Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · SCAP

SUSE Linux Enterprise Server 15 STIG SCAP Benchmark

V2R4 · · · Published 27 Feb 2025 · 120 rules
View

Open a previous version of this SCAP benchmark.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Sort by
c
The SUSE operating system must be a vendor-supported release.
RMF Control
SI-2
Severity
H
CCI
CCI-001230
Version
SLES-15-010000
Vuln IDs
V-234800
Rule IDs
SV-234800r991589_rule
A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
Fix: F-37951r618670_fix

Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.

c
The SUSE operating system must not have the vsftpd package installed if not required for operational support.
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
SLES-15-010030
Vuln IDs
V-234804
Rule IDs
SV-234804r987796_rule
It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049
Fix: F-37955r618682_fix

Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command: > sudo zypper remove vsftpd

a
The SUSE operating system must utilize vlock to allow for session locking.
RMF Control
AC-11
Severity
L
CCI
CCI-000056
Version
SLES-15-010110
Vuln IDs
V-234811
Rule IDs
SV-234811r1009610_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012
Fix: F-37962r618703_fix

Allow users to lock the console by installing the "kbd" package using zypper: > sudo zypper install kbd

b
The SUSE operating system must log SSH connection attempts and failures to the server.
RMF Control
AC-17
Severity
M
CCI
CCI-000067
Version
SLES-15-010150
Vuln IDs
V-234815
Rule IDs
SV-234815r958406_rule
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Fix: F-37966r618715_fix

Configure SSH to verbosely log connection attempts and failed logon attempts to the SUSE operating system. Add or update the following line in the "/etc/ssh/sshd_config" file: LogLevel VERBOSE The SSH service will need to be restarted in order for the changes to take effect.

b
The SUSE operating system must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.
RMF Control
AC-17
Severity
M
CCI
CCI-000068
Version
SLES-15-010160
Vuln IDs
V-234816
Rule IDs
SV-234816r958408_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173
Fix: F-37967r618718_fix

Edit the SSH daemon configuration (/etc/ssh/sshd_config) and remove any ciphers not starting with "aes" and remove any ciphers ending with "cbc". If necessary, add a "Ciphers" line: Ciphers aes256-ctr,aes192-ctr,aes128-ctr Restart the SSH daemon: > sudo systemctl restart sshd.service

c
The SUSE operating system must not have the telnet-server package installed.
RMF Control
IA-5
Severity
H
CCI
CCI-000197
Version
SLES-15-010180
Vuln IDs
V-234818
Rule IDs
SV-234818r987796_rule
It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049
Fix: F-37969r618724_fix

Remove the telnet-server package from the SUSE operating system by running the following command: > sudo zypper remove telnet-server

b
The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
SLES-15-010260
Vuln IDs
V-234825
Rule IDs
SV-234825r971535_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. SUSE operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
Fix: F-37976r618745_fix

Configure the SUSE operating system to require "ENCRYPT_METHOD" of "SHA512". Edit the "/etc/login.defs" file with the following line: ENCRYPT_METHOD SHA512

b
The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
RMF Control
MA-4
Severity
M
CCI
CCI-000877
Version
SLES-15-010270
Vuln IDs
V-234826
Rule IDs
SV-234826r958510_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. Satisfies: SRG-OS-000125-GPOS-00065, SRG-OS-000394-GPOS-00174
Fix: F-37977r618748_fix

Configure the SUSE operating system SSH daemon to only use MACs that employ FIPS 140-2 approved hashes. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (The file might be named differently or be in a different location): MACs hmac-sha2-512,hmac-sha2-256

b
The SUSE operating system SSH daemon must be configured with a timeout interval.
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
SLES-15-010280
Vuln IDs
V-234827
Rule IDs
SV-234827r986464_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the SUSE operating system-level, and deallocating networking assignments at the application level if multiple application sessions are using a single SUSE operating system-level network connection. This does not mean that the SUSE operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
Fix: F-37978r618751_fix

Configure the SUSE operating system SSH daemon to timeout idle sessions. Add or modify (to match exactly) the following line in the "/etc/ssh/sshd_config" file: ClientAliveInterval 600 The SSH daemon must be restarted for any changes to take effect.

b
The SUSE operating system must be configured to use TCP syncookies.
RMF Control
SC-5
Severity
M
CCI
CCI-001095
Version
SLES-15-010310
Vuln IDs
V-234829
Rule IDs
SV-234829r958528_rule
Denial of Service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Fix: F-37980r618757_fix

Configure the SUSE operating system to use IPv4 TCP syncookies by running the following command as an administrator: > sudo sysctl -w net.ipv4.tcp_syncookies=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.
RMF Control
SC-10
Severity
M
CCI
CCI-001133
Version
SLES-15-010320
Vuln IDs
V-234830
Rule IDs
SV-234830r1069400_rule
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific SUSE operating system functionality where the system owner, data owner, or organization requires additional assurance. In Linux, ClientAliveCountMax directive is used in the SSH daemon configuration file to define the number of client alive messages the SSH server will send without receiving any response from the client before terminating the session. The ClientAliveInterval (SLES-15-010280/ V-234827) sets a timeout interval in seconds after which if no data has been received from the client, the ssh daemon will send a message through the encrypted channel to request a response from the client. Together, these two settings provide a way to configure a timeout for inactive sessions.
Fix: F-37981r1069399_fix

Configure the SUSE operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a 10-minute period of inactivity. Modify or append the following lines in the "/etc/ssh/sshd_config" file: ClientAliveCountMax 1 For the changes to take effect, the SSH daemon must be restarted. > sudo systemctl restart sshd.service

b
The SUSE operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
RMF Control
SI-11
Severity
M
CCI
CCI-001312
Version
SLES-15-010340
Vuln IDs
V-234832
Rule IDs
SV-234832r958564_rule
Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. The /var/log/btmp, /var/log/wtmp, and /var/log/lastlog files have group write and global read permissions to allow for the lastlog function to perform. Limiting the permissions beyond this configuration will result in the failure of functions that rely on the lastlog database.
Fix: F-37983r880883_fix

Configure the SUSE operating system to set permissions of all log files under /var/log directory to "640" or more restricted, by using the following command: Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Discussion for details. > sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \;

b
The SUSE operating system library files must have mode 0755 or less permissive.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010351
Vuln IDs
V-234834
Rule IDs
SV-234834r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37985r618772_fix

Configure the library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec chmod 755 '{}' \;

b
The SUSE operating system library directories must have mode 0755 or less permissive.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010352
Vuln IDs
V-234835
Rule IDs
SV-234835r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37986r618775_fix

Configure the shared library directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec chmod 755 '{}' \;

b
The SUSE operating system library files must be owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010353
Vuln IDs
V-234836
Rule IDs
SV-234836r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37987r618778_fix

Configure the system library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec chown root '{}' \;

b
The SUSE operating system library directories must be owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010354
Vuln IDs
V-234837
Rule IDs
SV-234837r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37988r618781_fix

Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \;

b
The SUSE operating system library files must be group-owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010355
Vuln IDs
V-234838
Rule IDs
SV-234838r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37989r618784_fix

Configure the system library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec chgrp root '{}' \;

b
The SUSE operating system library directories must be group-owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010356
Vuln IDs
V-234839
Rule IDs
SV-234839r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37990r618787_fix

Configure the system library directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec chgrp root '{}' \;

b
The SUSE operating system must have system commands set to a mode of 0755 or less permissive.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010357
Vuln IDs
V-234840
Rule IDs
SV-234840r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37991r618790_fix

Configure the system commands to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;

b
The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010358
Vuln IDs
V-234841
Rule IDs
SV-234841r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37992r618793_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;

b
The SUSE operating system must have system commands owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010359
Vuln IDs
V-234842
Rule IDs
SV-234842r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37993r618796_fix

Configure the system commands - and their respective parent directories - to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec chown root '{}' \;

b
The SUSE operating system must have directories that contain system commands owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010360
Vuln IDs
V-234843
Rule IDs
SV-234843r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37994r618799_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;

b
The SUSE operating system must have system commands group-owned by root or a system account.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010361
Vuln IDs
V-234844
Rule IDs
SV-234844r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37995r833002_fix

Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. > sudo chgrp root [FILE]

b
The SUSE operating system must have directories that contain system commands group-owned by root.
RMF Control
CM-5
Severity
M
CCI
CCI-001499
Version
SLES-15-010362
Vuln IDs
V-234845
Rule IDs
SV-234845r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Fix: F-37996r618805_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;

c
The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.
RMF Control
Severity
H
CCI
CCI-004895
Version
SLES-15-010450
Vuln IDs
V-234853
Rule IDs
SV-234853r1050789_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When the SUSE operating system provides the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
Fix: F-38004r618829_fix

Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.

c
FIPS 140-2 mode must be enabled on the SUSE operating system.
RMF Control
SC-13
Severity
H
CCI
CCI-002450
Version
SLES-15-010510
Vuln IDs
V-234859
Rule IDs
SV-234859r987791_rule
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223
Fix: F-38010r618847_fix

To configure the SUSE operating system to run in FIPS mode, add "fips=1" to the kernel parameter during the SUSE operating system install. Enabling FIPS mode on a preexisting system involves a number of modifications to the SUSE operating system. Refer to section 9.1, "Crypto Officer Guidance", of the following document for installation guidance: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdf

c
All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
RMF Control
SC-8
Severity
H
CCI
CCI-002418
Version
SLES-15-010530
Vuln IDs
V-234860
Rule IDs
SV-234860r958908_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
Fix: F-38011r618850_fix

Note: If the system is not networked, this requirement is Not Applicable. Configure the SUSE operating system to implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. Install the OpenSSH package on the SUSE operating system with the following command: > sudo zypper in openssh Enable the OpenSSH service to start automatically on reboot with the following command: > sudo systemctl enable sshd.service For the changes to take effect immediately, start the service with the following command: > sudo systemctl restart sshd.service

b
The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses.
RMF Control
SI-16
Severity
M
CCI
CCI-002824
Version
SLES-15-010540
Vuln IDs
V-234861
Rule IDs
SV-234861r958928_rule
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Fix: F-38012r618853_fix

Configure the SUSE operating system to prevent leaking of internal kernel addresses by running the following command: > sudo sysctl -w kernel.kptr_restrict=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.kptr_restrict=1" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.
RMF Control
SI-16
Severity
M
CCI
CCI-002824
Version
SLES-15-010550
Vuln IDs
V-234862
Rule IDs
SV-234862r958928_rule
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Fix: F-38013r618856_fix

Configure the SUSE operating system to implement ASLR by running the following command as an administrator: > sudo sysctl -w kernel.randomize_va_space=2 If "2" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.randomize_va_space=2" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

a
The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
RMF Control
AC-10
Severity
L
CCI
CCI-000054
Version
SLES-15-020020
Vuln IDs
V-234868
Rule IDs
SV-234868r958398_rule
SUSE operating system management includes the ability to control the number of users and user sessions that utilize a SUSE operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.
Fix: F-38019r618874_fix

Configure the SUSE operating system to limit the number of concurrent sessions to "10" or less for all accounts and/or account types. Add the following line to the file "/etc/security/limits.conf": * hard maxlogins 10

b
The SUSE operating system must deny direct logons to the root account using remote access via SSH.
RMF Control
Severity
M
CCI
CCI-004045
Version
SLES-15-020040
Vuln IDs
V-234870
Rule IDs
SV-234870r1009618_rule
To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the UNIX and Windows SUSE operating systems offer a "switch user" capability, allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the SUSE operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.
Fix: F-38021r618880_fix

Configure the SUSE operating system to deny direct logons to the root account using remote access via SSH. Edit the appropriate "/etc/ssh/sshd_config" file, add or uncomment the line for "PermitRootLogin" and set its value to "no" (this file may be named differently or be in a different location): PermitRootLogin no

c
The SUSE operating system root account must be the only account with unrestricted access to the system.
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SLES-15-020100
Vuln IDs
V-234876
Rule IDs
SV-234876r991589_rule
If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SUSE operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.
Fix: F-38027r618898_fix

Change the UID of any account on the SUSE operating system, other than the root account, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.

b
The SUSE operating system must restrict privilege elevation to authorized personnel.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-020101
Vuln IDs
V-234877
Rule IDs
SV-234877r991589_rule
The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.
Fix: F-38028r618901_fix

Remove the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL

b
The SUSE operating system must require reauthentication when using the "sudo" command.
RMF Control
Severity
M
CCI
CCI-004895
Version
SLES-15-020102
Vuln IDs
V-234878
Rule IDs
SV-234878r1050789_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated.
Fix: F-38029r986476_fix

Configure the "sudo" command to require reauthentication. Edit the /etc/sudoers file: > sudo visudo Add or modify the following line: Defaults timestamp_timeout=[value] Note: The "[value]" must be a number that is greater than or equal to "0".

b
The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-020103
Vuln IDs
V-234879
Rule IDs
SV-234879r991589_rule
The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. For more information on each of the listed configurations, reference the sudoers(5) manual page.
Fix: F-38030r618907_fix

Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw

b
All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-020110
Vuln IDs
V-234880
Rule IDs
SV-234880r991589_rule
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Fix: F-38031r618910_fix

Configure the SUSE operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. CREATE_HOME yes

b
The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
RMF Control
AC-9
Severity
M
CCI
CCI-000052
Version
SLES-15-020120
Vuln IDs
V-234881
Rule IDs
SV-234881r991589_rule
Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.
Fix: F-38032r618913_fix

Configure the SUSE operating system to provide users with feedback on when account accesses last occurred. Add or edit the following lines in the "/etc/ssh/sshd_config" file: PrintLastLog yes

b
The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
RMF Control
Severity
M
CCI
CCI-004062
Version
SLES-15-020180
Vuln IDs
V-234887
Rule IDs
SV-234887r1009626_rule
The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Fix: F-38038r618931_fix

Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "ENCRYPT_METHOD" to have a value of "SHA512". ENCRYPT_METHOD SHA512 Lock all interactive user accounts not using SHA512 hashing until the passwords can be regenerated.

b
The SUSE operating system must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.
RMF Control
Severity
M
CCI
CCI-004062
Version
SLES-15-020190
Vuln IDs
V-234888
Rule IDs
SV-234888r1044810_rule
The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Fix: F-38039r1044809_fix

Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "100000": SHA_CRYPT_MIN_ROUNDS 100000

b
The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).
RMF Control
Severity
M
CCI
CCI-004066
Version
SLES-15-020200
Vuln IDs
V-234889
Rule IDs
SV-234889r1009628_rule
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Fix: F-38040r986485_fix

Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: PASS_MIN_DAYS [DAYS] The DOD requirement is "1" but a greater value is acceptable.

b
The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).
RMF Control
Severity
M
CCI
CCI-004066
Version
SLES-15-020210
Vuln IDs
V-234890
Rule IDs
SV-234890r1009629_rule
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Fix: F-38041r618940_fix

Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age for user accounts. Change the minimum time period between password changes for each [USER] account to "1" day with the command, replacing [USER] with the user account that must be changed: > sudo passwd -n 1 [USER]

b
The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.
RMF Control
Severity
M
CCI
CCI-004066
Version
SLES-15-020220
Vuln IDs
V-234891
Rule IDs
SV-234891r1038967_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.
Fix: F-38042r986489_fix

Configure the SUSE operating system to enforce a maximum password age of 60 days or less. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: PASS_MAX_DAYS [DAYS] The DOD requirement is 60 days or less (greater than zero, as zero days will lock the account immediately).

b
The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.
RMF Control
Severity
M
CCI
CCI-004066
Version
SLES-15-020230
Vuln IDs
V-234892
Rule IDs
SV-234892r1038967_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.
Fix: F-38043r986491_fix

Configure the SUSE operating system to enforce a maximum password age of each [USER] account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance: > sudo passwd -x 60 [USER] The DOD requirement is 60 days.

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
RMF Control
AC-2
Severity
M
CCI
CCI-000015
Version
SLES-15-030000
Vuln IDs
V-234899
Rule IDs
SV-234899r1009634_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000304-GPOS-00121, SRG-OS-000470-GPOS-00214, SRG-OS-000476-GPOS-00221
Fix: F-38050r986497_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/passwd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/passwd -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
SLES-15-030010
Vuln IDs
V-234900
Rule IDs
SV-234900r1009635_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221
Fix: F-38051r986500_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/group" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/group -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
SLES-15-030020
Vuln IDs
V-234901
Rule IDs
SV-234901r1009636_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221
Fix: F-38052r986503_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/shadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/shadow -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
SLES-15-030030
Vuln IDs
V-234902
Rule IDs
SV-234902r1009637_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221
Fix: F-38053r986506_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/security/opasswd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/security/opasswd -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
RMF Control
AC-2
Severity
M
CCI
CCI-000018
Version
SLES-15-030040
Vuln IDs
V-234903
Rule IDs
SV-234903r958368_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221
Fix: F-38054r618979_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/gshadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/gshadow -p wa -k account_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030050
Vuln IDs
V-234904
Rule IDs
SV-234904r958412_rule
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000392-GPOS-00172
Fix: F-38055r618982_fix

Enable the SUSE operating system auditd service by performing the following commands: > sudo systemctl enable auditd.service > sudo systemctl start auditd.service

a
The SUSE operating system must generate audit records for all uses of the ssh-keysign command.
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
SLES-15-030060
Vuln IDs
V-234905
Rule IDs
SV-234905r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38056r618985_fix

Configure the SUSE operating system to generate an audit record for all uses of the "ssh-keysign" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-keysign To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the passwd command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030070
Vuln IDs
V-234906
Rule IDs
SV-234906r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38057r618988_fix

Configure the SUSE operating system to generate an audit record for all uses of the "passwd" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the gpasswd command.
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
SLES-15-030080
Vuln IDs
V-234907
Rule IDs
SV-234907r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38058r618991_fix

Configure the SUSE operating system to generate an audit record for all uses of the "gpasswd" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the newgrp command.
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
SLES-15-030090
Vuln IDs
V-234908
Rule IDs
SV-234908r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38059r618994_fix

Configure the SUSE operating system to generate an audit record for all uses of the "newgrp" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-newgrp To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for a uses of the chsh command.
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
SLES-15-030100
Vuln IDs
V-234909
Rule IDs
SV-234909r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38060r618997_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chsh" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chsh To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030110
Vuln IDs
V-234910
Rule IDs
SV-234910r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38061r619000_fix

Configure the SUSE operating system to generate an audit record for all uses of the "unix_chkpwd" and "unix2_chkpwd" commands. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-chkpwd -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix2-chkpwd To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chage command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030120
Vuln IDs
V-234911
Rule IDs
SV-234911r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38062r619003_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chage" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the crontab command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030130
Vuln IDs
V-234912
Rule IDs
SV-234912r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38063r619006_fix

Configure the SUSE operating system to generate an audit record for all uses of the "crontab" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030140
Vuln IDs
V-234913
Rule IDs
SV-234913r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38064r619009_fix

Configure the SUSE operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. Add or update the following rule in "/etc/audit/rules.d/audit.rules": -w /etc/sudoers -p wa -k privileged-actions -w /etc/sudoers.d -p wa -k privileged-actions To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030150
Vuln IDs
V-234914
Rule IDs
SV-234914r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38065r854231_fix

Configure the SUSE operating system to generate an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030190
Vuln IDs
V-234918
Rule IDs
SV-234918r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215
Fix: F-38069r854233_fix

Configure the SUSE operating system to generate an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr","removexattr", "fremovexattr", and "lremovexattr" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown system calls.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030250
Vuln IDs
V-234924
Rule IDs
SV-234924r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38075r854235_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030290
Vuln IDs
V-234928
Rule IDs
SV-234928r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38079r854237_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chmod", "fchmod", and "fchmodat" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the sudoedit command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030330
Vuln IDs
V-234932
Rule IDs
SV-234932r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38083r619066_fix

Configure the SUSE operating system to generate an audit record for all uses of the "sudoedit" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudoedit To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the chfn command.
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
SLES-15-030340
Vuln IDs
V-234933
Rule IDs
SV-234933r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38084r619069_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chfn" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the mount system call.
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
SLES-15-030350
Vuln IDs
V-234934
Rule IDs
SV-234934r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38085r619072_fix

Configure the SUSE operating system to generate an audit record for all uses of the "mount" system call. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the umount system call.
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
SLES-15-030360
Vuln IDs
V-234935
Rule IDs
SV-234935r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38086r619075_fix

Configure the SUSE operating system to generate an audit record for all uses of the "umount" and "umount2" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the ssh-agent command.
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
SLES-15-030370
Vuln IDs
V-234936
Rule IDs
SV-234936r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38087r619078_fix

Configure the SUSE operating system to generate an audit record for all uses of the "ssh-agent" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-agent To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the insmod command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030380
Vuln IDs
V-234937
Rule IDs
SV-234937r958412_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38088r619081_fix

Configure the SUSE operating system to audit the execution of the module management program "insmod" by adding the following line to "/etc/audit/rules.d/audit.rules": -w /sbin/insmod -p x -k modules To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the rmmod command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030390
Vuln IDs
V-234938
Rule IDs
SV-234938r958412_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38089r619084_fix

Configure the SUSE operating system to audit the execution of the module management program "rmmod" by adding the following line to "/etc/audit/rules.d/audit.rules": -w /sbin/rmmod -p x -k modules To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the modprobe command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030400
Vuln IDs
V-234939
Rule IDs
SV-234939r958412_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38090r619087_fix

Configure the SUSE operating system to audit the execution of the module management program "modprobe" by adding the following line to "/etc/audit/rules.d/audit.rules": -w /sbin/modprobe -p x -k modules To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the kmod command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030410
Vuln IDs
V-234940
Rule IDs
SV-234940r958412_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
Fix: F-38091r619090_fix

Configure the SUSE operating system to audit the execution of the module management program "kmod" by adding the following line to "/etc/audit/rules.d/audit.rules": -w /usr/bin/kmod -p x -k modules To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chmod command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030420
Vuln IDs
V-234941
Rule IDs
SV-234941r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38092r619093_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chmod" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the setfacl command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030430
Vuln IDs
V-234942
Rule IDs
SV-234942r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38093r619096_fix

Configure the SUSE operating system to generate an audit record for all uses of the "setfacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chacl command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030440
Vuln IDs
V-234943
Rule IDs
SV-234943r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38094r619099_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chcon command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030450
Vuln IDs
V-234944
Rule IDs
SV-234944r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38095r619102_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chcon" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the rm command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030460
Vuln IDs
V-234945
Rule IDs
SV-234945r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38096r619105_fix

Configure the SUSE operating system to generate an audit record for all uses of the "rm" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030470
Vuln IDs
V-234946
Rule IDs
SV-234946r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218
Fix: F-38097r619108_fix

Configure the SUSE operating system to generate an audit record for any all modifications to the "tallylog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/tallylog -p wa -k logins To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all modifications to the lastlog file.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030480
Vuln IDs
V-234947
Rule IDs
SV-234947r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218
Fix: F-38098r619111_fix

Configure the SUSE operating system to generate an audit record for any all modifications to the "lastlog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/lastlog -p wa -k logins To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the passmass command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030490
Vuln IDs
V-234948
Rule IDs
SV-234948r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38099r619114_fix

Configure the SUSE operating system to generate an audit record for all uses of the "passmass" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passmass To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the usermod command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030500
Vuln IDs
V-234949
Rule IDs
SV-234949r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38100r619117_fix

Configure the SUSE operating system to generate an audit record for all uses of the "usermod" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030510
Vuln IDs
V-234950
Rule IDs
SV-234950r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Fix: F-38101r619120_fix

Configure the SUSE operating system to generate an audit record for all uses of the "pam_timestamp_check" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the delete_module system call.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030520
Vuln IDs
V-234951
Rule IDs
SV-234951r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
Fix: F-38102r619123_fix

Configure the SUSE operating system to generate an audit record for all uses of the "delete_module" system call. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the init_module and finit_module system calls.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030530
Vuln IDs
V-234952
Rule IDs
SV-234952r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
Fix: F-38103r854259_fix

Configure the SUSE operating system to generate an audit record for all uses of the "init_module" and "finit_module" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the su command.
RMF Control
AU-3
Severity
M
CCI
CCI-000130
Version
SLES-15-030550
Vuln IDs
V-234954
Rule IDs
SV-234954r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000042-GPOS-00020
Fix: F-38105r619132_fix

Configure the SUSE operating system to generate an audit record for all uses of the "su" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the sudo command.
RMF Control
AU-3
Severity
L
CCI
CCI-000130
Version
SLES-15-030560
Vuln IDs
V-234955
Rule IDs
SV-234955r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000042-GPOS-00020
Fix: F-38106r619135_fix

Configure the SUSE operating system to generate an audit record for all uses of the "sudo" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudo To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the privileged functions.
RMF Control
Severity
L
CCI
CCI-003938
Version
SLES-15-030640
Vuln IDs
V-234963
Rule IDs
SV-234963r1009638_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152
Fix: F-38114r986509_fix

Configure the SUSE operating system to generate an audit record for any privileged use of the "execve" system call. Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must have the auditing package installed.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-15-030650
Vuln IDs
V-234964
Rule IDs
SV-234964r1009639_rule
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system. Satisfies: SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220
Fix: F-38115r619162_fix

The SUSE operating system auditd package must be installed on the system. If it is not installed, use the following command to install it: > sudo zypper in audit

b
The audit-audispd-plugins must be installed on the SUSE operating system.
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
SLES-15-030670
Vuln IDs
V-234966
Rule IDs
SV-234966r1009564_rule
The audit-audispd-plugins must be installed on the SUSE operating system.
Fix: F-38117r1009563_fix

Install the "audit-audispd-plugins" package on the SUSE operating system by running the following command: > sudo zypper install audit-audispd-plugins

b
The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat, and rmdir system calls.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-15-030740
Vuln IDs
V-234973
Rule IDs
SV-234973r991577_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
Fix: F-38124r809558_fix

Configure the SUSE operating system to generate an audit record for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for the /run/utmp file.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-15-030760
Vuln IDs
V-234975
Rule IDs
SV-234975r991581_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-38126r619195_fix

Configure the SUSE operating system to generate an audit record for the "/run/utmp" file. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -w /run/utmp -p wa -k login_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for the /var/log/wtmp file.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-15-030770
Vuln IDs
V-234976
Rule IDs
SV-234976r991581_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-38127r619198_fix

Configure the SUSE operating system to generate an audit record for the "/var/log/wtmp" file. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -w /var/log/wtmp -p wa -k login_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for the /var/log/btmp file.
RMF Control
AU-12
Severity
M
CCI
CCI-000172
Version
SLES-15-030780
Vuln IDs
V-234977
Rule IDs
SV-234977r991581_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Fix: F-38128r619201_fix

Configure the SUSE operating system to generate an audit record for the "/var/log/btmp" file. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -w /var/log/btmp -p wa -k login_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must off-load audit records onto a different system or media from the system being audited.
RMF Control
AU-4
Severity
M
CCI
CCI-001851
Version
SLES-15-030790
Vuln IDs
V-234978
Rule IDs
SV-234978r1009573_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Fix: F-38129r1009572_fix

Configure the SUSE operating system to take the appropriate action if it cannot off-load audit records to a different system or storage media from the system being audited due to a network failure. Uncomment the "network_failure_action" option in "/etc/audit/audisp-remote.conf" and set it to "syslog", "single", or "halt". See the example below: network_failure_action = syslog

b
The SUSE operating system must not disable syscall auditing.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-030820
Vuln IDs
V-234981
Rule IDs
SV-234981r991589_rule
By default, the SUSE operating system includes the "-a task,never" audit rule as a default. This rule suppresses syscall auditing for all tasks started with this rule in effect. Because the audit daemon processes the "audit.rules" file from the top down, this rule supersedes all other defined syscall rules; therefore no syscall auditing can take place on the operating system.
Fix: F-38132r619213_fix

Remove the "-a task,never" rule from the /etc/audit/rules.d/audit.rules file. The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service

c
There must be no .shosts files on the SUSE operating system.
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SLES-15-040020
Vuln IDs
V-234984
Rule IDs
SV-234984r991589_rule
The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Fix: F-38135r619222_fix

Remove any ".shosts" files found on the SUSE operating system. > sudo rm /[path]/[to]/[file]/.shosts

c
There must be no shosts.equiv files on the SUSE operating system.
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SLES-15-040030
Vuln IDs
V-234985
Rule IDs
SV-234985r991589_rule
The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Fix: F-38136r619225_fix

Remove any "shosts.equiv" files found on the SUSE operating system. > sudo rm /[path]/[to]/[file]/shosts.equiv

c
The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence.
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SLES-15-040062
Vuln IDs
V-234990
Rule IDs
SV-234990r991589_rule
A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Fix: F-38141r619240_fix

Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: CtrlAltDelBurstAction=none Reload the daemon for this change to take effect > sudo systemctl daemon-reload

b
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040160
Vuln IDs
V-235000
Rule IDs
SV-235000r991589_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-38151r619270_fix

Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that are being exported via NFS.

b
SUSE operating system file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040170
Vuln IDs
V-235001
Rule IDs
SV-235001r991589_rule
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
Fix: F-38152r619273_fix

Configure the SUSE operating system "/etc/fstab" file to use the "noexec" option on file systems that are being exported via NFS.

a
The SUSE operating system must use a separate file system for /var.
RMF Control
CM-6
Severity
L
CCI
CCI-000366
Version
SLES-15-040210
Vuln IDs
V-235005
Rule IDs
SV-235005r991589_rule
The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
Fix: F-38156r619285_fix

Create a separate file system/partition on the SUSE operating system for "/var". Migrate "/var" onto the separate file system/partition.

b
The SUSE operating system SSH daemon must be configured to not allow authentication using known hosts authentication.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040230
Vuln IDs
V-235007
Rule IDs
SV-235007r991589_rule
Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.
Fix: F-38158r619291_fix

Configure the SUSE operating system SSH daemon to not allow authentication using "known hosts" authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": IgnoreUserKnownHosts yes

b
The SUSE operating system SSH daemon public host key files must have mode 0644 or less permissive.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040240
Vuln IDs
V-235008
Rule IDs
SV-235008r991589_rule
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
Fix: F-38159r619294_fix

Configure the SUSE operating system SSH daemon public host key files have mode "0644" or less permissive. Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: > sudo chmod 0644 /etc/ssh/ssh_host*key.pub

b
The SUSE operating system SSH daemon private host key files must have mode 0640 or less permissive.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040250
Vuln IDs
V-235009
Rule IDs
SV-235009r991589_rule
If an unauthorized user obtains the private SSH host key file, the host could be impersonated.
Fix: F-38160r880957_fix

Configure the mode of the SUSE operating system SSH daemon private host key files under "/etc/ssh" to "0640" with the following command: > sudo chmod 0640 /etc/ssh/ssh_host*key

b
The SUSE operating system SSH daemon must perform strict mode checking of home directory configuration files.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040260
Vuln IDs
V-235010
Rule IDs
SV-235010r991589_rule
If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.
Fix: F-38161r619300_fix

Configure the SUSE operating system SSH daemon performs strict mode checking of home directory configuration files. Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes": StrictModes yes

b
The SUSE operating system SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040290
Vuln IDs
V-235013
Rule IDs
SV-235013r991589_rule
The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.
Fix: F-38164r619309_fix

Configure the SUSE operating system SSH daemon to disable forwarded X connections for interactive users. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): X11Forwarding no

b
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040300
Vuln IDs
V-235014
Rule IDs
SV-235014r991589_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4/IPv6 forwarding is enabled and the system is functioning as a router.
Fix: F-38165r619312_fix

Configure the SUSE operating system to disable IPv4 source routing by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040310
Vuln IDs
V-235015
Rule IDs
SV-235015r991589_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Fix: F-38166r619315_fix

Configure the SUSE operating system to disable IPv6 source routing by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040320
Vuln IDs
V-235016
Rule IDs
SV-235016r991589_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Fix: F-38167r619318_fix

Configure the SUSE operating system to disable IPv4 default source routing by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040321
Vuln IDs
V-235017
Rule IDs
SV-235017r991589_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.
Fix: F-38168r619321_fix

Configure the SUSE operating system to disable IPv6 default source routing by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040330
Vuln IDs
V-235018
Rule IDs
SV-235018r991589_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-38169r619324_fix

Configure the SUSE operating system to not accept IPv4 ICMP redirect messages by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040340
Vuln IDs
V-235019
Rule IDs
SV-235019r991589_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-38170r619327_fix

Configure the SUSE operating system to not accept IPv4 ICMP redirect messages by default by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040341
Vuln IDs
V-235020
Rule IDs
SV-235020r991589_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-38171r619330_fix

Configure the SUSE operating system to not accept IPv6 ICMP redirect messages by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040350
Vuln IDs
V-235021
Rule IDs
SV-235021r991589_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
Fix: F-38172r619333_fix

Configure the SUSE operating system to not accept IPv6 ICMP redirect messages by default by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040360
Vuln IDs
V-235022
Rule IDs
SV-235022r991589_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Fix: F-38173r619336_fix

Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects by default by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.default.send_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040370
Vuln IDs
V-235023
Rule IDs
SV-235023r991589_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.
Fix: F-38174r619339_fix

Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.all.send_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040380
Vuln IDs
V-235024
Rule IDs
SV-235024r991589_rule
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Fix: F-38175r619342_fix

Configure the SUSE operating system to not performing IPv4 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv4.ip_forward=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.ip_forward=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040381
Vuln IDs
V-235025
Rule IDs
SV-235025r991589_rule
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Fix: F-38176r619345_fix

Configure the SUSE operating system to not performing IPv6 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.forwarding=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.forwarding=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040382
Vuln IDs
V-235026
Rule IDs
SV-235026r991589_rule
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.
Fix: F-38177r619348_fix

Configure the SUSE operating system to not performing IPv6 packet forwarding by default by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.forwarding=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.forwarding=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system default permissions must be defined in such a way that all authenticated users can only read and modify their own files.
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
SLES-15-040420
Vuln IDs
V-235030
Rule IDs
SV-235030r991590_rule
Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.
Fix: F-38181r619360_fix

Configure the SUSE operating system to define the default permissions for all authenticated users in such a way that the users can only read and modify their own files. Add or edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below: UMASK 077

c
The SUSE operating system must not allow unattended or automatic logon via the graphical user interface (GUI).
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
SLES-15-040430
Vuln IDs
V-235031
Rule IDs
SV-235031r991591_rule
Failure to restrict system access to authenticated users negatively impacts SUSE operating system security.
Fix: F-38182r619363_fix

Note: If a graphical user interface is not installed, this requirement is Not Applicable. Configure the SUSE operating system GUI to not allow unattended or automatic logon to the system. Add or edit the following lines in the "/etc/sysconfig/displaymanager" configuration file: DISPLAYMANAGER_AUTOLOGIN="" DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"