group-owned by root.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010876
Vuln IDs
V-237612
Rule IDs
SV-237612r646799_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40794r646798_fix

Configure the system library directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec chgrp root '{}' \;

b
The SUSE operating system must have system commands set to a mode of 0755 or less permissive.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010877
Vuln IDs
V-237613
Rule IDs
SV-237613r646802_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40795r646801_fix

Configure the system commands to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;

b
The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010878
Vuln IDs
V-237614
Rule IDs
SV-237614r646805_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40796r646804_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;

b
The SUSE operating system must have system commands owned by root.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010879
Vuln IDs
V-237615
Rule IDs
SV-237615r646808_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40797r646807_fix

Configure the system commands - and their respective parent directories - to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec chown root '{}' \;

b
The SUSE operating system must have directories that contain system commands owned by root.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010881
Vuln IDs
V-237616
Rule IDs
SV-237616r646811_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40798r646810_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;

b
The SUSE operating system must have system commands group-owned by root or a system account.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010882
Vuln IDs
V-237617
Rule IDs
SV-237617r832997_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40799r832996_fix

Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. > sudo chgrp root [FILE]

b
The SUSE operating system must have directories that contain system commands group-owned by root.
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-12-010883
Vuln IDs
V-237618
Rule IDs
SV-237618r646817_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-40800r646816_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;

b
The SUSE operating system must not have the vsftpd package installed if not required for operational support.
RMF Control
IA-5
Severity
Medium
CCI
CCI-000197
Version
SLES-12-030011
Vuln IDs
V-237619
Rule IDs
SV-237619r646820_rule
It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled.
Fix: F-40801r646819_fix

Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command: > sudo zypper remove vsftpd

b
The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030362
Vuln IDs
V-237620
Rule IDs
SV-237620r646823_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Fix: F-40802r646822_fix

Configure the SUSE operating system to disable IPv6 default source routing by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030363
Vuln IDs
V-237621
Rule IDs
SV-237621r646826_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-40803r646825_fix

Configure the SUSE operating system to not accept IPv6 ICMP redirect messages by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030364
Vuln IDs
V-237622
Rule IDs
SV-237622r646829_rule
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Fix: F-40804r646828_fix

Configure the SUSE operating system to not performing IPv6 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.forwarding=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.forwarding=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-12-030365
Vuln IDs
V-237623
Rule IDs
SV-237623r646832_rule
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Fix: F-40805r646831_fix

Configure the SUSE operating system to not performing IPv6 packet forwarding by default by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.forwarding=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.forwarding=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system