SLES 12 Security Technical Implementation Guide
- Version/Release: V3R1
- Published: 2024-08-22
- Released: 2024-10-24
-
Expand All:
- Severity:
-
Sort:
Compare
Select any two versions of this STIG to compare the individual requirements
View
Select any old version/release of this STIG to view the previous requirements
- RMF Control
- SI-2
- Severity
- High
- CCI
- CCI-001230
- Version
- SLES-12-010000
- Vuln IDs
-
- V-217101
- V-77045
- Rule IDs
-
- SV-217101r991589_rule
- SV-91741
Checks: C-18329r369459_chk
Verify the SUSE operating system is a vendor-supported release. Use the following command to verify the SUSE operating system is a vendor-supported release: # cat /etc/os-release NAME="SLES" VERSION="12" Current End of Life for SLES 12 General Support is 31 Oct 2024 and Long-term Support is until 31 Oct 2027. If the release is not supported by the vendor, this is a finding.
Fix: F-18327r369460_fix
Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.
- RMF Control
- SI-2
- Severity
- Medium
- CCI
- CCI-001227
- Version
- SLES-12-010010
- Vuln IDs
-
- V-217102
- V-77047
- Rule IDs
-
- SV-217102r991589_rule
- SV-91743
Checks: C-18330r369462_chk
Verify the SUSE operating system security patches and updates are installed and up to date. Note: Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). Check for required SUSE operating system patches and updates with the following command: # sudo zypper patch-check 0 patches needed (0 security patches) If the patch repository data is corrupt check that the available package security updates have been installed on the system with the following command: # cut -d "|" -f 1-4 -s --output-delimiter " | " /var/log/zypp/history | grep -v " radd " 2016-12-14 11:59:36 | install | libapparmor1-32bit | 2.8.0-2.4.1 2016-12-14 11:59:36 | install | pam_apparmor | 2.8.0-2.4.1 2016-12-14 11:59:36 | install | pam_apparmor-32bit | 2.8.0-2.4.1 If the SUSE operating system has not been patched within the site or PMO frequency, this is a finding.
Fix: F-18328r369463_fix
Install the applicable SUSE operating system patches available from SUSE by running the following command: # sudo zypper patch
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-000048
- Version
- SLES-12-010020
- Vuln IDs
-
- V-217103
- V-77049
- Rule IDs
-
- SV-217103r958390_rule
- SV-91745
Checks: C-18331r369465_chk
Verify the SUSE operating system displays the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on via the local graphical user interface. Note: If a graphical user interface is not installed, this requirement is Not Applicable. Check the configuration by running the following command: # more /etc/gdm/Xsession The beginning of the file must contain the following text immediately after (#!/bin/sh): if ! zenity --text-info \ --title "Consent" \ --filename=/etc/gdm/banner \ --no-markup \ --checkbox="Accept." 10 10; then sleep 1; exit 1; fi If the beginning of the file does not contain the above text immediately after the line (#!/bin/sh), this is a finding.
Fix: F-18329r369466_fix
Configure the SUSE operating system to display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access. Add the following content to the file "/etc/gdm/Xsession" below the line #!/bin/sh: if ! zenity --text-info \ --title "Consent" \ --filename=/etc/gdm/banner \ --no-markup \ --checkbox="Accept." 10 10; then sleep 1; exit 1; fi Save the file "/etc/gdm/Xsession".
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-000048
- Version
- SLES-12-010030
- Vuln IDs
-
- V-217104
- V-77051
- Rule IDs
-
- SV-217104r958390_rule
- SV-91747
Checks: C-18332r369468_chk
Verify the SUSE operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via local console. Check the "/etc/issue" file to verify that it contains the DoD required banner text: # more /etc/issue The output must display the following DoD-required banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the output does not display the correct banner text, this is a finding.
Fix: F-18330r369469_fix
Configure the SUSE operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via local console by performing the following tasks: Edit the "/etc/issue" file and replace the default text inside with the Standard Mandatory DoD banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-001387
- Version
- SLES-12-010040
- Vuln IDs
-
- V-217105
- V-77053
- Rule IDs
-
- SV-217105r958586_rule
- SV-91749
Checks: C-36356r646676_chk
Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Verify the SUSE operating system to display a banner before local or remote access to the system via a graphical user logon. Check that the SUSE operating system displays a banner at the logon screen by performing the following command: > grep banner-message-enable /etc/dconf/db/gdm.d/* banner-message-enable=true > cat /etc/dconf/profile/gdm user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults If "banner-message-enable" is set to "false" or is missing completely, this is a finding.
Fix: F-36319r646677_fix
Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Configure the SUSE operating system to display a banner before local or remote access to the system via a graphical user logon. Create a database that will contain the system wide graphical user logon settings (if it does not already exist) with the following command: > sudo touch /etc/dconf/db/gdm.d/01-banner-message Add the following line to the "[org/gnome/login-screen]" section of the "/etc/dconf/db/gdm.d/01-banner-message" file: [org/gnome/login-screen] banner-message-enable=true Update the system databases: > sudo dconf update Users must log out and back in again before the system-wide settings take effect.
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-001386
- Version
- SLES-12-010050
- Vuln IDs
-
- V-217106
- V-77055
- Rule IDs
-
- SV-217106r958586_rule
- SV-91751
Checks: C-18334r646679_chk
Verify the SUSE operating system displays the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon. Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Check that the SUSE operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text by performing the following command: > grep banner-message-text /etc/dconf/db/gdm.d/* banner-message-text= "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Note: The "\n" characters are for formatting only. They will not be displayed on the graphical user interface. If the banner text does not exactly match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.
Fix: F-18332r646680_fix
Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Configure the SUSE operating system to display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon. Create a database to contain the system wide graphical user logon settings (if it does not already exist) by performing the following command: > sudo touch /etc/dconf/db/gdm.d/01-banner-message Add the following lines to the "[org/gnome/login-screen]" section of the "dconf/db/gdm.d/01-banner-message" file: [org/gnome/login-screen] banner-message-text="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Note: The "\n" characters are for formatting only. They will not be displayed on the graphical user interface. Run the following command to update the database: > sudo dconf update
- RMF Control
- AC-11
- Severity
- Medium
- CCI
- CCI-000056
- Version
- SLES-12-010060
- Vuln IDs
-
- V-217107
- V-77057
- Rule IDs
-
- SV-217107r1015203_rule
- SV-91753
Checks: C-18335r369477_chk
Verify the SUSE operating system allows the user to lock the GUI. Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. This command must be run from an X11 session, otherwise the command will not work correctly. Run the following command: # gsettings get org.gnome.desktop.lockdown disable-lock-screen If the result is "true", this is a finding.
Fix: F-18333r369478_fix
This command must be run from an X11 session; otherwise, the command will not work correctly. Configure the SUSE operating system to allow the user to lock the graphical user interface. Run the following command to configure the SUSE operating system to allow the user to lock the graphical user interface: # gsettings set org.gnome.desktop.lockdown disable-lock-screen false
- RMF Control
- AC-11
- Severity
- Low
- CCI
- CCI-000060
- Version
- SLES-12-010070
- Vuln IDs
-
- V-217108
- V-77059
- Rule IDs
-
- SV-217108r1015204_rule
- SV-91755
Checks: C-36357r602672_chk
Check that the SUSE operating system has the "vlock" package installed by running the following command: # zypper se -i --provides vlock If the command outputs "no matching items found", this is a finding.
Fix: F-36320r602673_fix
Allow users to lock the console by installing the "kbd" package using zypper: # sudo zypper install kbd
- RMF Control
- AC-11
- Severity
- Medium
- CCI
- CCI-000057
- Version
- SLES-12-010080
- Vuln IDs
-
- V-217109
- V-77061
- Rule IDs
-
- SV-217109r958402_rule
- SV-91757
Checks: C-18337r646682_chk
Verify the SUSE operating system initiates a session lock after a 15-minute period of inactivity via the graphical user interface by running the following command: Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. > sudo gsettings get org.gnome.desktop.session idle-delay uint32 900 If the command does not return a value less than or equal to "900", this is a finding.
Fix: F-18335r646683_fix
Configure the SUSE operating system initiates a session lock after a 15-minute period of inactivity via the graphical user interface by running the following command: Note: This command must be run from an X11 session, otherwise the command will not work correctly. > sudo gsettings set org.gnome.desktop.session idle-delay 900
- RMF Control
- AC-11
- Severity
- Medium
- CCI
- CCI-000057
- Version
- SLES-12-010090
- Vuln IDs
-
- V-217110
- V-77063
- Rule IDs
-
- SV-217110r1015002_rule
- SV-91759
Checks: C-18338r1015000_chk
Verify the SUSE operating system must initiate a session logout after a 10-minute period of inactivity for all connection types. Check the proper script exists to kill an idle session after a 10-minute period of inactivity with the following command: # cat /etc/profile.d/autologout.sh TMOUT=600 readonly TMOUT export TMOUT If the file "/etc/profile.d/autologout.sh" does not exist or the output from the function call is not the same, this is a finding.
Fix: F-18336r1015001_fix
Configure the SUSE operating system to initiate a session lock after a 10-minute period of inactivity by modifying or creating (if it does not already exist) the "/etc/profile.d/autologout.sh" file and add the following lines to it: TMOUT=600 readonly TMOUT export TMOUT Set the proper permissions for the "/etc/profile.d/autologout.sh" file with the following command: # sudo chmod +x /etc/profile.d/autologout.sh
- RMF Control
- AC-11
- Severity
- Low
- CCI
- CCI-000060
- Version
- SLES-12-010100
- Vuln IDs
-
- V-217111
- V-77065
- Rule IDs
-
- SV-217111r958404_rule
- SV-91761
Checks: C-18339r369489_chk
Verify the SUSE operating system conceals via the session lock information previously visible on the display with a publicly viewable image in the graphical user interface. Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Check that the lock screen is set to a publicly viewable image by running the following command: # gsettings get org.gnome.desktop.screensaver picture-uri 'file:///usr/share/wallpapers/SLE-default-static.xml' If nothing is returned or "org.gnome.desktop.screensaver" is not set, this is a finding.
Fix: F-18337r918489_fix
Note: If the system does not have X Windows installed, this requirement is Not Applicable. Configure the SUSE operating system to use a publicly viewable image by finding the Settings menu and then navigate to the Background selection section: - Click "Applications" on the bottom left. - Hover over "System Tools" with the mouse. - Click the "Settings" icon under System Tools. - Click "Background" and then "Lock Screen". - Set the Lock Screen image to the user's choice. - Click "Select". - Exit Settings Dialog.
- RMF Control
- IA-11
- Severity
- High
- CCI
- CCI-002038
- Version
- SLES-12-010110
- Vuln IDs
-
- V-217112
- V-77067
- Rule IDs
-
- SV-217112r1015205_rule
- SV-91763
Checks: C-18340r646685_chk
Verify that the SUSE operating system requires reauthentication when changing authenticators, roles, or escalating privileges. Check that "/etc/sudoers" has no occurrences of "NOPASSWD" or "!authenticate" with the following command: > sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.
Fix: F-18338r369493_fix
Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.
- RMF Control
- AC-10
- Severity
- Low
- CCI
- CCI-000054
- Version
- SLES-12-010120
- Vuln IDs
-
- V-217113
- V-77069
- Rule IDs
-
- SV-217113r958398_rule
- SV-91765
Checks: C-18341r902832_chk
Verify the SUSE operating system limits the number of concurrent sessions to 10 for all accounts and/or account types by running the following command: # grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf The result must contain the following line: * hard maxlogins 10 If the "maxlogins" item is missing, the line does not begin with a star symbol, or the value is not set to "10" or less, this is a finding.
Fix: F-18339r902833_fix
Configure the SUSE operating system to limit the number of concurrent sessions to 10 or less for all accounts and/or account types. Add the following line to "/etc/security/limits.conf" or /etc/security/limits.d/*.conf file: * hard maxlogins 10
- RMF Control
- AC-7
- Severity
- Medium
- CCI
- CCI-000044
- Version
- SLES-12-010130
- Vuln IDs
-
- V-217114
- V-77071
- Rule IDs
-
- SV-217114r958388_rule
- SV-91767
Checks: C-36358r602675_chk
Verify the SUSE operating system locks a user account after three consecutive failed access attempts until the locked account is released by an administrator. Check that the system locks a user account after three consecutive failed login attempts using the following command: # grep pam_tally2.so /etc/pam.d/common-auth auth required pam_tally2.so onerr=fail deny=3 If no line is returned or the line is commented out, this is a finding. If the line is missing "onerr=fail", this is a finding. If the line has "deny" set to a value other than 1, 2, or 3, this is a finding. Check that the system resets the failed login attempts counter after a successful login using the following command: # grep pam_tally2.so /etc/pam.d/common-account account required pam_tally2.so If the account option is missing, or commented out, this is a finding.
Fix: F-36321r602676_fix
Configure the operating system to lock an account when three unsuccessful access attempts occur. Modify the first line of the auth section "/etc/pam.d/common-auth" file to match the following lines: auth required pam_tally2.so onerr=fail silent audit deny=3 Add or modify the following line in the /etc/pam.d/common-account file: account required pam_tally2.so Note: Manual changes to the listed files may be overwritten by the "pam-config" program. The "pam-config" program should not be used to update the configurations listed in this requirement.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010140
- Vuln IDs
-
- V-217116
- V-77073
- Rule IDs
-
- SV-217116r991588_rule
- SV-91769
Checks: C-18344r369504_chk
Verify the SUSE operating system enforces a delay of at least four (4) seconds between logon prompts following a failed logon attempt. Check that the SUSE operating system enforces a delay of at least four (4) seconds between logon prompts following a failed logon attempt with the following command: # grep FAIL_DELAY /etc/login.defs FAIL_DELAY 4 If the value of "FAIL_DELAY" is not set to "4", "FAIL_DELAY" is commented out, or "FAIL_DELAY" is missing, then this is a finding.
Fix: F-18342r369505_fix
Configure the SUSE operating system to enforce a delay of at least four (4) seconds between logon prompts following a failed logon attempt. Add or update the following variable in "/etc/login.defs" to match the line below ("FAIL_DELAY" must have a value of "4" or higher): FAIL_DELAY 4
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000192
- Version
- SLES-12-010150
- Vuln IDs
-
- V-217117
- V-77075
- Rule IDs
-
- SV-217117r1015206_rule
- SV-91771
Checks: C-18345r369507_chk
Verify the SUSE operating system enforces password complexity by requiring that at least one upper-case character. Check that the operating system enforces password complexity by requiring that at least one upper-case character be used by using the following command: # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ucredit=-1 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ucredit=-1", this is a finding.
Fix: F-18343r369508_fix
Configure the SUSE operating system to enforce password complexity by requiring at least one upper-case character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ucredit=-1" after the third column.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000193
- Version
- SLES-12-010160
- Vuln IDs
-
- V-217118
- V-77077
- Rule IDs
-
- SV-217118r1015207_rule
- SV-91773
Checks: C-18346r369510_chk
Verify the SUSE operating system enforces password complexity by requiring that at least one lower-case character. Check that the operating system enforces password complexity by requiring that at least one lower-case character be used by using the following command: # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so lcredit=-1 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "lcredit=-1", this is a finding.
Fix: F-18344r369511_fix
Configure the SUSE operating system to enforce password complexity by requiring at least one lower-case character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "lcredit=-1" after the third column.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000194
- Version
- SLES-12-010170
- Vuln IDs
-
- V-217119
- V-77079
- Rule IDs
-
- SV-217119r1015208_rule
- SV-91775
Checks: C-18347r369513_chk
Verify the SUSE operating system enforces password complexity by requiring that at least one numeric character. Check that the operating system enforces password complexity by requiring that at least one numeric character be used by using the following command: # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so dcredit=-1 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "dcredit=-1", this is a finding.
Fix: F-18345r369514_fix
Configure the SUSE operating system to enforce password complexity by requiring at least one numeric character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "dcredit=-1" after the third column.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-001619
- Version
- SLES-12-010180
- Vuln IDs
-
- V-217120
- V-77081
- Rule IDs
-
- SV-217120r1015209_rule
- SV-91777
Checks: C-18348r369516_chk
Verify the SUSE operating system enforces password complexity by requiring that at least one special character. Check that the operating system enforces password complexity by requiring that at least one special character be used by using the following command: # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ocredit=-1 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ocredit=-1", this is a finding.
Fix: F-18346r369517_fix
Configure the SUSE operating system to enforce password complexity by requiring at least one special character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ocredit=-1" after the third column.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000195
- Version
- SLES-12-010190
- Vuln IDs
-
- V-217121
- V-77087
- Rule IDs
-
- SV-217121r1015210_rule
- SV-91783
Checks: C-18349r369519_chk
Verify the SUSE operating system requires at least eight (8) characters be changed between the old and new passwords during a password change. Check that the operating system requires at least eight (8) characters be changed between the old and new passwords during a password change by running the following command: # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so difok=8 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "difok", or the value is less than "8", this is a finding.
Fix: F-18347r369520_fix
Configure the SUSE operating system to require at least eight characters be changed between the old and new passwords during a password change with the following command: Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "difok=8" after the third column.
- RMF Control
- IA-7
- Severity
- Medium
- CCI
- CCI-000803
- Version
- SLES-12-010210
- Vuln IDs
-
- V-217122
- V-77093
- Rule IDs
-
- SV-217122r971535_rule
- SV-91789
Checks: C-18350r646687_chk
Verify the SUSE operating system requires that the "ENCRYPT_METHOD" value in "/etc/login.defs" is set to "SHA512". Check the value of "ENCRYPT_METHOD" value in "/etc/login.defs" with the following command: > grep "^ENCRYPT_METHOD " /etc/login.defs ENCRYPT_METHOD SHA512 If "ENCRYPT_METHOD" is not set to "SHA512", if any values other that "SHA512" are configured, or if no output is produced, this is a finding.
Fix: F-18348r646688_fix
Configure the SUSE operating system to require "ENCRYPT_METHOD" of "SHA512". Edit the "/etc/login.defs" file with the following line: ENCRYPT_METHOD SHA512
- RMF Control
- IA-7
- Severity
- Medium
- CCI
- CCI-000803
- Version
- SLES-12-010220
- Vuln IDs
-
- V-217123
- V-77099
- Rule IDs
-
- SV-217123r1015211_rule
- SV-91795
Checks: C-18351r646690_chk
Verify the SUSE operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command: > sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6", this is a finding.
Fix: F-18349r646691_fix
Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "ENCRYPT_METHOD" to have a value of "SHA512". ENCRYPT_METHOD SHA512 Lock all interactive user accounts not using SHA512 hashing until the passwords can be regenerated.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000196
- Version
- SLES-12-010230
- Vuln IDs
-
- V-217124
- V-77105
- Rule IDs
-
- SV-217124r1015212_rule
- SV-91801
Checks: C-18352r369528_chk
Verify the SUSE operating system configures the Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. Check that PAM is configured to create SHA512 hashed passwords by running the following command: # grep pam_unix.so /etc/pam.d/common-password password required pam_unix.so sha512 If the command does not return anything or the returned line is commented out, has a second column value different from "required", or does not contain "sha512", this is a finding.
Fix: F-18350r369529_fix
Configure the SUSE operating system Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third column. Remove the "nullok" option.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010231
- Vuln IDs
-
- V-217125
- V-81785
- Rule IDs
-
- SV-217125r991589_rule
- SV-96499
Checks: C-18353r369531_chk
Verify the SUSE operating is not configured to allow blank or null passwords. Check that blank or null passwords cannot be used by running the following command: # grep pam_unix.so /etc/pam.d/* | grep nullok If this produces any output, it may be possible to log on with accounts with empty passwords. If null passwords can be used, this is a finding.
Fix: F-18351r369532_fix
Configure the SUSE operating system to not allow blank or null passwords. Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password" to prevent logons with empty passwords.
- RMF Control
- IA-7
- Severity
- Medium
- CCI
- CCI-000803
- Version
- SLES-12-010240
- Vuln IDs
-
- V-217126
- V-77107
- Rule IDs
-
- SV-217126r1015213_rule
- SV-91803
Checks: C-18354r369534_chk
Verify the SUSE operating system configures the shadow password suite configuration to encrypt passwords using a strong cryptographic hash. Check that a minimum number of hash rounds is configured by running the following command: egrep "^SHA_CRYPT_" /etc/login.defs If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding. If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.
Fix: F-18352r369535_fix
Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000": SHA_CRYPT_MIN_ROUNDS 5000
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000205
- Version
- SLES-12-010250
- Vuln IDs
-
- V-217127
- V-77109
- Rule IDs
-
- SV-217127r1015214_rule
- SV-91805
Checks: C-18355r369537_chk
Verify the SUSE operating system enforces a minimum 15-character password length. Check that the operating system enforces a minimum 15-character password length with the following command: # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so minlen=15 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "minlen" value, or the value is less than "15", this is a finding.
Fix: F-18353r369538_fix
Configure the SUSE operating system to enforce a minimum 15-character password length. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "minlen=15" after the third column. The DoD standard requires a minimum 15-character password length.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000198
- Version
- SLES-12-010260
- Vuln IDs
-
- V-217128
- V-77111
- Rule IDs
-
- SV-217128r1015215_rule
- SV-91807
Checks: C-18356r646693_chk
Verify the SUSE operating system to create or update passwords with minimum password age of one day or greater. Check that the SUSE operating system enforces 24 hours/one day as the minimum password age, run the following command: > grep '^PASS_MIN_DAYS' /etc/login.defs PASS_MIN_DAYS 1 If no output is produced, or if "PASS_MIN_DAYS" does not have a value of "1" or greater, this is a finding.
Fix: F-18354r646694_fix
Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: PASS_MIN_DAYS [DAYS] The DoD requirement is "1" but a greater value is acceptable.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000198
- Version
- SLES-12-010270
- Vuln IDs
-
- V-217129
- V-77113
- Rule IDs
-
- SV-217129r1015216_rule
- SV-91809
Checks: C-18357r646696_chk
Verify the SUSE operating system enforces a minimum time period between password changes for each user account of one day or greater. Check the minimum time period between password changes for each user account with the following command: > sudo awk -F: '$4 < 1 {print $1 ":" $4}' /etc/shadow smithj:1 If any results are returned that are not associated with a system account, this is a finding.
Fix: F-18355r646697_fix
Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age for user accounts. Change the minimum time period between password changes for each [USER] account to "1" day with the command, replacing [USER] with the user account that must be changed: > sudo passwd -n 1 [USER]
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000199
- Version
- SLES-12-010280
- Vuln IDs
-
- V-217130
- V-77115
- Rule IDs
-
- SV-217130r1015217_rule
- SV-91811
Checks: C-18358r646699_chk
Verify that the SUSE operating system is configured to create or update passwords with a maximum password age of 60 days or less. Check that the SUSE operating system enforces 60 days or less as the maximum password age with the following command: > grep '^PASS_MAX_DAYS' /etc/login.defs The DoD requirement is "60" days or less (greater than zero, as zero days will lock the account immediately). If no output is produced, or if PASS_MAX_DAYS is not set to "60" days or less, this is a finding.
Fix: F-18356r646700_fix
Configure the SUSE operating system to enforce a maximum password age of 60 days or less. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: PASS_MAX_DAYS [DAYS] The DoD requirement is 60 days or less (greater than zero, as zero days will lock the account immediately).
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000199
- Version
- SLES-12-010290
- Vuln IDs
-
- V-217131
- V-77117
- Rule IDs
-
- SV-217131r1015218_rule
- SV-91813
Checks: C-18359r646702_chk
Verify that the SUSE operating system enforces a maximum user password age of 60 days or less. Check that the SUSE operating system enforces 60 days or less as the maximum user password age with the following command: > sudo awk -F: '$5 > 60 || $5 == "" {print $1 ":" $5}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding.
Fix: F-18357r646703_fix
Configure the SUSE operating system to enforce a maximum password age of each [USER] account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance: > sudo passwd -x 60 [USER] The DoD requirement is 60 days.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010320
- Vuln IDs
-
- V-217134
- V-77123
- Rule IDs
-
- SV-217134r991587_rule
- SV-91819
Checks: C-18362r369558_chk
Verify the SUSE operating system prevents the use of dictionary words for passwords. Check that the SUSE operating system prevents the use of dictionary words for passwords with the following command: # grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so retry=3 If the command does not return anything, or the returned line is commented out, this is a finding. If the value of "retry" is greater than 3, this is a finding.
Fix: F-18360r369559_fix
Configure the SUSE operating system to prevent the use of dictionary words for passwords. Edit "/etc/pam.d/common-password" and add the following line: password requisite pam_cracklib.so retry=3
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001682
- Version
- SLES-12-010330
- Vuln IDs
-
- V-217135
- V-77125
- Rule IDs
-
- SV-217135r958508_rule
- SV-91821
Checks: C-18363r369561_chk
Verify the SUSE operating system is configured such that emergency administrator accounts are never automatically removed or disabled. Note: Root is typically the "account of last resort" on a system and is also used as the example emergency administrator account. If another account is being used as the emergency administrator account, the command should be used against that account. Check to see if the root account password or account expires with the following command: # sudo chage -l [Emergency_Administrator] Password expires:never If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.
Fix: F-18361r369562_fix
Configure the SUSE operating system to never automatically remove or disable emergency administrator accounts. Replace "[Emergency_Administrator]" in the following command with the correct emergency administrator account. Run the following command as an administrator: # sudo chage -I -1 -M 99999 [Emergency_Administrator]
- RMF Control
- IA-4
- Severity
- Medium
- CCI
- CCI-000795
- Version
- SLES-12-010340
- Vuln IDs
-
- V-217136
- V-77127
- Rule IDs
-
- SV-217136r1015219_rule
- SV-91823
Checks: C-18364r928526_chk
Verify the SUSE operating system disables account identifiers after 35 days of inactivity since the password expiration Check the account inactivity value by performing the following command: # sudo grep -i inactive /etc/default/useradd INACTIVE=35 If "INACTIVE" is not set to a value greater than "0" and less than or equal to "35", this is a finding.
Fix: F-18362r928527_fix
Configure the SUSE operating system to disable account identifiers after 35 days of inactivity since the password expiration. Run the following command to change the configuration for "useradd" to disable the account identifier after 35 days: # sudo useradd -D -f 35 DOD recommendation is 35 days, but a lower value greater than "0" is acceptable.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010370
- Vuln IDs
-
- V-217138
- V-77131
- Rule IDs
-
- SV-217138r991588_rule
- SV-91827
Checks: C-18366r369570_chk
Verify the SUSE operating system enforces a delay of at least four seconds between logon prompts following a failed logon attempt. # grep pam_faildelay /etc/pam.d/common-auth* auth required pam_faildelay.so delay=4000000 If the value of "delay" is not set to "4000000" or greater, "delay" is commented out, "delay" is missing, or the "pam_faildelay" line is missing completely, this is a finding.
Fix: F-18364r369571_fix
Configure the SUSE operating system to enforce a delay of at least four seconds between logon prompts following a failed logon attempt. Edit the file "/etc/pam.d/common-auth". Add a parameter "pam_faildelay" and set it to a value of "4000000" or greater: # delay is in micro seconds auth required pam_faildelay.so delay=4000000
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SLES-12-010380
- Vuln IDs
-
- V-217139
- V-77133
- Rule IDs
-
- SV-217139r991591_rule
- SV-91829
Checks: C-18367r646705_chk
Note: If a graphical user interface is not installed, this requirement is Not Applicable. Verify the SUSE operating system does not allow unattended or automatic logon via a graphical user interface. Check that unattended or automatic login is disabled with the following commands: > grep -i ^DISPLAYMANAGER_AUTOLOGIN /etc/sysconfig/displaymanager DISPLAYMANAGER_AUTOLOGIN="" > grep -i ^DISPLAYMANAGER_PASSWORD_LESS_LOGIN /etc/sysconfig/displaymanager DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" If the "DISPLAYMANAGER_AUTOLOGIN" parameter includes a username or the "DISPLAYMANAGER_PASSWORD_LESS_LOGIN" parameter is not set to "no", this is a finding.
Fix: F-18365r646706_fix
Note: If a graphical user interface is not installed, this requirement is Not Applicable. Configure the SUSE operating system graphical user interface to not allow unattended or automatic logon to the system. Add or edit the following lines in the "/etc/sysconfig/displaymanager" configuration file: DISPLAYMANAGER_AUTOLOGIN="" DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
- RMF Control
- AC-9
- Severity
- Low
- CCI
- CCI-000052
- Version
- SLES-12-010390
- Vuln IDs
-
- V-217140
- V-77135
- Rule IDs
-
- SV-217140r991589_rule
- SV-91831
Checks: C-18368r646708_chk
Verify the SUSE operating system users are provided with feedback on when account accesses last occurred. Check that "pam_lastlog" is used and not silent with the following command: > grep pam_lastlog /etc/pam.d/login session required pam_lastlog.so showfailed If "pam_lastlog" is missing from "/etc/pam.d/login" file, the "silent" option is present, or the returned line is commented out, this is a finding.
Fix: F-18366r369577_fix
Configure the SUSE operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login". Add the following line to the top of "/etc/pam.d/login": session required pam_lastlog.so showfailed
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SLES-12-010400
- Vuln IDs
-
- V-217141
- V-77137
- Rule IDs
-
- SV-217141r991589_rule
- SV-91833
Checks: C-18369r369579_chk
Verify there are no ".shosts" files on the SUSE operating system. Check the system for the existence of these files with the following command: # find / -name '.shosts' If any ".shosts" files are found on the system, this is a finding.
Fix: F-18367r369580_fix
Remove any ".shosts" files found on the SUSE operating system. # rm /[path]/[to]/[file]/.shosts
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SLES-12-010410
- Vuln IDs
-
- V-217142
- V-77139
- Rule IDs
-
- SV-217142r991589_rule
- SV-91835
Checks: C-18370r369582_chk
Verify there are no "shosts.equiv" files on the SUSE operating system. Check the system for the existence of these files with the following command: # find /etc -name shosts.equiv If any "shosts.equiv" files are found on the system, this is a finding.
Fix: F-18368r369583_fix
Remove any "shosts.equiv" files found on the SUSE operating system. # rm /[path]/[to]/[file]/shosts.equiv
- RMF Control
- SC-13
- Severity
- Medium
- CCI
- CCI-002450
- Version
- SLES-12-010420
- Vuln IDs
-
- V-217143
- V-77141
- Rule IDs
-
- SV-217143r959006_rule
- SV-91837
Checks: C-18371r369585_chk
Verify the SUSE operating system is running in FIPS mode by running the following command. # cat /proc/sys/crypto/fips_enabled 1 If nothing is returned, the file does not exist, or the value returned is "0", this is a finding.
Fix: F-18369r369586_fix
To configure the SUSE operating system to run in FIPS mode, add "fips=1" to the kernel parameter during the SUSE operating system install. Enabling FIPS mode on a preexisting system involves a number of modifications to the SUSE operating system. Refer to section 9.1, "Crypto Officer Guidance", of the following document for installation guidance: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdf
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- SLES-12-010430
- Vuln IDs
-
- V-217144
- V-77143
- Rule IDs
-
- SV-217144r958472_rule
- SV-91839
Checks: C-18372r369588_chk
Verify that the SUSE operating system has set an encrypted root password. Note: If the system does not use a basic input/output system (BIOS) this requirement is Not Applicable. Check that the encrypted password is set for a boot user with the following command: # sudo cat /boot/grub2/grub.cfg | grep -i password password_pbkdf2 boot grub.pbkdf2.sha512.10000.VeryLongString If the boot user password entry does not begin with "password_pbkdf2", this is a finding.
Fix: F-18370r369589_fix
Note: If the system does not use a basic input/output system (BIOS) this requirement is Not Applicable. Configure the SUSE operating system to encrypt the boot password. Generate an encrypted (GRUB2) password for root with the following command: # sudo grub2-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following command to add a password for the boot user entry: # cat << EOF set superusers="boot" password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString EOF Generate an updated "grub.conf" file with the new password using the following commands: # sudo grub2-mkconfig --output=/tmp/grub2.cfg # sudo mv /tmp/grub2.cfg /boot/grub2/grub.cfg
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-000213
- Version
- SLES-12-010440
- Vuln IDs
-
- V-217145
- V-77145
- Rule IDs
-
- SV-217145r958472_rule
- SV-91841
Checks: C-18373r369591_chk
Verify that the SUSE operating system has set an encrypted boot password. Note: If the system does not use Unified Extensible Firmware Interface (UEFI) this requirement is Not Applicable. Check that the encrypted password is set for a boot user with the following command: # sudo cat /boot/efi/EFI/sles/grub.cfg | grep -i password password_pbkdf2 boot grub.pbkdf2.sha512.10000.VeryLongString If the boot user password entry does not begin with "password_pbkdf2", this is a finding.
Fix: F-18371r369592_fix
Note: If the system does not use UEFI, this requirement is Not Applicable. Configure the SUSE operating system to encrypt the boot password. Generate an encrypted (GRUB 2) password for a boot user with the following command: # sudo grub2-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following command to add a boot password for the root entry: # cat << EOF set superusers="boot" password_pbkdf2 boot grub.pbkdf2.sha512.VeryLongString EOF Generate an updated "grub.conf" file with the new password using the following commands: # sudo grub2-mkconfig --output=/tmp/grub2.cfg # sudo mv /tmp/grub2.cfg /boot/efi/EFI/sles/grub.cfg
- RMF Control
- SC-28
- Severity
- High
- CCI
- CCI-001199
- Version
- SLES-12-010450
- Vuln IDs
-
- V-217146
- V-77147
- Rule IDs
-
- SV-217146r1015305_rule
- SV-91843
Checks: C-18374r369594_chk
Verify the SUSE operating system prevents unauthorized disclosure or modification of all information requiring at rest protection by using disk encryption. Determine the partition layout for the system with the following command: # sudo fdisk -l Device Boot Start End Sectors Size Id Type /dev/sda1 2048 4208639 4206592 2G 82 Linux swap / Solaris /dev/sda2 * 4208640 53479423 49270784 23.5G 83 Linux /dev/sda3 53479424 125829119 72349696 34.5G 83 Linux Verify the system partitions are all encrypted with the following command: # sudo more /etc/crypttab luks UUID=114167a-2a94-6cda-f1e7-15ad146c258b swap /dev/sda1 /dev/urandom swap truecrypt /dev/sda2 /etc/container_password tcrypt truecrypt /dev/sda3 /etc/container_password tcrypt Every persistent disk partition present on the system must have an entry in the file. If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.
Fix: F-18372r369595_fix
Configure the SUSE operating system to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already-installed system is more difficult because of the need to resize and change existing partitions. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted partition by default. Add it manually in the partitioning dialog. Refer to the document "SUSE 12 Security Guide", Section 11.1, for a detailed disk encryption guide: https://www.suse.com/documentation/sles-12/book_security/data/sec_security_cryptofs_y2.html#sec_security_cryptofs_y2_part_run
- RMF Control
- SC-4
- Severity
- Medium
- CCI
- CCI-001090
- Version
- SLES-12-010460
- Vuln IDs
-
- V-217147
- V-77149
- Rule IDs
-
- SV-217147r958524_rule
- SV-91845
Checks: C-18375r369597_chk
Verify the SUSE operating system prevents unauthorized and unintended information transfer via the shared system resources. Note: The example below should be repeated for each locally defined partition. Check that world-writable directories have the sticky bit set with the following command: # sudo find / -xdev -perm -002 -type d -fstype xfs -exec ls -lLd {} \; 256 0 drwxrwxrwt 1 root root 4096 Jun 14 06:45 /tmp If any of the returned directories do not have the sticky bit set, or are not documented as having the write permission for the other class, this is a finding.
Fix: F-18373r369598_fix
Configure the SUSE operating system shared system resources to prevent any unauthorized and unintended information transfer by setting the sticky bit for all world-writable directories. An example of a world-writable directory is "/tmp" directory. Set the sticky bit on all of the world-writable directories (using the "/tmp" directory as an example) with the following command: # sudo chmod 1777 /tmp For every world-writable directory, replace "/tmp" in the command above with the world-writable directory that does not have the sticky bit set.
- RMF Control
- SI-6
- Severity
- Medium
- CCI
- CCI-002696
- Version
- SLES-12-010500
- Vuln IDs
-
- V-217148
- V-77151
- Rule IDs
-
- SV-217148r958794_rule
- SV-91847
Checks: C-18376r902838_chk
Verify the SUSE operating system checks the baseline configuration for unauthorized changes at least once weekly. Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week. Check for a "crontab" that controls the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command: # sudo crontab -l 0 0 * * 6 /usr/bin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil If the file integrity application does not exist, or a "crontab" entry does not exist, check the cron directories for a script that runs the file integrity application: # ls -al /etc/cron.daily /etc/cron.weekly Inspect the file and ensure that the file integrity tool is being executed. If a file integrity tool is not configured in the crontab or in a script that runs at least weekly, this is a finding.
Fix: F-18374r902839_fix
Configure the SUSE operating system to check the baseline configuration for unauthorized changes at least once weekly. Configure the file integrity tool to automatically run on the system at least weekly. The following example output is generic. It will set cron to run AIDE weekly, but other file integrity tools may be used: # sudo crontab -l 0 0 * * 6 /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil Note: Per requirement SLES-12-010498, the "mailx" package must be installed on the system to enable email functionality.
- RMF Control
- SI-6
- Severity
- Medium
- CCI
- CCI-002702
- Version
- SLES-12-010510
- Vuln IDs
-
- V-217149
- V-77153
- Rule IDs
-
- SV-217149r958948_rule
- SV-91849
Checks: C-18377r902841_chk
Verify the SUSE operating system notifies the SA when AIDE discovers anomalies in the operation of any security functions. Check to see if the aide cron job sends an email when executed with the following command: # sudo crontab -l 0 0 * * 6 /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil If a "crontab" entry does not exist, check the cron directories for a script that runs the file integrity application and is configured to execute a binary to send an email: # ls -al /etc/cron.daily /etc/cron.weekly If a cron job is not configured to execute a binary to send an email (such as "/bin/mail"), this is a finding.
Fix: F-18375r902842_fix
Configure the SUSE operating system to notify the SA when AIDE discovers anomalies in the operation of any security functions. Add following command to a cron job replacing the "[E-MAIL]" parameter with a proper email address for the SA: /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil Note: Per requirement SLES-12-010498, the "mailx" package must be installed on the system to enable email functionality.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SLES-12-010520
- Vuln IDs
-
- V-217150
- V-77155
- Rule IDs
-
- SV-217150r991589_rule
- SV-91851
Checks: C-18378r880938_chk
Verify that the SUSE operating system file integrity tool is configured to verify ACLs. Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists. An example rule that includes the "acl" rule follows: All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux /bin All # apply the custom rule to the files in bin /sbin All # apply the same custom rule to the files in sbin If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.
Fix: F-18376r369607_fix
Configure the SUSE operating system file integrity tool to check file and directory ACLs. If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SLES-12-010530
- Vuln IDs
-
- V-217151
- V-77157
- Rule IDs
-
- SV-217151r991589_rule
- SV-91853
Checks: C-18379r880940_chk
Verify that the SUSE operating system file integrity tool is configured to verify extended attributes. Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists. An example rule that includes the "xattrs" rule follows: All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux /bin All # apply the custom rule to the files in bin /sbin All # apply the same custom rule to the files in sbin If the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.
Fix: F-18377r369610_fix
Configure the SUSE operating system file integrity tool to check file and directory extended attributes. If AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists.
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001496
- Version
- SLES-12-010540
- Vuln IDs
-
- V-217152
- V-77159
- Rule IDs
-
- SV-217152r991567_rule
- SV-91855
Checks: C-18380r369612_chk
Verify that the SUSE operating system file integrity tool is configured to protect the integrity of the audit tools. Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command: # sudo cat /etc/aide.conf | grep /usr/sbin/au /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 If AIDE is configured properly to protect the integrity of the audit tools, all lines listed above will be returned from the command. If one or more lines are missing, this is a finding.
Fix: F-18378r369613_fix
Configure the SUSE operating system file integrity tool to protect the integrity of the audit tools. Add or update the following lines to "/etc/aide.conf" to protect the integrity of the audit tools: # audit tools /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001749
- Version
- SLES-12-010550
- Vuln IDs
-
- V-217153
- V-77161
- Rule IDs
-
- SV-217153r1015220_rule
- SV-91857
Checks: C-18381r646714_chk
Verify that the SUSE operating system tool zypper has gpgcheck enabled. Check that zypper has gpgcheck enabled with the following command: > grep -i '^gpgcheck' /etc/zypp/zypp.conf gpgcheck = 1 If "gpgcheck" is set to "0", "off", "no", or "false", this is a finding.
Fix: F-18379r646715_fix
Configure that the SUSE operating system tool zypper to enable gpgcheck by editing or adding the following line to "/etc/zypp/zypp.conf": gpgcheck = 1
- RMF Control
- SI-2
- Severity
- Medium
- CCI
- CCI-002617
- Version
- SLES-12-010570
- Vuln IDs
-
- V-217154
- V-77163
- Rule IDs
-
- SV-217154r958936_rule
- SV-91859
Checks: C-18382r369618_chk
Verify the SUSE operating system removes all outdated software components after updated version have been installed by running the following command: # grep -i upgraderemovedroppedpackages /etc/zypp/zypp.conf solver.upgradeRemoveDroppedPackages = true If "solver.upgradeRemoveDroppedPackages" is commented out, is set to "false", or is missing completely, this is a finding.
Fix: F-18380r369619_fix
Configure the SUSE operating system to remove all outdated software components after an update by editing the following line in "/etc/zypp/zypp.conf" to match the one provided below: solver.upgradeRemoveDroppedPackages = true
- RMF Control
- IA-3
- Severity
- Medium
- CCI
- CCI-001958
- Version
- SLES-12-010580
- Vuln IDs
-
- V-217155
- V-77165
- Rule IDs
-
- SV-217155r958820_rule
- SV-91861
Checks: C-18383r369621_chk
Verify the SUSE operating system does not automount USB mass storage devices when connected to the host. Check that "usb-storage" is blacklisted in the "/etc/modprobe.d/50-blacklist.conf" file with the following command: # grep usb-storage /etc/modprobe.d/50-blacklist.conf blacklist usb-storage If nothing is output from the command, this is a finding.
Fix: F-18381r369622_fix
Configure the SUSE operating system to prevent USB mass storage devices from automounting when connected to the host. Add or update the following line to the "/etc/modprobe.d/50-blacklist.conf" file: blacklist usb-storage
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010590
- Vuln IDs
-
- V-217156
- V-77167
- Rule IDs
-
- SV-217156r958498_rule
- SV-91863
Checks: C-18384r369624_chk
Verify the SUSE operating system disables the ability to automount devices. Check to see if automounter service is active with the following command: # systemctl status autofs autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fix: F-18382r369625_fix
Configure the SUSE operating system to disable the ability to automount devices. Turn off the automount service with the following command: # systemctl stop autofs # systemctl disable autofs If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-001774
- Version
- SLES-12-010600
- Vuln IDs
-
- V-217158
- V-77169
- Rule IDs
-
- SV-217158r958702_rule
- SV-91865
Checks: C-18386r646717_chk
Verify that the SUSE operating system Apparmor tool is configured to control whitelisted applications and user home directory access control. Check that "pam_apparmor" is installed on the system with the following command: > zypper info pam_apparmor | grep "Installed" If the package "pam_apparmor" is not installed on the system, this is a finding. Check that the "apparmor" daemon is running with the following command: > systemctl status apparmor.service | grep -i active Active: active (exited) since Fri 2017-01-13 01:01:01 GMT; 1day 1h ago If something other than "Active: active" is returned, this is a finding. Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.
Fix: F-18384r646718_fix
Configure the SUSE operating system to blacklist all applications by default and permit by whitelist. Install "pam_apparmor" (if it is not installed) with the following command: > sudo zypper in pam_apparmor Enable/activate "Apparmor" (if it is not already active) with the following command: > sudo systemctl enable apparmor.service Start "Apparmor" with the following command: > sudo systemctl start apparmor.service Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SLES-12-010610
- Vuln IDs
-
- V-217159
- V-77171
- Rule IDs
-
- SV-217159r991589_rule
- SV-91867
Checks: C-18387r646720_chk
Verify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. Check that the ctrl-alt-del.target is masked with the following command: > systemctl status ctrl-alt-del.target Loaded: masked (/dev/null; masked) Active: inactive (dead) If the ctrl-alt-del.target is not masked, this is a finding.
Fix: F-18385r646721_fix
Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: > sudo systemctl disable ctrl-alt-del.target > sudo systemctl mask ctrl-alt-del.target And reload the daemon to take effect > sudo systemctl daemon-reload
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SLES-12-010611
- Vuln IDs
-
- V-217160
- V-98987
- Rule IDs
-
- SV-217160r991589_rule
- SV-108091
Checks: C-18388r646723_chk
Note: If a graphical user interface is not installed, this requirement is Not Applicable. Verify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed in the graphical user interface. Check that the dconf setting was disabled to allow the Ctrl-Alt-Delete sequence in the graphical user interface with the following command: Check the default logout key sequence: > sudo gsettings get org.gnome.settings-daemon.plugins.media-keys logout '' Check that the value is not writable and cannot be changed by the user: > sudo gsettings writable org.gnome.settings-daemon.plugins.media-keys logout false If the logout value is not [''] and the writable status is not false, this is a finding.
Fix: F-18386r646724_fix
Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface. Create a database to contain the system-wide setting (if it does not already exist) with the following steps: 1. Create a user profile and with the listed content: /etc/dconf/profile/user user-db:user system-db:local 2. Create the following directories: > sudo mkdir -p /etc/dconf/db/local.d/ > sudo mkdir -p /etc/dconf/db/local.d/locks/ 3. Add the following files with the listed content: /etc/dconf/db/local.d/01-fips-settings [org/gnome/settings-daemon/plugins/media-keys] logout='' /etc/dconf/db/local.d/locks/01-fips-locks /org/gnome/settings-daemon/plugins/media-keys/logout 4. Update the dconf database: > sudo dconf update
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010620
- Vuln IDs
-
- V-217161
- V-77173
- Rule IDs
-
- SV-217161r991590_rule
- SV-91869
Checks: C-18389r369639_chk
Verify the SUSE operating system defines default permissions for all authenticated users in such a way that the users can only read and modify their own files. Check the system default permissions with the following command: # grep -i "umask" /etc/login.defs UMASK 077 If the "UMASK" variable is set to "000", the severity is raised to a CAT I, and this is a finding. If the value of "UMASK" is not set to "077", "UMASK" is commented out, or "UMASK" is missing completely, this is a finding.
Fix: F-18387r369640_fix
Configure the SUSE operating system to define the default permissions for all authenticated users in such a way that the users can only read and modify their own files. Add or edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below: UMASK 077
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010630
- Vuln IDs
-
- V-217162
- V-77175
- Rule IDs
-
- SV-217162r991589_rule
- SV-91871
Checks: C-18390r369642_chk
Verify all SUSE operating system accounts are assigned to an active system, application, or user account. Obtain the list of authorized system accounts from the Information System Security Officer (ISSO). Check the system accounts on the system with the following command: # more /etc/passwd root:x:0:0:root:/root:/bin/bash ... games:x:12:100:Games account:/var/games:/bin/bash Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. If the accounts on the system do not match the provided documentation, this is a finding.
Fix: F-18388r369643_fix
Configure the SUSE operating system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. Document all authorized accounts on the system.
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-000764
- Version
- SLES-12-010640
- Vuln IDs
-
- V-217163
- V-77177
- Rule IDs
-
- SV-217163r958482_rule
- SV-91873
Checks: C-18391r369645_chk
Verify the SUSE operating system contains no duplicate UIDs for interactive users. Check that the SUSE operating system contains no duplicate UIDs for interactive users by running the following command: # awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, this is a finding.
Fix: F-18389r369646_fix
Configure the SUSE operating system to contain no duplicate UIDs for interactive users. Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SLES-12-010650
- Vuln IDs
-
- V-217164
- V-77179
- Rule IDs
-
- SV-217164r991589_rule
- SV-91875
Checks: C-18392r369648_chk
Verify that the SUSE operating system root account is the only account with unrestricted access to the system. Check the system for duplicate UID "0" assignments with the following command: # awk -F: '$3 == 0 {print $1}' /etc/passwd root If any accounts other than root have a UID of "0", this is a finding.
Fix: F-18390r369649_fix
Change the UID of any account on the SUSE operating system, other than the root account, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-002007
- Version
- SLES-12-010670
- Vuln IDs
-
- V-217166
- V-77183
- Rule IDs
-
- SV-217166r958828_rule
- SV-91879
Checks: C-18394r369654_chk
If NSS is not used on the operating system, this is Not Applicable. If NSS is used by the SUSE operating system, verify it prohibits the use of cached authentications after one day. Check that cached authentications cannot be used after one day with the following command: # sudo grep -i "memcache_timeout" /etc/sssd/sssd.conf memcache_timeout = 86400 If "memcache_timeout" has a value greater than "86400", or is missing, this is a finding.
Fix: F-18392r369655_fix
Configure NSS, if used by the SUSE operating system, to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[nss]": memcache_timeout = 86400
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-002007
- Version
- SLES-12-010680
- Vuln IDs
-
- V-217167
- V-77185
- Rule IDs
-
- SV-217167r958828_rule
- SV-91881
Checks: C-18395r369657_chk
If SSSD is not being used on the operating system, this is Not Applicable. Verify that the SUSE operating system Pluggable Authentication Modules (PAM) prohibits the use of cached off line authentications after one day. Check that cached off line authentications cannot be used after one day with the following command: # sudo grep "offline_credentials_expiration" /etc/sssd/sssd.conf offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to a value of "1", this is a finding.
Fix: F-18393r369658_fix
Configure the SUSE operating system PAM to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]": offline_credentials_expiration = 1
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-002165
- Version
- SLES-12-010690
- Vuln IDs
-
- V-217168
- V-77187
- Rule IDs
-
- SV-217168r991589_rule
- SV-91883
Checks: C-18396r369660_chk
Verify that all SUSE operating system files and directories on the system have a valid owner. Check the owner of all files and directories with the following command: Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. # find / -fstype xfs -nouser If any files on the system do not have an assigned owner, this is a finding.
Fix: F-18394r369661_fix
Either remove all files and directories from the SUSE operating system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command: # sudo chown <user> <file>
- RMF Control
- AC-3
- Severity
- Medium
- CCI
- CCI-002165
- Version
- SLES-12-010700
- Vuln IDs
-
- V-217169
- V-77193
- Rule IDs
-
- SV-217169r991589_rule
- SV-91889
Checks: C-18397r369663_chk
Verify all SUSE operating system files and directories on the system have a valid group. Check the owner of all files and directories with the following command: Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. # find / -fstype xfs -nogroup If any files on the system do not have an assigned group, this is a finding.
Fix: F-18395r369664_fix
Either remove all files and directories from the SUSE operating system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command: # sudo chgrp <group> <file>
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010710
- Vuln IDs
-
- V-217170
- V-77197
- Rule IDs
-
- SV-217170r991589_rule
- SV-91893
Checks: C-18398r646726_chk
Verify SUSE operating system local interactive users on the system have a home directory assigned. Check for missing local interactive user home directories with the following command: > sudo pwck -r user 'smithj': directory '/home/smithj' does not exist Ask the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command: > sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd If any interactive users do not have a home directory assigned, this is a finding.
Fix: F-18396r646727_fix
Assign home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned. Assign a home directory to users via the usermod command: > sudo usermod -d /home/smithj smithj
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010720
- Vuln IDs
-
- V-217171
- V-77199
- Rule IDs
-
- SV-217171r991589_rule
- SV-91895
Checks: C-18399r369669_chk
Verify all SUSE operating system local interactive users on the system are assigned a home directory upon creation. Check to see if the system is configured to create home directories for local interactive users with the following command: # grep -i create_home /etc/login.defs CREATE_HOME yes If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.
Fix: F-18397r369670_fix
Configure the SUSE operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. CREATE_HOME yes
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010730
- Vuln IDs
-
- V-217172
- V-77203
- Rule IDs
-
- SV-217172r991589_rule
- SV-91899
Checks: C-18400r622348_chk
Verify the assigned home directory of all SUSE operating system local interactive users on the system exists. Check the home directory assignment for all local interactive non-privileged users on the system with the following command: # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $6}' /etc/passwd smithj /home/smithj Note: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. Check that all referenced home directories exist with the following command: # pwck -r user 'smithj': directory '/home/smithj' does not exist If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.
Fix: F-18398r369673_fix
Create home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd". # mkdir /home/smithj # chown smithj /home/smithj # chgrp users /home/smithj # chmod 0750 /home/smithj
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010740
- Vuln IDs
-
- V-217173
- V-77207
- Rule IDs
-
- SV-217173r991589_rule
- SV-91903
Checks: C-18401r622350_chk
Verify the assigned home directory of all SUSE operating system local interactive users has a mode of "0750" or less permissive. Check the home directory assignment for all non-privileged users on the system with the following command: Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. # ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.
Fix: F-18399r369676_fix
Change the mode of SUSE operating system local interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj". # chmod 0750 /home/smithj
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010750
- Vuln IDs
-
- V-217174
- V-77211
- Rule IDs
-
- SV-217174r991589_rule
- SV-91907
Checks: C-18402r622352_chk
Verify the assigned home directory of all SUSE operating system local interactive users is group-owned by that user's primary GID. Check the home directory assignment for all non-privileged users on the system with the following command: Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example. # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $4, $6}' /etc/passwd 250 /home/smithj Check the user's primary group with the following command: # grep users /etc/group users:x:250:smithj,jonesj,jacksons If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.
Fix: F-18400r369679_fix
Change the group owner of a SUSE operating system local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. # chgrp users /home/smithj
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010760
- Vuln IDs
-
- V-217175
- V-77215
- Rule IDs
-
- SV-217175r991589_rule
- SV-91911
Checks: C-18403r369681_chk
Verify that all SUSE operating system local initialization files have a mode of "0740" or less permissive. Check the mode on all SUSE operating system local initialization files with the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". # ls -al /home/smithj/.* | more -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something If any local initialization files have a mode more permissive than "0740", this is a finding.
Fix: F-18401r369682_fix
Set the mode of SUSE operating system local initialization files to "0740" with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". # chmod 0740 /home/smithj/.<INIT_FILE>
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010770
- Vuln IDs
-
- V-217176
- V-77219
- Rule IDs
-
- SV-217176r991589_rule
- SV-91915
Checks: C-18404r793055_chk
Verify that all SUSE operating system local interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the user's home directory. Check the executable search path statement for all operating system local interactive user initialization files in the user's home directory with the following commands: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". # sudo grep -i path= /home/smithj/.* /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fix: F-18402r369685_fix
Edit the SUSE operating system local interactive user initialization files to change any PATH variable statements for executables that reference directories other than their home directory. If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010780
- Vuln IDs
-
- V-217177
- V-77225
- Rule IDs
-
- SV-217177r991589_rule
- SV-91921
Checks: C-18405r646729_chk
Verify that SUSE operating system local initialization files do not execute world-writable programs. Check the system for world-writable files with the following command: > sudo find / -xdev -perm -002 -type f -exec ls -ld {} \; For all files listed, check for their presence in the local initialization files with the following command: Note: The example will be for a system that is configured to create users' home directories in the "/home" directory. > sudo find /home/* -maxdepth 1 -type f -name \.\* -exec grep -H <file> {} \; If any local initialization files are found to reference world-writable files, this is a finding.
Fix: F-18403r646730_fix
Remove the references to these files in the local initialization scripts or remove the world-writable permission of files referenced by SUSE operating system local initialization scripts with the following command: > sudo chmod 0755 <file>
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010790
- Vuln IDs
-
- V-217178
- V-77229
- Rule IDs
-
- SV-217178r991589_rule
- SV-91925
Checks: C-18406r622354_chk
Verify that SUSE operating system file systems that contain user home directories are mounted with the "nosuid" option. Print the currently active file system mount options of the file system(s) that contain the user home directories with the following command: # for X in `awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd`; do findmnt -nkT $X; done | sort -r /home /dev/mapper/system-home ext4 rw,nosuid,relatime,data=ordered If a file system containing user home directories is not mounted with the FSTYPE OPTION nosuid, this is a finding. Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.
Fix: F-18404r369691_fix
Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that contain user home directories for interactive users. Re-mount the filesystems. # mount -o remount /home
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010800
- Vuln IDs
-
- V-217179
- V-77237
- Rule IDs
-
- SV-217179r991589_rule
- SV-91933
Checks: C-18407r369693_chk
Verify SUSE operating system file systems used for removable media are mounted with the "nosuid" option. Check the file systems that are mounted at boot time with the following command: # more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0 If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.
Fix: F-18405r369694_fix
Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that are associated with removable media.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010810
- Vuln IDs
-
- V-217180
- V-77241
- Rule IDs
-
- SV-217180r991589_rule
- SV-91937
Checks: C-18408r369696_chk
Verify SUSE operating system file systems that are being NFS exported are mounted with the "nosuid" option. Find the file system(s) that contain the directories being exported with the following command: # more /etc/fstab | grep nfs UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0 If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.
Fix: F-18406r369697_fix
Configure the SUSE operating system "/etc/fstab" file to use the "nosuid" option on file systems that are being exported via NFS.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010820
- Vuln IDs
-
- V-217181
- V-77251
- Rule IDs
-
- SV-217181r991589_rule
- SV-91947
Checks: C-18409r369699_chk
Verify the SUSE operating system file systems that are being NFS exported are mounted with the "noexec" option. Find the file system(s) that contain the directories being exported with the following command: # more /etc/fstab | grep nfs UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0 If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fix: F-18407r369700_fix
Configure the SUSE operating system "/etc/fstab" file to use the "noexec" option on file systems that are being exported via NFS.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010830
- Vuln IDs
-
- V-217182
- V-77253
- Rule IDs
-
- SV-217182r991589_rule
- SV-91949
Checks: C-18410r369702_chk
Verify all SUSE operating system world-writable directories are group-owned by root, sys, bin, or an application group. Check the system for world-writable directories with the following command: Note: The example below should be repeated for each locally defined partition. The value after -fstype must be replaced with the filesystem type. XFS is used as an example. # find / -xdev -perm -002 -type d -fstype xfs -exec ls -lLd {} \; drwxrwxrwt. 2 root root 40 Aug 26 13:07 /dev/mqueue drwxrwxrwt. 2 root root 220 Aug 26 13:23 /dev/shm drwxrwxrwt. 14 root root 4096 Aug 26 13:29 /tmp If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.
Fix: F-18408r369703_fix
Change the group of the SUSE operating system world-writable directories to root with the following command: # chgrp root <directory>
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010840
- Vuln IDs
-
- V-217183
- V-77257
- Rule IDs
-
- SV-217183r991589_rule
- SV-91953
Checks: C-18411r369705_chk
Verify that SUSE operating system kernel core dumps are disabled unless needed. Check the status of the "kdump" service with the following command: # systemctl status kdump.service Loaded: not-found (Reason: No such file or directory) Active: inactive (dead) If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). If the service is active and is not documented, this is a finding.
Fix: F-18409r369706_fix
If SUSE operating system kernel core dumps are not required, disable the "kdump" service with the following command: # systemctl disable kdump.service If kernel core dumps are required, document the need with the ISSO.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SLES-12-010850
- Vuln IDs
-
- V-217184
- V-77261
- Rule IDs
-
- SV-217184r991589_rule
- SV-91957
Checks: C-18412r622356_chk
Verify that a separate file system/partition has been created for SUSE operating system non-privileged local interactive user home directories. Check the home directory assignment for all non-privileged users (those with a UID greater than 1000) on the system with the following command: # awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd adamsj 1002 /home/adamsj /bin/bash jacksonm 1003 /home/jacksonm /bin/bash smithj 1001 /home/smithj /bin/bash The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and user's shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. Check that a file system/partition has been created for the non-privileged interactive users with the following command: Note: The partition of /home is used in the example. # grep /home /etc/fstab UUID=333ada18 /home ext4 noatime,nobarrier,nodev 1 2 If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.
Fix: F-18410r369709_fix
Create a separate file system/partition for SUSE operating system non-privileged local interactive user home directories. Migrate the non-privileged local interactive user home directories onto the separate file system/partition.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SLES-12-010860
- Vuln IDs
-
- V-217185
- V-77265
- Rule IDs
-
- SV-217185r991589_rule
- SV-91961
Checks: C-18413r369711_chk
Verify that the SUSE operating system has a separate file system/partition for "/var". Check that a file system/partition has been created for "/var" with the following command: # grep /var /etc/fstab UUID=c274f65f /var ext4 noatime,nobarrier 1 2 If a separate entry for "/var" is not in use, this is a finding.
Fix: F-18411r369712_fix
Create a separate file system/partition on the SUSE operating system for "/var". Migrate "/var" onto the separate file system/partition.
- RMF Control
- CM-6
- Severity
- Low
- CCI
- CCI-000366
- Version
- SLES-12-010870
- Vuln IDs
-
- V-217186
- V-77271
- Rule IDs
-
- SV-217186r991589_rule
- SV-91967
Checks: C-18414r369714_chk
Verify that the SUSE operating system has a separate file system/partition for the system audit data path. Check that a file system/partition has been created for the system audit data path with the following command: Note: "/var/log/audit" is used as the example as it is a common location. #grep /var/log/audit /etc/fstab UUID=3645951a /var/log/audit ext4 defaults 1 2 If a separate entry for the system audit data path (in this example the "/var/log/audit" path) does not exist, ask the System Administrator if the system audit logs are being written to a different file system/partition on the system and then grep for that file system/partition. If a separate file system/partition does not exist for the system audit data path, this is a finding.
Fix: F-18412r369715_fix
Migrate the SUSE operating system audit data path onto a separate file system.
- RMF Control
- SI-11
- Severity
- Medium
- CCI
- CCI-001314
- Version
- SLES-12-010890
- Vuln IDs
-
- V-217188
- V-77275
- Rule IDs
-
- SV-217188r958566_rule
- SV-91971
Checks: C-18416r646732_chk
Verify that the SUSE operating system prevents unauthorized users from accessing system error messages. Check the "/var/log/messages" file permissions with the following comand: > sudo stat -c "%n %U:%G %a" /var/log/messages /var/log/messages root:root 640 Check that "permissions.local" file contains the correct permissions rules with the following command: > grep -i messages /etc/permissions.local /var/log/messages root:root 640 If the effective permissions do not match the "permissions.local" file, the command does not return any output, or is commented out, this is a finding.
Fix: F-18414r646733_fix
Configure the SUSE operating system to prevent unauthorized users from accessing system error messages. Add or update the following rules in "/etc/permissions.local": /var/log/messages root:root 640 Set the correct permissions with the following command: > sudo chkstat --set --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010910
- Vuln IDs
-
- V-217189
- V-77285
- Rule IDs
-
- SV-217189r991589_rule
- SV-91981
Checks: C-18417r646735_chk
Verify the SUSE operating system is configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. Check that soft links between PAM configuration files are removed with the following command: > find /etc/pam.d/ -type l -iname "common-*" If any results are returned, this is a finding.
Fix: F-18415r646736_fix
Copy the PAM configuration files to their static locations and remove the SUSE operating system soft links for the PAM configuration files with the following command: > sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done' Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- SLES-12-020000
- Vuln IDs
-
- V-217190
- V-77287
- Rule IDs
-
- SV-217190r1015221_rule
- SV-91983
Checks: C-18418r369726_chk
Verify the SUSE operating system auditing package is installed. Check that the "audit" package is installed by performing the following command: # zypper se audit i | audit | User Space Tools for 2.6 Kernel Auditing If the package "audit" is not installed on the system, then this is a finding.
Fix: F-18416r369727_fix
The SUSE operating system auditd package must be installed on the system. If it is not installed, use the following command to install it: # sudo zypper in auditd
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-020010
- Vuln IDs
-
- V-217191
- V-77289
- Rule IDs
-
- SV-217191r958412_rule
- SV-91985
Checks: C-18419r369729_chk
Verify the SUSE operating system produces audit records. Check that the SUSE operating system produces audit records by running the following command to determine the current status of the auditd service: # systemctl status auditd.service If the service is enabled, the returned message must contain the following text: Active: active (running) If the service is not running, this is a finding.
Fix: F-18417r369730_fix
Enable the SUSE operating system auditd service by performing the following commands: # sudo systemctl enable auditd.service # sudo systemctl start auditd.service
- RMF Control
- AU-4
- Severity
- Medium
- CCI
- CCI-001849
- Version
- SLES-12-020020
- Vuln IDs
-
- V-217192
- V-77291
- Rule IDs
-
- SV-217192r958752_rule
- SV-91987
Checks: C-18420r369732_chk
Verify the SUSE operating system allocates audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. Determine which partition the audit records are being written to with the following command: # sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to (with the example being /var/log/audit/) with the following command: # df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit If the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command: #du -sh [audit_partition] 1.8G /var/log/audit The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. If the audit record partition is not allocated sufficient storage capacity, this is a finding.
Fix: F-18418r369733_fix
Allocate enough storage capacity for at least one week's worth of SUSE operating system audit records when audit records are not immediately sent to a central audit record storage facility. If audit records are stored on a partition made specifically for audit records, use the "YaST2 - Partitioner" program (installation and configuration tool for Linux) to resize the partition with sufficient space to contain one week's worth of audit records. If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of space will need be to be created. The new partition can be created using the "YaST2 - Partitioner" program on the system.
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-001855
- Version
- SLES-12-020030
- Vuln IDs
-
- V-217193
- V-77293
- Rule IDs
-
- SV-217193r971542_rule
- SV-91989
Checks: C-18421r369735_chk
Determine if the SUSE operating system auditd is configured to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit record storage volume reaches 75 percent of the storage capacity. Check the system configuration to determine the partition to which audit records are written using the following command: # grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition to which audit records are written (e.g., "/var/log/audit/"): # df -h /var/log/audit/ 0.9G /var/log/audit If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), use the following command to determine the amount of space other files in the partition currently occupy: # du -sh <partition> 1.8G /var Determine the threshold for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached: # grep -iw space_left /etc/audit/auditd.conf space_left = 225 If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.
Fix: F-18419r369736_fix
Check the system configuration to determine the partition to which the audit records are written: # grep -iw log_file /etc/audit/auditd.conf Determine the size of the partition to which audit records are written (e.g., "/var/log/audit/"): # df -h /var/log/audit/ Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-000139
- Version
- SLES-12-020040
- Vuln IDs
-
- V-217194
- V-77295
- Rule IDs
-
- SV-217194r958424_rule
- SV-91991
Checks: C-18422r369738_chk
Verify the administrators are notified in the event of a SUSE operating system audit processing failure by inspecting "/etc/audit/auditd.conf". Check if the system is configured to send email to an account when it needs to notify an administrator with the following command: sudo grep action_mail /etc/audit/auditd.conf action_mail_acct = root If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding.
Fix: F-18420r369739_fix
Configure the auditd service to notify the administrators in the event of a SUSE operating system audit processing failure. Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-000139
- Version
- SLES-12-020050
- Vuln IDs
-
- V-217195
- V-77297
- Rule IDs
-
- SV-217195r958424_rule
- SV-91993
Checks: C-18423r646738_chk
Verify the administrators are notified in the event of a SUSE operating system audit processing failure by checking that "/etc/aliases" has a defined value for root. > grep -i "^postmaster:" /etc/aliases postmaster: root If the above command does not return a value of "root", this is a finding Verify the alias for root forwards to a monitored e-mail account: > grep -i "^root:" /etc/aliases root: person@server.mil If the alias for root does not forward to a monitored e-mail account, this is a finding.
Fix: F-18421r646739_fix
Configure the auditd service to notify the administrators in the event of a SUSE operating system audit processing failure. Configure an alias value for the postmaster with the following command: > sudo sh -c 'echo "postmaster: root" >> /etc/aliases' Configure an alias for root that forwards to a monitored email address with the following command: > sudo sh -c 'echo "root: box@server.mil" >> /etc/aliases' The following command must be run to implement changes to the /etc/aliases file: > sudo newaliases
- RMF Control
- AU-5
- Severity
- Medium
- CCI
- CCI-000140
- Version
- SLES-12-020060
- Vuln IDs
-
- V-217196
- V-77299
- Rule IDs
-
- SV-217196r958426_rule
- SV-91995
Checks: C-18424r369744_chk
Verify the SUSE operating system takes the appropriate action when the audit storage volume is full. Check that the SUSE operating system takes the appropriate action when the audit storage volume is full with the following command: # sudo grep disk_full_action /etc/audit/auditd.conf disk_full_action = SYSLOG If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.
Fix: F-18422r369745_fix
Configure the SUSE operating system to shut down by default upon audit failure (unless availability is an overriding concern). Add or update the following line (depending on configuration "disk_full_action" can be set to "SYSLOG", "SINGLE", or "HALT" depending on configuration) in "/etc/audit/auditd.conf" file: disk_full_action = HALT
- RMF Control
- AU-4
- Severity
- Medium
- CCI
- CCI-001851
- Version
- SLES-12-020070
- Vuln IDs
-
- V-217197
- V-77301
- Rule IDs
-
- SV-217197r958754_rule
- SV-91997
Checks: C-18425r369747_chk
Verify that the "audit-audispd-plugins" package is installed on the SUSE operating system. Check that the "audit-audispd-plugins" package is installed on the SUSE operating system with the following command: # zypper se audit-audispd-plugins If the "audit-audispd-plugins" package is not installed, this is a finding. Verify the "au-remote" plugin is enabled with the following command: # grep -i active /etc/audisp/plugins.d/au-remote.conf active = yes If "active" is missing, commented out, or is not set to "yes", this is a finding.
Fix: F-18423r369748_fix
Install the "audit-audispd-plugins" package on the SUSE operating system by running the following command: # sudo zypper install audit-audispd-plugins In /etc/audisp/plugins.d/au-remote.conf, change the value of "active" to "yes", or add "active = yes" if no such setting exists in the file.
- RMF Control
- AU-4
- Severity
- Low
- CCI
- CCI-001851
- Version
- SLES-12-020080
- Vuln IDs
-
- V-217198
- V-77303
- Rule IDs
-
- SV-217198r958754_rule
- SV-91999
Checks: C-18426r369750_chk
Determine if the SUSE operating system audit event multiplexor is configured to use Kerberos by running the following command: # sudo cat /etc/audisp/audisp-remote.conf | grep enable_krb5 enable_krb5 = yes If "enable-krb5" is not set to "yes", this is a finding.
Fix: F-18424r369751_fix
Configure the SUSE operating system audit event multiplexor to use Kerberos by editing the "/etc/audisp/audisp-remote.conf" file. Edit or add the following line to match the text below: enable_krb5 = yes
- RMF Control
- AU-4
- Severity
- Low
- CCI
- CCI-001851
- Version
- SLES-12-020090
- Vuln IDs
-
- V-217199
- V-77305
- Rule IDs
-
- SV-217199r958754_rule
- SV-92001
Checks: C-18427r369753_chk
Verify "audispd" off-loads audit records onto a different system or media from the SUSE operating system being audited. Check if "audispd" is configured to off-load audit records onto a different system or media from the SUSE operating system by running the following command: # sudo cat /etc/audisp/audisp-remote.conf | grep remote_server remote_server = 192.168.1.101 If "remote_server" is not set to an external server or media, this is a finding.
Fix: F-18425r369754_fix
Configure the SUSE operating system "/etc/audisp/audisp-remote.conf" file to off-load audit records onto a different system or media by adding or editing the following line with the correct IP address: remote_server = [IP ADDRESS]
- RMF Control
- AU-4
- Severity
- Medium
- CCI
- CCI-001851
- Version
- SLES-12-020100
- Vuln IDs
-
- V-217200
- V-77307
- Rule IDs
-
- SV-217200r959008_rule
- SV-92003
Checks: C-18428r369756_chk
Verify what action the audit system takes if it cannot off-load audit records to a different system or storage media from the SUSE operating system being audited. Check the action that the audit system takes in the event of a network failure with the following command: # sudo grep -i "network_failure_action" /etc/audisp/audisp-remote.conf network_failure_action = syslog If the "network_failure_action" option is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.
Fix: F-18426r369757_fix
Configure the SUSE operating system to take the appropriate action if it cannot off-load audit records to a different system or storage media from the system being audited due to a network failure. Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt". See the example below: network_failure_action = syslog
- RMF Control
- AU-4
- Severity
- Medium
- CCI
- CCI-001851
- Version
- SLES-12-020110
- Vuln IDs
-
- V-217201
- V-77309
- Rule IDs
-
- SV-217201r959008_rule
- SV-92005
Checks: C-18429r369759_chk
Verify the audit system off-loads audit records if the SUSE operating system storage volume becomes full. Check that the records are properly off-loaded to a remote server with the following command: # sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf disk_full_action = syslog If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.
Fix: F-18427r369760_fix
Configure the SUSE operating system to take the appropriate action if the audit storage is full. Add, edit, or uncomment the "disk_full_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" as in the example below: disk_full_action = syslog
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-000162
- Version
- SLES-12-020120
- Vuln IDs
-
- V-217202
- V-77311
- Rule IDs
-
- SV-217202r958434_rule
- SV-92007
Checks: C-18430r369762_chk
Verify that the SUSE operating system protects audit rules from unauthorized modification. Check that "permissions.local" file contains the correct permissions rules with the following command: # grep -i audit /etc/permissions.local /var/log/audit root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 If the command does not return any output, this is a finding. Check that all of the audit information files and folders have the correct permissions with the following command: # sudo chkstat /etc/permissions.local If the command returns any output, this is a finding.
Fix: F-18428r369763_fix
Configure the SUSE operating system to protect audit rules from unauthorized modification. Add or update the following rules in "/etc/permissions.local": /var/log/audit root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 Set the correct permissions with the following command: # sudo chkstat --set /etc/permissions.local
- RMF Control
- AU-9
- Severity
- Medium
- CCI
- CCI-001493
- Version
- SLES-12-020130
- Vuln IDs
-
- V-217203
- V-77313
- Rule IDs
-
- SV-217203r991557_rule
- SV-92009
Checks: C-18431r646741_chk
Verify that the SUSE operating system audit tools have the proper permissions configured in the permissions profile to protect from unauthorized access. Check that "permissions.local" file contains the correct permissions rules with the following command: > grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 0750 /usr/sbin/auditctl root:root 0750 /usr/sbin/auditd root:root 0750 /usr/sbin/ausearch root:root 0755 /usr/sbin/aureport root:root 0755 /usr/sbin/autrace root:root 0750 /usr/sbin/augenrules root:root 0750 If the command does not return any output, this is a finding. Check that all of the audit information files and folders have the correct permissions with the following command: > sudo chkstat /etc/permissions.local If the command returns any output, this is a finding.
Fix: F-18429r646742_fix
Configure the SUSE operating system audit tools to have with proper permissions set in the permissions profile to protect from unauthorized access. Edit the file "/etc/permissions.local" and insert the following text: /usr/sbin/audispd root:root 0750 /usr/sbin/auditctl root:root 0750 /usr/sbin/auditd root:root 0750 /usr/sbin/ausearch root:root 0755 /usr/sbin/aureport root:root 0755 /usr/sbin/autrace root:root 0750 /usr/sbin/augenrules root:root 0750 Set the correct permissions with the following command: > sudo chkstat --set /etc/permissions.local
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-020199
- Vuln IDs
-
- V-217204
- V-97227
- Rule IDs
-
- SV-217204r991589_rule
- SV-106365
Checks: C-18432r646744_chk
Verify syscall auditing has not been disabled: > sudo auditctl -l | grep -i "a task,never" If any results are returned, this is a finding. Verify the default rule "-a task,never" is not statically defined : > sudo grep -rv "^#" /etc/audit/rules.d/ | grep -i "a task,never" If any results are returned, this is a finding.
Fix: F-18430r646745_fix
Remove the "-a task,never" rule from the /etc/audit/rules.d/audit.rules file. The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001403
- Version
- SLES-12-020200
- Vuln IDs
-
- V-217205
- V-77315
- Rule IDs
-
- SV-217205r1015222_rule
- SV-92011
Checks: C-18433r369771_chk
Verify the SUSE operating system generates an audit record when all modifications occur to the "/etc/passwd" file. Check that the following file is being watched by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep /etc/passwd /etc/audit/audit.rules -w /etc/passwd -p wa -k account_mod If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-18431r369772_fix
Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/passwd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/passwd -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-000018
- Version
- SLES-12-020210
- Vuln IDs
-
- V-217206
- V-77317
- Rule IDs
-
- SV-217206r1015223_rule
- SV-92013
Checks: C-18434r369774_chk
Verify the SUSE operating system generates an audit record when modifications occur to the "/etc/group" file. Check that the following file is being watched by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep /etc/group /etc/audit/audit.rules -w /etc/group -p wa -k account_mod If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-18432r369775_fix
Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/group" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/group -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001403
- Version
- SLES-12-020220
- Vuln IDs
-
- V-217207
- V-77319
- Rule IDs
-
- SV-217207r1015224_rule
- SV-92015
Checks: C-18435r369777_chk
Verify the SUSE operating system generates an audit record when modifications occur to the "/etc/shadow" file. Check that the following file is being watched by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep /etc/shadow /etc/audit/audit.rules -w /etc/shadow -p wa -k account_mod If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-18433r369778_fix
Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/shadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/shadow -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-000018
- Version
- SLES-12-020230
- Vuln IDs
-
- V-217208
- V-77321
- Rule IDs
-
- SV-217208r1015225_rule
- SV-92017
Checks: C-18436r369780_chk
Verify the SUSE operating system generates an audit record when modifications occur to the "/etc/security/opasswd" file. Check that the following file is being watched by performing the following command on the system rules in "/etc/audit/audit.rules": # grep /etc/security/opasswd /etc/audit/audit.rules -w /etc/security/opasswd -p wa -k account_mod If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-18434r369781_fix
Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/security/opasswd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/security/opasswd -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-7
- Severity
- Low
- CCI
- CCI-001877
- Version
- SLES-12-020240
- Vuln IDs
-
- V-217209
- V-77323
- Rule IDs
-
- SV-217209r1015226_rule
- SV-92019
Checks: C-18437r369783_chk
Verify the operating system audits the execution of privileged functions using the following command: # grep -iw execve /etc/audit/audit.rules -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
Fix: F-18435r369784_fix
Configure the operating system to audit the execution of privileged functions. Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- SLES-12-020250
- Vuln IDs
-
- V-217210
- V-77325
- Rule IDs
-
- SV-217210r958412_rule
- SV-92021
Checks: C-18438r622358_chk
Verify the SUSE operating system generates an audit record for any use of the "su" command. Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo egrep "\/usr\/bin\/su\s" /etc/audit/audit.rules -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18436r622359_fix
Configure the SUSE operating system to generate an audit record for all uses of the "su" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Low
- CCI
- CCI-000169
- Version
- SLES-12-020260
- Vuln IDs
-
- V-217211
- V-77327
- Rule IDs
-
- SV-217211r958412_rule
- SV-92023
Checks: C-18439r622361_chk
Verify the SUSE operating system generates an audit record for any use of the "sudo" command. Check that the following command call is being audited by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep -iw sudo /etc/audit/audit.rules -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudo If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18437r622362_fix
Configure the SUSE operating system to generate an audit record for all uses of the "sudo" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudo The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Low
- CCI
- CCI-000172
- Version
- SLES-12-020280
- Vuln IDs
-
- V-217212
- V-77331
- Rule IDs
-
- SV-217212r958412_rule
- SV-92027
Checks: C-18440r622364_chk
Verify the SUSE operating system generates an audit record for all uses of the "chfn" command. Check that the following command call is being audited by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep -i chfn /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18438r622365_fix
Configure the SUSE operating system to generate an audit record for all uses the "chfn" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Low
- CCI
- CCI-000169
- Version
- SLES-12-020290
- Vuln IDs
-
- V-217213
- V-77333
- Rule IDs
-
- SV-217213r958412_rule
- SV-92029
Checks: C-18441r369795_chk
Verify the SUSE operating system generates an audit record for all uses of the "mount" command. Check that the following command call is being audited by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep -iw mount /etc/audit/audit.rules -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding. If all uses of the "mount" command are not being audited, this is a finding.
Fix: F-18439r369796_fix
Configure the SUSE operating system to generate an audit record for all uses the "mount" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Low
- CCI
- CCI-000130
- Version
- SLES-12-020300
- Vuln IDs
-
- V-217214
- V-77335
- Rule IDs
-
- SV-217214r958412_rule
- SV-92031
Checks: C-18442r369798_chk
Verify the SUSE operating system generates an audit record for all uses of the "umount" command. Check that the following command call is being audited by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep -iw umount /etc/audit/audit.rules -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount If both the "b32" and "b64" audit rules are not defined for the "umount" syscall, this is a finding.
Fix: F-18440r369799_fix
Configure the SUSE operating system to generate an audit record for all uses the "umount" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Low
- CCI
- CCI-000169
- Version
- SLES-12-020310
- Vuln IDs
-
- V-217215
- V-77337
- Rule IDs
-
- SV-217215r958412_rule
- SV-92033
Checks: C-18443r622367_chk
Verify the SUSE operating system generates an audit record for all uses of the "ssh-agent" command. Check that the following command call is being audited by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep -i ssh-agent /etc/audit/audit.rules -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-agent If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18441r622368_fix
Configure the SUSE operating system to generate an audit record for all uses the "ssh-agent" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-agent The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Low
- CCI
- CCI-000130
- Version
- SLES-12-020320
- Vuln IDs
-
- V-217216
- V-77339
- Rule IDs
-
- SV-217216r958412_rule
- SV-92035
Checks: C-18444r622370_chk
Verify the SUSE operating system generates an audit record for all uses of the "ssh-keysign" command. Check that the following command call is being audited by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep -i ssh-keysign /etc/audit/audit.rules -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-keysign If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18442r622371_fix
Configure the SUSE operating system to generate an audit record for all uses the "ssh-keysign" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-keysign The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- SLES-12-020360
- Vuln IDs
-
- V-217217
- V-77347
- Rule IDs
-
- SV-217217r958412_rule
- SV-92043
Checks: C-18445r369807_chk
Verify the SUSE operating system generates an audit record for all uses of the "kmod" command. Check that the following command call is being audited by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep kmod /etc/audit/audit.rules -w /usr/bin/kmod -p x -k modules If the system is configured to audit the execution of the module management program "kmod", the command will return a line. If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-18443r369808_fix
Configure the SUSE operating system to audit the execution of the module management program "kmod" by adding the following line to "/etc/audit/rules.d/audit.rules": -w /usr/bin/kmod -p x -k modules The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020370
- Vuln IDs
-
- V-217218
- V-77349
- Rule IDs
-
- SV-217218r958412_rule
- SV-92045
Checks: C-18446r854120_chk
Verify the SUSE operating system generates an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls. Verify that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": > sudo grep xattr /etc/audit/audit.rules -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls, this is a finding.
Fix: F-18444r809427_fix
Configure the SUSE operating system to generate an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020420
- Vuln IDs
-
- V-217223
- V-77359
- Rule IDs
-
- SV-217223r958412_rule
- SV-92055
Checks: C-18451r854122_chk
Verify the SUSE operating system generates an audit record for all uses of the "chown", "fchown", "fchownat", and "lchown" syscalls. Verify that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": > sudo grep chown /etc/audit/audit.rules -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", "lchown" syscalls, this is a finding.
Fix: F-18449r854123_fix
Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020460
- Vuln IDs
-
- V-217227
- V-77367
- Rule IDs
-
- SV-217227r958412_rule
- SV-92063
Checks: C-18455r854125_chk
Verify the SUSE operating system generates an audit record for all uses of the "chmod", "fchmod" and "fchmodat" system calls. Verify that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": > sudo grep chmod /etc/audit/audit.rules -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding.
Fix: F-18453r809433_fix
Configure the SUSE operating system to generate an audit record for all uses of the "chmod", "fchmod", and "fchmodat" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020490
- Vuln IDs
-
- V-217230
- V-77373
- Rule IDs
-
- SV-217230r958412_rule
- SV-92069
Checks: C-18458r861097_chk
Verify the SUSE operating system generates an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls. Verify that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": > sudo grep 'open\|truncate\|creat' /etc/audit/audit.rules -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access If both the "b32" and "b64" audit rules are not defined for the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls, this is a finding. If the output does not produce rules containing "-F exit=-EPERM", this is a finding. If the output does not produce rules containing "-F exit=-EACCES", this is a finding.
Fix: F-18456r861098_fix
Configure the SUSE operating system to generate an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Low
- CCI
- CCI-000172
- Version
- SLES-12-020550
- Vuln IDs
-
- V-217236
- V-77385
- Rule IDs
-
- SV-217236r958412_rule
- SV-92081
Checks: C-18464r622373_chk
Verify the SUSE operating system generates an audit record for all uses of the "passwd" command. Check that the following command call is being audited by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep -i /usr/bin/passwd /etc/audit/audit.rules -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18462r622374_fix
Configure the SUSE operating system to generate an audit record for all uses the "passwd" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Low
- CCI
- CCI-000130
- Version
- SLES-12-020560
- Vuln IDs
-
- V-217237
- V-77387
- Rule IDs
-
- SV-217237r958412_rule
- SV-92083
Checks: C-18465r622376_chk
Verify the SUSE operating system generates an audit record for all uses of the "gpasswd" command. Check that the following command call is being audited by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep -i gpasswd /etc/audit/audit.rules -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18463r622377_fix
Configure the SUSE operating system to generate an audit record for all uses the "gpasswd" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Low
- CCI
- CCI-000169
- Version
- SLES-12-020570
- Vuln IDs
-
- V-217238
- V-77389
- Rule IDs
-
- SV-217238r958412_rule
- SV-92085
Checks: C-18466r622379_chk
Verify the SUSE operating system generates an audit record for all uses of the "newgrp" command. Check that the following command call is being audited by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep -i newgrp /etc/audit/audit.rules -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-newgrp If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18464r622380_fix
Configure the SUSE operating system to generate an audit record for all uses the "newgrp" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-newgrp The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Low
- CCI
- CCI-000130
- Version
- SLES-12-020580
- Vuln IDs
-
- V-217239
- V-77391
- Rule IDs
-
- SV-217239r958412_rule
- SV-92087
Checks: C-18467r622382_chk
Verify the SUSE operating system generates an audit record for all uses of the "chsh" command. Check that the following command call is being audited by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep -i chsh /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chsh If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18465r622383_fix
Configure the SUSE operating system to generate an audit record for all uses the "chsh" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chsh The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- SLES-12-020590
- Vuln IDs
-
- V-217240
- V-77393
- Rule IDs
-
- SV-217240r958368_rule
- SV-92089
Checks: C-18468r369876_chk
Verify the SUSE operating system generates an audit record when all modifications occur to the "/etc/gshadow" file. Check that the following file is being watched by performing the following command on the system rules in "/etc/audit/audit.rules": # sudo grep /etc/gshadow /etc/audit/audit.rules -w /etc/gshadow -p wa -k account_mod If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-18466r369877_fix
Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/gshadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/gshadow -p wa -k account_mod The audit daemon must be restarted for any changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020600
- Vuln IDs
-
- V-217241
- V-77395
- Rule IDs
-
- SV-217241r958412_rule
- SV-92091
Checks: C-18469r622385_chk
Verify the SUSE operating system generates an audit record for all uses of the "chmod" command. Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i chmod /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18467r622386_fix
Configure the SUSE operating system to generate an audit record for all uses of the "chmod" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- SLES-12-020610
- Vuln IDs
-
- V-217242
- V-77397
- Rule IDs
-
- SV-217242r958412_rule
- SV-92093
Checks: C-18470r622388_chk
Verify the SUSE operating system generates an audit record for all uses of the "setfacl" command. Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i setfacl /etc/audit/audit.rules -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18468r622389_fix
Configure the SUSE operating system to generate an audit record for all uses of the "setfacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020620
- Vuln IDs
-
- V-217243
- V-77399
- Rule IDs
-
- SV-217243r958412_rule
- SV-92095
Checks: C-18471r622391_chk
Verify the SUSE operating system generates an audit record for all uses of the "chacl" command. Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i chacl /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18469r622392_fix
Configure the SUSE operating system to generate an audit record for all uses of the "chacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- SLES-12-020630
- Vuln IDs
-
- V-217244
- V-77401
- Rule IDs
-
- SV-217244r958412_rule
- SV-92097
Checks: C-18472r622394_chk
Verify audit records are generated when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i 'chcon' /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18470r622395_fix
Configure the SUSE operating system to generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020640
- Vuln IDs
-
- V-217245
- V-77403
- Rule IDs
-
- SV-217245r958412_rule
- SV-92099
Checks: C-18473r622397_chk
Verify the SUSE operating system generates an audit record for all uses of the "rm" command. Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i rm /etc/audit/audit.rules -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18471r622398_fix
Configure the SUSE operating system to generate an audit record for all uses of the "rm" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- SLES-12-020650
- Vuln IDs
-
- V-217246
- V-77405
- Rule IDs
-
- SV-217246r958412_rule
- SV-92101
Checks: C-18474r369894_chk
Verify the SUSE operating system generates an audit record when all modifications to the "tallylog" file occur. Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i tallylog /etc/audit/audit.rules -w /var/log/tallylog -p wa -k logins If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-18472r369895_fix
Configure the SUSE operating system to generate an audit record for any all modifications to the "tallylog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/tallylog -p wa -k logins The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020660
- Vuln IDs
-
- V-217247
- V-77407
- Rule IDs
-
- SV-217247r958412_rule
- SV-92103
Checks: C-18475r369897_chk
Verify the SUSE operating system generates an audit record when all modifications to the "lastlog" file occur. Check that the following is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i lastlog /etc/audit/audit.rules -w /var/log/lastlog -p wa -k logins If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-18473r369898_fix
Configure the SUSE operating system to generate an audit record for any all modifications to the "lastlog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/lastlog -p wa -k logins The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- SLES-12-020670
- Vuln IDs
-
- V-217248
- V-77409
- Rule IDs
-
- SV-217248r958412_rule
- SV-92105
Checks: C-18476r622400_chk
Verify the SUSE operating system generates an audit record for all uses of the "passmass" command. Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i passmass /etc/audit/audit.rules -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passmass If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18474r622401_fix
Configure the SUSE operating system to generate an audit record for all uses of the "passmass" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passmass The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020680
- Vuln IDs
-
- V-217249
- V-77411
- Rule IDs
-
- SV-217249r958412_rule
- SV-92107
Checks: C-18477r622403_chk
Verify an audit record is generated for all uses of the "unix_chkpwd" command. Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo egrep -i '(unix_chkpwd|unix2_chkpwd)' /etc/audit/audit.rules -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-chkpwd -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix2-chkpwd If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18475r622404_fix
Configure the SUSE operating system to generate an audit record for all uses of the "unix_chkpwd" and "unix2_chkpwd" commands. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-chkpwd -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix2-chkpwd The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- SLES-12-020690
- Vuln IDs
-
- V-217250
- V-77413
- Rule IDs
-
- SV-217250r958412_rule
- SV-92109
Checks: C-18478r622406_chk
Verify an audit record is generated for all uses of the "chage" command. Perform the verification by running the following command: Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i 'chage' /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18476r622407_fix
Configure the SUSE operating system to generate an audit record for all uses of the "chage" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020700
- Vuln IDs
-
- V-217251
- V-77415
- Rule IDs
-
- SV-217251r958412_rule
- SV-92111
Checks: C-18479r622409_chk
Verify an audit record is generated for all uses of the "usermod" command. Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i 'usermod' /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18477r622410_fix
Configure the SUSE operating system to generate an audit record for all uses of the "usermod" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000172
- Version
- SLES-12-020710
- Vuln IDs
-
- V-217252
- V-77417
- Rule IDs
-
- SV-217252r958412_rule
- SV-92113
Checks: C-18480r622412_chk
Verify an audit record is generated for all uses of the "crontab" command. Check for the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i 'crontab' /etc/audit/audit.rules -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18478r622413_fix
Configure the SUSE operating system to generate an audit record for all uses of the "crontab" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020720
- Vuln IDs
-
- V-217253
- V-77419
- Rule IDs
-
- SV-217253r958412_rule
- SV-92115
Checks: C-18481r622415_chk
Verify an audit record is generated for all uses of the "pam_timestamp_check" command. Check for the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i 'pam_timestamp_check' /etc/audit/audit.rules -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check If the command does not return any output or the returned line is commented out, this is a finding.
Fix: F-18479r622416_fix
Configure the SUSE operating system to generate an audit record for all uses of the "pam_timestamp_check" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-12
- Severity
- Medium
- CCI
- CCI-000169
- Version
- SLES-12-020730
- Vuln IDs
-
- V-217254
- V-77421
- Rule IDs
-
- SV-217254r958412_rule
- SV-92117
Checks: C-18482r369918_chk
Verify the SUSE operating system generates an audit record for all uses of the "delete_module" command. Check that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i delete_module /etc/audit/audit.rules -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module If both the "b32" and "b64" audit rules are not defined for the "unload_module" syscall, this is a finding.
Fix: F-18480r369919_fix
Configure the SUSE operating system to generate an audit record for all uses of the "delete_module" command. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020740
- Vuln IDs
-
- V-217255
- V-77423
- Rule IDs
-
- SV-217255r958412_rule
- SV-92119
Checks: C-18483r854149_chk
Verify the SUSE operating system generates an audit record for all uses of the "init_module" and "finit_module" syscalls. Verify that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": > sudo grep init_module /etc/audit/audit.rules -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload If both the "b32" and "b64" audit rules are not defined for the "init_module" and "finit_module" syscalls, this is a finding.
Fix: F-18481r809439_fix
Configure the SUSE operating system to generate an audit record for all uses of the "init_module" and "finit_module" syscalls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020760
- Vuln IDs
-
- V-217257
- V-77427
- Rule IDs
-
- SV-217257r958412_rule
- SV-92123
Checks: C-18485r369927_chk
Verify the SUSE operating system generates an audit record when all modifications to the "faillog" file occur. Check that the following is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": # sudo grep -i faillog /etc/audit/audit.rules -w /var/log/faillog -p wa -k logins If the command does not return a line, or the line is commented out, this is a finding.
Fix: F-18483r369928_fix
Configure the SUSE operating system to generate an audit record for any all modifications to the "faillog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/faillog -p wa -k logins The audit daemon must be restarted for the changes to take effect. # sudo systemctl restart auditd.service
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000197
- Version
- SLES-12-030000
- Vuln IDs
-
- V-217258
- V-77429
- Rule IDs
-
- SV-217258r987796_rule
- SV-92125
Checks: C-18486r369930_chk
Verify the telnet-server package is not installed on the SUSE operating system. Check that the telnet-server package is not installed on the SUSE operating system by running the following command: # zypper se telnet-server If the telnet-server package is installed, this is a finding.
Fix: F-18484r369931_fix
Remove the telnet-server package from the SUSE operating system by running the following command: # sudo zypper remove telnet-server
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-000050
- Version
- SLES-12-030020
- Vuln IDs
-
- V-217260
- V-77433
- Rule IDs
-
- SV-217260r958392_rule
- SV-92129
Checks: C-18488r369936_chk
Verify the SUSE operating system file "/etc/gdm/banner" contains the Standard Mandatory DoD Notice and Consent Banner text by running the following command: # more /etc/gdm/banner If the file does not contain the following text, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Fix: F-18486r369937_fix
Configure the SUSE operating system file "/etc/gdm/banner" to contain the Standard Mandatory DoD Notice and Consent Banner by running the following commands: # sudo vi /etc/gdm/banner Add the following information to the file: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
- RMF Control
- CM-7
- Severity
- Medium
- CCI
- CCI-000382
- Version
- SLES-12-030030
- Vuln IDs
-
- V-217261
- V-77435
- Rule IDs
-
- SV-217261r958480_rule
- SV-92131
Checks: C-18489r369939_chk
Verify the SUSE operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. Check that the "SuSEfirewall2.service" is enabled and running by running the following command: # systemctl status SuSEfirewall2.service * SuSEfirewall2.service - SuSEfirewall2 phase 2 Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled; vendor preset: disabled) Active: active (exited) since Thu 2017-03-09 17:33:29 UTC; 6 days ago Main PID: 2533 (code=exited, status=0/SUCCESS) Tasks: 0 (limit: 512) Memory: 0B CPU: 0 CGroup: /system.slice/SuSEfirewall2.service If the service is not enabled, this is a finding. If the service is not active, this is a finding. Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: # grep ^FW_ /etc/sysconfig/SuSEfirewall2 Ask the System Administrator for the site or program PPSM Component Local Services Assessment (Component Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Fix: F-18487r369940_fix
Configure the SUSE operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. Add/modify /etc/sysconfig/SuSEfirewall2 file to comply with the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL). Enable the "SuSEfirewall2.service" by running the following command: # systemctl enable SuSEfirewall2.service Start the "SuSEfirewall2.service" by running the following command: # systemctl start SuSEfirewall2.service
- RMF Control
- SC-5
- Severity
- High
- CCI
- CCI-002385
- Version
- SLES-12-030040
- Vuln IDs
-
- V-217262
- V-77437
- Rule IDs
-
- SV-217262r958902_rule
- SV-92133
Checks: C-18490r369942_chk
Verify "SuSEfirewall2" is configured to protect the SUSE operating system against or limit the effects of DoS attacks. Run the following command: # grep -i fw_services_accept_ext /etc/sysconfig/SuSEfirewall2 FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh" If the "FW_SERVICES_ACCEPT_EXT" rule does not contain both the "hitcount" and "blockseconds" parameters, this is a finding.
Fix: F-18488r369943_fix
Configure "SuSEfirewall2" to protect the SUSE operating system against or limit the effects of DoS attacks by implementing rate-limiting measures on impacted network interfaces. Add or replace the following line in "/etc/sysconfig/SuSEfirewall2": FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh" The firewall must be restarted in order for the changes to take effect. # sudo systemctl restart SuSEfirewall2.service
- RMF Control
- AC-8
- Severity
- Medium
- CCI
- CCI-001388
- Version
- SLES-12-030050
- Vuln IDs
-
- V-217263
- V-77439
- Rule IDs
-
- SV-217263r958390_rule
- SV-92135
Checks: C-18491r369945_chk
Verify the SUSE operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via SSH. Check the issue file to verify that it contains one of the DoD required banners. If it does not, this is a finding. # more /etc/issue The output must display the following DoD-required banner text. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the output does not display the banner text, this is a finding. Check the banner setting for sshd_config: # sudo grep "Banner" /etc/ssh/sshd_config The output must show the value of "Banner" set to "/etc/issue". An example is shown below: # sudo grep "Banner" /etc/ssh/sshd_config Banner /etc/issue If it does not, this is a finding.
Fix: F-18489r369946_fix
Configure the SUSE operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system by running the following commands: Edit the "sshd_config" file and edit the Banner flag to be the following: Banner /etc/issue/ Restart the sshd daemon: # sudo systemctl restart sshd.service To configure the system logon banner, edit the "/etc/issue" file. Replace the default text inside with the Standard Mandatory DoD banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
- RMF Control
- SC-8
- Severity
- High
- CCI
- CCI-002418
- Version
- SLES-12-030100
- Vuln IDs
-
- V-217264
- V-77441
- Rule IDs
-
- SV-217264r958908_rule
- SV-92137
Checks: C-18492r369948_chk
Note: If the system is not networked this requirement is Not Applicable. Verify that the SUSE operating system implements SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. Check that the OpenSSH package is installed on the SUSE operating system with the following command: # zypper se openssh S | Name | Summary | Type --+---------------- --+------------------------------------------------------+-------- i | openssh | Secure Shell Client and Server (Remote L-> | package If the OpenSSH package is not installed, this is a finding. Check that the OpenSSH service active on the SUSE operating system with the following command: # systemctl status sshd.service | grep -i "active:" Active: active (running) since Thu 2017-01-12 15:03:38 UTC; 1 months 4 days ago If OpenSSH service is not active, this is a finding.
Fix: F-18490r369949_fix
Note: If the system is not networked this requirement is Not Applicable. Configure the SUSE operating system to implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. Install the OpenSSH package on the SUSE operating system with the following command: # sudo zypper in openssh Enable the OpenSSH service to start automatically on reboot with the following command: # sudo systemctl enable sshd.service For the changes to take effect immediately, start the service with the following command: # sudo systemctl restart sshd.service
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-000067
- Version
- SLES-12-030110
- Vuln IDs
-
- V-217265
- V-77443
- Rule IDs
-
- SV-217265r958406_rule
- SV-92139
Checks: C-18493r369951_chk
Verify SSH is configured to verbosely log connection attempts and failed logon attempts to the SUSE operating system. Check that the SSH daemon configuration verbosely logs connection attempts and failed logon attempts to the server with the following command: # sudo grep -i loglevel /etc/ssh/sshd_config The output message must contain the following text: LogLevel VERBOSE If "LogLevel" is not set to "VERBOSE" or "INFO", the LogLevel keyword is missing, or the line is commented out, this is a finding.
Fix: F-18491r369952_fix
Configure SSH to verbosely log connection attempts and failed logon attempts to the SUSE operating system. Add or update the following line in the "/etc/ssh/sshd_config" file: LogLevel VERBOSE The SSH service will need to be restarted in order for the changes to take effect: # systemctl restart sshd
- RMF Control
- AC-9
- Severity
- Medium
- CCI
- CCI-000052
- Version
- SLES-12-030130
- Vuln IDs
-
- V-217266
- V-77447
- Rule IDs
-
- SV-217266r991589_rule
- SV-92143
Checks: C-18494r369954_chk
Verify all remote connections via SSH to the SUSE operating system display feedback on when account accesses last occurred. Check that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command: # sudo grep -i printlastlog /etc/ssh/sshd_config PrintLastLog yes If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.
Fix: F-18492r369955_fix
Configure the SUSE operating system to provide users with feedback on when account accesses last occurred. Add or edit the following lines in the "/etc/ssh/sshd_config" file: PrintLastLog yes
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-000770
- Version
- SLES-12-030140
- Vuln IDs
-
- V-217267
- V-77449
- Rule IDs
-
- SV-217267r1015227_rule
- SV-92145
Checks: C-18495r369957_chk
Verify the SUSE operating system denies direct logons to the root account using remote access via SSH. Check that SSH denies any user trying to log on directly as root with the following command: # sudo grep -i permitrootlogin /etc/ssh/sshd_config PermitRootLogin no If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.
Fix: F-18493r369958_fix
Configure the SUSE operating system to deny direct logons to the root account using remote access via SSH. Edit the appropriate "/etc/ssh/sshd_config" file, add or uncomment the line for "PermitRootLogin" and set its value to "no" (this file may be named differently or be in a different location): PermitRootLogin no
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SLES-12-030150
- Vuln IDs
-
- V-217268
- V-77451
- Rule IDs
-
- SV-217268r991591_rule
- SV-92147
Checks: C-18496r369960_chk
Verify the SUSE operating system disables automatic logon via SSH. Check that automatic logon via SSH is disabled with the following command: # sudo grep -i "permitemptypasswords" /etc/ssh/sshd_config PermitEmptyPasswords no If "PermitEmptyPasswords" is not set to "no", is missing completely, or is commented out, this is a finding.
Fix: F-18494r369961_fix
Configure the SUSE operating system disables automatic logon via SSH. Add or edit the following line in the "/etc/ssh/sshd_config" file: PermitEmptyPasswords no
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030151
- Vuln IDs
-
- V-217269
- V-99011
- Rule IDs
-
- SV-217269r991591_rule
- SV-108115
Checks: C-18497r369963_chk
Verify the SUSE operating system disables unattended via SSH. Check that unattended logon via SSH is disabled with the following command: # sudo grep -i "permituserenvironment" /etc/ssh/sshd_config PermitUserEnvironment no If the "PermitUserEnvironment" keyword is not set to "no", is missing completely, or is commented out, this is a finding.
Fix: F-18495r369964_fix
Configure the SUSE operating system disables unattended logon via SSH. Add or edit the following lines in the "/etc/ssh/sshd_config" file: PermitUserEnvironment no
- RMF Control
- IA-7
- Severity
- Medium
- CCI
- CCI-000803
- Version
- SLES-12-030170
- Vuln IDs
-
- V-217270
- V-77455
- Rule IDs
-
- SV-217270r958408_rule
- SV-92151
Checks: C-18498r622418_chk
Verify that the SUSE operating system implements DoD-approved encryption to protect the confidentiality of SSH remote connections. Check the SSH daemon configuration for allowed ciphers with the following command: # sudo grep -i ciphers /etc/ssh/sshd_config | grep -v '^#' Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.
Fix: F-18496r622419_fix
Edit the SSH daemon configuration (/etc/ssh/sshd_config) and remove any ciphers not starting with "aes" and remove any ciphers ending with "cbc". If necessary, add a "Ciphers" line: Ciphers aes256-ctr,aes192-ctr,aes128-ctr Restart the SSH daemon: # sudo systemctl restart sshd.service
- RMF Control
- MA-4
- Severity
- Medium
- CCI
- CCI-000877
- Version
- SLES-12-030180
- Vuln IDs
-
- V-217271
- V-77457
- Rule IDs
-
- SV-217271r958510_rule
- SV-92153
Checks: C-18499r622421_chk
Verify the SUSE operating system SSH daemon is configured to only use MACs that employ FIPS 140-2 approved hashes. Check that the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved hashes with the following command: # sudo grep -i macs /etc/ssh/sshd_config MACs hmac-sha2-512,hmac-sha2-256 If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.
Fix: F-18497r622422_fix
Configure the SUSE operating system SSH daemon to only use MACs that employ FIPS 140-2 approved hashes. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (The file might be named differently or be in a different location): MACs hmac-sha2-512,hmac-sha2-256
- RMF Control
- SC-10
- Severity
- Medium
- CCI
- CCI-001133
- Version
- SLES-12-030190
- Vuln IDs
-
- V-217272
- V-77459
- Rule IDs
-
- SV-217272r1015228_rule
- SV-92155
Checks: C-18500r369972_chk
Verify the SUSE operating system SSH daemon is configured to timeout idle sessions. Check that the "ClientAliveInterval" parameter is set to a value of "600" with the following command: # sudo grep -i clientalive /etc/ssh/sshd_config ClientAliveInterval 600 If "ClientAliveInterval" is not set to "600" in "/etc/ssh/sshd_config", this is a finding.
Fix: F-18498r369973_fix
Configure the SUSE operating system SSH daemon to timeout idle sessions. Add or modify (to match exactly) the following line in the "/etc/ssh/sshd_config" file: ClientAliveInterval 600 The SSH daemon must be restarted in order for any changes to take effect.
- RMF Control
- SC-10
- Severity
- Medium
- CCI
- CCI-001133
- Version
- SLES-12-030191
- Vuln IDs
-
- V-217273
- V-81801
- Rule IDs
-
- SV-217273r1015229_rule
- SV-96515
Checks: C-18501r622424_chk
Verify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after "10" minutes of inactivity. Check that the "ClientAliveCountMax" variable is set to a value of "1" or less by performing the following command: # sudo grep -i clientalive /etc/ssh/sshd_config ClientAliveInterval 600 ClientAliveCountMax 1 If "ClientAliveCountMax" does not exist or "ClientAliveCountMax" is not set to a value of "1" in "/etc/ssh/sshd_config", or the line is commented out, this is a finding.
Fix: F-18499r369976_fix
Configure the SUSE operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a "10" minute period of inactivity. Modify or append the following lines in the "/etc/ssh/sshd_config" file: ClientAliveCountMax 1 In order for the changes to take effect, the SSH daemon must be restarted. # sudo systemctl restart sshd.service
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030200
- Vuln IDs
-
- V-217274
- V-77461
- Rule IDs
-
- SV-217274r991589_rule
- SV-92157
Checks: C-18502r369978_chk
Verify the SUSE operating system SSH daemon is configured to not allow authentication using known hosts authentication. To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command: # sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config IgnoreUserKnownHosts yes If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.
Fix: F-18500r369979_fix
Configure the SUSE operating system SSH daemon to not allow authentication using known hosts authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": IgnoreUserKnownHosts yes
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030210
- Vuln IDs
-
- V-217275
- V-77463
- Rule IDs
-
- SV-217275r991589_rule
- SV-92159
Checks: C-18503r646748_chk
Verify the SUSE operating system SSH daemon public host key files have mode "0644" or less permissive. Note: SSH public key files may be found in other directories on the system depending on the installation. The following command will find all SSH public key files on the system: > find /etc/ssh -name 'ssh_host*key.pub' -exec stat -c "%a %n" {} \; 644 /etc/ssh/ssh_host_rsa_key.pub 644 /etc/ssh/ssh_host_dsa_key.pub 644 /etc/ssh/ssh_host_ecdsa_key.pub 644 /etc/ssh/ssh_host_ed25519_key.pub If any file has a mode more permissive than "0644", this is a finding.
Fix: F-18501r646749_fix
Configure the SUSE operating system SSH daemon public host key files have mode "0644" or less permissive. Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: > sudo chmod 0644 /etc/ssh/ssh_host*key.pub
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030220
- Vuln IDs
-
- V-217276
- V-77465
- Rule IDs
-
- SV-217276r991589_rule
- SV-92161
Checks: C-18504r880917_chk
Verify the SUSE operating system SSH daemon private host key files have mode "0640" or less permissive. The following command will find all SSH private key files on the system: > sudo find / -name '*ssh_host*key' -exec ls -lL {} \; Check the mode of the private host key files under "/etc/ssh" file with the following command: > find /etc/ssh -name 'ssh_host*key' -exec stat -c "%a %n" {} \; 640 /etc/ssh/ssh_host_rsa_key 640 /etc/ssh/ssh_host_dsa_key 640 /etc/ssh/ssh_host_ecdsa_key 640 /etc/ssh/ssh_host_ed25519_key If any file has a mode more permissive than "0640", this is a finding.
Fix: F-18502r880918_fix
Configure the mode of the SUSE operating system SSH daemon private host key files under "/etc/ssh" to "0640" with the following command: > sudo chmod 0640 /etc/ssh/ssh_host*key
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030230
- Vuln IDs
-
- V-217277
- V-77467
- Rule IDs
-
- SV-217277r991589_rule
- SV-92163
Checks: C-18505r369987_chk
Verify the SUSE operating system SSH daemon performs strict mode checking of home directory configuration files. Check that the SSH daemon performs strict mode checking of home directory configuration files with the following command: # sudo grep -i strictmodes /etc/ssh/sshd_config StrictModes yes If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.
Fix: F-18503r369988_fix
Configure the SUSE operating system SSH daemon performs strict mode checking of home directory configuration files. Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes": StrictModes yes
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030240
- Vuln IDs
-
- V-217278
- V-77469
- Rule IDs
-
- SV-217278r991589_rule
- SV-92165
Checks: C-18506r369990_chk
Determine the version of SSH using the following command: # ssh -V OpenSSH_7.9p1 If the version of SSH is 7.5 or newer, this is Not Applicable. Verify the SUSE operating system SSH daemon is configured to use privilege separation. Check that the SUSE operating system SSH daemon performs privilege separation with the following command: # sudo grep -i usepriv /etc/ssh/sshd_config UsePrivilegeSeparation yes If the "UsePrivilegeSeparation" keyword is not set to "yes" or "sandbox", is missing, or the returned line is commented out, this is a finding.
Fix: F-18504r369991_fix
Configure the SUSE operating system SSH daemon is configured to use privilege separation. Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" and set the value to "yes" or "sandbox": UsePrivilegeSeparation yes
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030250
- Vuln IDs
-
- V-217279
- V-77471
- Rule IDs
-
- SV-217279r991589_rule
- SV-92167
Checks: C-18507r880923_chk
Note: If the installed version of OpenSSH is 7.4 or above, this requirement is not applicable. Verify the SUSE operating system SSH daemon performs compression after a user successfully authenticates. Check that the SSH daemon performs compression after a user successfully authenticates with the following command: # sudo grep -i compression /etc/ssh/sshd_config Compression delayed If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.
Fix: F-18505r880924_fix
Configure the SUSE operating system SSH daemon performs compression after a user successfully authenticates. Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" on the system and set the value to "delayed" or "no": Compression no
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030260
- Vuln IDs
-
- V-217280
- V-77473
- Rule IDs
-
- SV-217280r991589_rule
- SV-92169
Checks: C-18508r622426_chk
Determine if X11Forwarding is disabled with the following command: # sudo grep -i x11forwarding /etc/ssh/sshd_config X11Forwarding no If the "X11Forwarding" keyword is set to "yes" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, is missing, or is commented out, this is a finding.
Fix: F-18506r622427_fix
Configure the SUSE operating system SSH daemon to disable forwarded X connections for interactive users. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): X11Forwarding no
- RMF Control
- AU-8
- Severity
- Medium
- CCI
- CCI-002046
- Version
- SLES-12-030300
- Vuln IDs
-
- V-217281
- V-77475
- Rule IDs
-
- SV-217281r1015230_rule
- SV-92171
Checks: C-18509r646754_chk
Verify the SUSE operating system clock must be configured to synchronize to an authoritative DoD time source when the time difference is greater than one second. Check that the SUSE operating system clock must be configured to synchronize to an authoritative DoD time source when the time difference is greater than one second with the following command: > sudo grep maxpoll /etc/ntp.conf server 0.us.pool.ntp.mil maxpoll 16 If nothing is returned or "maxpoll" is greater than "16", or is commented out, this is a finding. Verify the "ntp.conf" file is configured to an authoritative DoD time source by running the following command: > sudo grep -i server /etc/ntp.conf server 0.us.pool.ntp.mil If the parameter "server" is not set or is not set to an authoritative DoD time source, this is a finding.
Fix: F-18507r370000_fix
Configure the SUSE operating system clock must be configured to synchronize to an authoritative DoD time source when the time difference is greater than one second. To configure the system clock to synchronize to an authoritative DoD time source at least every 24 hours, edit the file "/etc/ntp.conf". Add or correct the following lines by replacing "[time_source]" with an authoritative DoD time source: server [time_source] maxpoll 16
- RMF Control
- AU-8
- Severity
- Low
- CCI
- CCI-001890
- Version
- SLES-12-030310
- Vuln IDs
-
- V-217282
- V-77477
- Rule IDs
-
- SV-217282r958788_rule
- SV-92173
Checks: C-18510r646756_chk
Verify that the SUSE operating system is configured to use UTC or GMT. Check that the SUSE operating system is configured to use UTC or GMT with the following command: > timedatectl status | grep -i "time zone" Timezone: UTC (UTC, +0000) If "Time zone" is not set to "UTC" or "GMT", this is a finding.
Fix: F-18508r646757_fix
Configure the SUSE operating system is configured to use UTC or GMT. To configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with "UTC" or "GMT". > sudo timedatectl set-timezone [ZONE]
- RMF Control
- SI-16
- Severity
- Medium
- CCI
- CCI-002824
- Version
- SLES-12-030320
- Vuln IDs
-
- V-217283
- V-77479
- Rule IDs
-
- SV-217283r958928_rule
- SV-92175
Checks: C-18511r646759_chk
Verify the SUSE operating system prevents leaking of internal kernel addresses. Check that the SUSE operating system prevents leaking of internal kernel addresses by running the following command: > sudo sysctl kernel.kptr_restrict kernel.kptr_restrict = 1 If the kernel parameter "kptr_restrict" is not equal to "1" or nothing is returned, this is a finding.
Fix: F-18509r646760_fix
Configure the SUSE operating system to prevent leaking of internal kernel addresses by running the following command: > sudo sysctl -w kernel.kptr_restrict=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.kptr_restrict=1" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
- RMF Control
- SI-16
- Severity
- Medium
- CCI
- CCI-002824
- Version
- SLES-12-030330
- Vuln IDs
-
- V-217284
- V-77481
- Rule IDs
-
- SV-217284r958928_rule
- SV-92177
Checks: C-18512r646762_chk
Verify the SUSE operating system implements ASLR. Check that the SUSE operating system implements ASLR by running the following command: > sudo sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 If the kernel parameter "randomize_va_space" is not equal to "2" or nothing is returned, this is a finding.
Fix: F-18510r646763_fix
Configure the SUSE operating system to implement ASLR by running the following commands: > sudo sysctl -w kernel.randomize_va_space=2 If "2" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.randomize_va_space=2" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
- RMF Control
- AU-4
- Severity
- Medium
- CCI
- CCI-001851
- Version
- SLES-12-030340
- Vuln IDs
-
- V-217285
- V-77483
- Rule IDs
-
- SV-217285r959008_rule
- SV-92179
Checks: C-18513r370011_chk
Verify that the SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly. For stand-alone hosts, verify with the System Administrator that the log files are off-loaded at least weekly. For networked systems, check that rsyslog is sending log messages to a remote server with the following command: # sudo grep "\*.\*" /etc/rsyslog.conf | grep "@" | grep -v "^#" *.*;mail.none;news.none @192.168.1.101:514 If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.
Fix: F-18511r370012_fix
Configure the SUSE operating system to off-load rsyslog messages for networked systems in real time. For stand-alone systems establish a procedure to off-load log messages at least once a week. For networked systems add a "@[Log_Server_IP_Address]" option to every active message label in "/etc/rsyslog.conf" that does not have one. Some examples are listed below: *.*;mail.none;news.none -/var/log/messages *.*;mail.none;news.none @192.168.1.101:514 An additional option is to capture all of the log messages and send them to a remote log host: *.* @@loghost:514
- RMF Control
- SC-5
- Severity
- Medium
- CCI
- CCI-001095
- Version
- SLES-12-030350
- Vuln IDs
-
- V-217286
- V-77485
- Rule IDs
-
- SV-217286r958528_rule
- SV-92181
Checks: C-18514r370014_chk
Verify the SUSE operating system is configured to use TCP syncookies. Check to see if syncookies are used with the following command: # sudo sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 If the value is not set to "1", this is a finding.
Fix: F-18512r370015_fix
Configure the SUSE operating system to use TCP syncookies by running the following command as an administrator: # sudo sysctl -w net.ipv4.tcp_syncookies=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.conf": net.ipv4.tcp_syncookies = 1
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030360
- Vuln IDs
-
- V-217287
- V-77487
- Rule IDs
-
- SV-217287r991589_rule
- SV-92183
Checks: C-18515r370017_chk
Verify the SUSE operating system does not accept IPv4 source-routed packets. Check the value of the accept source route variable with the following command: # sysctl net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.accept_source_route = 0 If the returned line does not have a value of "0" this is a finding.
Fix: F-18513r370018_fix
Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.all.accept_source_route = 0 Run the following command to apply this value: # sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030361
- Vuln IDs
-
- V-217288
- V-81803
- Rule IDs
-
- SV-217288r991589_rule
- SV-96517
Checks: C-18516r370020_chk
Verify the SUSE operating system does not accept IPv6 source-routed packets. Check the value of the accept source route variable with the following command: # sudo sysctl net.ipv6.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route = 0 If the returned line does not have a value of "0", this is a finding.
Fix: F-18514r370021_fix
Configure the SUSE operating system to not accept IPv6 source-routed packets by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv6.conf.all.accept_source_route = 0 Run the following command to apply this value: # sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030370
- Vuln IDs
-
- V-217289
- V-77489
- Rule IDs
-
- SV-217289r991589_rule
- SV-92185
Checks: C-18517r370023_chk
Verify the SUSE operating system does not accept IPv4 source-routed packets by default. Check the value of the default accept source route variable with the following command: # sysctl net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.accept_source_route = 0 If the returned line does not have a value of "0" this is a finding.
Fix: F-18515r370024_fix
Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.default.accept_source_route = 0 Run the following command to apply this value: # sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030380
- Vuln IDs
-
- V-217290
- V-77491
- Rule IDs
-
- SV-217290r991589_rule
- SV-92187
Checks: C-18518r370026_chk
Verify the SUSE operating system does not accept IPv4 source-routed packets. Check the value of the accept source route variable with the following command: # sysctl net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_echo_ignore_broadcasts = 1 If the returned line does not have a value of "1" this is a finding.
Fix: F-18516r370027_fix
Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.icmp_echo_ignore_broadcasts = 1 Run the following command to apply this value: # sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030390
- Vuln IDs
-
- V-217291
- V-77493
- Rule IDs
-
- SV-217291r991589_rule
- SV-92189
Checks: C-18519r370029_chk
Verify the SUSE operating system does not accept ICMP redirect messages. Check the value of the "net.ipv4.conf.all.accept_redirects" variable with the following command: # sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_redirects =0 If the returned line does not have a value of "0" this is a finding.
Fix: F-18517r370030_fix
Configure the SUSE operating system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.all.accept_redirects =0 Run the following command to apply this value: # sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030400
- Vuln IDs
-
- V-217292
- V-77495
- Rule IDs
-
- SV-217292r991589_rule
- SV-92191
Checks: C-18520r370032_chk
Verify the SUSE operating system ignores IPv4 ICMP redirect messages. Check the value of the "accept_redirects" variables with the following command: # sysctl net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects = 0 If the returned line does not have a value of "0" this is a finding.
Fix: F-18518r370033_fix
Configure the SUSE operating system ignores IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.default.accept_redirects = 0 Run the following command to apply this value: # sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030401
- Vuln IDs
-
- V-217293
- V-81805
- Rule IDs
-
- SV-217293r991589_rule
- SV-96519
Checks: C-18521r370035_chk
Verify the SUSE operating system does not allow IPv6 ICMP redirect messages by default. Check the value of the "default accept_redirects" variables with the following command: # sudo sysctl net.ipv6.conf.default.accept_redirects net.ipv6.conf.default.accept_redirects = 0 If the returned line does not have a value of "0", this is a finding.
Fix: F-18519r370036_fix
Configure the SUSE operating system to not allow IPv6 ICMP redirect messages by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv6.conf.default.accept_redirects=0 Run the following command to apply this value: # sysctl –system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030410
- Vuln IDs
-
- V-217294
- V-77497
- Rule IDs
-
- SV-217294r991589_rule
- SV-92193
Checks: C-18522r370038_chk
Verify the SUSE operating system does not allow interfaces to perform IPv4 ICMP redirects by default. Check the value of the "default send_redirects" variables with the following command: # sysctl net.ipv4.conf.default.send_redirects net.ipv4.conf.default.send_redirects = 0 If the returned line does not have a value of "0” this is a finding.
Fix: F-18520r370039_fix
Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects by default. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.default.send_redirects=0 Run the following command to apply this value: # sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030420
- Vuln IDs
-
- V-217295
- V-77499
- Rule IDs
-
- SV-217295r991589_rule
- SV-92195
Checks: C-18523r370041_chk
Verify the SUSE operating system does not send IPv4 ICMP redirect messages. Check the value of the "all send_redirects" variables with the following command: # sysctl net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects =0 If the returned line does not have a value of "0” this is a finding.
Fix: F-18521r370042_fix
Configure the SUSE operating system to not allow interfaces to perform IPv4 ICMP redirects. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" (or modify the line to have the required value): net.ipv4.conf.all.send_redirects=0 Run the following command to apply this value: # sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030430
- Vuln IDs
-
- V-217296
- V-77501
- Rule IDs
-
- SV-217296r991589_rule
- SV-92197
Checks: C-18524r646765_chk
Verify the SUSE operating system is not performing IPv4packet forwarding, unless the system is a router. Check to see if IPv4 forwarding is enabled using the following command: > sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0 If the network parameter "ipv4.ip_forward" is not equal to "0" or nothing is returned, this is a finding.
Fix: F-18522r646766_fix
Configure the SUSE operating system to not performing IPv4 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv4.ip_forward=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.ip_forward=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030440
- Vuln IDs
-
- V-217297
- V-77503
- Rule IDs
-
- SV-217297r991589_rule
- SV-92199
Checks: C-18525r370047_chk
Verify the SUSE operating system network interfaces are not in promiscuous mode unless approved by the ISSO and documented. Check for the status with the following command: # ip link | grep -i promisc If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.
Fix: F-18523r370048_fix
Configure the SUSE operating system network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. Set the promiscuous mode of an interface to off with the following command: # ip link set dev <devicename> promisc off
- RMF Control
- AC-18
- Severity
- Medium
- CCI
- CCI-001443
- Version
- SLES-12-030450
- Vuln IDs
-
- V-217298
- V-77505
- Rule IDs
-
- SV-217298r991568_rule
- SV-92201
Checks: C-18526r370050_chk
Verify that the SUSE operating system has no wireless network adapters enabled. Check that there are no wireless interfaces configured on the system with the following command: # wicked show all lo up link: #1, state up type: loopback config: compat:suse:/etc/sysconfig/network/ifcfg-lo leases: ipv4 static granted leases: ipv6 static granted addr: ipv4 127.0.0.1/8 [static] addr: ipv6 ::1/128 [static] eth0 up link: #2, state up, mtu 1500 type: ethernet, hwaddr 06:00:00:00:00:01 config: compat:suse:/etc/sysconfig/network/ifcfg-eth0 leases: ipv4 dhcp granted leases: ipv6 dhcp granted, ipv6 auto granted addr: ipv4 10.0.0.100/16 [dhcp] route: ipv4 default via 10.0.0.1 proto dhcp wlan0 up link: #3, state up, mtu 1500 type: wireless, hwaddr 06:00:00:00:00:02 config: wicked:xml:/etc/wicked/ifconfig/wlan0.xml leases: ipv4 dhcp granted addr: ipv4 10.0.0.101/16 [dhcp] route: ipv4 default via 10.0.0.1 proto dhcp If a wireless interface is configured it must be documented and approved by the local Authorizing Official. If a wireless interface is configured and has not been documented and approved, this is a finding.
Fix: F-18524r370051_fix
Configure the SUSE operating system to disable all wireless network interfaces with the following command: For each interface of type wireless, bring the interface into "down" state: # wicked ifdown wlan0 For each interface of type wireless with a configuration of type "compat:suse:", remove the associated file: # rm /etc/sysconfig/network/ifcfg-wlan0 For each interface of type wireless, for each configuration of type "wicked:xml:", remove the associated file or remove the interface configuration from the file. # rm /etc/wicked/ifconfig/wlan0.xml
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-001948
- Version
- SLES-12-030500
- Vuln IDs
-
- V-217299
- V-77507
- Rule IDs
-
- SV-217299r1015231_rule
- SV-92203
Checks: C-18527r370053_chk
Verify the SUSE operating system has the packages required for multifactor authentication installed. Check for the presence of the packages required to support multifactor authentication with the following commands: # zypper se pam_pkcs11 i | pam_pkcs11 | PKCS #11 PAM Module | package # zypper se mozilla-nss i | mozilla-nss | Network Security Services | package i | mozilla-nss-tools | Tools for developing, debugging, and managing applications t-> | package # zypper se pcsc i | pcsc-ccid | PCSC Driver for CCID Based Smart Card Readers and GemPC Twin -> | package i | pcsc-lite | PCSC Smart Cards Library | package i | pcsc-tools | PCSC Tools | package # zypper se opensc i | opensc | Smart Card Utilities | package # zypper info coolkey | grep -i installed Installed: Yes If any of the packages required for multifactor authentication are not installed, this is a finding.
Fix: F-18525r370054_fix
Configure the SUSE operating system to implement multifactor authentication by installing the required packages. Install the packages required to support multifactor authentication with the following commands: #zypper install pam_pkcs11 #zypper install mozilla-nss #zypper install mozilla-nss-tools #zypper install pcsc-ccid #zypper install pcsc-lite #zypper install pcsc-tools #zypper install opensc #zypper install coolkey Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-001954
- Version
- SLES-12-030510
- Vuln IDs
-
- V-217300
- V-77509
- Rule IDs
-
- SV-217300r1015232_rule
- SV-92205
Checks: C-18528r370056_chk
Verify the SUSE operating system implements certificate status checking for multifactor authentication. Check that certificate status checking for multifactor authentication is implemented with the following command: # grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy cert_policy = ca,ocsp_on,signature,crl_auto; If "cert_policy" is not set to include "ocsp_on", this is a finding.
Fix: F-18526r370057_fix
Configure the SUSE operating system to certificate status checking for PKI authentication. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on". Note: OCSP allows sending request for certificate status information. Additional certificate validation polices are permitted. Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/
- RMF Control
- IA-2
- Severity
- Medium
- CCI
- CCI-000765
- Version
- SLES-12-030520
- Vuln IDs
-
- V-217301
- V-77511
- Rule IDs
-
- SV-217301r1015233_rule
- SV-92207
Checks: C-18529r370059_chk
Verify the SUSE operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). Check that the "pam_pkcs11.so" option is configured in the "/etc/pam.d/common-auth" file with the following command: # grep pam_pkcs11.so /etc/pam.d/common-auth auth sufficient pam_pkcs11.so If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", this is a finding.
Fix: F-18527r370060_fix
Configure the SUSE operating system to implement multifactor authentication for remote access to privileged accounts via PAM. Add or update "pam_pkcs11.so" in "/etc/pam.d/common-auth" to match the following line: auth sufficient pam_pkcs11.so
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000185
- Version
- SLES-12-030530
- Vuln IDs
-
- V-217302
- V-77513
- Rule IDs
-
- SV-217302r1015234_rule
- SV-92209
Checks: C-18530r646768_chk
Verify the SUSE operating system, for PKI-based authentication, had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Check that the certification path to an accepted trust anchor for multifactor authentication is implemented with the following command: > grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca,oscp_on,signature,crl_auto; If "cert_policy" is not set to include "ca", this is a finding.
Fix: F-18528r370063_fix
Configure the SUSE operating system, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ca": cert_policy = ca,signature,oscp_on; Note: Additional certificate validation polices are permitted. Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/
- RMF Control
- SI-3
- Severity
- High
- CCI
- CCI-001668
- Version
- SLES-12-030611
- Vuln IDs
-
- V-222386
- V-102727
- Rule IDs
-
- SV-222386r991589_rule
- SV-111689
Checks: C-19592r466210_chk
Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution. If there is no anti-virus solution installed on the system, this is a finding.
Fix: F-21313r466211_fix
Install an antivirus solution on the system.
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030261
- Vuln IDs
-
- V-233308
- Rule IDs
-
- SV-233308r991589_rule
Checks: C-36503r622236_chk
Verify the SUSE operating system SSH daemon prevents remote hosts from connecting to the proxy display. Check the SSH X11UseLocalhost setting with the following command: # sudo grep -i x11uselocalhost /etc/ssh/sshd_config X11UseLocalhost yes If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding.
Fix: F-36467r622237_fix
Configure the SUSE operating system SSH daemon to prevent remote hosts from connecting to the proxy display. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): X11UseLocalhost yes
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010111
- Vuln IDs
-
- V-237603
- Rule IDs
-
- SV-237603r991589_rule
Checks: C-40822r646770_chk
Verify the "sudoers" file restricts sudo access to authorized personnel. $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL
Fix: F-40785r646771_fix
Remove the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL
- RMF Control
- AC-6
- Severity
- Medium
- CCI
- CCI-002227
- Version
- SLES-12-010112
- Vuln IDs
-
- V-237604
- Rule IDs
-
- SV-237604r991589_rule
Checks: C-40823r861100_chk
Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. > sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw If conflicting results are returned, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. If "Defaults !runaspw" is not defined, this is a finding.
Fix: F-40786r646774_fix
Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw
- RMF Control
- IA-11
- Severity
- Medium
- CCI
- CCI-002038
- Version
- SLES-12-010113
- Vuln IDs
-
- V-237605
- Rule IDs
-
- SV-237605r1015235_rule
Checks: C-40824r861102_chk
Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. > sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d /etc/sudoers:Defaults timestamp_timeout=0 If conflicting results are returned, this is a finding. If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.
Fix: F-40787r861103_fix
Configure the "sudo" command to require re-authentication. Edit the /etc/sudoers file: > sudo visudo Add or modify the following line: Defaults timestamp_timeout=[value] Note: The "[value]" must be a number that is greater than or equal to "0".
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010631
- Vuln IDs
-
- V-237606
- Rule IDs
-
- SV-237606r991589_rule
Checks: C-40825r646779_chk
Verify all non-interactive SUSE operating system accounts do not have an interactive shell assigned to them. Obtain the list of authorized system accounts from the Information System Security Officer (ISSO). Check the system accounts on the system with the following command: > awk -F: '($7 !~ "/sbin/nologin" && $7 !~ "/bin/false"){print $1 ":" $3 ":" $7}' /etc/passwd root:0:/bin/bash nobody:65534:/bin/bash If a non-interactive accounts such as "games" or "nobody" is listed with an interactive shell, this is a finding.
Fix: F-40788r646780_fix
Configure the SUSE operating system so that all non-interactive accounts on the system have no interactive shell assigned to them. Run the following command to disable the interactive shell for a specific non-interactive user account: > sudo usermod --shell /sbin/nologin nobody
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010871
- Vuln IDs
-
- V-237607
- Rule IDs
-
- SV-237607r991560_rule
Checks: C-40826r646782_chk
Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" have mode 0755 or less permissive. Check that the system-wide shared library files have mode 0755 or less permissive with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec stat -c "%n %a" '{}' \; If any files are found to be group-writable or world-writable, this is a finding.
Fix: F-40789r646783_fix
Configure the library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec chmod 755 '{}' \;
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010872
- Vuln IDs
-
- V-237608
- Rule IDs
-
- SV-237608r991560_rule
Checks: C-40827r646785_chk
Verify the system-wide shared library directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" have mode 0755 or less permissive. Check that the system-wide shared library directories have mode 0755 or less permissive with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.
Fix: F-40790r646786_fix
Configure the shared library directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec chmod 755 '{}' \;
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010873
- Vuln IDs
-
- V-237609
- Rule IDs
-
- SV-237609r991560_rule
Checks: C-40828r646788_chk
Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are owned by root. Check that the system-wide shared library files are owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec stat -c "%n %U" '{}' \; If any system wide library file is returned, this is a finding.
Fix: F-40791r646789_fix
Configure the system library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec chown root '{}' \;
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010874
- Vuln IDs
-
- V-237610
- Rule IDs
-
- SV-237610r991560_rule
Checks: C-40829r646791_chk
Verify the system-wide shared library directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are owned by root. Check that the system-wide shared library directories are owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; If any system wide library directory is returned, this is a finding.
Fix: F-40792r646792_fix
Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \;
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010875
- Vuln IDs
-
- V-237611
- Rule IDs
-
- SV-237611r991560_rule
Checks: C-40830r646794_chk
Verify the system-wide library files contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root. Check that the system-wide library files are group-owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec stat -c "%n %G" '{}' \; If any system wide shared library file is returned, this is a finding.
Fix: F-40793r646795_fix
Configure the system library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec chgrp root '{}' \;
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010876
- Vuln IDs
-
- V-237612
- Rule IDs
-
- SV-237612r991560_rule
Checks: C-40831r646797_chk
Verify the system-wide library directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root. Check that the system-wide library directories are group-owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system wide shared library directory is returned, this is a finding.
Fix: F-40794r646798_fix
Configure the system library directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec chgrp root '{}' \;
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010877
- Vuln IDs
-
- V-237613
- Rule IDs
-
- SV-237613r991560_rule
Checks: C-40832r917813_chk
Verify the system commands contained in the following directories have mode 755 or less permissive: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Check that the system command files have mode 755 or less permissive with the following command: > find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec stat -c "%n %a" '{}' \; If any files are found to be group-writable or world-writable, this is a finding.
Fix: F-40795r646801_fix
Configure the system commands to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010878
- Vuln IDs
-
- V-237614
- Rule IDs
-
- SV-237614r991560_rule
Checks: C-40833r646803_chk
Verify the system commands directories have mode 0755 or less permissive: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Check that the system command directories have mode 0755 or less permissive with the following command: > find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any directories are found to be group-writable or world-writable, this is a finding.
Fix: F-40796r646804_fix
Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010879
- Vuln IDs
-
- V-237615
- Rule IDs
-
- SV-237615r991560_rule
Checks: C-40834r646806_chk
Verify the system commands contained in the following directories are owned by root: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Use the following command for the check: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \; If any system commands are returned, this is a finding.
Fix: F-40797r646807_fix
Configure the system commands - and their respective parent directories - to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec chown root '{}' \;
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010881
- Vuln IDs
-
- V-237616
- Rule IDs
-
- SV-237616r991560_rule
Checks: C-40835r646809_chk
Verify the system commands directories are owned by root: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Use the following command for the check: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \; If any system commands directories are returned, this is a finding.
Fix: F-40798r646810_fix
Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010882
- Vuln IDs
-
- V-237617
- Rule IDs
-
- SV-237617r991560_rule
Checks: C-40836r832995_chk
Verify the system commands contained in the following directories are group-owned by root or a system account: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Run the check with the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f -exec stat -c "%n %G" '{}' \; If any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required system account, this is a finding.
Fix: F-40799r832996_fix
Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. > sudo chgrp root [FILE]
- RMF Control
- CM-5
- Severity
- Medium
- CCI
- CCI-001499
- Version
- SLES-12-010883
- Vuln IDs
-
- V-237618
- Rule IDs
-
- SV-237618r991560_rule
Checks: C-40837r646815_chk
Verify the system commands directories are group-owned by root: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Run the check with the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system commands directories are returned that are not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a finding.
Fix: F-40800r646816_fix
Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;
- RMF Control
- IA-5
- Severity
- Medium
- CCI
- CCI-000197
- Version
- SLES-12-030011
- Vuln IDs
-
- V-237619
- Rule IDs
-
- SV-237619r987796_rule
Checks: C-40838r646818_chk
Verify the vsftpd package is not installed on the SUSE operating system. Check that the vsftpd package is not installed on the SUSE operating system by running the following command: > zypper info vsftpd | grep Installed If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Fix: F-40801r646819_fix
Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command: > sudo zypper remove vsftpd
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030362
- Vuln IDs
-
- V-237620
- Rule IDs
-
- SV-237620r991589_rule
Checks: C-40839r646821_chk
Verify the SUSE operating system does not accept IPv6 source-routed packets by default. Check the value of the default IPv6 accept source route variable with the following command: > sudo sysctl net.ipv6.conf.default.accept_source_route net.ipv6.conf.default.accept_source_route = 0 If the network parameter "ipv6.conf.default.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.
Fix: F-40802r646822_fix
Configure the SUSE operating system to disable IPv6 default source routing by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030363
- Vuln IDs
-
- V-237621
- Rule IDs
-
- SV-237621r991589_rule
Checks: C-40840r646824_chk
Verify the SUSE operating system does not accept IPv6 source-routed packets by default. Verify the SUSE operating system does not accept IPv6 ICMP redirect messages. Check the value of the IPv6 accept_redirects variable with the following command: > sudo sysctl net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects =0 If the network parameter "ipv6.conf.all.accept_redirects" is not equal to "0" or nothing is returned, this is a finding.
Fix: F-40803r646825_fix
Configure the SUSE operating system to not accept IPv6 ICMP redirect messages by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030364
- Vuln IDs
-
- V-237622
- Rule IDs
-
- SV-237622r991589_rule
Checks: C-40841r646827_chk
Verify the SUSE operating system is not performing IPv6 packet forwarding, unless the system is a router. Check to see if IPv6 forwarding is enabled using the following command: > sudo sysctl net.ipv6.conf.all.forwarding net.ipv6.conf.all.forwarding = 0 If the network parameter "ipv6.conf.all.forwarding" is not equal to "0" or nothing is returned, this is a finding.
Fix: F-40804r646828_fix
Configure the SUSE operating system to not performing IPv6 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.forwarding=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.forwarding=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-030365
- Vuln IDs
-
- V-237623
- Rule IDs
-
- SV-237623r991589_rule
Checks: C-40842r646830_chk
Verify the SUSE operating system is not performing IPv6 packet forwarding by default, unless the system is a router. Check to see if IPv6 forwarding is disabled by default using the following command: > sudo sysctl net.ipv6.conf.default.forwarding net.ipv6.conf.default.forwarding = 0 If the network parameter "ipv6.conf.default.forwarding" is not equal to "0" or nothing is returned, this is a finding.
Fix: F-40805r646831_fix
Configure the SUSE operating system to not performing IPv6 packet forwarding by default by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.forwarding=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.forwarding=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
- RMF Control
- CM-6
- Severity
- Medium
- CCI
- CCI-000366
- Version
- SLES-12-010109
- Vuln IDs
-
- V-251719
- Rule IDs
-
- SV-251719r991589_rule
Checks: C-55156r832987_chk
Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: > sudo grep include /etc/sudoers #includedir /etc/sudoers.d If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding. Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: > sudo grep -r include /etc/sudoers.d If results are returned, this is a finding.
Fix: F-55110r832988_fix
Configure the /etc/sudoers file to only include the /etc/sudoers.d directory. Edit the /etc/sudoers file with the following command: > sudo visudo Add or modify the following line: #includedir /etc/sudoers.d
- RMF Control
- IA-11
- Severity
- Medium
- CCI
- CCI-002038
- Version
- SLES-12-010114
- Vuln IDs
-
- V-251720
- Rule IDs
-
- SV-251720r1015236_rule
Checks: C-55157r854174_chk
Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: $ sudo grep pam_succeed_if /etc/pam.d/sudo If any occurrences of "pam_succeed_if" are returned from the command, this is a finding.
Fix: F-55111r854175_fix
Configure the operating system to require users to supply a password for privilege escalation. Check the configuration of the "/etc/ pam.d/sudo" file with the following command: $ sudo vi /etc/pam.d/sudo Remove any occurrences of "pam_succeed_if" in the file.
- RMF Control
- CM-6
- Severity
- High
- CCI
- CCI-000366
- Version
- SLES-12-010221
- Vuln IDs
-
- V-251721
- Rule IDs
-
- SV-251721r991589_rule
Checks: C-55158r809451_chk
Check the "/etc/shadow" file for blank passwords with the following command: $ sudo awk -F: '!$2 {print $1}' /etc/shadow If the command returns any results, this is a finding.
Fix: F-55112r809452_fix
Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: $ sudo passwd [username] Lock an account: $ sudo passwd -l [username]
- RMF Control
- AU-3
- Severity
- Medium
- CCI
- CCI-000130
- Version
- SLES-12-020411
- Vuln IDs
-
- V-251722
- Rule IDs
-
- SV-251722r958412_rule
Checks: C-55159r854177_chk
Verify the SUSE operating system generates an audit record for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls. Verify that the following command call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": > sudo grep 'unlink\|rename\|rmdir' /etc/audit/audit.rules -a always,exit -F arch=b32 -S unlink, unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S unlink, unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete If both the "b32" and "b64" audit rules are not defined for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls, this is a finding.
Fix: F-55113r809455_fix
Configure the SUSE operating system to generate an audit record for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S unlink, unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b64 -S unlink, unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service
- RMF Control
- AC-17
- Severity
- Medium
- CCI
- CCI-001453
- Version
- SLES-12-030270
- Vuln IDs
-
- V-255914
- Rule IDs
-
- SV-255914r991554_rule
Checks: C-59591r880920_chk
Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms: $ sudo grep -i kexalgorithms /etc/ssh/sshd_config KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 If "KexAlgorithms" is not configured, is commented out, or does not contain only the algorithms "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256" in exact order, this is a finding.
Fix: F-59534r880921_fix
Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/ssh/sshd_config": KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 Restart the "sshd" service for changes to take effect: $ sudo systemctl restart sshd
- RMF Control
- SC-4
- Severity
- Low
- CCI
- CCI-001090
- Version
- SLES-12-010375
- Vuln IDs
-
- V-255915
- Rule IDs
-
- SV-255915r958524_rule
Checks: C-59592r880926_chk
Verify the operating system is configured to restrict access to the kernel message buffer with the following commands: $ sudo sysctl kernel.dmesg_restrict kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter: $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null /etc/sysctl.conf:kernel.dmesg_restrict = 1 /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Fix: F-59535r880927_fix
Configure the operating system to restrict access to the kernel message buffer. Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory: kernel.dmesg_restrict = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/ /etc/sysctl.d/ /usr/local/lib/sysctl.d/ /usr/lib/sysctl.d/ /lib/sysctl.d/ /etc/sysctl.conf Reload settings from all system configuration files with the following command: $ sudo sysctl --system
- RMF Control
- SI-6
- Severity
- Medium
- CCI
- CCI-002696
- Version
- SLES-12-010499
- Vuln IDs
-
- V-255916
- Rule IDs
-
- SV-255916r958794_rule
Checks: C-59593r880935_chk
Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. Check that the AIDE package is installed with the following command: $ sudo zypper if aide | grep "Installed" Installed: Yes If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding. If AIDE is installed, check if it has been initialized with the following command: $ sudo aide --check If the output is "Couldn't open file /var/lib/aide/aide.db for reading", this is a finding.
Fix: F-59536r880936_fix
Install AIDE, initialize it, and perform a manual check. Install AIDE: $ sudo zipper in aide Initialize it (this may take a few minutes): $ sudo aide -i The new database will need to be renamed to be read by AIDE: $ sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db Perform a manual check: $ sudo aide --check Example output: Summary: Total number of files: 140621 Added files: 1 Removed files: 1 Changed files: 0 Done.
- RMF Control
- AC-2
- Severity
- Medium
- CCI
- CCI-001682
- Version
- SLES-12-010331
- Vuln IDs
-
- V-256980
- Rule IDs
-
- SV-256980r958508_rule
Checks: C-60658r902829_chk
Verify temporary accounts have been provisioned with an expiration date of 72 hours. For every existing temporary account, run the following command to obtain its account expiration information: > sudo chage -l <temporary_account_name> | grep -i "account expires" Verify each of these accounts has an expiration date set within 72 hours. If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.
Fix: F-60600r902830_fix
Configure the operating system to expire temporary accounts after 72 hours with the following command: > sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>
- RMF Control
- CM-3
- Severity
- Medium
- CCI
- CCI-001744
- Version
- SLES-12-010498
- Vuln IDs
-
- V-256981
- Rule IDs
-
- SV-256981r958794_rule
Checks: C-60659r902835_chk
Verify that the operating system is configured to allow sending email notifications. Note: The "mailx" package provides the "mail" command that is used to send email messages. Verify that the "mailx" package is installed on the system: > sudo zypper se mailx i | mailx | A MIME-Capable Implementation of the mailx Command | package If "mailx" package is not installed, this is a finding.
Fix: F-60601r902836_fix
Install the "mailx" package on the system: > sudo zypper install mailx