Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Verify that the version of SLEM 5 is vendor supported with the following command: > cat /etc/os-release NAME="SLE Micro" VERSION="5.2" ... If the installed version of SLEM 5 is not supported, this is a finding.
Upgrade SLEM 5 to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.
Verify that SLEM 5 has implemented an endpoint security tool. If no endpoint security tool is present and enabled on the system, this is a finding.
Install and enable an endpoint security tool.
Verify SLEM 5 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH. Check the issue file to verify it contains one of the DOD required banners. If it does not, this is a finding. > more /etc/issue The output must display the following DOD-required banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the output does not display the correct banner text, this is a finding.
Configure SLEM 5 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system by running the following commands: To configure the system logon banner, edit the "/etc/issue" file. Replace the default text inside with the Standard Mandatory DOD banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Verify SLEM 5 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: > systemctl status ctrl-alt-del.target ctrl-alt-del.target Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) Active: inactive (dead) If ctrl-alt-del.target is not masked, this is a finding.
Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: > sudo systemctl disable ctrl-alt-del.target > sudo systemctl mask ctrl-alt-del.target Then, reload the daemon to take effect: > sudo systemctl daemon-reload
Note: If the system does not use a BIOS, this requirement is not applicable. Verify that SLEM 5 has set an encrypted root password with the following command: > sudo cat /boot/grub2/grub.cfg | grep -i password password_pbkdf2 root grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 If the root password entry does not begin with "password_pbkdf2", this is a finding.
Note: If the system does not use a BIOS, this requirement is not applicable. Configure SLEM 5 to encrypt the boot password. Generate an encrypted GRUB bootloader password for root with the following command: > grub2-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 Using the hash from the output, modify the "/etc/grub.d/40_custom" file and add the following two lines to add a boot password for the root entry: set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 Generate an updated "grub.conf" file with the new password using the following commands: > sudo grub2-mkconfig --output=/tmp/grub2.cfg > sudo mv /tmp/grub2.cfg /boot/grub2/grub.cfg
Note: If the system does not use UEFI, this requirement is not applicable. Verify that SLEM 5 has set an encrypted root password with the following command: > sudo cat /boot/efi/EFI/BOOT/grub.cfg | grep -i password password_pbkdf2 root grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 If the root password entry does not begin with "password_pbkdf2", this is a finding.
Note: If the system does not use UEFI, this requirement is not applicable. Configure SLEM 5 to encrypt the boot password. Generate an encrypted GRUB bootloader password for root with the following command: > grub2-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 Using the hash from the output, modify the "/etc/grub.d/40_custom" file and add the following two lines to add a boot password for the root entry: set superusers="rooty" password_pbkdf2 root grub.pbkdf2.sha512.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 Generate an updated "grub.conf" file with the new password using the following commands: > sudo grub2-mkconfig --output=/tmp/grub2.cfg > sudo mv /tmp/grub2.cfg /boot/efi/EFI/BOOT/grub.cfg
Verify SLEM 5 is configured to restrict access to the kernel message buffer with the following commands: > sudo sysctl kernel.dmesg_restrict kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter: > sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null /etc/sysctl.conf:kernel.dmesg_restrict = 1 /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure SLEM 5 to restrict access to the kernel message buffer. Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory: kernel.dmesg_restrict = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/ /etc/sysctl.d/ /usr/local/lib/sysctl.d/ /usr/lib/sysctl.d/ /lib/sysctl.d/ /etc/sysctl.conf Reload settings from all system configuration files with the following command: $ sudo sysctl --system
Verify that SLEM 5 kernel core dumps are disabled unless needed with the following command: > systemctl status kdump.service kdump.service - Load kdump kernel and initrd Loaded: loaded (/usr/lib/systemd/system/kdump.service; disabled; vendor preset: disabled) Active: inactive (dead) If "kdump.service" is active, ask the system administrator if the use of the service is required and documented with the information system security officer (ISSO). If the service is active and is not documented, this is a finding.
If SLEM 5 kernel core dumps are not required, disable the "kdump" service with the following command: > sudo systemctl disable kdump.service If kernel core dumps are required, document the need with the ISSO.
Verify SLEM 5 implements Address space layout randomization (ASLR) with the following command: > sudo sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 If the kernel parameter "randomize_va_space" is not equal to "2", or nothing is returned, this is a finding.
Configure SLEM 5 to implement ASLR by running the following command as an administrator: > sudo sysctl -w kernel.randomize_va_space=2 If "2" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.randomize_va_space=2" >> /etc/sysctl.d/99-stig.conf' Reload settings from all system configuration files with the following command: > sudo sysctl --system
Verify SLEM 5 prevents leaking of internal kernel addresses with the following command: > sudo sysctl kernel.kptr_restrict kernel.kptr_restrict = 1 If the kernel parameter "kptr_restrict" is not equal to "1", or nothing is returned, this is a finding.
Configure SLEM 5 to prevent leaking of internal kernel addresses by running the following command: > sudo sysctl -w kernel.kptr_restrict=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.kptr_restrict=1" >> /etc/sysctl.d/99-stig.conf' Reload settings from all system configuration files with the following command: > sudo sysctl --system
Verify SLEM 5 security patches and updates are installed and up to date. Note: Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). Check for required SLEM 5 patches and updates with the following command: > sudo zypper patch-check 0 patches needed (0 security patches) If the patch repository data is corrupt, check that the available package security updates have been installed on the system with the following command: > sudo cut -d "|" -f 1-4 -s --output-delimiter " | " /var/log/zypp/history | grep -v " radd " 2023-09-25 12:23:25 | install | cockpit-ws | 298-150500.1.4 2023-09-25 12:23:26 | install | cockpit-storaged | 298-150500.1.4 2023-09-25 12:23:26 | install | cockpit-selinux | 298-150500.1.4 If SLEM 5 has not been patched within the site or PMO frequency, this is a finding.
Install the applicable SLEM 5 patches available from SUSE by running the following command: > sudo transactional-update patch > sudo reboot
Verify that SLEM 5 tool zypper has gpgcheck enabled with the following command: > grep -i '^gpgcheck' /etc/zypp/zypp.conf gpgcheck = on If "gpgcheck" is not set to "on", is commented out, or missing, this is a finding.
Configure that SLEM 5 tool zypper to enable gpgcheck. Add or modify the following line in the "/etc/zypp/zypp.conf" file: gpgcheck = on
Verify SLEM 5 removes all outdated software components after updated version have been installed by running the following command: > grep -i upgraderemovedroppedpackages /etc/zypp/zypp.conf solver.upgradeRemoveDroppedPackages = true If "solver.upgradeRemoveDroppedPackages" is not set to "true", is commented out, or missing, this is a finding.
Configure SLEM 5 to remove all outdated software components after an update. Add or modify the following line in the "/etc/zypp/zypp.conf" file: solver.upgradeRemoveDroppedPackages = true
Check that SLEM 5 has the "vlock" package installed with the following command: > zypper search --installed-only --match-exact --provides vlock i | kbd | Keyboard and Font Utilities | package If the command outputs "no matching items found", this is a finding.
Allow users to lock the console by installing the "kbd" package using zypper: > sudo transactional-update pkg install kbd > sudo reboot
Verify the telnet-server package is not installed on SLEM 5. Check that the telnet-server package is not installed on SLEM 5 by running the following command: > sudo zypper se telnet-server | grep Installed If the telnet-server package is installed, this is a finding.
Remove the telnet-server package from SLEM 5 by running the following command: > sudo transactional-update pkg remove telnet-server > sudo reboot
Verify that a separate file system/partition has been created for SLEM 5 nonprivileged local interactive users (those with a UID greater than 1000) home directories with the following command: > awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd adamsj 1002 /home/adamsj /bin/bash jacksonm 1003 /home/jacksonm /bin/bash smithj 1001 /home/smithj /bin/bash The output of the command will give the directory/partition that contains the home directories for the nonprivileged users on the system (in this example, /home) and user's shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. Check that a file system/partition has been created for the nonprivileged interactive users with the following command: Note: The partition of /home is used in the example. > grep /home /etc/fstab UUID=c4e898dd-6cd9-4091-a733-9435e505957a /home btrfs defaults,subvol=@/home 0 0 If a separate entry for the file system/partition that contains the nonprivileged interactive users' home directories does not exist, this is a finding.
Create a separate file system/partition for SLEM 5 nonprivileged local interactive user home directories. Migrate the nonprivileged local interactive user home directories onto the separate file system/partition.
Verify that SLEM 5 has a separate file system/partition for "/var" with the following command: > grep /var /etc/fstab UUID=c4e898dd-6cd9-4091-a733-9435e505957a /var btrfs defaults,subvol=@/var,x-initrd.mount 0 0 If a separate entry for "/var" does not exist, this is a finding.
Create a separate file system/partition on SLEM 5 for "/var". Migrate "/var" onto the separate file system/partition.
Verify that SLEM 5 has a separate file system/partition for the system audit data path with the following command: Note: "/var/log/audit" is used as the example as it is a common location. > grep /var/log/audit /etc/fstab UUID=c4e898dd-6cd9-4091-a733-9435e505957a /var btrfs defaults,subvol=@/var/log/audit 0 0 If a separate entry for the system audit data path (in this example the "/var/log/audit" path) does not exist, ask the system administrator if the system audit logs are being written to a different file system/partition on the system and then grep for that file system/partition. If a separate file system/partition does not exist for the system audit data path, this is a finding.
Migrate SLEM 5 audit data path onto a separate file system or partition.
Verify SLEM 5 file systems that are being NFS exported are mounted with the "nosuid" option with the following command: > grep nfs /etc/fstab UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0 If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.
Configure SLEM 5 "/etc/fstab" file to use the "nosuid" option on file systems that are being exported via NFS.
Verify SLEM 5 file systems that are being NFS exported are mounted with the "noexec" option with the following command: > grep nfs /etc/fstab UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0 If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.
Configure SLEM 5 "/etc/fstab" file to use the "noexec" option on file systems that are being exported via NFS.
Verify SLEM 5 file systems used for removable media are mounted with the "nosuid" option with the following command: > more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0 If a file system found in "/etc/fstab" refers to removable media and does not have the "nosuid" option set, this is a finding.
Configure SLEM 5 "/etc/fstab" file to use the "nosuid" option on file systems that are associated with removable media.
Verify SLEM 5 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. Verify the system partitions are all encrypted with the following commands: > sudo blkid /dev/sda1: "UUID=26d4a101-7f48-4394-b730-56dc00e65f64" TYPE="crypto_LUKS" /dev/sda2: "UUID=f5b8a790-14cb-4b82-882d-707d52f27765" TYPE="crypto_LUKS" /dev/sda3: "UUID=f2d86128-f975-478d-a5b0-25806c900eac" TYPE="crypto_LUKS" Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding. > sudo more /etc/crypttab cr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64 cr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765 cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac Every persistent disk partition present on the system must have an entry in the /etc/crypttab file. If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding. Verify the system works in FIPS mode with the following command: > sudo sysctl - a | grep fips crypto.fips_enabled = 1
Configure SLEM 5 to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already-installed system is more difficult because of the need to resize and change existing partitions. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted partition by default. Add it manually in the partitioning dialog. The following set of commands will switch SLEM 5 to work in FIPS mode: >sudo transactional-update pkg install -t pattern microos-fips >reboot Add of modify the following line in the "/etc/default/grub" file to include "fips=1": GRUB_CMDLINE_LINUX_DEFAULT="splash=silent swapaccount=1 apparmor=0 mitigations=auto quiet crashkernel=195M,high crashkernel=72M,low fips=1" >sudo transactional-update grub.cfg >sudo reboot:
Verify that SLEM 5 file systems that contain user home directories are mounted with the "nosuid" option. Print the currently active file system mount options of the file system(s) that contain the user home directories with the following command: > for X in `awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd`; do findmnt -nkT $X; done | sort -r /home /dev/mapper/system-home ext4 rw,nosuid,realtime,data=ordered If a file system containing user home directories is not mounted with the FSTYPE OPTION nosuid, this is a finding. Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.
Configure SLEM 5 "/etc/fstab" file to use the "nosuid" option on file systems that contain user home directories for interactive users. Remount the filesystems. > sudo mount -o remount /home
Verify SLEM 5 disables the ability to automount devices. Verify the automounter service is installed with the following command: > sudo zypper se autofs If it is installed, verify the automounter service is active with the following command: > systemctl status autofs autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) If the "autofs" status is set to "active" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.
Configure SLEM 5 to disable the ability to automount devices. Turn off the automount service with the following command: > sudo systemctl stop autofs > sudo systemctl disable autofs If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.
Verify that the system command directories have mode "755" or less permissive with the following command: > find -L /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any directories are found to be group-writable or world-writable, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command: > sudo find -L /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \; > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin -perm /022 -type f -exec chmod 755 '{}' \; > exit > sudo reboot
Verify that the system command directories have mode "755" or less permissive with the following command: > find -L /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any directories are found to be group-writable or world-writable, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command: > sudo find -L /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \; > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin -perm /022 -type f -exec chmod 755 '{}' \; > exit > sudo reboot
Verify the system-wide shared library directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" have mode "755" or less permissive with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.
Configure the library files to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec chmod 755 '{}' \; > exit > sudo reboot
Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" have mode "755" or less permissive with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec stat -c "%n %a" '{}' \; If any files are found to be group-writable or world-writable, this is a finding.
Configure the library files to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec chmod 755 '{}' \; > exit > sudo reboot
Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. Verify the assigned home directory of all SLEM 5 local interactive users has a mode of "750" or less permissive with the following command: > ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) -rwxr-x--- 1 smithj users 18 Mar 5 17:6 /home/smithj If home directories referenced in "/etc/passwd" do not have a mode of "750" or less permissive, this is a finding.
Change the mode of SLEM 5 local interactive user's home directories to "750". To change the mode of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj". > sudo chmod 750 /home/smithj
Verify that all SLEM 5 local initialization files have a mode of "740" or less permissive with the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". > sudo ls -al /home/smithj/.* | more -rw-r-x---- 1 smithj users 896 Mar 10 2011 .profile -rw-r-x---- 1 smithj users 497 Jan 6 27 .login -rw-r-x---- 1 smithj users 886 Jan 6 27 .something If any local initialization files have a mode more permissive than "740", this is a finding.
Set the mode of SLEM 5 local initialization files to "740" with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". > sudo chmod 740 /home/smithj/.<INIT_FILE>
Verify SLEM 5 SSH daemon public host key files have mode "644" or less permissive with the following command: Note: SSH public key files may be found in other directories on the system depending on the installation. > find /etc/ssh -name 'ssh_host*key.pub' -exec stat -c "%a %n" {} \; 644 /etc/ssh/ssh_host_rsa_key.pub 644 /etc/ssh/ssh_host_dsa_key.pub 644 /etc/ssh/ssh_host_ecdsa_key.pub 644 /etc/ssh/ssh_host_ed25519_key.pub If any file has a mode more permissive than "644", this is a finding.
Configure SLEM 5 SSH daemon public host key files have mode "644" or less permissive. Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under "/etc/ssh" to "644" with the following command: > sudo chmod 644 /etc/ssh/ssh_host*key.pub
Verify SLEM 5 SSH daemon private host key files have mode "640" or less permissive. The following command will find all SSH private key files on the system with the following command: > sudo find / -name '*ssh_host*key' -exec ls -lL {} \; Check the mode of the private host key files under "/etc/ssh" file with the following command: > find /etc/ssh -name 'ssh_host*key' -exec stat -c "%a %n" {} \; 640 /etc/ssh/ssh_host_rsa_key 640 /etc/ssh/ssh_host_dsa_key 640 /etc/ssh/ssh_host_ecdsa_key 640 /etc/ssh/ssh_host_ed25519_key If any file has a mode more permissive than "640", this is a finding.
Configure the mode of SLEM 5 SSH daemon private host key files under "/etc/ssh" to "640" with the following command: > sudo chmod 640 /etc/ssh/ssh_host*key
Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec stat -c "%n %U" '{}' \; If any system wide library file is returned, this is a finding.
Configure the library files to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec chown root '{}' \; > exit > sudo reboot
Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec stat -c "%n %G" '{}' \; If any system wide library file is returned, this is a finding.
Configure the library files to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec chgrp root '{}' \; > exit > sudo reboot
Verify the system-wide shared library directories contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; If any system wide library directory is returned, this is a finding.
Configure the library directories to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \; > exit > sudo reboot
Verify the system-wide shared library directories contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system wide library directory is returned, this is a finding.
Configure the library directories to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec chgrp root '{}' \; > exit > sudo reboot
Verify that the system commands are owned by root with the following command: > sudo find -L /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \; If any system commands are returned, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin ! -user root -type f -exec chown root '{}' \; > exit > sudo reboot
Verify that the system commands are group-owned by root with the following command: > sudo find -L /usr/local/bin /usr/local/sbin! -group root -type f -exec stat -c "%n %G" '{}' \; If any system commands are returned, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin ! -user root -type f -exec chown root '{}' \; > exit > sudo reboot
Verify that the system command directories are owned by root with the following command: > find -L /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \; If any system command directories are returned, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin ! -user root -type d -exec chown root '{}' \; > exit > sudo reboot
Verify that the system command directories are group-owned by root with the following command: > find -L /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system command directories are returned, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin ! -group root -type d -exec chgrp root '{}' \; > exit > sudo reboot
Verify that all SLEM 5 files and directories on the system have a valid owner with the following command: Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. > sudo find / -fstype xfs -nouser If any files on the system do not have a valid owner, this is a finding.
Either remove all files and directories from SLEM 5 that do not have a valid user or assign a valid user to all unowned files and directories on the system with the "chown" command: > sudo chown <user > <file>
Verify all SLEM 5 files and directories on the system have a valid group with the following command: Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. > sudo find / -fstype xfs -nogroup If any files on the system do not have a valid group, this is a finding.
Either remove all files and directories from SLEM 5 that do not have a valid group or assign a valid group to all files and directories on the system with the "chgrp" command: > sudo chgrp <group > <file>
Verify the assigned home directory of all SLEM 5 local interactive users is group-owned by that user's primary GID with the following command: Note: This may miss local interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example. > awk -F: '($3>=1000)&&($7 !~ /nologin/){print $4, $6}' /etc/passwd) 250:/home/smithj Check the user's primary group with the following command: > grep users /etc/group users:x:250:smithj,jonesj,jacksons If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.
Change the group owner of a SLEM 5 local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. > sudo chgrp users /home/smithj
Verify all SLEM 5 world-writable directories are group-owned by root, sys, bin, or an application group with the following command: > sudo find / -perm -002 -type d -exec ls -lLd {} \; drwxrwxrwt. 2 root root 40 Aug 26 13:7 /dev/mqueue drwxrwxrwt. 2 root root 220 Aug 26 13:23 /dev/shm drwxrwxrwt. 14 root root 4096 Aug 26 13:29 /tmp If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.
Change the group of SLEM 5 world-writable directories to root with the following command: > sudo chgrp root <directory>
Verify SLEM 5 prevents unauthorized and unintended information transfer via the shared system resources with the following command: > sudo find / \( -path /.snapshots -o -path /sys -o -path /proc \) -prune -o -perm -002 -type d -exec ls -lLd {} \; 256 0 drwxrwxrwt 1 root root 4096 Jun 14 06:45 /tmp If any of the returned directories do not have the sticky bit set, or are not documented as having the write permission for the other class, this is a finding.
Configure SLEM 5 shared system resources to prevent any unauthorized and unintended information transfer by setting the sticky bit for all world-writable directories. An example of a world-writable directory is "/tmp" directory. Set the sticky bit on all of the world-writable directories (using the "/tmp" directory as an example) with the following command: > sudo chmod 1777 /tmp For every world-writable directory, replace "/tmp" in the command above with the world-writable directory that does not have the sticky bit set.
Verify SLEM 5 prevents unauthorized users from accessing system error messages. Check the "/var/log/messages" file permissions with the following command: > sudo stat -c "%n %U:%G %a" /var/log/messages /var/log/messages root:root 640 Check that "permissions.local" file contains the correct permissions rules with the following command: > grep -i messages /etc/permissions.local /var/log/messages root:root 640 If the effective permissions do not match the "permissions.local" file, the command does not return any output, or is commented out, this is a finding.
Configure SLEM 5 to prevent unauthorized users from accessing system error messages. Add or update the following rules in "/etc/permissions.local": /var/log/messages root:root 640 Set the correct permissions with the following command: > sudo chkstat --set --system
Verify SLEM 5 has all system log files under the /var/log directory with a permission set to "640", by using the following command: Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Vulnerability Discussion for details. > sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec stat -c "%n %a" {} \; If command displays any output, this is a finding.
Configure SLEM 5 to set permissions of all log files under /var/log directory to "640" or more restricted, by using the following command: Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Vulnerability Discussion for details. > sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \;
Verify SLEM 5 "firewalld.service" is enabled and running with the following command: > systemctl status firewalld.service firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2023-11-29 08:12:35 MST If the service is not enabled and active, this is a finding. Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: > sudo firewall-cmd --list-all Ask the system administrator for the site or program PPSM Component Local Services Assessment (Component Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.
Configure SLEM 5 is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. Add/modify /etc/firewalld configuration files to comply with the PPSM CAL. Enable and start the "firewalld.service" by running the following command: > sudo systemctl enable firewalld.service --now To immediately disable remote access and disconnect all current remote connections, the firewall needs to be set into panic mode. > sudo firewall-cmd --panic-on To allow remote access, panic mode needs to be disabled. > sudo firewall-cmd --panic-off
Verify that SLEM 5 clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second with the following command: > sudo grep maxpoll /etc/chrony.conf server 0.us.pool.ntp.mil maxpoll 16 If the "server" parameter is not set to an authoritative DOD time source, "maxpoll" is greater than "16", the line is commented out, or the line is missing, this is a finding.
SLEM 5 clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second. To configure the system clock to synchronize to an authoritative DOD time source at least every 24 hours, edit the file "/etc/chrony.conf". Add or correct the following lines by replacing "<time_source>" with an authoritative DOD time source: server <time_source> maxpoll 16
Verify SLEM 5 network interfaces are not in promiscuous mode with the following command: > ip link | grep -i promisc If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.
Configure SLEM 5 network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. Set the promiscuous mode of an interface to off with the following command: > sudo ip link set dev <devicename> promisc off
Verify SLEM 5 does not accept IPv4 source-routed packets with the following command: > sudo sysctl net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.accept_source_route = 0 If the network parameter "ipv4.conf.all.accept_source_route" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to disable IPv4 source routing by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 does not accept IPv4 source-routed packets by default with the following command: > sudo sysctl net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.accept_source_route = 0 If the network parameter "ipv4.conf.default.accept_source_route" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to disable IPv4 default source routing by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 does not accept IPv4 ICMP redirect messages with the following command: > sudo sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_redirects = 0 If the network parameter "ipv4.conf.all.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to not accept IPv4 ICMP redirect messages by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 does not accept IPv4 ICMP redirect messages by default with the following command: > sudo sysctl net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects = 0 If the network parameter "ipv4.conf.default.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to not accept IPv4 ICMP redirect messages by default by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 does not allow interfaces to perform IPv4 ICMP redirects with the following command: > sudo sysctl net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects = 0 If the network parameter "ipv4.conf.all.send_redirects" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to not allow interfaces to perform IPv4 ICMP redirects by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.all.send_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 does not allow interfaces to perform IPv4 ICMP redirects by default with the following command: > sudo sysctl net.ipv4.conf.default.send_redirects net.ipv4.conf.default.send_redirects = 0 If the network parameter "ipv4.conf.default.send_redirects" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to not allow interfaces to perform IPv4 ICMP redirects by default by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.default.send_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 is not performing IPv4 packet forwarding, unless the system is a router with the following command: > sudo sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0 If the network parameter "ipv4.ip_forward" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to not performing IPv4 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv4.ip_forward=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.ip_forward=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 is configured to use IPv4 TCP syncookies with the following command: > sudo sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 If the network parameter "ipv4.tcp_syncookies" is not equal to "1", or nothing is returned, this is a finding.
Configure SLEM 5 to use IPv4 TCP syncookies by running the following command as an administrator: > sudo sysctl -w net.ipv4.tcp_syncookies=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 does not accept IPv6 source-routed packets with the following command: > sudo sysctl net.ipv6.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route = 0 If the network parameter "ipv6.conf.all.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.
Configure SLEM 5 to disable IPv6 source routing by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 does not accept IPv6 source-routed packets by default with the following command: > sudo sysctl net.ipv6.conf.default.accept_source_route net.ipv6.conf.default.accept_source_route = 0 If the network parameter "ipv6.conf.default.accept_source_route" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to disable IPv6 default source routing by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 does not accept IPv6 ICMP redirect messages with the following command: > sudo sysctl net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects = 0 If the network parameter "ipv6.conf.all.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to not accept IPv6 ICMP redirect messages by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 does not allow IPv6 ICMP redirect messages by default with the following command: > sudo sysctl net.ipv6.conf.default.accept_redirects net.ipv6.conf.default.accept_redirects = 0 If the network parameter "ipv6.conf.default.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to not accept IPv6 ICMP redirect messages by default by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 is not performing IPv6 packet forwarding, unless the system is a router with the following command: > sudo sysctl net.ipv6.conf.all.forwarding net.ipv6.conf.all.forwarding = 0 If the network parameter "ipv6.conf.all.forwarding" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to not performing IPv6 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.forwarding=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.forwarding=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify SLEM 5 is not performing IPv6 packet forwarding by default, unless the system is a router with the following command: > sudo sysctl net.ipv6.conf.default.forwarding net.ipv6.conf.default.forwarding = 0 If the network parameter "ipv6.conf.default.forwarding" is not equal to "0", or nothing is returned, this is a finding.
Configure SLEM 5 to not performing IPv6 packet forwarding by default by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.forwarding=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.forwarding=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system
Verify the SSH package is installed by using the following command: > zypper info openssh | grep -i installed Name : openssh Version : 8.4p1-3.9.1 Arch : X86_64 Vendor : SUSE LLC <https://www.suse.com> Installed Size : 0 B Installed : Yes Status : up-to-date If the "openssh" package is not installed, this is a finding.
Install the "openssh" package on SLEM 5 with the following command: > sudo transactional-update pkg install openssh Reboot the system for the changes to take effect: > sudo reboot
Verify "sshd.service" is enabled and active by using the following command: > systemctl status sshd.service | grep -i active Active: active (running) since Wed 2023-11-29 09:49:45 MST; 2 months 23 days ago If "openssh.service" is not active, this is a finding.
Enable "openssh.service" to start automatically on reboot with the following command: > sudo systemctl enable sshd.service For the changes to take effect immediately, start the service with the following command: > sudo systemctl restart sshd.service
Verify SLEM 5 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*banner' /etc/ssh/sshd_config:Banner /etc/issue If "Banner" is not set to "/etc/issue", is commented out, missing, or conflicting results are returned, this is a finding.
Add or modify the following line in the "/etc/ssh/sshd_config" file: Banner /etc/issue/ Restart the "sshd.service": > sudo systemctl restart sshd.service
Verify SLEM 5 disables unattended or automatic logon via SSH with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iEH '^\s*(permit(.*?)(passwords|environment))' /etc/ssh/sshd_config:PermitEmptyPasswords no /etc/ssh/sshd_config:PermitUserEnvironment no If "PermitEmptyPasswords" or "PermitUserEnvironment" keywords are not set to "no", are commented out, or are missing completely, this is a finding.
Configure SLEM 5 disables unattended or automatic logon via SSH. Add or modify the following lines in the "/etc/ssh/sshd_config" file: PermitEmptyPasswords no PermitUserEnvironment no
Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive by using the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientalivecountmax' /etc/ssh/sshd_config:ClientAliveCountMax 1 If "ClientAliveCountMax" is not set to "1", is commented out, missing, or conflicting results are returned, this is a finding.
Add or modify the following line in the "/etc/ssh/sshd_config" file: ClientAliveCountMax 1 Restart the SSH daemon for the changes to take effect: > sudo systemctl restart sshd.service
Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes by using the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientaliveinterval' /etc/ssh/sshd_config:ClientAliveInterval 600 If "ClientAliveInterval" is not set to "600" or less, is commented out, missing, or conflicting results are returned, this is a finding.
Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. Add or modify the following line in the "/etc/ssh/sshd_config" file: ClientAliveInterval 600 The SSH daemon must be restarted for any changes to take effect: > systemctl restart sshd.service
Verify SLEM 5 SSH daemon remote X forwarded connections for interactive users are disabled with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11forwarding' /etc/ssh/sshd_config:X11Forwarding no If the "X11Forwarding" keyword is set to "yes" and is not documented with the information system security officer (ISSO) as an operational requirement, is commented out, or the line is missing, this is a finding.
Configure SLEM 5 SSH daemon to disable forwarded X connections for interactive users. Add or modify the following line in the "/etc/ssh/sshd_config" file: X11Forwarding no
Verify that SLEM 5 implements DOD-approved encryption to protect the confidentiality of SSH remote connections with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ciphers' /etc/ssh/sshd_config:Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the line is commented out, or the "Ciphers" keyword is missing, or conflicting results are returned, this is a finding.
Configure the SSH server to only implement FIPS 140-2/140-3 approved ciphers. Add or modify the following line in the "/etc/ssh/sshd_config" file: Ciphers aes256-ctr,aes192-ctr,aes128-ctr Restart the SSH daemon: > sudo systemctl restart sshd.service
Verify SLEM 5 SSH daemon is configured to only use MACs that employ FIPS 140-2/140-3 approved hashes with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*macs' /etc/ssh/sshd_config:MACs hmac-sha2-512,hmac-sha2-256 If any ciphers other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, is commented out, missing, or conflicting results are returned, this is a finding.
Configure SLEM 5 SSH daemon to only use MACs that employ FIPS 140-2/140-3 approved hashes. Add or modify the following line in the "/etc/ssh/sshd_config" file: MACs hmac-sha2-512,hmac-sha2-256
Verify that the SSH server is configured to use only FIPS 140-2/140-3 validated key exchange algorithms with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kexalgorithms' KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 If "KexAlgorithms" does not contain the list of algorithms in the exact order, is commented out, missing, or conflicting results are returned, this is a finding.
Configure the SSH server to use only FIPS 140-2/140-3 validated key exchange algorithms. Add or modify the following line in the "/etc/ssh/sshd_config" file: KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 Restart the SSH daemon for changes to take effect: > sudo systemctl restart sshd.service
Verify SLEM 5 denies direct logons to the root account using remote access via SSH with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permitrootlogin' /etc/ssh/sshd_config:PermitRootLogin no If the "PermitRootLogin" keyword is set to "yes", is commented out, missing, or conflicting results are returned, this is a finding.
Configure SLEM 5 to deny direct logons to the root account using remote access via SSH. Add or modify the following line in the "/etc/ssh/sshd_config" file: PermitRootLogin no
Verify SSH is configured to verbosely log connection attempts and failed logon attempts to SLEM 5 with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*loglevel' /etc/ssh/sshd_config:LogLevel VERBOSE If "LogLevel" is not set to "VERBOSE", is commented out, missing, or conflicting results are returned, this is a finding.
Configure SSH to verbosely log connection attempts and failed logon attempts to SLEM 5. Add or modify the following line in the "/etc/ssh/sshd_config" file: LogLevel VERBOSE Restart the SSH daemon in order for the changes to take effect: > sudo systemctl restart sshd.service
Verify all remote connections via SSH to SLEM 5 display feedback on when account accesses last occurred with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*printlastlog' /etc/ssh/sshd_config:PrintLastLog yes If the "PrintLastLog" is not set to "yes", is commented out, missing, or conflicting results are returned, this is a finding.
Configure SLEM 5 to provide users with feedback on when account accesses last occurred. Add or modify the following lines in the "/etc/ssh/sshd_config" file: PrintLastLog yes Restart the SSH daemon in order for the changes to take effect: > sudo systemctl restart sshd.service
Verify SLEM 5 SSH daemon is configured to not allow authentication using "known hosts" authentication with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ignoreuserknownhosts' /etc/ssh/sshd_config:IgnoreUserKnownHosts yes If "IgnoreUserKnownHosts" is not set to "no", is commented out, missing, or conflicting results are returned, this is a finding.
Configure SLEM 5 SSH daemon to not allow authentication using "known hosts" authentication. Add or modify the following line in the "/etc/ssh/sshd_config" file: IgnoreUserKnownHosts yes Restart the SSH daemon in order for the changes to take effect: > sudo systemctl restart sshd.service
Verify SLEM 5 SSH daemon performs strict mode checking of home directory configuration files with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*strictmodes' /etc/ssh/sshd_config:StrictModes yes If "StrictModes" is not set to "yes", is commented out, missing, or conflicting results are returned, this is a finding.
Configure SLEM 5 SSH daemon performs strict mode checking of home directory configuration files. Add or modify the following line in the "/etc/ssh/sshd_config" file: StrictModes yes Restart the SSH daemon in order for the changes to take effect: > sudo systemctl restart sshd.service
Verify the SSH private key files have a passcode. For each private key stored on the system, use the following command (with the example of "/etc/ssh/ssh_host_dsa_key"): > ssh-keygen -y -f /etc/ssh/ssh_host_dsa_key Load key "/etc/ssh/ssh_host_dsa_key": Permission denied If the contents of any key are displayed, this is a finding.
Create a new private and public key pair that uses a passcode with the following command: > sudo ssh-keygen -n <passphrase>
Verify there are no ".shosts" files on SLEM 5 with the following command: > sudo find / \( -path /.snapshots -o -path /sys -o -path /proc \) -prune -o -name '.shosts' -print If any ".shosts" files are found on the system, this is a finding.
Remove any ".shosts" files found on SLEM 5. > sudo rm /<path_to_file>/.shosts
Verify there are no "shosts.equiv" files on SLEM 5 with the following command: > sudo find /etc -name shosts.equiv If any "shosts.equiv" files are found on the system, this is a finding.
Remove any "shosts.equiv" files found on SLEM 5. > sudo rm /<path_to_file>/shosts.equiv
Note: If a graphical user interface is not installed, this requirement is not applicable. Verify SLEM 5 does not allow unattended or automatic logon via the GUI. Check that unattended or automatic login is disabled with the following commands: > grep -i ^DISPLAYMANAGER_AUTOLOGIN /etc/sysconfig/displaymanager DISPLAYMANAGER_AUTOLOGIN="" > grep -i ^DISPLAYMANAGER_PASSWORD_LESS_LOGIN /etc/sysconfig/displaymanager DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" If the "DISPLAYMANAGER_AUTOLOGIN" parameter includes a username or the "DISPLAYMANAGER_PASSWORD_LESS_LOGIN" is not set to "no", this is a finding.
Note: If a graphical user interface is not installed, this requirement is not applicable. Configure SLEM 5 GUI to not allow unattended or automatic logon to the system. Add or modify the following lines in the "/etc/sysconfig/displaymanager" file: DISPLAYMANAGER_AUTOLOGIN="" DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"
Verify that SLEM 5 has no wireless network adapters enabled with the following command: > sudo wicked show all ... wlan0 up link: #3, state up, mtu 1500 type: wireless, hwaddr 06:00:00:00:00:02 config: wicked:xml:/etc/wicked/ifconfig/wlan0.xml leases: ipv4 dhcp granted addr: ipv4 10.0.0.101/16 [dhcp] route: ipv4 default via 10.0.0.1 proto dhcp If a wireless interface is configured and has not been documented and approved by the AO, this is a finding.
Configure SLEM 5 to disable all wireless network interfaces with the following command: For each interface of type wireless, bring the interface into "down" state: > sudo wicked ifdown wlan0 For each interface of type wireless with a configuration type of "compat:suse:", remove the associated file: > sudo rm /etc/sysconfig/network/ifcfg-wlan0 For each interface of type wireless, for each configuration of type "wicked:xml:", remove the associated file or remove the interface configuration from the file. > sudo rm /etc/wicked/ifconfig/wlan0.xml
Verify SLEM 5 does not automount USB mass storage devices when connected to the host with the following command: > grep usb-storage /etc/modprobe.d/50-blacklist.conf blacklist usb-storage If the line is commented out or the line is missing, this is a finding.
Configure SLEM 5 to prevent USB mass storage devices from automounting when connected to the host. Add or modify the following line in the "/etc/modprobe.d/50-blacklist.conf" file: blacklist usb-storage
Verify all SLEM 5 local interactive users on the system are assigned a home directory upon creation with the following command: > grep -i create_home /etc/login.defs CREATE_HOME yes If the "CREATE_HOME" parameter is not set to "yes", the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to assign home directories to all new local interactive users. Add or modify the following line in the "/etc/login.defs" file: CREATE_HOME yes
Verify SLEM 5 defines default permissions for all authenticated users in such a way that the users can only read and modify their own files with the following command: > grep -i "^umask" /etc/login.defs UMASK 077 If the "UMASK" variable is set to "000", the severity is raised to a CAT I and this is a finding. If the value of "UMASK" is not set to "077", the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to define the default permissions for all authenticated users in such a way that the users can only read and modify their own files. Add or modify the following line in the "/etc/login.defs" file: UMASK 077
Verify SLEM 5 enforces a delay of at least five seconds between logon prompts following a failed logon attempt with the following command: > grep -i fail_delay /etc/login.defs FAIL_DELAY 5 If the value of "FAIL_DELAY" is not set to "5" or greater, the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to enforce a delay of at least five seconds between logon prompts following a failed logon attempt. Add or modify the following line in the "/etc/login.defs" file: FAIL_DELAY 5
Verify SLEM 5 local interactive users on the system have a home directory assigned with the following command: > sudo pwck -r user 'smithj': directory '/home/smithj' does not exist Ask the system administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command: > awk -F: '($3>=1000)&&($1!="nobody"){print $1 ":" $3}' /etc/passwd If any interactive users do not have a home directory assigned, this is a finding.
Assign home directories to all SLEM 5 local interactive users that currently do not have a home directory assigned. Assign a home directory to users via the usermod command: > sudo usermod -d /home/smithj smithj
Verify the assigned home directory of all SLEM 5 local interactive users on the system exists. Check the home directory assignment for all local interactive nonprivileged users on the system with the following command: > awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $6}' /etc/passwd smithj /home/smithj Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. Check that all referenced home directories exist with the following command: > sudo pwck -r user 'smithj': directory '/home/smithj' does not exist If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.
Create home directories to all SLEM 5 local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd". > sudo mkdir /home/smithj > sudo chown smithj /home/smithj > sudo chgrp users /home/smithj > sudo chmod 0750 /home/smithj
Verify that all SLEM 5 local interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the user's home directory with the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". > sudo grep -i path= /home/smithj/.* /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the ISSO as an operational requirement, this is a finding.
Edit SLEM 5 local interactive user initialization files to change any PATH variable statements for executables that reference directories other than their home directory. If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.
Verify that SLEM 5 local initialization files do not execute world-writable programs with the following command: > sudo find / -xdev -perm -002 -type f -exec ls -ld {} \; For all files listed, check for their presence in the local initialization files with the following command: Note: The example will be for a system that is configured to create users' home directories in the "/home" directory. > sudo find /home/* -maxdepth 1 -type f -name \.\* -exec grep -H <file > {} \; If any local initialization files are found to reference world-writable files, this is a finding.
Remove the references to these files in the local initialization scripts or remove the world-writable permission of files referenced by SLEM 5 local initialization scripts with the following command: > sudo chmod 755 <file>
Verify temporary accounts have been provisioned with an expiration date of 72 hours with the following command: > sudo chage -l <temporary_account_name> | grep -E '(Password|Account) expires' If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.
Configure SLEM 5 to expire temporary accounts after 72 hours with the following command: >sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>
Verify SLEM 5 is configured such that emergency administrator accounts are never automatically removed or disabled with the following command: Note: Root is typically the "account of last resort" on a system and is also used as the example emergency administrator account. If another account is being used as the emergency administrator account, the command should be used against that account. > sudo chage -l <emergency_administrator_account_name> | grep -E '(Password|Account) expires' Password expires: never Account expires: never If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.
Configure SLEM 5 to never automatically remove or disable emergency administrator accounts. > sudo chage -I -1 -M 99999 <emergency_administrator_account_name>
Verify all SLEM 5 accounts are assigned to an active system, application, or user account with the following command: > more /etc/passwd root:x:0:0:root:/root:/bin/bash ... games:x:12:100:Games account:/var/games:/bin/bash Obtain the list of authorized system accounts from the information system security officer (ISSO). If the accounts on the system do not match the provided documentation, this is a finding.
Configure SLEM 5 so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. Document all authorized accounts on the system.
Verify all noninteractive SLEM 5 accounts do not have an interactive shell assigned to them with the following command: Check the system accounts on the system. > awk -F: '($7 !~ "/sbin/nologin" && $7 !~ "/bin/false"){print $1 ":" $3 ":" $7}' /etc/passwd root:0:/bin/bash nobody:65534:/bin/bash Obtain the list of authorized system accounts from the information system security officer (ISSO). If noninteractive accounts such as "games" or "nobody" are listed with an interactive shell, this is a finding.
Configure SLEM 5 so that all noninteractive accounts on the system have no interactive shell assigned to them. Run the following command to disable the interactive shell for a specific noninteractive user account: > sudo usermod --shell /sbin/nologin nobody
Verify that SLEM 5 root account is the only account with unrestricted access to the system with the following command: > awk -F: '$3 == 0 {print $1}' /etc/passwd root If any accounts other than root are listed, this is a finding.
Change the UID of any account on SLEM 5, other than the root account, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". If the account is not associated with system commands or applications, assign a UID of greater than "1000" that has not already been assigned.
Verify SLEM 5 disables account identifiers after 35 days of inactivity after the password expiration with the following command: > sudo grep -i '^inactive' /etc/default/useradd INACTIVE=35 If the value for "INACTIVE" is not set to a value greater than "0" and less than or equal to "35", if the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to disable account identifiers after 35 days of inactivity after the password expiration. Run the following command to change the configuration for "useradd" to disable the account identifier after "35" days: > sudo useradd -D -f 35 DOD recommendation is "35" days, but a lower value greater than "0" is acceptable.
Verify SLEM 5 contains no duplicate UIDs for interactive users with the following command: > awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, this is a finding.
Configure SLEM 5 to contain no duplicate UIDs for interactive users. Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.
Verify SLEM 5 users are provided with feedback on when account accesses last occurred with the following command: > grep pam_lastlog /etc/pam.d/login session required pam_lastlog.so showfailed If "pam_lastlog" is missing from "/etc/pam.d/login" file, the "silent" option is present, the second column value different from "requisite", or the returned line is commented out, this is a finding.
Configure SLEM 5 to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login". Add the following line to the top of "/etc/pam.d/login": session required pam_lastlog.so showfailed
Verify SLEM 5 must initiate a session logout after a 15-minute period of inactivity for all connection type with the following command: > cat /etc/profile.d/autologout.sh TMOUT=900 readonly TMOUT export TMOUT If the file "/etc/profile.d/autologout.sh" does not exist or the output from the function call is not exactly the same, this is a finding.
Configure SLEM 5 to initiate a session lock after a 15-minute period of inactivity. Create or edit the "/etc/profile.d/autologout.sh" file and add or modify the following lines: TMOUT=900 readonly TMOUT export TMOUT Set the proper permissions for the "/etc/profile.d/autologout.sh" file with the following command: > sudo chmod +x /etc/profile.d/autologout.sh
Verify SLEM 5 locks a user account after three consecutive failed access attempts until the locked account is released by an administrator with the following command: > grep pam_tally2.so /etc/pam.d/common-auth auth required pam_tally2.so onerr=fail deny=3 If "deny" set to a value other than "1", "2", or "3", if "onerr=fail" is missing, if the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to lock an account when three unsuccessful access attempts occur. Note: Manual changes to the listed files may be overwritten by the "pam-config" program. The "pam-config" program should not be used to update the configurations listed in this requirement. Add or modify the first line of the auth section in the "/etc/pam.d/common-auth" file to match the following line: auth required pam_tally2.so onerr=fail silent audit deny=3 Add or modify the following line in the "/etc/pam.d/common-account" file: account required pam_tally2.so
Verify SLEM 5 enforces a delay of at least five seconds between logon prompts following a failed logon attempt with the following command: > grep pam_faildelay /etc/pam.d/common-auth auth required pam_faildelay.so delay=5000000 If the value of "delay" is not set to "5000000" or greater, "delay" is missing, the line is commented out, or the "pam_faildelay" line is missing completely, this is a finding.
Configure SLEM 5 to enforce a delay of at least five seconds between logon prompts following a failed logon attempt. Add or modify the following line in the "/etc/pam.d/common-auth" file: auth required pam_faildelay.so delay=5000000
Verify the location of the default tallylog file for the pam_tally2 module with the following command: Note: If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_tally2 module is not configured for use, this requirement is not applicable. > sudo grep -R pam_tally2 /etc/pam.d/login | grep "file=" | grep -v "^#" If the command returns any information, this is a finding. Check the security context type of the default tally2 directory with the following command: > sudo ls -Z /var/log/tallylog system_u:object_r:tallylog_t:s0 /var/log/tallylog If the security context type of the tally directory is not "tallylog_t", this is a finding.
Configure SLEM 5 to use the default pam_tally2 tally directory while SELinux enforces a targeted policy. Remove the pam_tallly nondefault tally directory if any, by removing "file=[directory-name]" configuration part from /etc/pam.d/login: > sudo sed -ri 's/\s+file=\S+\s+/ /g' /etc/pam.d/login Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "tallylog_t" context type for the default pam_tally2 tally directory with the following command: > sudo semanage fcontext -a -t tallylog_t "/var/log/tallylog" Next, update the context type of the default tallylog directory/subdirectories and files with the following command: > sudo restorecon -R -v /var/log/tallylog
Verify SLEM 5 limits the number of concurrent sessions to 10 for all accounts and/or account types with the following command: > grep "maxlogins" /etc/security/limits.conf * hard maxlogins 10 If the "maxlogins" does not have a value of "10" or less, is commented out, or is missing, this is a finding.
Configure SLEM 5 to limit the number of concurrent sessions to "10" or less for all accounts and/or account types. Add or modify the following line to the file "/etc/security/limits.conf": * hard maxlogins 10
Verify SLEM 5 has the policycoreutils package installed with the following command: > sudo zypper search -i policycoreutils I | policycoreutils | SELinux policy core utilities | package If the policycoreutils package is not installed, this is a finding.
Configure SLEM 5 to have the policycoreutils package installed with the following command: > sudo transactional-update pkg install policycoreutils > sudo reboot
Verify "SELinux" is active and in "Enforcing" mode with the following command: > sudo getenforce Enforcing If "SELinux" is not in "Enforcing" mode, this is a finding.
Configure SLEM 5 to verify correct operation of all security functions. Add or modify the following line in the "/etc/selinux/config" file: SELINUX=enforcing A reboot is required for the changes to take effect.
Verify "SELinux" is active and enforcing the targeted policy with the following command: > sudo sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 If the "Loaded policy name" is not set to "targeted", this is a finding.
Configure SLEM 5 to verify correct operation of all security functions. Add or modify the following line in the "/etc/selinux/config" file: SELINUXTYPE=targeted A reboot is required for the changes to take effect.
Verify SLEM 5 prevents nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. Obtain a list of authorized users (other than system administrator and guest accounts) for the system. Check the list against the system with the following command: > sudo semanage login -l | more Login Name SELinux User MLS/MCS Range Service __default__ user_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 * joe staff_u s0-s0:c0.c1023 * All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization. All authorized nonadministrative users must be mapped to the "user_u" role. If any interactive users are not mapped in this way, this is a finding.
Configure SLEM 5 to prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. Use the following command to map a new user to the "sysadm_u" role: > sudo semanage login -a -s sysadm_u <username> Use the following command to map an existing user to the "sysadm_u" role: > sudo semanage login -m -s sysadm_u <username> Use the following command to map a new user to the "staff_u" role: > sudo semanage login -a -s staff_u <username> Use the following command to map an existing user to the "staff_u" role: > sudo semanage login -m -s staff_u <username> Use the following command to map a new user to the "user_u" role: > sudo semanage login -a -s user_u <username> Use the following command to map an existing user to the "user_u" role: > sudo semanage login -m -s user_u <username>
Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation with the following command: > sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw If "Defaults" types are not defined for "!targetpw", "!rootpw", and "!runaspw", there are conflicting results between files, this is a finding.
Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw
Verify that SLEM 5 requires reauthentication when changing authenticators, roles, or escalating privileges with the following command: > sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.
Configure SLEM 5 to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.
Verify SLEM 5 requires reauthentication when using the "sudo" command to elevate privileges with the following command: > sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d /etc/sudoers:Defaults timestamp_timeout=0 If "timestamp_timeout" is set to a negative number, is commented out, conflicting results are returned, or no results are returned, this is a finding.
Configure the "sudo" command to require reauthentication. Add or modify the following line in the "/etc/sudoers" file: Defaults timestamp_timeout=<value> Note: The "<value>" must be a number that is greater than or equal to "0".
Verify the "sudoers" file restricts sudo access to authorized personnel with the following command: > sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* root ALL=(ALL) ALL If "ALL ALL=(ALL) ALL" or "ALL ALL=(ALL:ALL) ALL" entries are returned, this is a finding.
Remove the following entries from the "/etc/sudoers" file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL
Verify SLEM 5 specifies only the default "include" directory for the /etc/sudoers file, and does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. > sudo find /etc/sudoers /etc/sudoers.d -type f -exec grep -H "[#@]include" {} + /etc/sudoers:@includedir /etc/sudoers.d If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding.
Configure the "/etc/sudoers" file to only include the "/etc/sudoers.d" directory. Add or modify the following line: @includedir /etc/sudoers.d Remove any nested includes under the "/etc/sudoers.d" directory.
Verify SLEM 5 enforces password complexity by requiring at least one uppercase character with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ucredit=-1 If the value for "ucredit" is not "-1", if "ucredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to enforce password complexity by requiring at least one uppercase character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ucredit=-1" after the third column.
Verify SLEM 5 enforces password complexity by requiring at least one lower character with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so lcredit=-1 If the value for "lcredit" is not "-1", if "lcredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to enforce password complexity by requiring at least one lowercase character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "lcredit=-1" after the third column.
Verify SLEM 5 enforces password complexity by requiring at least one numeric character with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so dcredit=-1 If the value for "dcredit" is not "-1", if "dcredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to enforce password complexity by requiring at least one numeric character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "dcredit=-1" after the third column.
Verify SLEM 5 enforces password complexity by requiring at least one special character with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ocredit=-1 If the value for "ocredit" is not "-1", if "ucredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to enforce password complexity by requiring at least one special character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ocredit=-1" after the third column.
Verify SLEM 5 prevents the use of dictionary words for passwords with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so If the second column value is different from "requisite", the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to prevent the use of dictionary words for passwords. Edit "/etc/pam.d/common-password" and add the following line: password requisite pam_cracklib.so
Verify SLEM 5 enforces a minimum 15-character password length with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so minlen=15 If the value for "minlen" is not "15" or greater, the "minlen" option is missing from the line, the second column has a value different from "requisite", the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to enforce a minimum 15-character password length. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "minlen=15" after the third column. The DOD standard requires a minimum 15-character password length.
Verify SLEM 5 requires at least eight characters be changed between the old and new passwords during a password change with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so difok=8 If the value for "difok" is not "8" or greater, if "difok" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 to require at least eight characters be changed between the old and new passwords during a password change with the following command: Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "difok=8" after the third column.
Verify SLEM 5 prohibits the reuse of a password for a minimum of five generations with the following command: > grep pam_pwhistory.so /etc/pam.d/common-password password requisite pam_pwhistory.so remember=5 use_authtok If the value for "remember" is not "5" or greater, if the "remember" option is missing from the line, if the "use_authtok" option is missing, if the second column has a value different from "requisite", if the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 password history to prohibit the reuse of a password for a minimum of five generations. Edit "/etc/pam.d/common-password" and edit the line containing "pam_pwhistory.so" to contain the option "remember=5 use_authtok" after the third column.
Verify SLEM 5 configures the Linux PAM to only store encrypted representations of passwords with the following command: > grep pam_unix.so /etc/pam.d/common-password password required pam_unix.so sha512 If the value "sha512" is not present in the line, the second column value is different from "requisite", the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third column. Remove the "nullok" option if it exists.
Verify SLEM 5 is not configured to allow blank or null passwords with the following command: > grep pam_unix.so /etc/pam.d/* | grep nullok If this produces any output, this is a finding.
Configure SLEM 5 to not allow blank or null passwords. Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password" to prevent logons with empty passwords.
Check the "/etc/shadow" file for blank passwords with the following command: > sudo awk -F: '!$2 {print $1}' /etc/shadow If the command returns any results, this is a finding.
Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: > sudo passwd <username> Lock the account: > sudo passwd -l <username>
Verify SLEM 5 enforces a minimum time period between password changes for each user account of one day or greater with the following command: > sudo awk -F: '$4 < 1 {print $1 ":" $4}' /etc/shadow smithj:1 If any results are returned that are not associated with a system account, this is a finding.
Configure SLEM 5 to enforce 24 hours/one day or greater as the minimum password age for user accounts. Change the minimum time period between password changes for each <username> account to "1" day with the command, replacing <username> with the user account that must be changed: > sudo passwd -n 1 <username>
Verify that SLEM 5 enforces a maximum user password age of 60 days or less with the following command: > sudo awk -F: '$5 > 60 || $5 == "" {print $1 ":" $5}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding.
Configure SLEM 5 to enforce a maximum password age of each <username> account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance: > sudo passwd -x 60 <username>
Verify the password history file exists on SLEM 5 with the following command: > ls -al /etc/security/opasswd -rw------- 1 root root 82 Dec 7 19:41 /etc/security/opasswd If the "/etc/security/opasswd" file does not exist, this is a finding.
Configure SLEM 5 to create the password history file with the following commands: Create the file: > sudo touch /etc/security/opasswd Set ownership permissions: > sudo chown root:root /etc/security/opasswd Set access permissions: > sudo chmod 0600 /etc/security/opasswd
Verify SLEM 5 shadow password suite is configured to encrypt interactive user passwords using FIPS 140-2/140-3-approved cryptographic hash with the following command: > sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6", this is a finding.
Configure SLEM 5 to encrypt all stored passwords with FIPS 140-2/140-3-approved cryptographic hash. Add or modify the following line in the "/etc/login.defs" file: ENCRYPT_METHOD SHA512 Lock all interactive user accounts not using SHA512 hashing until the passwords can be regenerated.
Verify SLEM 5 shadow password suite is configured to encrypt passwords using sufficient number of hashing rounds. > egrep "^SHA_CRYPT_" /etc/login.defs SHA_CRYPT_MIN_ROUNDS 5000 SHA_CRYPT_MAX_ROUNDS 5000 If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding. If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.
Configure SLEM 5 shadow password suite is configured to encrypt passwords using sufficient number of hashing rounds. Add or modify the following line in the "/etc/login.defs" file: SHA_CRYPT_MIN_ROUNDS 5000
Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2/140-3 approved cryptographic hashing algorithm with the following command: > grep "^ENCRYPT_METHOD " /etc/login.defs ENCRYPT_METHOD SHA512 If "ENCRYPT_METHOD" is not set to "SHA512", if any values other that "SHA512" are configured, or if no output is produced, this is a finding.
Configure SLEM 5 to require "ENCRYPT_METHOD" of "SHA512". Add or modify the following line in the "/etc/login.defs" file: ENCRYPT_METHOD SHA512
Verify SLEM 5 creates or updates passwords with minimum password age of one day or greater with the following command: > grep '^PASS_MIN_DAYS' /etc/login.defs PASS_MIN_DAYS 1 If "PASS_MIN_DAYS" does not have a value of "1" or greater, the line is commented out, or no line is returned, this is a finding.
Configure SLEM 5 to enforce 24 hours/one day or greater as the minimum password age. Add or modify the following line in the "/etc/login.defs" file: PASS_MIN_DAYS <days> The DOD requirement is "1", but a greater value is acceptable.
Verify that SLEM 5 is configured to create or update passwords with a maximum password age of 60 days or less with the following command: > grep '^PASS_MAX_DAYS' /etc/login.defs If "PASS_MAX_DAYS" is not set to a value of "60" or less, but greater than "0", the line is commented out, or no line is returned, this is a finding.
Configure SLEM 5 to enforce a maximum password age of 60 days or less. Add or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS <days> The DOD requirement is 60 days or less (but greater than zero, as zero days will lock the account immediately).
Verify SLEM 5 has the packages required for multifactor authentication installed. Check for the presence of the packages required to support multifactor authentication with the following commands: > zypper info pam_pkcs11 | grep -i installed Installed: Yes > zypper info mozilla-nss | grep -i installed Installed: Yes > zypper info mozilla-nss-tools | grep -i installed Installed: Yes > zypper info pcsc-ccid | grep -i installed Installed: Yes > zypper info pcsc-lite | grep -i installed Installed: Yes > zypper info pcsc-tools | grep -i installed Installed: Yes > zypper info opensc | grep -i installed Installed: Yes > zypper info coolkey | grep -i installed Installed: Yes If any of the packages required for multifactor authentication are not installed, this is a finding.
Configure SLEM 5 to implement multifactor authentication by installing the required packages. Install the packages required to support multifactor authentication with the following commands: > sudo transactional-update pkg install pam_pkcs11 > sudo reboot > sudo transactional-update pkg install mozilla-nss > sudo reboot > sudo transactional-update pkg install mozilla-nss-tools > sudo reboot > sudo transactional-update pkg install pcsc-ccid > sudo reboot > sudo transactional-update pkg install pcsc-lite > sudo reboot > sudo transactional-update pkg install pcsc-tools > sudo reboot > sudo transactional-update pkg install opensc > sudo reboot > sudo transactional-update pkg install coolkey > sudo reboot Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.
Verify SLEM 5 implements multifactor authentication for remote access to privileged accounts via PAM with the following command: > grep pam_pkcs11.so /etc/pam.d/common-auth auth sufficient pam_pkcs11.so If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", or the line is commented out, this is a finding.
Configure SLEM 5 to implement multifactor authentication for remote access to privileged accounts via PAM. Add or modify the following line in the "/etc/pam.d/common-auth" file: auth sufficient pam_pkcs11.so
Verify SLEM 5 implements certificate status checking for multifactor authentication with the following command: > grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy cert_policy = ca,ocsp_on,signature,crl_auto; If "cert_policy" is not set to include "ocsp", this is a finding.
Configure SLEM 5 to certificate status checking for PKI authentication. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on". Note: OCSP allows sending request for certificate status information. Additional certificate validation polices are permitted. Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.
If NSS is used by SLEM 5, verify it prohibits the use of cached authentications after one day with the following command: Note: If NSS is not used on the operating system, this is not applicable. > sudo grep -i "memcache_timeout" /etc/sssd/sssd.conf memcache_timeout = 86400 If "memcache_timeout" has a value greater than "86400", the line is commented out, or the line is missing, this is a finding.
Configure NSS, if used by SLEM 5, to prohibit the use of cached authentications after one day. Add or modify the following line in the "/etc/sssd/sssd.conf" file, below the line "[nss]": memcache_timeout = 86400
Verify that SLEM 5 PAM prohibits the use of cached off line authentications after one day with the following command: Note: If SSSD is not being used on the operating system, this is not applicable. > sudo grep "offline_credentials_expiration" /etc/sssd/sssd.conf offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to a value of "1", the line is commented out, or the line is missing, this is a finding.
Configure SLEM 5 PAM to prohibit the use of cached authentications after one day. Add or modify the following line in the "/etc/sssd/sssd.conf" file, below the line "[pam]": offline_credentials_expiration = 1
Verify SLEM 5 for PKI-based authentication had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor with the following command: > grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca,oscp_on,signature,crl_auto; If "cert_policy" is not set to include "ca" on all returned lines, this is a finding.
Configure SLEM 5 for PKI-based authentication to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ca": cert_policy = ca,signature,oscp_on; Note: Additional certificate validation polices are permitted. Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.
Verify SLEM 5 is configured to not overwrite PAM configuration on package changes with the following command: > find /etc/pam.d/ -type l -iname "common-*" If any results are returned, this is a finding.
Copy the PAM configuration files to their static locations and remove SLEM 5 soft links for the PAM configuration files with the following command: > sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done' Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.
Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions with the following command: > sudo zypper if aide | grep -i installed Installed: Yes If AIDE is not installed, ask the system administrator how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding. If AIDE is installed, check if it has been initialized with the following command: > sudo aide --check If the output is "Couldn't open file /var/lib/aide/aide.db for reading", this is a finding.
Install AIDE, initialize it, and perform a manual check by using the following commands: Install AIDE: > sudo transactional-update pkg install aide > sudo reboot Initialize AIDE (this may take a few minutes): > sudo aide -i The new database will need to be renamed to be read by AIDE: > sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db Perform a manual check: > sudo aide --check Example output: Summary: Total number of files: 140621 Added files: 1 Removed files: 1 Changed files: 0
Verify that SLEM 5 file integrity tool is configured to verify extended attributes. > sudo grep acl /etc/aide.conf All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.
Configure SLEM 5 file integrity tool to check file and directory ACLs. If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.
Verify that SLEM 5 file integrity tool is configured to verify extended attributes. > sudo grep xattrs /etc/aide.conf All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux If the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.
Configure SLEM 5 file integrity tool to check file and directory extended attributes. If AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists.
Verify that SLEM 5 file integrity tool is configured to protect the integrity of the audit tools. Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command: > sudo grep /usr/sbin/au /etc/aide.conf /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 If any of the seven lines do not appear as shown, are commented out, or are missing, this is a finding.
Configure SLEM 5 file integrity tool to protect the integrity of the audit tools. Add or modify the following lines in the "/etc/aide.conf" file: # audit tools /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512
Verify SLEM 5 checks the baseline configuration using AIDE for unauthorized changes at least once weekly with the following command: Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week. > sudo grep -R aide /etc/crontab /etc/cron.* /etc/crontab: 30 04 * * * root /usr/sbin/aide If the file integrity application does not exist, or a "crontab" file does not exist in "/etc/crontab", the "/etc/cron.daily" subdirectory, or "/etc/cron.weekly" subdirectory, this is a finding.
Configure SLEM 5 to check the baseline configuration for unauthorized changes at least once weekly. Add or modify the following line in the "/etc/cron.weekly/aide" file: 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Weekly AIDE integrity check run" root@example_server_name.mil
Verify SLEM 5 notifies the SA when AIDE discovers anomalies in the operation of any security functions. Note: A file integrity tool other than AIDE may be used, but the tool must be configured to notify the system administrator and/or ISSO if there is an anomaly. Verify the aide cron job sends an email when executed with the following command: > sudo grep -i "aide" /etc/cron.*/aide 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil If the "aide" file does not exist under the "/etc/cron" directory structure or the cron job is not configured to execute a binary to send an email (such as "/bin/mail"), this is a finding.
Configure SLEM 5 to notify the SA when AIDE discovers anomalies in the operation of any security functions. Add or modify the following line in the "/etc/cron.daily/aide" file: 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil
Verify that SLEM 5 must offload syslog-ng messages for networked systems in real time and offload standalone systems at least weekly. For standalone hosts, verify with the system administrator that the log files are offloaded at least weekly. For networked systems, check that syslog-ng is sending log messages to a remote server with the following command: > sudo egrep "^destination logserver" /etc/syslog-ng/syslog-ng.conf syslog("10.10.10.10" transport("udp") port(514)); }; If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.
Configure SLEM 5 to offload syslog-ng messages for networked systems in real time. For standalone systems establish a procedure to offload log messages at least once a week. For networked systems add a "UDP_OR_TCP("IP_ADDRESS" port(514)); };" "#log { source(src); destination(logserver); };" in "/etc/syslog-ng/syslog-ng.conf" that does not have one. syslog("10.10.10.10" transport("udp") port(514)); };
Verify SLEM 5 auditing package is installed with the following command: > zypper info audit Name : audit Version : 2.8.5-3.2 Arch : X86_64 Vendor : SUSE LLC <https://www.suse.com> Installed Size : 646.2 KiB Installed : Yes (automatically) Status : up-to-date If the package "audit" is not installed on the system, this is a finding.
Install SLEM 5 auditing package with the following commands: > sudo transactional-update pkg install audit > sudo reboot
Verify SLEM 5 produces audit records with the following commands: > systemctl is-active auditd.service active > systemctl is-enabled auditd.service enabled If the service is not active or not enabled, this is a finding.
Enable SLEM 5 auditd service by using the following commands: > sudo systemctl enable auditd.service > sudo systemctl start auditd.service
Verify that the "audit-audispd-plugins" package is installed on SLEM 5 with the following command: > zypper info audit-audispd-plugins | grep Installed Installed : Yes If the "audit-audispd-plugins" package is not installed, this is a finding. Verify the "au-remote" plugin is enabled with the following command: > sudo grep -i active /etc/audisp/plugins.d/au-remote.conf active = yes If "active" is not set to "yes", is commented out, or is missing, this is a finding.
Install the "audit-audispd-plugins" package on SLEM 5 by running the following command: > sudo transactional-update pkg install audit-audispd-plugins Add or modify the following line in the "/etc/audisp/plugins.d/au-remote.conf" file: active = yes Reboot the system: > sudo reboot
Verify SLEM 5 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. Determine which partition the audit records are being written to with the following command: > sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to (with the example being /var/log/audit/) with the following command: > df -h /var/log/audit/ Filesystem Size Used Avail Use% Mounted on /dev/sda2 24G 10.4G 13.6G 43% /var If the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command: > sudo du -sh <audit_partition> 1.8G /var/log/audit The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. If the audit record partition is not allocated sufficient storage capacity, this is a finding.
Allocate enough storage capacity for at least one week of SLEM 5 audit records when audit records are not immediately sent to a central audit record storage facility. If audit records are stored on a partition made specifically for audit records, use the "YaST2 - Partitioner" program (installation and configuration tool for Linux) to resize the partition with sufficient space to contain one week of audit records. If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of space will need be to be created. The new partition can be created using the "YaST2 - Partitioner" program on the system.
Determine if SLEM 5 auditd is configured to notify the SA and ISSO when the audit record storage volume reaches 75 percent of the storage capacity with the following command: > sudo grep -iw space_left /etc/audit/auditd.conf space_left = 25% If "space_left" is not set to "25%" or greater, this is a finding.
Configure SLEM 5 auditd service to notify the SA and ISSO immediately when audit storage capacity is 75 percent full. Add or modify the following lines in the "/etc/audit/auditd.conf " file: space_left = 25%
Verify SLEM 5 takes the appropriate action when the audit storage volume is full using the following command: > sudo grep disk_full_action /etc/audit/auditd.conf disk_full_action = HALT If "disk_full_action" is not set to "HALT", "SYSLOG", or "SINGLE", is commented out, or is missing, this is a finding.
Configure SLEM 5 to shut down by default upon audit failure. Add or modify the following line in the "/etc/audit/auditd.conf " file: disk_full_action = HALT Note: If system availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure SLEM 5 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG" or "SINGLE".
Verify what action the audit system takes if it cannot offload audit records to a different system or storage media from SLEM 5 being audited. Check the action that the audit system takes in the event of a network failure with the following command: > sudo grep -i "network_failure_action" /etc/audisp/audisp-remote.conf network_failure_action = syslog If the "network_failure_action" option is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.
Configure SLEM 5 to take the appropriate action if it cannot offload audit records to a different system or storage media from the system being audited due to a network failure. Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file: network_failure_action = syslog
Verify the audit system offloads audit records if SLEM 5 storage volume becomes full. Check that the records are properly offloaded to a remote server with the following command: > sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf disk_full_action = syslog If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.
Configure SLEM 5 to take the appropriate action if the audit storage is full. Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file: disk_full_action = syslog
Verify that SLEM 5 protects audit rules from unauthorized modification with the following command: > grep -i audit /etc/permissions.local /var/log/audit root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 If the command does not return any output or all four lines as shown, this is a finding. Check that all of the audit information files and folders have the correct permissions with the following command: > sudo chkstat /etc/permissions.local If the command returns any output, this is a finding.
Configure SLEM 5 to protect audit rules from unauthorized modification. Add or modify the following lines in "/etc/permissions.local": /var/log/audit root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 Set the correct permissions with the following command: > sudo chkstat --set /etc/permissions.local
To protect from unauthorized access verify that SLEM 5 audit tools have the proper permissions configured in the permissions profile by using the following command: > grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 750 /usr/sbin/auditctl root:root 750 /usr/sbin/auditd root:root 750 /usr/sbin/ausearch root:root 755 /usr/sbin/aureport root:root 755 /usr/sbin/autrace root:root 750 /usr/sbin/augenrules root:root 750 If the command does not return any output, this is a finding.
Configure SLEM 5 audit tools to have proper permissions set in the permissions profile. Add or modify the following lines in the "/etc/permissions.local" file: /usr/sbin/audispd root:root 750 /usr/sbin/auditctl root:root 750 /usr/sbin/auditd root:root 750 /usr/sbin/ausearch root:root 755 /usr/sbin/aureport root:root 755 /usr/sbin/autrace root:root 750 /usr/sbin/augenrules root:root 750
To protect from unauthorized access verify that SLEM 5 audit tools have the proper permissions applied from the permissions profile by using the following command: > sudo chkstat /etc/permissions.local If the command returns any output, this is a finding.
Configure SLEM 5 audit tools to have proper permissions applied from the permissions profile using the following command: > sudo chkstat --set /etc/permissions.local
Determine if SLEM 5 audit event multiplexor is configured to use Kerberos by running the following command: > sudo grep enable_krb5 /etc/audisp/audisp-remote.conf enable_krb5 = yes If "enable_krb5" is not set to "yes", or is commented out, this is a finding.
Configure SLEM 5 audit event multiplexor to use Kerberos. Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file: enable_krb5 = yes
Verify "audispd" offloads audit records onto a different system or media from SLEM 5 being audited with the following command: > sudo grep remote_server /etc/audisp/audisp-remote.conf remote_server = 240.9.19.81 If "remote_server" is not set to an external server or media, or is commented out, this is a finding.
Configure SLEM 5 to offload audit records onto a different system or media. Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file: remote_server = <ip_address>
Verify the administrators are notified in the event of a SLEM 5 audit processing failure with the following commands: > grep -i "^postmaster:" /etc/aliases postmaster: root If the above command does not return a value of "root", or the output is commented out, this is a finding. Verify the alias for root forwards to a monitored e-mail account: > grep -i "^root:" /etc/aliases root: person@server.mil If the alias for root does not forward to a monitored e-mail account, or the output is commented out, this is a finding.
Configure the auditd service to notify the administrators in the event of a SLEM 5 audit processing failure. Configure an alias value for the postmaster with the following command: > sudo sh -c 'echo "postmaster: root" >> /etc/aliases' Configure an alias for root that forwards to a monitored email address with the following command: > sudo sh -c 'echo "root: box@server.mil" >> /etc/aliases' The following command must be run to implement changes to the /etc/aliases file: > sudo newaliases
Verify the system is configured to send email to an account when it needs to notify an administrator with the following command: > sudo grep action_mail /etc/audit/auditd.conf action_mail_acct = root If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the returned line is commented out, or the "action_mail_acct" keyword is missing, this is a finding.
Configure the auditd service to notify the administrators in the event of a SLEM 5 audit processing failure. Add or modify the following lines in the "/etc/audit/auditd.conf " file: action_mail_acct = root
Verify SLEM 5 generates an audit record for all uses of the "chacl" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chacl' -a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "chacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.
Verify SLEM 5 generates an audit record for any use of the "chage" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chage' -a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chage If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "chage" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "chcon" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chcon' -a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "chcon" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "chfn" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chfn' -a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chfn If the command does not return any output or the returned line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "chfn" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chfn To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "chmod" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chmod' -a always,exit -S all -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "chmod" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "chsh" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chsh' -a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chsh If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "chsh" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for any use of the "crontab" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/crontab' -a always,exit -S all -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-crontab If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "crontab" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "gpasswd" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/gpasswd' -a always,exit -S all -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-gpasswd If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "gpasswd" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 is generates an audit record for all uses of the "insmod" command with the following command: > sudo auditctl -l | grep -w '/sbin/insmod' -w /sbin/insmod -p x -k modules If the system is configured to audit the execution of the module management program "insmod", the command will return a line. If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to audit the execution of the module management program "insmod". Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /sbin/insmod -p x -k modules To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "kmod" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/kmod' -w /usr/bin/kmod -p x -k modules If the system is configured to audit the execution of the module management program "kmod", the command will return a line. If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to audit the execution of the module management program "kmod". Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /usr/bin/kmod -p x -k modules To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "modprobe" command with the following command: > sudo auditctl -l | grep -w '/sbin/modprobe' -w /sbin/modprobe -p x -k modules If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to audit the execution of the module management program "modprobe". Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /sbin/modprobe -p x -k modules To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "newgrp" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/newgrp' -a always,exit -S all -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-newgrp If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "newgrp" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for any use of the "pam_timestamp_check" command with the following command: > sudo auditctl -l | grep -w '/sbin/pam_timestamp_check' -a always,exit -S all -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-pam_timestamp_check If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "pam_timestamp_check" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "passwd" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/passwd' -a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-passwd If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "passwd" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "rm" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/rm' -a always,exit -S all -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "rm" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "rmmod" command with the following command: > sudo auditctl -l | grep -w '/sbin/rmmod' -w /sbin/rmmod -p x -k modules If the system is configured to audit the execution of the module management program "rmmod", the command will return a line. If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to audit the execution of the module management program "rmmod". Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /sbin/rmmod -p x -k modules To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "setfacl" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/setfacl' -a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "setfacl" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "ssh-agent" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/ssh-agent' -a always,exit -S all -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-ssh-agent If the command does not return any output or the returned line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "ssh-agent" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for all uses of the "ssh-keysign" command with the following command: > sudo auditctl -l | grep -w '/usr/lib/ssh/ssh-keysign' -a always,exit -S all -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-ssh-keysign If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "ssh-keysign" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for any use of the "su" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/su' -a always,exit -S all -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-priv_change If the command does not return any output or the returned line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "su" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify SLEM 5 generates an audit record for any use of the "sudo" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/sudo' -a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-sudo If the command does not return any output, or the returned line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "sudo" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load
Verify an audit record is generated for all uses of the "sudoedit" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/sudoedit' -a always,exit -S all -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-sudoedit If the command does not return any output or the returned line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.
Configure SLEM 5 to generate an audit record for all uses of the "sudoedit" command. Add or modify the following line in the