SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide

Version

SLEM-05-211010

Vuln IDs

V-261263

Rule IDs

SV-261263r1155781_rule

A SLEM 5 release is considered supported if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. End Of Life dates for SUSE Linux Micro releases are as follows: Service Pack Release Release Date General Support Ends SUSE Linux Micro 5.0 30 Mar 2021 31 Mar 2022 SUSE Linux Micro 5.1 26 Oct 2021 31 Oct 2025 SUSE Linux Micro 5.2 14 Apr 2022 30 Apr 2026 SUSE Linux Micro 5.3 25 Oct 2022 30 Oct 2026 SUSE Linux Micro 5.4 20 Apr 2023 30 Apr 2027 SUSE Linux Micro 5.5 12 Oct 2023 31 Oct 2027 SUSE Linux Micro 6.0 06 Jun 2024 30 Jun 2028 SUSE Linux Micro 6.1 26 Nov 2024 30 Nov 2028

Checks: C-64992r1155780_chk

Verify the version of SLEM 5 is vendor supported with the following command: > cat /etc/os-release NAME="SLE Micro" VERSION="5.5" ... If the installed version of SLEM 5 is not supported, this is a finding.

Fix: F-64900r996825_fix

Upgrade SLEM 5 to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.

b

SLEM 5 must implement an endpoint security tool.

SI-2 - Medium - CCI-001233 - V-261264 - SV-261264r995659_rule

RMF Control

SI-2

Severity

M

CCI

CCI-001233

Version

SLEM-05-211015

Vuln IDs

V-261264

Rule IDs

SV-261264r995659_rule

Adding endpoint security tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.

Checks: C-64993r995657_chk

Verify that SLEM 5 has implemented an endpoint security tool. If no endpoint security tool is present and enabled on the system, this is a finding.

Fix: F-64901r995658_fix

Install and enable an endpoint security tool.

b

SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting any local or remote connection to the system.

AC-8 - Medium - CCI-000048 - V-261265 - SV-261265r996289_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

SLEM-05-211020

Vuln IDs

V-261265

Rule IDs

SV-261265r996289_rule

Display of a standardized and approved use notification before granting access to SLEM 5 ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for SLEM 5 that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Checks: C-64994r996287_chk

Verify SLEM 5 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH. Check the issue file to verify it contains one of the DOD required banners. If it does not, this is a finding. > more /etc/issue The output must display the following DOD-required banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the output does not display the correct banner text, this is a finding.

Fix: F-64902r996288_fix

Configure SLEM 5 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system by running the following commands: To configure the system logon banner, edit the "/etc/issue" file. Replace the default text inside with the Standard Mandatory DOD banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

c

SLEM 5 must disable the x86 Ctrl-Alt-Delete key sequence.

CM-6 - High - CCI-000366 - V-261266 - SV-261266r996292_rule

RMF Control

CM-6

Severity

H

CCI

Version

SLEM-05-211025

Vuln IDs

V-261266

Rule IDs

SV-261266r996292_rule

A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.

Checks: C-64995r996290_chk

Verify SLEM 5 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: > systemctl status ctrl-alt-del.target ctrl-alt-del.target Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) Active: inactive (dead) If ctrl-alt-del.target is not masked, this is a finding.

Fix: F-64903r996291_fix

Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: > sudo systemctl disable ctrl-alt-del.target > sudo systemctl mask ctrl-alt-del.target Then, reload the daemon to take effect: > sudo systemctl daemon-reload

c

SLEM 5 with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.

AC-3 - High - CCI-000213 - V-261267 - SV-261267r1137691_rule

RMF Control

AC-3

Severity

H

CCI

CCI-000213

Version

SLEM-05-212010

Vuln IDs

V-261267

Rule IDs

SV-261267r1137691_rule

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.

Checks: C-64996r996293_chk

Note: If the system does not use a BIOS, this requirement is not applicable. Verify that SLEM 5 has set an encrypted root password with the following command: > sudo cat /boot/grub2/grub.cfg | grep -i password password_pbkdf2 root grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 If the root password entry does not begin with "password_pbkdf2", this is a finding.

Fix: F-64904r996294_fix

Note: If the system does not use a BIOS, this requirement is not applicable. Configure SLEM 5 to encrypt the boot password. Generate an encrypted GRUB bootloader password for root with the following command: > grub2-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 Using the hash from the output, modify the "/etc/grub.d/40_custom" file and add the following two lines to add a boot password for the root entry: set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 Generate an updated "grub.conf" file with the new password using the following commands: > sudo grub2-mkconfig --output=/tmp/grub2.cfg > sudo mv /tmp/grub2.cfg /boot/grub2/grub.cfg

c

SLEM 5 with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.

AC-3 - High - CCI-000213 - V-261268 - SV-261268r1137691_rule

RMF Control

AC-3

Severity

H

CCI

CCI-000213

Version

SLEM-05-212015

Vuln IDs

V-261268

Rule IDs

SV-261268r1137691_rule

If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information.

Checks: C-64997r996296_chk

Note: If the system does not use UEFI, this requirement is not applicable. Verify that SLEM 5 has set an encrypted root password with the following command: > sudo cat /boot/efi/EFI/BOOT/grub.cfg | grep -i password password_pbkdf2 root grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 If the root password entry does not begin with "password_pbkdf2", this is a finding.

Fix: F-64905r996297_fix

Note: If the system does not use UEFI, this requirement is not applicable. Configure SLEM 5 to encrypt the boot password. Generate an encrypted GRUB bootloader password for root with the following command: > grub2-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 Using the hash from the output, modify the "/etc/grub.d/40_custom" file and add the following two lines to add a boot password for the root entry: set superusers="rooty" password_pbkdf2 root grub.pbkdf2.sha512.03255F190F0E2F7B4F0D1C3216012309162F022A7A636771 Generate an updated "grub.conf" file with the new password using the following commands: > sudo grub2-mkconfig --output=/tmp/grub2.cfg > sudo mv /tmp/grub2.cfg /boot/efi/EFI/BOOT/grub.cfg

b

SLEM 5 must restrict access to the kernel message buffer.

SC-4 - Medium - CCI-001090 - V-261269 - SV-261269r1137695_rule

RMF Control

SC-4

Severity

M

CCI

CCI-001090

Version

SLEM-05-213010

Vuln IDs

V-261269

Rule IDs

SV-261269r1137695_rule

Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.

Checks: C-64998r996299_chk

Verify SLEM 5 is configured to restrict access to the kernel message buffer with the following commands: > sudo sysctl kernel.dmesg_restrict kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter: > sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null /etc/sysctl.conf:kernel.dmesg_restrict = 1 /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.

Fix: F-64906r996300_fix

Configure SLEM 5 to restrict access to the kernel message buffer. Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory: kernel.dmesg_restrict = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/ /etc/sysctl.d/ /usr/local/lib/sysctl.d/ /usr/lib/sysctl.d/ /lib/sysctl.d/ /etc/sysctl.conf Reload settings from all system configuration files with the following command: $ sudo sysctl --system

b

SLEM 5 kernel core dumps must be disabled unless needed.

CM-6 - Medium - CCI-000366 - V-261270 - SV-261270r996860_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-213015

Vuln IDs

V-261270

Rule IDs

SV-261270r996860_rule

Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service (DoS) by exhausting the available space on the target file system partition.

Checks: C-64999r996302_chk

Verify that SLEM 5 kernel core dumps are disabled unless needed with the following command: > systemctl status kdump.service kdump.service - Load kdump kernel and initrd Loaded: loaded (/usr/lib/systemd/system/kdump.service; disabled; vendor preset: disabled) Active: inactive (dead) If "kdump.service" is active, ask the system administrator if the use of the service is required and documented with the information system security officer (ISSO). If the service is active and is not documented, this is a finding.

Fix: F-64907r995676_fix

If SLEM 5 kernel core dumps are not required, disable the "kdump" service with the following command: > sudo systemctl disable kdump.service If kernel core dumps are required, document the need with the ISSO.

b

Address space layout randomization (ASLR) must be implemented by SLEM 5 to protect memory from unauthorized code execution.

SI-16 - Medium - CCI-002824 - V-261271 - SV-261271r996306_rule

RMF Control

SI-16

Severity

M

CCI

CCI-002824

Version

SLEM-05-213020

Vuln IDs

V-261271

Rule IDs

SV-261271r996306_rule

Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware enforced or software enforced, with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.

Checks: C-65000r996304_chk

Verify SLEM 5 implements Address space layout randomization (ASLR) with the following command: > sudo sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 If the kernel parameter "randomize_va_space" is not equal to "2", or nothing is returned, this is a finding.

Fix: F-64908r996305_fix

Configure SLEM 5 to implement ASLR by running the following command as an administrator: > sudo sysctl -w kernel.randomize_va_space=2 If "2" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.randomize_va_space=2" >> /etc/sysctl.d/99-stig.conf' Reload settings from all system configuration files with the following command: > sudo sysctl --system

b

SLEM 5 must implement kptr-restrict to prevent the leaking of internal kernel addresses.

SI-16 - Medium - CCI-002824 - V-261272 - SV-261272r996309_rule

RMF Control

SI-16

Severity

M

CCI

CCI-002824

Version

SLEM-05-213025

Vuln IDs

V-261272

Rule IDs

SV-261272r996309_rule

Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware enforced or software enforced, with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.

Checks: C-65001r996307_chk

Verify SLEM 5 prevents leaking of internal kernel addresses with the following command: > sudo sysctl kernel.kptr_restrict kernel.kptr_restrict = 1 If the kernel parameter "kptr_restrict" is not equal to "1", or nothing is returned, this is a finding.

Fix: F-64909r996308_fix

Configure SLEM 5 to prevent leaking of internal kernel addresses by running the following command: > sudo sysctl -w kernel.kptr_restrict=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.kptr_restrict=1" >> /etc/sysctl.d/99-stig.conf' Reload settings from all system configuration files with the following command: > sudo sysctl --system

b

Vendor-packaged SLEM 5 security patches and updates must be installed and up to date.

CM-6 - Medium - CCI-000366 - V-261273 - SV-261273r996311_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-214010

Vuln IDs

V-261273

Rule IDs

SV-261273r996311_rule

Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep SLEM 5 and application software patched is a common mistake made by IT professionals. New patches are released frequently, and it is often difficult for even experienced system administrators (SAs) to keep up with of all the new patches. When new weaknesses in a SLEM 5 exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.

Checks: C-65002r996310_chk

Verify SLEM 5 security patches and updates are installed and up to date. Note: Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). Check for required SLEM 5 patches and updates with the following command: > sudo zypper patch-check 0 patches needed (0 security patches) If the patch repository data is corrupt, check that the available package security updates have been installed on the system with the following command: > sudo cut -d "|" -f 1-4 -s --output-delimiter " | " /var/log/zypp/history | grep -v " radd " 2023-09-25 12:23:25 | install | cockpit-ws | 298-150500.1.4 2023-09-25 12:23:26 | install | cockpit-storaged | 298-150500.1.4 2023-09-25 12:23:26 | install | cockpit-selinux | 298-150500.1.4 If SLEM 5 has not been patched within the site or PMO frequency, this is a finding.

Fix: F-64910r995685_fix

Install the applicable SLEM 5 patches available from SUSE by running the following command: > sudo transactional-update patch > sudo reboot

c

The SLEM 5 tool zypper must have gpgcheck enabled.

CM-5 - High - CCI-001749 - V-261274 - SV-261274r996312_rule

RMF Control

CM-5

Severity

H

CCI

CCI-001749

Version

SLEM-05-214015

Vuln IDs

V-261274

Rule IDs

SV-261274r996312_rule

Changes to any software components can have significant effects on the overall security of SLEM 5. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or SLEM 5 components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. SLEM 5 should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certification Authority (CA).

Checks: C-65003r995687_chk

Verify that SLEM 5 tool zypper has gpgcheck enabled with the following command: > grep -i '^gpgcheck' /etc/zypp/zypp.conf gpgcheck = on If "gpgcheck" is not set to "on", is commented out, or missing, this is a finding.

Fix: F-64911r995688_fix

Configure that SLEM 5 tool zypper to enable gpgcheck. Add or modify the following line in the "/etc/zypp/zypp.conf" file: gpgcheck = on

b

SLEM 5 must remove all outdated software components after updated versions have been installed.

SI-2 - Medium - CCI-002617 - V-261275 - SV-261275r996314_rule

RMF Control

SI-2

Severity

M

CCI

CCI-002617

Version

SLEM-05-214020

Vuln IDs

V-261275

Rule IDs

SV-261275r996314_rule

Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.

Checks: C-65004r996313_chk

Verify SLEM 5 removes all outdated software components after updated version have been installed by running the following command: > grep -i upgraderemovedroppedpackages /etc/zypp/zypp.conf solver.upgradeRemoveDroppedPackages = true If "solver.upgradeRemoveDroppedPackages" is not set to "true", is commented out, or missing, this is a finding.

Fix: F-64912r995691_fix

Configure SLEM 5 to remove all outdated software components after an update. Add or modify the following line in the "/etc/zypp/zypp.conf" file: solver.upgradeRemoveDroppedPackages = true

b

SLEM 5 must use vlock to allow for session locking.

AC-11 - Medium - CCI-000056 - V-261276 - SV-261276r996316_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000056

Version

SLEM-05-215010

Vuln IDs

V-261276

Rule IDs

SV-261276r996316_rule

A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.

Checks: C-65005r996315_chk

Check that SLEM 5 has the "vlock" package installed with the following command: > zypper search --installed-only --match-exact --provides vlock i | kbd | Keyboard and Font Utilities | package If the command outputs "no matching items found", this is a finding.

Fix: F-64913r995694_fix

Allow users to lock the console by installing the "kbd" package using zypper: > sudo transactional-update pkg install kbd > sudo reboot

c

SLEM 5 must not have the telnet-server package installed.

IA-5 - High - CCI-000197 - V-261277 - SV-261277r996318_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000197

Version

SLEM-05-215015

Vuln IDs

V-261277

Rule IDs

SV-261277r996318_rule

It is detrimental for SLEM 5 to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. SLEM 5 is capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled.

Checks: C-65006r996317_chk

Verify the telnet-server package is not installed on SLEM 5. Check that the telnet-server package is not installed on SLEM 5 by running the following command: > sudo zypper se telnet-server | grep Installed If the telnet-server package is installed, this is a finding.

Fix: F-64914r995697_fix

Remove the telnet-server package from SLEM 5 by running the following command: > sudo transactional-update pkg remove telnet-server > sudo reboot

b

A separate file system must be used for SLEM 5 user home directories (such as /home or an equivalent).

CM-6 - Medium - CCI-000366 - V-261278 - SV-261278r996320_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-231010

Vuln IDs

V-261278

Rule IDs

SV-261278r996320_rule

The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.

Checks: C-65007r996319_chk

Verify that a separate file system/partition has been created for SLEM 5 nonprivileged local interactive users (those with a UID greater than 1000) home directories with the following command: > awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd adamsj 1002 /home/adamsj /bin/bash jacksonm 1003 /home/jacksonm /bin/bash smithj 1001 /home/smithj /bin/bash The output of the command will give the directory/partition that contains the home directories for the nonprivileged users on the system (in this example, /home) and user's shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. Check that a file system/partition has been created for the nonprivileged interactive users with the following command: Note: The partition of /home is used in the example. > grep /home /etc/fstab UUID=c4e898dd-6cd9-4091-a733-9435e505957a /home btrfs defaults,subvol=@/home 0 0 If a separate entry for the file system/partition that contains the nonprivileged interactive users' home directories does not exist, this is a finding.

Fix: F-64915r995700_fix

Create a separate file system/partition for SLEM 5 nonprivileged local interactive user home directories. Migrate the nonprivileged local interactive user home directories onto the separate file system/partition.

b

SLEM 5 must use a separate file system for /var.

CM-6 - Medium - CCI-000366 - V-261279 - SV-261279r996322_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-231015

Vuln IDs

V-261279

Rule IDs

SV-261279r996322_rule

The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.

Checks: C-65008r996321_chk

Verify that SLEM 5 has a separate file system/partition for "/var" with the following command: > grep /var /etc/fstab UUID=c4e898dd-6cd9-4091-a733-9435e505957a /var btrfs defaults,subvol=@/var,x-initrd.mount 0 0 If a separate entry for "/var" does not exist, this is a finding.

Fix: F-64916r995703_fix

Create a separate file system/partition on SLEM 5 for "/var". Migrate "/var" onto the separate file system/partition.

b

SLEM 5 must use a separate file system for the system audit data path.

CM-6 - Medium - CCI-000366 - V-261280 - SV-261280r996324_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-231020

Vuln IDs

V-261280

Rule IDs

SV-261280r996324_rule

The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.

Checks: C-65009r996323_chk

Verify that SLEM 5 has a separate file system/partition for the system audit data path with the following command: Note: "/var/log/audit" is used as the example as it is a common location. > grep /var/log/audit /etc/fstab UUID=c4e898dd-6cd9-4091-a733-9435e505957a /var btrfs defaults,subvol=@/var/log/audit 0 0 If a separate entry for the system audit data path (in this example the "/var/log/audit" path) does not exist, ask the system administrator if the system audit logs are being written to a different file system/partition on the system and then grep for that file system/partition. If a separate file system/partition does not exist for the system audit data path, this is a finding.

Fix: F-64917r995706_fix

Migrate SLEM 5 audit data path onto a separate file system or partition.

b

SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent files with the setuid and setgid bit set from being executed.

CM-6 - Medium - CCI-000366 - V-261281 - SV-261281r996326_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-231025

Vuln IDs

V-261281

Rule IDs

SV-261281r996326_rule

The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks: C-65010r996325_chk

Verify SLEM 5 file systems that are being NFS exported are mounted with the "nosuid" option with the following command: > grep nfs /etc/fstab UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0 If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.

Fix: F-64918r995709_fix

Configure SLEM 5 "/etc/fstab" file to use the "nosuid" option on file systems that are being exported via NFS.

b

SLEM 5 file systems that are being imported via Network File System (NFS) must be mounted to prevent binary files from being executed.

CM-6 - Medium - CCI-000366 - V-261282 - SV-261282r996328_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-231030

Vuln IDs

V-261282

Rule IDs

SV-261282r996328_rule

The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks: C-65011r996327_chk

Verify SLEM 5 file systems that are being NFS exported are mounted with the "noexec" option with the following command: > grep nfs /etc/fstab UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0 If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS exported binaries is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-64919r995712_fix

Configure SLEM 5 "/etc/fstab" file to use the "noexec" option on file systems that are being exported via NFS.

b

SLEM 5 file systems that are used with removable media must be mounted to prevent files with the setuid and setgid bit set from being executed.

CM-6 - Medium - CCI-000366 - V-261283 - SV-261283r996330_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-231035

Vuln IDs

V-261283

Rule IDs

SV-261283r996330_rule

The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks: C-65012r996329_chk

Verify SLEM 5 file systems used for removable media are mounted with the "nosuid" option with the following command: > more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0 If a file system found in "/etc/fstab" refers to removable media and does not have the "nosuid" option set, this is a finding.

Fix: F-64920r995715_fix

Configure SLEM 5 "/etc/fstab" file to use the "nosuid" option on file systems that are associated with removable media.

c

All SLEM 5 persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.

SC-28 - High - CCI-001199 - V-261284 - SV-261284r996864_rule

RMF Control

SC-28

Severity

H

CCI

CCI-001199

Version

SLEM-05-231040

Vuln IDs

V-261284

Rule IDs

SV-261284r996864_rule

SLEM 5 handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).

Checks: C-65013r996864_chk

Verify SLEM 5 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. Verify the system partitions are all encrypted with the following commands: > sudo blkid /dev/sda1: "UUID=26d4a101-7f48-4394-b730-56dc00e65f64" TYPE="crypto_LUKS" /dev/sda2: "UUID=f5b8a790-14cb-4b82-882d-707d52f27765" TYPE="crypto_LUKS" /dev/sda3: "UUID=f2d86128-f975-478d-a5b0-25806c900eac" TYPE="crypto_LUKS" Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding. > sudo more /etc/crypttab cr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64 cr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765 cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac Every persistent disk partition present on the system must have an entry in the /etc/crypttab file. If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding. Verify the system works in FIPS mode with the following command: > sudo sysctl - a | grep fips crypto.fips_enabled = 1

Fix: F-64921r996332_fix

Configure SLEM 5 to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already-installed system is more difficult because of the need to resize and change existing partitions. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted partition by default. Add it manually in the partitioning dialog. The following set of commands will switch SLEM 5 to work in FIPS mode: >sudo transactional-update pkg install -t pattern microos-fips >reboot Add of modify the following line in the "/etc/default/grub" file to include "fips=1": GRUB_CMDLINE_LINUX_DEFAULT="splash=silent swapaccount=1 apparmor=0 mitigations=auto quiet crashkernel=195M,high crashkernel=72M,low fips=1" >sudo transactional-update grub.cfg >sudo reboot:

b

SLEM 5 file systems that contain user home directories must be mounted to prevent files with the setuid and setgid bit set from being executed.

CM-6 - Medium - CCI-000366 - V-261285 - SV-261285r996838_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-231045

Vuln IDs

V-261285

Rule IDs

SV-261285r996838_rule

The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.

Checks: C-65014r996838_chk

Verify that SLEM 5 file systems that contain user home directories are mounted with the "nosuid" option. Print the currently active file system mount options of the file system(s) that contain the user home directories with the following command: > for X in `awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd`; do findmnt -nkT $X; done | sort -r /home /dev/mapper/system-home ext4 rw,nosuid,realtime,data=ordered If a file system containing user home directories is not mounted with the FSTYPE OPTION nosuid, this is a finding. Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.

Fix: F-64922r995721_fix

Configure SLEM 5 "/etc/fstab" file to use the "nosuid" option on file systems that contain user home directories for interactive users. Remount the filesystems. > sudo mount -o remount /home

b

SLEM 5 must disable the file system automounter.

IA-3 - Medium - CCI-000778 - V-261286 - SV-261286r1155779_rule

RMF Control

IA-3

Severity

M

CCI

CCI-000778

Version

SLEM-05-231050

Vuln IDs

V-261286

Rule IDs

SV-261286r1155779_rule

Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.

Checks: C-65015r1155777_chk

Verify SLEM 5 disables the ability to automount devices. Verify the automounter service is installed with the following command: > sudo zypper se autofs If it is installed, verify the automounter service is active with the following command: > systemctl status autofs autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) If the "autofs" status is set to "active" this is a finding.

Fix: F-64923r1155778_fix

Configure SLEM 5 to disable the ability to automount devices. Turn off the automount service with the following command: > sudo systemctl stop autofs > sudo systemctl disable autofs

b

SLEM 5 must have directories that contain system commands set to a mode of 755 or less permissive.

CM-5 - Medium - CCI-001499 - V-261287 - SV-261287r996341_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232010

Vuln IDs

V-261287

Rule IDs

SV-261287r996341_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65016r996339_chk

Verify that the system command directories have mode "755" or less permissive with the following command: > find -L /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any directories are found to be group-writable or world-writable, this is a finding.

Fix: F-64924r996340_fix

Configure the system commands to be protected from unauthorized access. Run the following command: > sudo find -L /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \; > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin -perm /022 -type f -exec chmod 755 '{}' \; > exit > sudo reboot

b

SLEM 5 must have system commands set to a mode of 755 or less permissive.

CM-5 - Medium - CCI-001499 - V-261288 - SV-261288r996344_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232015

Vuln IDs

V-261288

Rule IDs

SV-261288r996344_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65017r996342_chk

Verify that the system command directories have mode "755" or less permissive with the following command: > find -L /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any directories are found to be group-writable or world-writable, this is a finding.

Fix: F-64925r996343_fix

Configure the system commands to be protected from unauthorized access. Run the following command: > sudo find -L /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \; > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin -perm /022 -type f -exec chmod 755 '{}' \; > exit > sudo reboot

b

SLEM 5 library directories must have mode 755 or less permissive.

CM-5 - Medium - CCI-001499 - V-261289 - SV-261289r996347_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232020

Vuln IDs

V-261289

Rule IDs

SV-261289r996347_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65018r996345_chk

Verify the system-wide shared library directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" have mode "755" or less permissive with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.

Fix: F-64926r996346_fix

Configure the library files to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec chmod 755 '{}' \; > exit > sudo reboot

b

SLEM 5 library files must have mode 755 or less permissive.

CM-5 - Medium - CCI-001499 - V-261290 - SV-261290r1102096_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232025

Vuln IDs

V-261290

Rule IDs

SV-261290r1102096_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65019r1102094_chk

Verify the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" have mode 0755 or less permissive. Check that the systemwide shared library files have mode 0755 or less permissive with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec stat -c "%n %a" {} + If any output is returned, this is a finding.

Fix: F-64927r1102095_fix

Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" have mode 0755 or less permissive with the following command. > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} + > exit > sudo reboot

b

All SLEM 5 local interactive user home directories must have mode 750 or less permissive.

CM-6 - Medium - CCI-000366 - V-261291 - SV-261291r996352_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-232030

Vuln IDs

V-261291

Rule IDs

SV-261291r996352_rule

Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.

Checks: C-65020r996351_chk

Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. Verify the assigned home directory of all SLEM 5 local interactive users has a mode of "750" or less permissive with the following command: > ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) -rwxr-x--- 1 smithj users 18 Mar 5 17:6 /home/smithj If home directories referenced in "/etc/passwd" do not have a mode of "750" or less permissive, this is a finding.

Fix: F-64928r995739_fix

Change the mode of SLEM 5 local interactive user's home directories to "750". To change the mode of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj". > sudo chmod 750 /home/smithj

b

All SLEM 5 local initialization files must have mode 740 or less permissive.

CM-6 - Medium - CCI-000366 - V-261292 - SV-261292r996354_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-232035

Vuln IDs

V-261292

Rule IDs

SV-261292r996354_rule

Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.

Checks: C-65021r996353_chk

Verify that all SLEM 5 local initialization files have a mode of "740" or less permissive with the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". > sudo ls -al /home/smithj/.* | more -rw-r-x---- 1 smithj users 896 Mar 10 2011 .profile -rw-r-x---- 1 smithj users 497 Jan 6 27 .login -rw-r-x---- 1 smithj users 886 Jan 6 27 .something If any local initialization files have a mode more permissive than "740", this is a finding.

Fix: F-64929r995742_fix

Set the mode of SLEM 5 local initialization files to "740" with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". > sudo chmod 740 /home/smithj/.<INIT_FILE>

b

SLEM 5 SSH daemon public host key files must have mode 644 or less permissive.

CM-6 - Medium - CCI-000366 - V-261293 - SV-261293r996357_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-232040

Vuln IDs

V-261293

Rule IDs

SV-261293r996357_rule

If a public host key file is modified by an unauthorized user, the SSH service may be compromised.

Checks: C-65022r996355_chk

Verify SLEM 5 SSH daemon public host key files have mode "644" or less permissive with the following command: Note: SSH public key files may be found in other directories on the system depending on the installation. > find /etc/ssh -name 'ssh_host*key.pub' -exec stat -c "%a %n" {} \; 644 /etc/ssh/ssh_host_rsa_key.pub 644 /etc/ssh/ssh_host_dsa_key.pub 644 /etc/ssh/ssh_host_ecdsa_key.pub 644 /etc/ssh/ssh_host_ed25519_key.pub If any file has a mode more permissive than "644", this is a finding.

Fix: F-64930r996356_fix

Configure SLEM 5 SSH daemon public host key files have mode "644" or less permissive. Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under "/etc/ssh" to "644" with the following command: > sudo chmod 644 /etc/ssh/ssh_host*key.pub

b

SLEM 5 SSH daemon private host key files must have mode 640 or less permissive.

CM-6 - Medium - CCI-000366 - V-261294 - SV-261294r996359_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-232045

Vuln IDs

V-261294

Rule IDs

SV-261294r996359_rule

If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

Checks: C-65023r996358_chk

Verify SLEM 5 SSH daemon private host key files have mode "640" or less permissive. The following command will find all SSH private key files on the system with the following command: > sudo find / -name '*ssh_host*key' -exec ls -lL {} \; Check the mode of the private host key files under "/etc/ssh" file with the following command: > find /etc/ssh -name 'ssh_host*key' -exec stat -c "%a %n" {} \; 640 /etc/ssh/ssh_host_rsa_key 640 /etc/ssh/ssh_host_dsa_key 640 /etc/ssh/ssh_host_ecdsa_key 640 /etc/ssh/ssh_host_ed25519_key If any file has a mode more permissive than "640", this is a finding.

Fix: F-64931r995748_fix

Configure the mode of SLEM 5 SSH daemon private host key files under "/etc/ssh" to "640" with the following command: > sudo chmod 640 /etc/ssh/ssh_host*key

b

SLEM 5 library files must be owned by root.

CM-5 - Medium - CCI-001499 - V-261295 - SV-261295r1102099_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232050

Vuln IDs

V-261295

Rule IDs

SV-261295r1102099_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65024r1102097_chk

Verify the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" are owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec stat -c "%n %U" {} + If any output is returned, this is a finding.

Fix: F-64932r1102098_fix

Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" are owned by root with the following command: > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} + > exit > sudo reboot

b

SLEM 5 library files must be group-owned by root.

CM-5 - Medium - CCI-001499 - V-261296 - SV-261296r1102102_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232055

Vuln IDs

V-261296

Rule IDs

SV-261296r1102102_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65025r1102100_chk

Verify the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" are group owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec stat -c "%n %G" {} + If any output is returned, this is a finding.

Fix: F-64933r1102101_fix

Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" are group owned by root with the following command: > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chown :root {} + > exit > sudo reboot

b

SLEM 5 library directories must be owned by root.

CM-5 - Medium - CCI-001499 - V-261297 - SV-261297r996368_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232060

Vuln IDs

V-261297

Rule IDs

SV-261297r996368_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65026r996366_chk

Verify the system-wide shared library directories contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; If any system wide library directory is returned, this is a finding.

Fix: F-64934r996367_fix

Configure the library directories to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \; > exit > sudo reboot

b

SLEM 5 library directories must be group-owned by root.

CM-5 - Medium - CCI-001499 - V-261298 - SV-261298r996371_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232065

Vuln IDs

V-261298

Rule IDs

SV-261298r996371_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65027r996369_chk

Verify the system-wide shared library directories contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system wide library directory is returned, this is a finding.

Fix: F-64935r996370_fix

Configure the library directories to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec chgrp root '{}' \; > exit > sudo reboot

b

SLEM 5 must have system commands owned by root.

CM-5 - Medium - CCI-001499 - V-261299 - SV-261299r996373_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232070

Vuln IDs

V-261299

Rule IDs

SV-261299r996373_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65028r995762_chk

Verify that the system commands are owned by root with the following command: > sudo find -L /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \; If any system commands are returned, this is a finding.

Fix: F-64936r996372_fix

Configure the system commands to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin ! -user root -type f -exec chown root '{}' \; > exit > sudo reboot

b

SLEM 5 must have system commands group-owned by root or a system account.

CM-5 - Medium - CCI-001499 - V-261300 - SV-261300r996375_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232075

Vuln IDs

V-261300

Rule IDs

SV-261300r996375_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65029r995765_chk

Verify that the system commands are group-owned by root with the following command: > sudo find -L /usr/local/bin /usr/local/sbin! -group root -type f -exec stat -c "%n %G" '{}' \; If any system commands are returned, this is a finding.

Fix: F-64937r996374_fix

Configure the system commands to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin ! -user root -type f -exec chown root '{}' \; > exit > sudo reboot

b

SLEM 5 must have directories that contain system commands owned by root.

CM-5 - Medium - CCI-001499 - V-261301 - SV-261301r996377_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232080

Vuln IDs

V-261301

Rule IDs

SV-261301r996377_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65030r995768_chk

Verify that the system command directories are owned by root with the following command: > find -L /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \; If any system command directories are returned, this is a finding.

Fix: F-64938r996376_fix

Configure the system commands to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin ! -user root -type d -exec chown root '{}' \; > exit > sudo reboot

b

SLEM 5 must have directories that contain system commands group-owned by root.

CM-5 - Medium - CCI-001499 - V-261302 - SV-261302r996380_rule

RMF Control

CM-5

Severity

M

CCI

Version

SLEM-05-232085

Vuln IDs

V-261302

Rule IDs

SV-261302r996380_rule

If SLEM 5 were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SLEM 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.

Checks: C-65031r996378_chk

Verify that the system command directories are group-owned by root with the following command: > find -L /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system command directories are returned, this is a finding.

Fix: F-64939r996379_fix

Configure the system commands to be protected from unauthorized access. Run the following command: > sudo transactional-update shell > sudo find -L /bin /sbin /usr/bin /usr/sbin ! -group root -type d -exec chgrp root '{}' \; > exit > sudo reboot

b

All SLEM 5 files and directories must have a valid owner.

CM-6 - Medium - CCI-000366 - V-261303 - SV-261303r996382_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-232090

Vuln IDs

V-261303

Rule IDs

SV-261303r996382_rule

Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier (UID) as the UID of the unowned files.

Checks: C-65032r996381_chk

Verify that all SLEM 5 files and directories on the system have a valid owner with the following command: Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. > sudo find / -fstype xfs -nouser If any files on the system do not have a valid owner, this is a finding.

Fix: F-64940r995775_fix

Either remove all files and directories from SLEM 5 that do not have a valid user or assign a valid user to all unowned files and directories on the system with the "chown" command: > sudo chown <user > <file>

b

All SLEM 5 files and directories must have a valid group owner.

CM-6 - Medium - CCI-000366 - V-261304 - SV-261304r996384_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-232095

Vuln IDs

V-261304

Rule IDs

SV-261304r996384_rule

Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.

Checks: C-65033r996383_chk

Verify all SLEM 5 files and directories on the system have a valid group with the following command: Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. > sudo find / -fstype xfs -nogroup If any files on the system do not have a valid group, this is a finding.

Fix: F-64941r995778_fix

Either remove all files and directories from SLEM 5 that do not have a valid group or assign a valid group to all files and directories on the system with the "chgrp" command: > sudo chgrp <group > <file>

b

All SLEM 5 local interactive user home directories must be group-owned by the home directory owner's primary group.

CM-6 - Medium - CCI-000366 - V-261305 - SV-261305r996387_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-232100

Vuln IDs

V-261305

Rule IDs

SV-261305r996387_rule

If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.

Checks: C-65034r996385_chk

Verify the assigned home directory of all SLEM 5 local interactive users is group-owned by that user's primary GID with the following command: Note: This may miss local interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example. > awk -F: '($3>=1000)&&($7 !~ /nologin/){print $4, $6}' /etc/passwd) 250:/home/smithj Check the user's primary group with the following command: > grep users /etc/group users:x:250:smithj,jonesj,jacksons If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.

Fix: F-64942r996386_fix

Change the group owner of a SLEM 5 local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. > sudo chgrp users /home/smithj

b

All SLEM 5 world-writable directories must be group-owned by root, sys, bin, or an application group.

CM-6 - Medium - CCI-000366 - V-261306 - SV-261306r996389_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-232105

Vuln IDs

V-261306

Rule IDs

SV-261306r996389_rule

If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.

Checks: C-65035r996388_chk

Verify all SLEM 5 world-writable directories are group-owned by root, sys, bin, or an application group with the following command: > sudo find / -perm -002 -type d -exec ls -lLd {} \; drwxrwxrwt. 2 root root 40 Aug 26 13:7 /dev/mqueue drwxrwxrwt. 2 root root 220 Aug 26 13:23 /dev/shm drwxrwxrwt. 14 root root 4096 Aug 26 13:29 /tmp If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.

Fix: F-64943r995784_fix

Change the group of SLEM 5 world-writable directories to root with the following command: > sudo chgrp root <directory>

b

The sticky bit must be set on all SLEM 5 world-writable directories.

SC-4 - Medium - CCI-001090 - V-261307 - SV-261307r1137695_rule

RMF Control

SC-4

Severity

M

CCI

CCI-001090

Version

SLEM-05-232110

Vuln IDs

V-261307

Rule IDs

SV-261307r1137695_rule

Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, and hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.

Checks: C-65036r996390_chk

Verify SLEM 5 prevents unauthorized and unintended information transfer via the shared system resources with the following command: > sudo find / $ -path /.snapshots -o -path /sys -o -path /proc $ -prune -o -perm -002 -type d -exec ls -lLd {} \; 256 0 drwxrwxrwt 1 root root 4096 Jun 14 06:45 /tmp If any of the returned directories do not have the sticky bit set, or are not documented as having the write permission for the other class, this is a finding.

Fix: F-64944r996391_fix

Configure SLEM 5 shared system resources to prevent any unauthorized and unintended information transfer by setting the sticky bit for all world-writable directories. An example of a world-writable directory is "/tmp" directory. Set the sticky bit on all of the world-writable directories (using the "/tmp" directory as an example) with the following command: > sudo chmod 1777 /tmp For every world-writable directory, replace "/tmp" in the command above with the world-writable directory that does not have the sticky bit set.

b

SLEM 5 must prevent unauthorized users from accessing system error messages.

SI-11 - Medium - CCI-001314 - V-261308 - SV-261308r996395_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001314

Version

SLEM-05-232115

Vuln IDs

V-261308

Rule IDs

SV-261308r996395_rule

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify SLEM 5 or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-65037r996393_chk

Verify SLEM 5 prevents unauthorized users from accessing system error messages. Check the "/var/log/messages" file permissions with the following command: > sudo stat -c "%n %U:%G %a" /var/log/messages /var/log/messages root:root 640 Check that "permissions.local" file contains the correct permissions rules with the following command: > grep -i messages /etc/permissions.local /var/log/messages root:root 640 If the effective permissions do not match the "permissions.local" file, the command does not return any output, or is commented out, this is a finding.

Fix: F-64945r996394_fix

Configure SLEM 5 to prevent unauthorized users from accessing system error messages. Add or update the following rules in "/etc/permissions.local": /var/log/messages root:root 640 Set the correct permissions with the following command: > sudo chkstat --set --system

b

SLEM 5 must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

SI-11 - Medium - CCI-001312 - V-261309 - SV-261309r996398_rule

RMF Control

SI-11

Severity

M

CCI

CCI-001312

Version

SLEM-05-232120

Vuln IDs

V-261309

Rule IDs

SV-261309r996398_rule

Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. The /var/log/btmp, /var/log/wtmp, and /var/log/lastlog files have group write and global read permissions to allow for the lastlog function to perform. Limiting the permissions beyond this configuration will result in the failure of functions that rely on the lastlog database.

Checks: C-65038r996396_chk

Verify SLEM 5 has all system log files under the /var/log directory with a permission set to "640", by using the following command: Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Vulnerability Discussion for details. > sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec stat -c "%n %a" {} \; If command displays any output, this is a finding.

Fix: F-64946r996397_fix

Configure SLEM 5 to set permissions of all log files under /var/log directory to "640" or more restricted, by using the following command: Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Vulnerability Discussion for details. > sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \;

b

SLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

CM-7 - Medium - CCI-000382 - V-261310 - SV-261310r996401_rule

RMF Control

CM-7

Severity

M

CCI

CCI-000382

Version

SLEM-05-251010

Vuln IDs

V-261310

Rule IDs

SV-261310r996401_rule

To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Additionally, operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission functions and the need to eliminate immediate or future remote access to organizational information systems.

Checks: C-65039r996399_chk

Verify SLEM 5 "firewalld.service" is enabled and running with the following command: > systemctl status firewalld.service firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2023-11-29 08:12:35 MST If the service is not enabled and active, this is a finding. Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: > sudo firewall-cmd --list-all Ask the system administrator for the site or program PPSM Component Local Services Assessment (Component Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

Fix: F-64947r996400_fix

Configure SLEM 5 is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. Add/modify /etc/firewalld configuration files to comply with the PPSM CAL. Enable and start the "firewalld.service" by running the following command: > sudo systemctl enable firewalld.service --now To immediately disable remote access and disconnect all current remote connections, the firewall needs to be set into panic mode. > sudo firewall-cmd --panic-on To allow remote access, panic mode needs to be disabled. > sudo firewall-cmd --panic-off

b

SLEM 5 clock must, for networked systems, be synchronized to an authoritative DOD time source at least every 24 hours.

AU-8 - Medium - CCI-001891 - V-261311 - SV-261311r1038944_rule

RMF Control

AU-8

Severity

M

CCI

CCI-001891

Version

SLEM-05-252010

Vuln IDs

V-261311

Rule IDs

SV-261311r1038944_rule

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).

Checks: C-65040r996402_chk

Verify that SLEM 5 clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second with the following command: > sudo grep maxpoll /etc/chrony.conf server 0.us.pool.ntp.mil maxpoll 16 If the "server" parameter is not set to an authoritative DOD time source, "maxpoll" is greater than "16", the line is commented out, or the line is missing, this is a finding.

Fix: F-64948r996403_fix

SLEM 5 clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second. To configure the system clock to synchronize to an authoritative DOD time source at least every 24 hours, edit the file "/etc/chrony.conf". Add or correct the following lines by replacing "<time_source>" with an authoritative DOD time source: server <time_source> maxpoll 16

b

SLEM 5 must not have network interfaces in promiscuous mode unless approved and documented.

CM-6 - Medium - CCI-000366 - V-261312 - SV-261312r996406_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-252015

Vuln IDs

V-261312

Rule IDs

SV-261312r996406_rule

Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the information system security officer (ISSO) and restricted to only authorized personnel.

Checks: C-65041r996405_chk

Verify SLEM 5 network interfaces are not in promiscuous mode with the following command: > ip link | grep -i promisc If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.

Fix: F-64949r995802_fix

Configure SLEM 5 network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. Set the promiscuous mode of an interface to off with the following command: > sudo ip link set dev <devicename> promisc off

b

SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets.

CM-6 - Medium - CCI-000366 - V-261313 - SV-261313r996409_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-253010

Vuln IDs

V-261313

Rule IDs

SV-261313r996409_rule

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4/IPv6 forwarding is enabled and the system is functioning as a router.

Checks: C-65042r996407_chk

Verify SLEM 5 does not accept IPv4 source-routed packets with the following command: > sudo sysctl net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.accept_source_route = 0 If the network parameter "ipv4.conf.all.accept_source_route" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64950r996408_fix

Configure SLEM 5 to disable IPv4 source routing by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.all.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.

CM-6 - Medium - CCI-000366 - V-261314 - SV-261314r996412_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-253015

Vuln IDs

V-261314

Rule IDs

SV-261314r996412_rule

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Checks: C-65043r996410_chk

Verify SLEM 5 does not accept IPv4 source-routed packets by default with the following command: > sudo sysctl net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.accept_source_route = 0 If the network parameter "ipv4.conf.default.accept_source_route" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64951r996411_fix

Configure SLEM 5 to disable IPv4 default source routing by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.default.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.

CM-6 - Medium - CCI-000366 - V-261315 - SV-261315r996415_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-253020

Vuln IDs

V-261315

Rule IDs

SV-261315r996415_rule

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Checks: C-65044r996413_chk

Verify SLEM 5 does not accept IPv4 ICMP redirect messages with the following command: > sudo sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_redirects = 0 If the network parameter "ipv4.conf.all.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64952r996414_fix

Configure SLEM 5 to not accept IPv4 ICMP redirect messages by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must not allow interfaces to accept Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.

CM-6 - Medium - CCI-000366 - V-261316 - SV-261316r996418_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-253025

Vuln IDs

V-261316

Rule IDs

SV-261316r996418_rule

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Checks: C-65045r996416_chk

Verify SLEM 5 does not accept IPv4 ICMP redirect messages by default with the following command: > sudo sysctl net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects = 0 If the network parameter "ipv4.conf.default.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64953r996417_fix

Configure SLEM 5 to not accept IPv4 ICMP redirect messages by default by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.default.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.default.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.

CM-6 - Medium - CCI-000366 - V-261317 - SV-261317r996421_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-253030

Vuln IDs

V-261317

Rule IDs

SV-261317r996421_rule

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.

Checks: C-65046r996419_chk

Verify SLEM 5 does not allow interfaces to perform IPv4 ICMP redirects with the following command: > sudo sysctl net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects = 0 If the network parameter "ipv4.conf.all.send_redirects" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64954r996420_fix

Configure SLEM 5 to not allow interfaces to perform IPv4 ICMP redirects by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.all.send_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must not allow interfaces to send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages by default.

CM-6 - Medium - CCI-000366 - V-261318 - SV-261318r996424_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-253035

Vuln IDs

V-261318

Rule IDs

SV-261318r996424_rule

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.

Checks: C-65047r996422_chk

Verify SLEM 5 does not allow interfaces to perform IPv4 ICMP redirects by default with the following command: > sudo sysctl net.ipv4.conf.default.send_redirects net.ipv4.conf.default.send_redirects = 0 If the network parameter "ipv4.conf.default.send_redirects" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64955r996423_fix

Configure SLEM 5 to not allow interfaces to perform IPv4 ICMP redirects by default by running the following command as an administrator: > sudo sysctl -w net.ipv4.conf.default.send_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.conf.default.send_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must not be performing Internet Protocol version 4 (IPv4) packet forwarding unless the system is a router.

CM-6 - Medium - CCI-000366 - V-261319 - SV-261319r996427_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-253040

Vuln IDs

V-261319

Rule IDs

SV-261319r996427_rule

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

Checks: C-65048r996425_chk

Verify SLEM 5 is not performing IPv4 packet forwarding, unless the system is a router with the following command: > sudo sysctl net.ipv4.ip_forward net.ipv4.ip_forward = 0 If the network parameter "ipv4.ip_forward" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64956r996426_fix

Configure SLEM 5 to not performing IPv4 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv4.ip_forward=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.ip_forward=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must be configured to use TCP syncookies.

SC-5 - Medium - CCI-001095 - V-261320 - SV-261320r996861_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001095

Version

SLEM-05-253045

Vuln IDs

V-261320

Rule IDs

SV-261320r996861_rule

Denial of service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.

Checks: C-65049r996428_chk

Verify SLEM 5 is configured to use IPv4 TCP syncookies with the following command: > sudo sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 If the network parameter "ipv4.tcp_syncookies" is not equal to "1", or nothing is returned, this is a finding.

Fix: F-64957r996429_fix

Configure SLEM 5 to use IPv4 TCP syncookies by running the following command as an administrator: > sudo sysctl -w net.ipv4.tcp_syncookies=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets.

CM-6 - Medium - CCI-000366 - V-261321 - SV-261321r996433_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-254010

Vuln IDs

V-261321

Rule IDs

SV-261321r996433_rule

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Checks: C-65050r996431_chk

Verify SLEM 5 does not accept IPv6 source-routed packets with the following command: > sudo sysctl net.ipv6.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route = 0 If the network parameter "ipv6.conf.all.accept_source_route" is not equal to "0" or nothing is returned, this is a finding.

Fix: F-64958r996432_fix

Configure SLEM 5 to disable IPv6 source routing by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must not forward Internet Protocol version 6 (IPv6) source-routed packets by default.

CM-6 - Medium - CCI-000366 - V-261322 - SV-261322r996436_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-254015

Vuln IDs

V-261322

Rule IDs

SV-261322r996436_rule

Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Checks: C-65051r996434_chk

Verify SLEM 5 does not accept IPv6 source-routed packets by default with the following command: > sudo sysctl net.ipv6.conf.default.accept_source_route net.ipv6.conf.default.accept_source_route = 0 If the network parameter "ipv6.conf.default.accept_source_route" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64959r996435_fix

Configure SLEM 5 to disable IPv6 default source routing by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.accept_source_route=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must prevent Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages from being accepted.

CM-6 - Medium - CCI-000366 - V-261323 - SV-261323r996439_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-254020

Vuln IDs

V-261323

Rule IDs

SV-261323r996439_rule

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Checks: C-65052r996437_chk

Verify SLEM 5 does not accept IPv6 ICMP redirect messages with the following command: > sudo sysctl net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects = 0 If the network parameter "ipv6.conf.all.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64960r996438_fix

Configure SLEM 5 to not accept IPv6 ICMP redirect messages by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must not allow interfaces to accept Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) redirect messages by default.

CM-6 - Medium - CCI-000366 - V-261324 - SV-261324r996442_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-254025

Vuln IDs

V-261324

Rule IDs

SV-261324r996442_rule

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.

Checks: C-65053r996440_chk

Verify SLEM 5 does not allow IPv6 ICMP redirect messages by default with the following command: > sudo sysctl net.ipv6.conf.default.accept_redirects net.ipv6.conf.default.accept_redirects = 0 If the network parameter "ipv6.conf.default.accept_redirects" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64961r996441_fix

Configure SLEM 5 to not accept IPv6 ICMP redirect messages by default by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.accept_redirects=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.accept_redirects=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding unless the system is a router.

CM-6 - Medium - CCI-000366 - V-261325 - SV-261325r996445_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-254030

Vuln IDs

V-261325

Rule IDs

SV-261325r996445_rule

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

Checks: C-65054r996443_chk

Verify SLEM 5 is not performing IPv6 packet forwarding, unless the system is a router with the following command: > sudo sysctl net.ipv6.conf.all.forwarding net.ipv6.conf.all.forwarding = 0 If the network parameter "ipv6.conf.all.forwarding" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64962r996444_fix

Configure SLEM 5 to not performing IPv6 packet forwarding by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.all.forwarding=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.all.forwarding=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b

SLEM 5 must not be performing Internet Protocol version 6 (IPv6) packet forwarding by default unless the system is a router.

CM-6 - Medium - CCI-000366 - V-261326 - SV-261326r996448_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-254035

Vuln IDs

V-261326

Rule IDs

SV-261326r996448_rule

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.

Checks: C-65055r996446_chk

Verify SLEM 5 is not performing IPv6 packet forwarding by default, unless the system is a router with the following command: > sudo sysctl net.ipv6.conf.default.forwarding net.ipv6.conf.default.forwarding = 0 If the network parameter "ipv6.conf.default.forwarding" is not equal to "0", or nothing is returned, this is a finding.

Fix: F-64963r996447_fix

Configure SLEM 5 to not performing IPv6 packet forwarding by default by running the following command as an administrator: > sudo sysctl -w net.ipv6.conf.default.forwarding=0 If "0" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv6.conf.default.forwarding=0" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

c

SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information.

SC-8 - High - CCI-002418 - V-261327 - SV-261327r996450_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002418

Version

SLEM-05-255010

Vuln IDs

V-261327

Rule IDs

SV-261327r996450_rule

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.

Checks: C-65056r996449_chk

Verify the SSH package is installed by using the following command: > zypper info openssh | grep -i installed Name : openssh Version : 8.4p1-3.9.1 Arch : X86_64 Vendor : SUSE LLC <https://www.suse.com> Installed Size : 0 B Installed : Yes Status : up-to-date If the "openssh" package is not installed, this is a finding.

Fix: F-64964r995847_fix

Install the "openssh" package on SLEM 5 with the following command: > sudo transactional-update pkg install openssh Reboot the system for the changes to take effect: > sudo reboot

c

SLEM 5 must use SSH to protect the confidentiality and integrity of transmitted information.

SC-8 - High - CCI-002418 - V-261328 - SV-261328r996453_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002418

Version

SLEM-05-255015

Vuln IDs

V-261328

Rule IDs

SV-261328r996453_rule

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.

Checks: C-65057r996451_chk

Verify "sshd.service" is enabled and active by using the following command: > systemctl status sshd.service | grep -i active Active: active (running) since Wed 2023-11-29 09:49:45 MST; 2 months 23 days ago If "openssh.service" is not active, this is a finding.

Fix: F-64965r996452_fix

Enable "openssh.service" to start automatically on reboot with the following command: > sudo systemctl enable sshd.service For the changes to take effect immediately, start the service with the following command: > sudo systemctl restart sshd.service

b

SLEM 5 must display the Standard Mandatory DOD Notice and Consent Banner before granting access via SSH.

AC-8 - Medium - CCI-000048 - V-261329 - SV-261329r996455_rule

RMF Control

AC-8

Severity

M

CCI

CCI-000048

Version

SLEM-05-255020

Vuln IDs

V-261329

Rule IDs

SV-261329r996455_rule

Display of a standardized and approved use notification before granting access to SLEM 5 ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for SLEM 5 that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Checks: C-65058r996454_chk

Verify SLEM 5 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*banner' /etc/ssh/sshd_config:Banner /etc/issue If "Banner" is not set to "/etc/issue", is commented out, missing, or conflicting results are returned, this is a finding.

Fix: F-64966r995853_fix

Add or modify the following line in the "/etc/ssh/sshd_config" file: Banner /etc/issue/ Restart the "sshd.service": > sudo systemctl restart sshd.service

c

SLEM 5 must not allow unattended or automatic logon via SSH.

CM-6 - High - CCI-000366 - V-261330 - SV-261330r996457_rule

RMF Control

CM-6

Severity

H

CCI

Version

SLEM-05-255025

Vuln IDs

V-261330

Rule IDs

SV-261330r996457_rule

Failure to restrict system access via SSH to authenticated users negatively impacts SLEM 5 security.

Checks: C-65059r996456_chk

Verify SLEM 5 disables unattended or automatic logon via SSH with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iEH '^\s*(permit(.*?)(passwords|environment))' /etc/ssh/sshd_config:PermitEmptyPasswords no /etc/ssh/sshd_config:PermitUserEnvironment no If "PermitEmptyPasswords" or "PermitUserEnvironment" keywords are not set to "no", are commented out, or are missing completely, this is a finding.

Fix: F-64967r995856_fix

Configure SLEM 5 disables unattended or automatic logon via SSH. Add or modify the following lines in the "/etc/ssh/sshd_config" file: PermitEmptyPasswords no PermitUserEnvironment no

b

SLEM 5 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.

SC-10 - Medium - CCI-001133 - V-261331 - SV-261331r996459_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

SLEM-05-255030

Vuln IDs

V-261331

Rule IDs

SV-261331r996459_rule

Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.

Checks: C-65060r996458_chk

Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive by using the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientalivecountmax' /etc/ssh/sshd_config:ClientAliveCountMax 1 If "ClientAliveCountMax" is not set to "1", is commented out, missing, or conflicting results are returned, this is a finding.

Fix: F-64968r995859_fix

Add or modify the following line in the "/etc/ssh/sshd_config" file: ClientAliveCountMax 1 Restart the SSH daemon for the changes to take effect: > sudo systemctl restart sshd.service

b

SLEM 5 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.

MA-4 - Medium - CCI-000879 - V-261332 - SV-261332r996462_rule

RMF Control

MA-4

Severity

M

CCI

CCI-000879

Version

SLEM-05-255035

Vuln IDs

V-261332

Rule IDs

SV-261332r996462_rule

Terminating an unresponsive SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the operating system level and deallocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the unresponsive session and releases the resources associated with that session.

Checks: C-65061r996460_chk

Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes by using the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientaliveinterval' /etc/ssh/sshd_config:ClientAliveInterval 600 If "ClientAliveInterval" is not set to "600" or less, is commented out, missing, or conflicting results are returned, this is a finding.

Fix: F-64969r996461_fix

Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. Add or modify the following line in the "/etc/ssh/sshd_config" file: ClientAliveInterval 600 The SSH daemon must be restarted for any changes to take effect: > systemctl restart sshd.service

b

SLEM 5 SSH daemon must disable forwarded remote X connections for interactive users, unless to fulfill documented and validated mission requirements.

CM-6 - Medium - CCI-000366 - V-261333 - SV-261333r996464_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-255040

Vuln IDs

V-261333

Rule IDs

SV-261333r996464_rule

The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system's needs.

Checks: C-65062r996463_chk

Verify SLEM 5 SSH daemon remote X forwarded connections for interactive users are disabled with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11forwarding' /etc/ssh/sshd_config:X11Forwarding no If the "X11Forwarding" keyword is set to "yes" and is not documented with the information system security officer (ISSO) as an operational requirement, is commented out, or the line is missing, this is a finding.

Fix: F-64970r995865_fix

Configure SLEM 5 SSH daemon to disable forwarded X connections for interactive users. Add or modify the following line in the "/etc/ssh/sshd_config" file: X11Forwarding no

c

SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.

AC-17 - High - CCI-000068 - V-261334 - SV-261334r996467_rule

RMF Control

AC-17

Severity

H

CCI

CCI-000068

Version

SLEM-05-255045

Vuln IDs

V-261334

Rule IDs

SV-261334r996467_rule

Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection.

Checks: C-65063r996465_chk

Verify that SLEM 5 implements DOD-approved encryption to protect the confidentiality of SSH remote connections with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ciphers' /etc/ssh/sshd_config:Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the line is commented out, or the "Ciphers" keyword is missing, or conflicting results are returned, this is a finding.

Fix: F-64971r996466_fix

Configure the SSH server to only implement FIPS 140-2/140-3 approved ciphers. Add or modify the following line in the "/etc/ssh/sshd_config" file: Ciphers aes256-ctr,aes192-ctr,aes128-ctr Restart the SSH daemon: > sudo systemctl restart sshd.service

c

SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms.

MA-4 - High - CCI-000877 - V-261335 - SV-261335r996469_rule

RMF Control

MA-4

Severity

H

CCI

CCI-000877

Version

SLEM-05-255050

Vuln IDs

V-261335

Rule IDs

SV-261335r996469_rule

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection.

Checks: C-65064r996468_chk

Verify SLEM 5 SSH daemon is configured to only use MACs that employ FIPS 140-2/140-3 approved hashes with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*macs' /etc/ssh/sshd_config:MACs hmac-sha2-512,hmac-sha2-256 If any ciphers other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, is commented out, missing, or conflicting results are returned, this is a finding.

Fix: F-64972r995871_fix

Configure SLEM 5 SSH daemon to only use MACs that employ FIPS 140-2/140-3 approved hashes. Add or modify the following line in the "/etc/ssh/sshd_config" file: MACs hmac-sha2-512,hmac-sha2-256

c

SLEM 5 SSH server must be configured to use only FIPS 140-2/140-3 validated key exchange algorithms.

AC-17 - High - CCI-001453 - V-261336 - SV-261336r996472_rule

RMF Control

AC-17

Severity

H

CCI

CCI-001453

Version

SLEM-05-255055

Vuln IDs

V-261336

Rule IDs

SV-261336r996472_rule

Without cryptographic integrity protections provided by FIPS 140-2/140-3 validated cryptographic algorithms, information can be viewed and altered by unauthorized users without detection. The system will attempt to use the first algorithm presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest algorithm available to secure the SSH connection.

Checks: C-65065r996470_chk

Verify that the SSH server is configured to use only FIPS 140-2/140-3 validated key exchange algorithms with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kexalgorithms' KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 If "KexAlgorithms" does not contain the list of algorithms in the exact order, is commented out, missing, or conflicting results are returned, this is a finding.

Fix: F-64973r996471_fix

Configure the SSH server to use only FIPS 140-2/140-3 validated key exchange algorithms. Add or modify the following line in the "/etc/ssh/sshd_config" file: KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 Restart the SSH daemon for changes to take effect: > sudo systemctl restart sshd.service

b

SLEM 5 must deny direct logons to the root account using remote access via SSH.

IA-2 - Medium - CCI-000770 - V-261337 - SV-261337r996844_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000770

Version

SLEM-05-255060

Vuln IDs

V-261337

Rule IDs

SV-261337r996844_rule

To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the Unix OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the Unix and Windows SLEM 5 offer a "switch user" capability, allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on SLEM 5 without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.

Checks: C-65066r996473_chk

Verify SLEM 5 denies direct logons to the root account using remote access via SSH with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permitrootlogin' /etc/ssh/sshd_config:PermitRootLogin no If the "PermitRootLogin" keyword is set to "yes", is commented out, missing, or conflicting results are returned, this is a finding.

Fix: F-64974r995877_fix

Configure SLEM 5 to deny direct logons to the root account using remote access via SSH. Add or modify the following line in the "/etc/ssh/sshd_config" file: PermitRootLogin no

b

SLEM 5 must log SSH connection attempts and failures to the server.

AC-17 - Medium - CCI-000067 - V-261338 - SV-261338r996845_rule

RMF Control

AC-17

Severity

M

CCI

CCI-000067

Version

SLEM-05-255065

Vuln IDs

V-261338

Rule IDs

SV-261338r996845_rule

Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyberattacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).

Checks: C-65067r996475_chk

Verify SSH is configured to verbosely log connection attempts and failed logon attempts to SLEM 5 with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*loglevel' /etc/ssh/sshd_config:LogLevel VERBOSE If "LogLevel" is not set to "VERBOSE", is commented out, missing, or conflicting results are returned, this is a finding.

Fix: F-64975r996476_fix

Configure SSH to verbosely log connection attempts and failed logon attempts to SLEM 5. Add or modify the following line in the "/etc/ssh/sshd_config" file: LogLevel VERBOSE Restart the SSH daemon in order for the changes to take effect: > sudo systemctl restart sshd.service

b

SLEM 5 must display the date and time of the last successful account logon upon an SSH logon.

CM-6 - Medium - CCI-000366 - V-261339 - SV-261339r996480_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-255070

Vuln IDs

V-261339

Rule IDs

SV-261339r996480_rule

Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.

Checks: C-65068r996478_chk

Verify all remote connections via SSH to SLEM 5 display feedback on when account accesses last occurred with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*printlastlog' /etc/ssh/sshd_config:PrintLastLog yes If the "PrintLastLog" is not set to "yes", is commented out, missing, or conflicting results are returned, this is a finding.

Fix: F-64976r996479_fix

Configure SLEM 5 to provide users with feedback on when account accesses last occurred. Add or modify the following lines in the "/etc/ssh/sshd_config" file: PrintLastLog yes Restart the SSH daemon in order for the changes to take effect: > sudo systemctl restart sshd.service

b

SLEM 5 SSH daemon must be configured to not allow authentication using known hosts authentication.

CM-6 - Medium - CCI-000366 - V-261340 - SV-261340r996483_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-255075

Vuln IDs

V-261340

Rule IDs

SV-261340r996483_rule

Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.

Checks: C-65069r996481_chk

Verify SLEM 5 SSH daemon is configured to not allow authentication using "known hosts" authentication with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ignoreuserknownhosts' /etc/ssh/sshd_config:IgnoreUserKnownHosts yes If "IgnoreUserKnownHosts" is not set to "no", is commented out, missing, or conflicting results are returned, this is a finding.

Fix: F-64977r996482_fix

Configure SLEM 5 SSH daemon to not allow authentication using "known hosts" authentication. Add or modify the following line in the "/etc/ssh/sshd_config" file: IgnoreUserKnownHosts yes Restart the SSH daemon in order for the changes to take effect: > sudo systemctl restart sshd.service

b

SLEM 5 SSH daemon must perform strict mode checking of home directory configuration files.

CM-6 - Medium - CCI-000366 - V-261341 - SV-261341r996486_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-255080

Vuln IDs

V-261341

Rule IDs

SV-261341r996486_rule

If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.

Checks: C-65070r996484_chk

Verify SLEM 5 SSH daemon performs strict mode checking of home directory configuration files with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*strictmodes' /etc/ssh/sshd_config:StrictModes yes If "StrictModes" is not set to "yes", is commented out, missing, or conflicting results are returned, this is a finding.

Fix: F-64978r996485_fix

Configure SLEM 5 SSH daemon performs strict mode checking of home directory configuration files. Add or modify the following line in the "/etc/ssh/sshd_config" file: StrictModes yes Restart the SSH daemon in order for the changes to take effect: > sudo systemctl restart sshd.service

b

SLEM 5, for PKI-based authentication, must enforce authorized access to the corresponding private key.

IA-5 - Medium - CCI-000186 - V-261342 - SV-261342r996488_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000186

Version

SLEM-05-255085

Vuln IDs

V-261342

Rule IDs

SV-261342r996488_rule

If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.

Checks: C-65071r996487_chk

Verify the SSH private key files have a passcode. For each private key stored on the system, use the following command (with the example of "/etc/ssh/ssh_host_dsa_key"): > ssh-keygen -y -f /etc/ssh/ssh_host_dsa_key Load key "/etc/ssh/ssh_host_dsa_key": Permission denied If the contents of any key are displayed, this is a finding.

Fix: F-64979r995892_fix

Create a new private and public key pair that uses a passcode with the following command: > sudo ssh-keygen -n <passphrase>

c

There must be no .shosts files on SLEM 5.

CM-6 - High - CCI-000366 - V-261343 - SV-261343r996489_rule

RMF Control

CM-6

Severity

H

CCI

Version

SLEM-05-255090

Vuln IDs

V-261343

Rule IDs

SV-261343r996489_rule

The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system as it does not require interactive identification and authentication of a connection request or for the use of two-factor authentication.

Checks: C-65072r995894_chk

Verify there are no ".shosts" files on SLEM 5 with the following command: > sudo find / $ -path /.snapshots -o -path /sys -o -path /proc $ -prune -o -name '.shosts' -print If any ".shosts" files are found on the system, this is a finding.

Fix: F-64980r995895_fix

Remove any ".shosts" files found on SLEM 5. > sudo rm /<path_to_file>/.shosts

c

There must be no shosts.equiv files on SLEM 5.

CM-6 - High - CCI-000366 - V-261344 - SV-261344r996490_rule

RMF Control

CM-6

Severity

H

CCI

Version

SLEM-05-255095

Vuln IDs

V-261344

Rule IDs

SV-261344r996490_rule

The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.

Checks: C-65073r995897_chk

Verify there are no "shosts.equiv" files on SLEM 5 with the following command: > sudo find /etc -name shosts.equiv If any "shosts.equiv" files are found on the system, this is a finding.

Fix: F-64981r995898_fix

Remove any "shosts.equiv" files found on SLEM 5. > sudo rm /<path_to_file>/shosts.equiv

c

SLEM 5 must not allow unattended or automatic logon via the graphical user interface (GUI).

CM-6 - High - CCI-000366 - V-261345 - SV-261345r996493_rule

RMF Control

CM-6

Severity

H

CCI

Version

SLEM-05-272010

Vuln IDs

V-261345

Rule IDs

SV-261345r996493_rule

Failure to restrict system access to authenticated users negatively impacts SLEM 5 security.

Checks: C-65074r996491_chk

Note: If a graphical user interface is not installed, this requirement is not applicable. Verify SLEM 5 does not allow unattended or automatic logon via the GUI. Check that unattended or automatic login is disabled with the following commands: > grep -i ^DISPLAYMANAGER_AUTOLOGIN /etc/sysconfig/displaymanager DISPLAYMANAGER_AUTOLOGIN="" > grep -i ^DISPLAYMANAGER_PASSWORD_LESS_LOGIN /etc/sysconfig/displaymanager DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no" If the "DISPLAYMANAGER_AUTOLOGIN" parameter includes a username or the "DISPLAYMANAGER_PASSWORD_LESS_LOGIN" is not set to "no", this is a finding.

Fix: F-64982r996492_fix

Note: If a graphical user interface is not installed, this requirement is not applicable. Configure SLEM 5 GUI to not allow unattended or automatic logon to the system. Add or modify the following lines in the "/etc/sysconfig/displaymanager" file: DISPLAYMANAGER_AUTOLOGIN="" DISPLAYMANAGER_PASSWORD_LESS_LOGIN="no"

b

SLEM 5 wireless network adapters must be disabled unless approved and documented.

AC-18 - Medium - CCI-001444 - V-261346 - SV-261346r996496_rule

RMF Control

AC-18

Severity

M

CCI

CCI-001444

Version

SLEM-05-291010

Vuln IDs

V-261346

Rule IDs

SV-261346r996496_rule

Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise SLEM 5. This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with a SLEM 5. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR keyboards, mice, pointing devices, and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DOD requirements for wireless data transmission and be approved for use by the AO. Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise SLEM 5. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.

Checks: C-65075r996494_chk

Verify that SLEM 5 has no wireless network adapters enabled with the following command: > sudo wicked show all ... wlan0 up link: #3, state up, mtu 1500 type: wireless, hwaddr 06:00:00:00:00:02 config: wicked:xml:/etc/wicked/ifconfig/wlan0.xml leases: ipv4 dhcp granted addr: ipv4 10.0.0.101/16 [dhcp] route: ipv4 default via 10.0.0.1 proto dhcp If a wireless interface is configured and has not been documented and approved by the AO, this is a finding.

Fix: F-64983r996495_fix

Configure SLEM 5 to disable all wireless network interfaces with the following command: For each interface of type wireless, bring the interface into "down" state: > sudo wicked ifdown wlan0 For each interface of type wireless with a configuration type of "compat:suse:", remove the associated file: > sudo rm /etc/sysconfig/network/ifcfg-wlan0 For each interface of type wireless, for each configuration of type "wicked:xml:", remove the associated file or remove the interface configuration from the file. > sudo rm /etc/wicked/ifconfig/wlan0.xml

b

SLEM 5 must disable the USB mass storage kernel module.

IA-3 - Medium - CCI-001958 - V-261347 - SV-261347r996498_rule

RMF Control

IA-3

Severity

M

CCI

CCI-001958

Version

SLEM-05-291015

Vuln IDs

V-261347

Rule IDs

SV-261347r996498_rule

Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include but are not limited to such devices as flash drives, external storage, and printers.

Checks: C-65076r996497_chk

Verify SLEM 5 does not automount USB mass storage devices when connected to the host with the following command: > grep usb-storage /etc/modprobe.d/50-blacklist.conf blacklist usb-storage If the line is commented out or the line is missing, this is a finding.

Fix: F-64984r995907_fix

Configure SLEM 5 to prevent USB mass storage devices from automounting when connected to the host. Add or modify the following line in the "/etc/modprobe.d/50-blacklist.conf" file: blacklist usb-storage

b

All SLEM 5 local interactive user accounts, upon creation, must be assigned a home directory.

CM-6 - Medium - CCI-000366 - V-261348 - SV-261348r996500_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-411010

Vuln IDs

V-261348

Rule IDs

SV-261348r996500_rule

If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Checks: C-65077r996499_chk

Verify all SLEM 5 local interactive users on the system are assigned a home directory upon creation with the following command: > grep -i create_home /etc/login.defs CREATE_HOME yes If the "CREATE_HOME" parameter is not set to "yes", the line is commented out, or the line is missing, this is a finding.

Fix: F-64985r995910_fix

Configure SLEM 5 to assign home directories to all new local interactive users. Add or modify the following line in the "/etc/login.defs" file: CREATE_HOME yes

b

SLEM 5 default permissions must be defined in such a way that all authenticated users can only read and modify their own files.

CM-6 - Medium - CCI-000366 - V-261349 - SV-261349r996502_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-411015

Vuln IDs

V-261349

Rule IDs

SV-261349r996502_rule

Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.

Checks: C-65078r996501_chk

Verify SLEM 5 defines default permissions for all authenticated users in such a way that the users can only read and modify their own files with the following command: > grep -i "^umask" /etc/login.defs UMASK 077 If the "UMASK" variable is set to "000", the severity is raised to a CAT I and this is a finding. If the value of "UMASK" is not set to "077", the line is commented out, or the line is missing, this is a finding.

Fix: F-64986r995913_fix

Configure SLEM 5 to define the default permissions for all authenticated users in such a way that the users can only read and modify their own files. Add or modify the following line in the "/etc/login.defs" file: UMASK 077

b

SLEM 5 shadow password suite must be configured to enforce a delay of at least five seconds between logon prompts following a failed logon attempt.

CM-6 - Medium - CCI-000366 - V-261350 - SV-261350r996504_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-411020

Vuln IDs

V-261350

Rule IDs

SV-261350r996504_rule

Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Checks: C-65079r996503_chk

Verify SLEM 5 enforces a delay of at least five seconds between logon prompts following a failed logon attempt with the following command: > grep -i fail_delay /etc/login.defs FAIL_DELAY 5 If the value of "FAIL_DELAY" is not set to "5" or greater, the line is commented out, or the line is missing, this is a finding.

Fix: F-64987r995916_fix

Configure SLEM 5 to enforce a delay of at least five seconds between logon prompts following a failed logon attempt. Add or modify the following line in the "/etc/login.defs" file: FAIL_DELAY 5

b

All SLEM 5 local interactive users must have a home directory assigned in the /etc/passwd file.

CM-6 - Medium - CCI-000366 - V-261351 - SV-261351r996506_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-411025

Vuln IDs

V-261351

Rule IDs

SV-261351r996506_rule

If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.

Checks: C-65080r996505_chk

Verify SLEM 5 local interactive users on the system have a home directory assigned with the following command: > sudo pwck -r user 'smithj': directory '/home/smithj' does not exist Ask the system administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command: > awk -F: '($3>=1000)&&($1!="nobody"){print $1 ":" $3}' /etc/passwd If any interactive users do not have a home directory assigned, this is a finding.

Fix: F-64988r995919_fix

Assign home directories to all SLEM 5 local interactive users that currently do not have a home directory assigned. Assign a home directory to users via the usermod command: > sudo usermod -d /home/smithj smithj

b

All SLEM 5 local interactive user home directories defined in the /etc/passwd file must exist.

CM-6 - Medium - CCI-000366 - V-261352 - SV-261352r996862_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-411030

Vuln IDs

V-261352

Rule IDs

SV-261352r996862_rule

If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a denial of service (DoS) because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.

Checks: C-65081r996507_chk

Verify the assigned home directory of all SLEM 5 local interactive users on the system exists. Check the home directory assignment for all local interactive nonprivileged users on the system with the following command: > awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $6}' /etc/passwd smithj /home/smithj Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. Check that all referenced home directories exist with the following command: > sudo pwck -r user 'smithj': directory '/home/smithj' does not exist If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.

Fix: F-64989r996508_fix

Create home directories to all SLEM 5 local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd". > sudo mkdir /home/smithj > sudo chown smithj /home/smithj > sudo chgrp users /home/smithj > sudo chmod 0750 /home/smithj

b

All SLEM 5 local interactive user initialization files executable search paths must contain only paths that resolve to the users' home directory.

CM-6 - Medium - CCI-000366 - V-261353 - SV-261353r996512_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-411035

Vuln IDs

V-261353

Rule IDs

SV-261353r996512_rule

The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the information system security officer (ISSO).

Checks: C-65082r996510_chk

Verify that all SLEM 5 local interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the user's home directory with the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". > sudo grep -i path= /home/smithj/.* /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, and the additional path statements are not documented with the ISSO as an operational requirement, this is a finding.

Fix: F-64990r996511_fix

Edit SLEM 5 local interactive user initialization files to change any PATH variable statements for executables that reference directories other than their home directory. If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.

b

All SLEM 5 local initialization files must not execute world-writable programs.

CM-6 - Medium - CCI-000366 - V-261354 - SV-261354r996514_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-411040

Vuln IDs

V-261354

Rule IDs

SV-261354r996514_rule

If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.

Checks: C-65083r996513_chk

Verify that SLEM 5 local initialization files do not execute world-writable programs with the following command: > sudo find / -xdev -perm -002 -type f -exec ls -ld {} \; For all files listed, check for their presence in the local initialization files with the following command: Note: The example will be for a system that is configured to create users' home directories in the "/home" directory. > sudo find /home/* -maxdepth 1 -type f -name \.\* -exec grep -H <file > {} \; If any local initialization files are found to reference world-writable files, this is a finding.

Fix: F-64991r995928_fix

Remove the references to these files in the local initialization scripts or remove the world-writable permission of files referenced by SLEM 5 local initialization scripts with the following command: > sudo chmod 755 <file>

b

SLEM 5 must automatically expire temporary accounts within 72 hours.

AC-2 - Medium - CCI-001682 - V-261355 - SV-261355r996516_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001682

Version

SLEM-05-411045

Vuln IDs

V-261355

Rule IDs

SV-261355r996516_rule

Temporary accounts are privileged or nonprivileged accounts established during pressing circumstances, such as new software or hardware configuration or an incident response, where the need for prompt account activation requires bypassing normal account authorization procedures. If any inactive temporary accounts are left enabled on the system and are not either manually removed or automatically expired within 72 hours, the security posture of the system will be degraded and exposed to exploitation by unauthorized users or insider threat actors. Temporary accounts are different from emergency accounts. Emergency accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements. The automatic expiration of temporary accounts may be extended as needed by the circumstances, but it must not be extended indefinitely. A documented permanent account should be established for privileged users who need long-term maintenance accounts.

Checks: C-65084r996515_chk

Verify temporary accounts have been provisioned with an expiration date of 72 hours with the following command: > sudo chage -l <temporary_account_name> | grep -E '(Password|Account) expires' If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.

Fix: F-64992r995931_fix

Configure SLEM 5 to expire temporary accounts after 72 hours with the following command: >sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>

b

SLEM 5 must never automatically remove or disable emergency administrator accounts.

AC-2 - Medium - CCI-001682 - V-261356 - SV-261356r996518_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001682

Version

SLEM-05-411050

Vuln IDs

V-261356

Rule IDs

SV-261356r996518_rule

Emergency administrator accounts, also known as "last resort" or "break glass" accounts, are local logon accounts enabled on the system for emergency use by authorized system administrators to manage a system when standard logon methods are failing or not available. Emergency accounts are not subject to manual removal or scheduled expiration requirements.

Checks: C-65085r996517_chk

Verify SLEM 5 is configured such that emergency administrator accounts are never automatically removed or disabled with the following command: Note: Root is typically the "account of last resort" on a system and is also used as the example emergency administrator account. If another account is being used as the emergency administrator account, the command should be used against that account. > sudo chage -l <emergency_administrator_account_name> | grep -E '(Password|Account) expires' Password expires: never Account expires: never If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.

Fix: F-64993r995934_fix

Configure SLEM 5 to never automatically remove or disable emergency administrator accounts. > sudo chage -I -1 -M 99999 <emergency_administrator_account_name>

b

SLEM 5 must not have unnecessary accounts.

CM-6 - Medium - CCI-000366 - V-261357 - SV-261357r996521_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-411055

Vuln IDs

V-261357

Rule IDs

SV-261357r996521_rule

Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.

Checks: C-65086r996519_chk

Verify all SLEM 5 accounts are assigned to an active system, application, or user account with the following command: > more /etc/passwd root:x:0:0:root:/root:/bin/bash ... games:x:12:100:Games account:/var/games:/bin/bash Obtain the list of authorized system accounts from the information system security officer (ISSO). If the accounts on the system do not match the provided documentation, this is a finding.

Fix: F-64994r996520_fix

Configure SLEM 5 so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. Document all authorized accounts on the system.

b

SLEM 5 must not have unnecessary account capabilities.

CM-6 - Medium - CCI-000366 - V-261358 - SV-261358r996829_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-411060

Vuln IDs

V-261358

Rule IDs

SV-261358r996829_rule

Accounts providing no operational purpose provide additional opportunities for system compromise. Therefore all necessary noninteractive accounts should not have an interactive shell assigned to them.

Checks: C-65087r996829_chk

Verify all noninteractive SLEM 5 accounts do not have an interactive shell assigned to them with the following command: Check the system accounts on the system. > awk -F: '($7 !~ "/sbin/nologin" && $7 !~ "/bin/false"){print $1 ":" $3 ":" $7}' /etc/passwd root:0:/bin/bash nobody:65534:/bin/bash Obtain the list of authorized system accounts from the information system security officer (ISSO). If noninteractive accounts such as "games" or "nobody" are listed with an interactive shell, this is a finding.

Fix: F-64995r996523_fix

Configure SLEM 5 so that all noninteractive accounts on the system have no interactive shell assigned to them. Run the following command to disable the interactive shell for a specific noninteractive user account: > sudo usermod --shell /sbin/nologin nobody

c

SLEM 5 root account must be the only account with unrestricted access to the system.

CM-6 - High - CCI-000366 - V-261359 - SV-261359r996526_rule

RMF Control

CM-6

Severity

H

CCI

Version

SLEM-05-411065

Vuln IDs

V-261359

Rule IDs

SV-261359r996526_rule

If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SLEM 5. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.

Checks: C-65088r995942_chk

Verify that SLEM 5 root account is the only account with unrestricted access to the system with the following command: > awk -F: '$3 == 0 {print $1}' /etc/passwd root If any accounts other than root are listed, this is a finding.

Fix: F-64996r996525_fix

Change the UID of any account on SLEM 5, other than the root account, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". If the account is not associated with system commands or applications, assign a UID of greater than "1000" that has not already been assigned.

b

SLEM 5 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.

IA-4 - Medium - CCI-000795 - V-261360 - SV-261360r996529_rule

RMF Control

IA-4

Severity

M

CCI

CCI-000795

Version

SLEM-05-411070

Vuln IDs

V-261360

Rule IDs

SV-261360r996529_rule

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. SLEM 5 must track periods of inactivity and disable application identifiers after 35 days of inactivity.

Checks: C-65089r996527_chk

Verify SLEM 5 disables account identifiers after 35 days of inactivity after the password expiration with the following command: > sudo grep -i '^inactive' /etc/default/useradd INACTIVE=35 If the value for "INACTIVE" is not set to a value greater than "0" and less than or equal to "35", if the line is commented out, or the line is missing, this is a finding.

Fix: F-64997r996528_fix

Configure SLEM 5 to disable account identifiers after 35 days of inactivity after the password expiration. Run the following command to change the configuration for "useradd" to disable the account identifier after "35" days: > sudo useradd -D -f 35 DOD recommendation is "35" days, but a lower value greater than "0" is acceptable.

b

SLEM 5 must not have duplicate User IDs (UIDs) for interactive users.

IA-2 - Medium - CCI-000764 - V-261361 - SV-261361r996530_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000764

Version

SLEM-05-411075

Vuln IDs

V-261361

Rule IDs

SV-261361r996530_rule

To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.

Checks: C-65090r995948_chk

Verify SLEM 5 contains no duplicate UIDs for interactive users with the following command: > awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, this is a finding.

Fix: F-64998r995949_fix

Configure SLEM 5 to contain no duplicate UIDs for interactive users. Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.

b

SLEM 5 must initiate a session lock after a 15-minute period of inactivity.

AC-11 - Medium - CCI-000057 - V-261363 - SV-261363r996536_rule

RMF Control

AC-11

Severity

M

CCI

CCI-000057

Version

SLEM-05-412015

Vuln IDs

V-261363

Rule IDs

SV-261363r996536_rule

A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the users to manually lock their SLEM 5 session prior to vacating the vicinity, SLEM 5 needs to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled.

Checks: C-65092r996534_chk

Verify SLEM 5 must initiate a session logout after a 15-minute period of inactivity for all connection type with the following command: > cat /etc/profile.d/autologout.sh TMOUT=900 readonly TMOUT export TMOUT If the file "/etc/profile.d/autologout.sh" does not exist or the output from the function call is not exactly the same, this is a finding.

Fix: F-65000r996535_fix

Configure SLEM 5 to initiate a session lock after a 15-minute period of inactivity. Create or edit the "/etc/profile.d/autologout.sh" file and add or modify the following lines: TMOUT=900 readonly TMOUT export TMOUT Set the proper permissions for the "/etc/profile.d/autologout.sh" file with the following command: > sudo chmod +x /etc/profile.d/autologout.sh

b

SLEM 5 must lock an account after three consecutive invalid access attempts.

AC-7 - Medium - CCI-000044 - V-261364 - SV-261364r996863_rule

RMF Control

AC-7

Severity

M

CCI

CCI-000044

Version

SLEM-05-412020

Vuln IDs

V-261364

Rule IDs

SV-261364r996863_rule

By limiting the number of failed access attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. The pam_tally2.so module maintains a count of attempted accesses. This includes username entry into a logon field as well as password entry. With counting access attempts, it is possible to lock an account without presenting a password into the password field. This should be taken into consideration as it poses as an avenue for denial of service (DoS).

Checks: C-65093r996537_chk

Verify SLEM 5 locks a user account after three consecutive failed access attempts until the locked account is released by an administrator with the following command: > grep pam_tally2.so /etc/pam.d/common-auth auth required pam_tally2.so onerr=fail deny=3 If "deny" set to a value other than "1", "2", or "3", if "onerr=fail" is missing, if the line is commented out, or the line is missing, this is a finding.

Fix: F-65001r996538_fix

Configure SLEM 5 to lock an account when three unsuccessful access attempts occur. Note: Manual changes to the listed files may be overwritten by the "pam-config" program. The "pam-config" program should not be used to update the configurations listed in this requirement. Add or modify the first line of the auth section in the "/etc/pam.d/common-auth" file to match the following line: auth required pam_tally2.so onerr=fail silent audit deny=3 Add or modify the following line in the "/etc/pam.d/common-account" file: account required pam_tally2.so

b

SLEM 5 must enforce a delay of at least five seconds between logon prompts following a failed logon attempt via pluggable authentication modules (PAM).

CM-6 - Medium - CCI-000366 - V-261365 - SV-261365r996541_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-412025

Vuln IDs

V-261365

Rule IDs

SV-261365r996541_rule

Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Checks: C-65094r996540_chk

Verify SLEM 5 enforces a delay of at least five seconds between logon prompts following a failed logon attempt with the following command: > grep pam_faildelay /etc/pam.d/common-auth auth required pam_faildelay.so delay=5000000 If the value of "delay" is not set to "5000000" or greater, "delay" is missing, the line is commented out, or the "pam_faildelay" line is missing completely, this is a finding.

Fix: F-65002r995961_fix

Configure SLEM 5 to enforce a delay of at least five seconds between logon prompts following a failed logon attempt. Add or modify the following line in the "/etc/pam.d/common-auth" file: auth required pam_faildelay.so delay=5000000

a

SLEM 5 must limit the number of concurrent sessions to 10 for all accounts and/or account types.

AC-10 - Low - CCI-000054 - V-261367 - SV-261367r996839_rule

RMF Control

AC-10

Severity

L

CCI

CCI-000054

Version

SLEM-05-412035

Vuln IDs

V-261367

Rule IDs

SV-261367r996839_rule

SLEM 5 management includes the ability to control the number of users and user sessions that use a SLEM 5. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to denial-of-service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.

Checks: C-65096r996545_chk

Verify SLEM 5 limits the number of concurrent sessions to 10 for all accounts and/or account types with the following command: > grep "maxlogins" /etc/security/limits.conf * hard maxlogins 10 If the "maxlogins" does not have a value of "10" or less, is commented out, or is missing, this is a finding.

Fix: F-65004r995967_fix

Configure SLEM 5 to limit the number of concurrent sessions to "10" or less for all accounts and/or account types. Add or modify the following line to the file "/etc/security/limits.conf": * hard maxlogins 10

a

SLEM 5 must have policycoreutils package installed.

SC-3 - Low - CCI-001084 - V-261368 - SV-261368r996548_rule

RMF Control

SC-3

Severity

L

CCI

CCI-001084

Version

SLEM-05-431010

Vuln IDs

V-261368

Rule IDs

SV-261368r996548_rule

Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfile to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context.

Checks: C-65097r996547_chk

Verify SLEM 5 has the policycoreutils package installed with the following command: > sudo zypper search -i policycoreutils I | policycoreutils | SELinux policy core utilities | package If the policycoreutils package is not installed, this is a finding.

Fix: F-65005r995970_fix

Configure SLEM 5 to have the policycoreutils package installed with the following command: > sudo transactional-update pkg install policycoreutils > sudo reboot

c

SLEM 5 must use a Linux Security Module configured to enforce limits on system services.

SC-3 - High - CCI-001084 - V-261369 - SV-261369r996549_rule

RMF Control

SC-3

Severity

H

CCI

CCI-001084

Version

SLEM-05-431015

Vuln IDs

V-261369

Rule IDs

SV-261369r996549_rule

Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.

Checks: C-65098r995972_chk

Verify "SELinux" is active and in "Enforcing" mode with the following command: > sudo getenforce Enforcing If "SELinux" is not in "Enforcing" mode, this is a finding.

Fix: F-65006r995973_fix

Configure SLEM 5 to verify correct operation of all security functions. Add or modify the following line in the "/etc/selinux/config" file: SELINUX=enforcing A reboot is required for the changes to take effect.

b

SLEM 5 must enable the SELinux targeted policy.

SI-6 - Medium - CCI-002696 - V-261370 - SV-261370r996551_rule

RMF Control

SI-6

Severity

M

CCI

CCI-002696

Version

SLEM-05-431020

Vuln IDs

V-261370

Rule IDs

SV-261370r996551_rule

Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.

Checks: C-65099r996550_chk

Verify "SELinux" is active and enforcing the targeted policy with the following command: > sudo sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 33 If the "Loaded policy name" is not set to "targeted", this is a finding.

Fix: F-65007r995976_fix

Configure SLEM 5 to verify correct operation of all security functions. Add or modify the following line in the "/etc/selinux/config" file: SELINUXTYPE=targeted A reboot is required for the changes to take effect.

b

SLEM 5 must prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures.

AC-16 - Medium - CCI-002265 - V-261371 - SV-261371r996554_rule

RMF Control

AC-16

Severity

M

CCI

CCI-002265

Version

SLEM-05-431025

Vuln IDs

V-261371

Rule IDs

SV-261371r996554_rule

Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.

Checks: C-65100r996552_chk

Verify SLEM 5 prevents nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. Obtain a list of authorized users (other than system administrator and guest accounts) for the system. Check the list against the system with the following command: > sudo semanage login -l | more Login Name SELinux User MLS/MCS Range Service __default__ user_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 * joe staff_u s0-s0:c0.c1023 * All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization. All authorized nonadministrative users must be mapped to the "user_u" role. If any interactive users are not mapped in this way, this is a finding.

Fix: F-65008r996553_fix

Configure SLEM 5 to prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. Use the following command to map a new user to the "sysadm_u" role: > sudo semanage login -a -s sysadm_u <username> Use the following command to map an existing user to the "sysadm_u" role: > sudo semanage login -m -s sysadm_u <username> Use the following command to map a new user to the "staff_u" role: > sudo semanage login -a -s staff_u <username> Use the following command to map an existing user to the "staff_u" role: > sudo semanage login -m -s staff_u <username> Use the following command to map a new user to the "user_u" role: > sudo semanage login -a -s user_u <username> Use the following command to map an existing user to the "user_u" role: > sudo semanage login -m -s user_u <username>

b

SLEM 5 must use the invoking user's password for privilege escalation when using "sudo".

CM-6 - Medium - CCI-000366 - V-261372 - SV-261372r996556_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-432010

Vuln IDs

V-261372

Rule IDs

SV-261372r996556_rule

The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. For more information on each of the listed configurations, reference the sudoers(5) manual page.

Checks: C-65101r996555_chk

Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation with the following command: > sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw If "Defaults" types are not defined for "!targetpw", "!rootpw", and "!runaspw", there are conflicting results between files, this is a finding.

Fix: F-65009r995982_fix

Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw

b

SLEM 5 must reauthenticate users when changing authenticators, roles, or escalating privileges.

IA-11 - Medium - CCI-002038 - V-261373 - SV-261373r1050789_rule

RMF Control

IA-11

Severity

M

CCI

CCI-002038

Version

SLEM-05-432015

Vuln IDs

V-261373

Rule IDs

SV-261373r1050789_rule

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When SLEM 5 provides the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate.

Checks: C-65102r996557_chk

Verify that SLEM 5 requires reauthentication when changing authenticators, roles, or escalating privileges with the following command: > sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.

Fix: F-65010r995985_fix

Configure SLEM 5 to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.

b

SLEM 5 must require reauthentication when using the "sudo" command.

IA-11 - Medium - CCI-002038 - V-261374 - SV-261374r1050789_rule

RMF Control

IA-11

Severity

M

CCI

CCI-002038

Version

SLEM-05-432020

Vuln IDs

V-261374

Rule IDs

SV-261374r1050789_rule

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to reauthenticate when using the "sudo" command. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated.

Checks: C-65103r996559_chk

Verify SLEM 5 requires reauthentication when using the "sudo" command to elevate privileges with the following command: > sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d /etc/sudoers:Defaults timestamp_timeout=0 If "timestamp_timeout" is set to a negative number, is commented out, conflicting results are returned, or no results are returned, this is a finding.

Fix: F-65011r995988_fix

Configure the "sudo" command to require reauthentication. Add or modify the following line in the "/etc/sudoers" file: Defaults timestamp_timeout=<value> Note: The "<value>" must be a number that is greater than or equal to "0".

b

SLEM 5 must restrict privilege elevation to authorized personnel.

CM-6 - Medium - CCI-000366 - V-261375 - SV-261375r996562_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-432025

Vuln IDs

V-261375

Rule IDs

SV-261375r996562_rule

The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms the request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.

Checks: C-65104r996561_chk

Verify the "sudoers" file restricts sudo access to authorized personnel with the following command: > sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* root ALL=(ALL) ALL If "ALL ALL=(ALL) ALL" or "ALL ALL=(ALL:ALL) ALL" entries are returned, this is a finding.

Fix: F-65012r995991_fix

Remove the following entries from the "/etc/sudoers" file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL

b

SLEM 5 must specify the default "include" directory for the /etc/sudoers file.

CM-6 - Medium - CCI-000366 - V-261376 - SV-261376r996564_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-432030

Vuln IDs

V-261376

Rule IDs

SV-261376r996564_rule

The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without reauthenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. It is possible to include other sudoers files from within the sudoers file currently being parsed using the @include and @includedir directives. For compatibility with sudo versions prior to 1.9.1, #include and #includedir are also accepted. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.

Checks: C-65105r996563_chk

Verify SLEM 5 specifies only the default "include" directory for the /etc/sudoers file, and does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. > sudo find /etc/sudoers /etc/sudoers.d -type f -exec grep -H "[#@]include" {} + /etc/sudoers:@includedir /etc/sudoers.d If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding.

Fix: F-65013r995994_fix

Configure the "/etc/sudoers" file to only include the "/etc/sudoers.d" directory. Add or modify the following line: @includedir /etc/sudoers.d Remove any nested includes under the "/etc/sudoers.d" directory.

b

SLEM 5 must enforce passwords that contain at least one uppercase character.

IA-5 - Medium - CCI-000192 - V-261377 - SV-261377r996566_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000192

Version

SLEM-05-611010

Vuln IDs

V-261377

Rule IDs

SV-261377r996566_rule

Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-65106r996565_chk

Verify SLEM 5 enforces password complexity by requiring at least one uppercase character with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ucredit=-1 If the value for "ucredit" is not "-1", if "ucredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Fix: F-65014r995997_fix

Configure SLEM 5 to enforce password complexity by requiring at least one uppercase character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ucredit=-1" after the third column.

b

SLEM 5 must enforce passwords that contain at least one lowercase character.

IA-5 - Medium - CCI-000193 - V-261378 - SV-261378r996568_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000193

Version

SLEM-05-611015

Vuln IDs

V-261378

Rule IDs

SV-261378r996568_rule

Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-65107r996567_chk

Verify SLEM 5 enforces password complexity by requiring at least one lower character with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so lcredit=-1 If the value for "lcredit" is not "-1", if "lcredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Fix: F-65015r996000_fix

Configure SLEM 5 to enforce password complexity by requiring at least one lowercase character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "lcredit=-1" after the third column.

b

SLEM 5 must enforce passwords that contain at least one numeric character.

IA-5 - Medium - CCI-000194 - V-261379 - SV-261379r996570_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000194

Version

SLEM-05-611020

Vuln IDs

V-261379

Rule IDs

SV-261379r996570_rule

Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-65108r996569_chk

Verify SLEM 5 enforces password complexity by requiring at least one numeric character with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so dcredit=-1 If the value for "dcredit" is not "-1", if "dcredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Fix: F-65016r996003_fix

Configure SLEM 5 to enforce password complexity by requiring at least one numeric character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "dcredit=-1" after the third column.

b

SLEM 5 must enforce passwords that contain at least one special character.

IA-5 - Medium - CCI-001619 - V-261380 - SV-261380r996572_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001619

Version

SLEM-05-611025

Vuln IDs

V-261380

Rule IDs

SV-261380r996572_rule

Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.

Checks: C-65109r996571_chk

Verify SLEM 5 enforces password complexity by requiring at least one special character with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ocredit=-1 If the value for "ocredit" is not "-1", if "ucredit" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Fix: F-65017r996006_fix

Configure SLEM 5 to enforce password complexity by requiring at least one special character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ocredit=-1" after the third column.

b

SLEM 5 must prevent the use of dictionary words for passwords.

CM-6 - Medium - CCI-000366 - V-261381 - SV-261381r996574_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-611030

Vuln IDs

V-261381

Rule IDs

SV-261381r996574_rule

If SLEM 5 allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

Checks: C-65110r996573_chk

Verify SLEM 5 prevents the use of dictionary words for passwords with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so If the second column value is different from "requisite", the line is commented out, or the line is missing, this is a finding.

Fix: F-65018r996009_fix

Configure SLEM 5 to prevent the use of dictionary words for passwords. Edit "/etc/pam.d/common-password" and add the following line: password requisite pam_cracklib.so

b

SLEM 5 must employ passwords with a minimum of 15 characters.

IA-5 - Medium - CCI-000205 - V-261382 - SV-261382r996577_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000205

Version

SLEM-05-611035

Vuln IDs

V-261382

Rule IDs

SV-261382r996577_rule

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps determine strength and how long it takes to crack a password. Use of more characters in a password helps exponentially increase the time and/or resources required to compromise the password.

Checks: C-65111r996575_chk

Verify SLEM 5 enforces a minimum 15-character password length with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so minlen=15 If the value for "minlen" is not "15" or greater, the "minlen" option is missing from the line, the second column has a value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Fix: F-65019r996576_fix

Configure SLEM 5 to enforce a minimum 15-character password length. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "minlen=15" after the third column. The DOD standard requires a minimum 15-character password length.

b

SLEM 5 must require the change of at least eight of the total number of characters when passwords are changed.

IA-5 - Medium - CCI-000195 - V-261383 - SV-261383r996580_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000195

Version

SLEM-05-611040

Vuln IDs

V-261383

Rule IDs

SV-261383r996580_rule

If SLEM 5 allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.

Checks: C-65112r996578_chk

Verify SLEM 5 requires at least eight characters be changed between the old and new passwords during a password change with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so difok=8 If the value for "difok" is not "8" or greater, if "difok" is missing from the line, the second column value different from "requisite", the line is commented out, or the line is missing, this is a finding.

Fix: F-65020r996579_fix

Configure SLEM 5 to require at least eight characters be changed between the old and new passwords during a password change with the following command: Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "difok=8" after the third column.

b

SLEM 5 must not allow passwords to be reused for a minimum of five generations.

IA-5 - Medium - CCI-000200 - V-261384 - SV-261384r996583_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000200

Version

SLEM-05-611045

Vuln IDs

V-261384

Rule IDs

SV-261384r996583_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Checks: C-65113r996581_chk

Verify SLEM 5 prohibits the reuse of a password for a minimum of five generations with the following command: > grep pam_pwhistory.so /etc/pam.d/common-password password requisite pam_pwhistory.so remember=5 use_authtok If the value for "remember" is not "5" or greater, if the "remember" option is missing from the line, if the "use_authtok" option is missing, if the second column has a value different from "requisite", if the line is commented out, or the line is missing, this is a finding.

Fix: F-65021r996582_fix

Configure SLEM 5 password history to prohibit the reuse of a password for a minimum of five generations. Edit "/etc/pam.d/common-password" and edit the line containing "pam_pwhistory.so" to contain the option "remember=5 use_authtok" after the third column.

b

SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.

IA-5 - Medium - CCI-000196 - V-261385 - SV-261385r996586_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000196

Version

SLEM-05-611050

Vuln IDs

V-261385

Rule IDs

SV-261385r996586_rule

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Checks: C-65114r996584_chk

Verify SLEM 5 configures the Linux PAM to only store encrypted representations of passwords with the following command: > grep pam_unix.so /etc/pam.d/common-password password required pam_unix.so sha512 If the value "sha512" is not present in the line, the second column value is different from "requisite", the line is commented out, or the line is missing, this is a finding.

Fix: F-65022r996585_fix

Configure SLEM 5 Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third column. Remove the "nullok" option if it exists.

c

SLEM 5 must not be configured to allow blank or null passwords.

CM-6 - High - CCI-000366 - V-261386 - SV-261386r996587_rule

RMF Control

CM-6

Severity

H

CCI

Version

SLEM-05-611055

Vuln IDs

V-261386

Rule IDs

SV-261386r996587_rule

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Checks: C-65115r996023_chk

Verify SLEM 5 is not configured to allow blank or null passwords with the following command: > grep pam_unix.so /etc/pam.d/* | grep nullok If this produces any output, this is a finding.

Fix: F-65023r996024_fix

Configure SLEM 5 to not allow blank or null passwords. Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password" to prevent logons with empty passwords.

c

SLEM 5 must not have accounts configured with blank or null passwords.

CM-6 - High - CCI-000366 - V-261387 - SV-261387r996588_rule

RMF Control

CM-6

Severity

H

CCI

Version

SLEM-05-611060

Vuln IDs

V-261387

Rule IDs

SV-261387r996588_rule

If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.

Checks: C-65116r996026_chk

Check the "/etc/shadow" file for blank passwords with the following command: > sudo awk -F: '!$2 {print $1}' /etc/shadow If the command returns any results, this is a finding.

Fix: F-65024r996027_fix

Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: > sudo passwd <username> Lock the account: > sudo passwd -l <username>

b

SLEM 5 must employ user passwords with a minimum lifetime of 24 hours (one day).

IA-5 - Medium - CCI-000198 - V-261388 - SV-261388r996591_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000198

Version

SLEM-05-611065

Vuln IDs

V-261388

Rule IDs

SV-261388r996591_rule

Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Checks: C-65117r996589_chk

Verify SLEM 5 enforces a minimum time period between password changes for each user account of one day or greater with the following command: > sudo awk -F: '$4 < 1 {print $1 ":" $4}' /etc/shadow smithj:1 If any results are returned that are not associated with a system account, this is a finding.

Fix: F-65025r996590_fix

Configure SLEM 5 to enforce 24 hours/one day or greater as the minimum password age for user accounts. Change the minimum time period between password changes for each <username> account to "1" day with the command, replacing <username> with the user account that must be changed: > sudo passwd -n 1 <username>

b

SLEM 5 must employ user passwords with a maximum lifetime of 60 days.

IA-5 - Medium - CCI-000199 - V-261389 - SV-261389r1038967_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000199

Version

SLEM-05-611070

Vuln IDs

V-261389

Rule IDs

SV-261389r1038967_rule

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLEM 5 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLEM 5 passwords could be compromised.

Checks: C-65118r996592_chk

Verify that SLEM 5 enforces a maximum user password age of 60 days or less with the following command: > sudo awk -F: '$5 > 60 || $5 == "" {print $1 ":" $5}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding.

Fix: F-65026r996033_fix

Configure SLEM 5 to enforce a maximum password age of each <username> account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance: > sudo passwd -x 60 <username>

b

SLEM 5 must employ a password history file.

IA-5 - Medium - CCI-000200 - V-261390 - SV-261390r996595_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000200

Version

SLEM-05-611075

Vuln IDs

V-261390

Rule IDs

SV-261390r996595_rule

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Checks: C-65119r996035_chk

Verify the password history file exists on SLEM 5 with the following command: > ls -al /etc/security/opasswd -rw------- 1 root root 82 Dec 7 19:41 /etc/security/opasswd If the "/etc/security/opasswd" file does not exist, this is a finding.

Fix: F-65027r996594_fix

Configure SLEM 5 to create the password history file with the following commands: Create the file: > sudo touch /etc/security/opasswd Set ownership permissions: > sudo chown root:root /etc/security/opasswd Set access permissions: > sudo chmod 0600 /etc/security/opasswd

c

SLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms for system authentication.

IA-5 - High - CCI-000196 - V-261391 - SV-261391r996598_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000196

Version

SLEM-05-611080

Vuln IDs

V-261391

Rule IDs

SV-261391r996598_rule

The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Checks: C-65120r996596_chk

Verify SLEM 5 shadow password suite is configured to encrypt interactive user passwords using FIPS 140-2/140-3-approved cryptographic hash with the following command: > sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6", this is a finding.

Fix: F-65028r996597_fix

Configure SLEM 5 to encrypt all stored passwords with FIPS 140-2/140-3-approved cryptographic hash. Add or modify the following line in the "/etc/login.defs" file: ENCRYPT_METHOD SHA512 Lock all interactive user accounts not using SHA512 hashing until the passwords can be regenerated.

c

SLEM 5 shadow password suite must be configured to use a sufficient number of hashing rounds.

IA-5 - High - CCI-000196 - V-261392 - SV-261392r996600_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000196

Version

SLEM-05-611085

Vuln IDs

V-261392

Rule IDs

SV-261392r996600_rule

The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Checks: C-65121r996599_chk

Verify SLEM 5 shadow password suite is configured to encrypt passwords using sufficient number of hashing rounds. > egrep "^SHA_CRYPT_" /etc/login.defs SHA_CRYPT_MIN_ROUNDS 5000 SHA_CRYPT_MAX_ROUNDS 5000 If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding. If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.

Fix: F-65029r996042_fix

Configure SLEM 5 shadow password suite is configured to encrypt passwords using sufficient number of hashing rounds. Add or modify the following line in the "/etc/login.defs" file: SHA_CRYPT_MIN_ROUNDS 5000

b

SLEM 5 must employ FIPS 140-2/140-3 approved cryptographic hashing algorithm for system authentication (login.defs).

IA-7 - Medium - CCI-000803 - V-261393 - SV-261393r996602_rule

RMF Control

IA-7

Severity

M

CCI

CCI-000803

Version

SLEM-05-611090

Vuln IDs

V-261393

Rule IDs

SV-261393r996602_rule

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DOD data may be compromised. SLEM 5 using encryption are required to use FIPS 140-2/140-3 compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DOD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.

Checks: C-65122r996601_chk

Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2/140-3 approved cryptographic hashing algorithm with the following command: > grep "^ENCRYPT_METHOD " /etc/login.defs ENCRYPT_METHOD SHA512 If "ENCRYPT_METHOD" is not set to "SHA512", if any values other that "SHA512" are configured, or if no output is produced, this is a finding.

Fix: F-65030r996045_fix

Configure SLEM 5 to require "ENCRYPT_METHOD" of "SHA512". Add or modify the following line in the "/etc/login.defs" file: ENCRYPT_METHOD SHA512

b

SLEM 5 must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).

IA-5 - Medium - CCI-000198 - V-261394 - SV-261394r996604_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000198

Version

SLEM-05-611095

Vuln IDs

V-261394

Rule IDs

SV-261394r996604_rule

Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Checks: C-65123r996603_chk

Verify SLEM 5 creates or updates passwords with minimum password age of one day or greater with the following command: > grep '^PASS_MIN_DAYS' /etc/login.defs PASS_MIN_DAYS 1 If "PASS_MIN_DAYS" does not have a value of "1" or greater, the line is commented out, or no line is returned, this is a finding.

Fix: F-65031r996048_fix

Configure SLEM 5 to enforce 24 hours/one day or greater as the minimum password age. Add or modify the following line in the "/etc/login.defs" file: PASS_MIN_DAYS <days> The DOD requirement is "1", but a greater value is acceptable.

b

SLEM 5 must be configured to create or update passwords with a maximum lifetime of 60 days.

IA-5 - Medium - CCI-000199 - V-261395 - SV-261395r1038967_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000199

Version

SLEM-05-611100

Vuln IDs

V-261395

Rule IDs

SV-261395r1038967_rule

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLEM 5 does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLEM 5 passwords could be compromised.

Checks: C-65124r996605_chk

Verify that SLEM 5 is configured to create or update passwords with a maximum password age of 60 days or less with the following command: > grep '^PASS_MAX_DAYS' /etc/login.defs If "PASS_MAX_DAYS" is not set to a value of "60" or less, but greater than "0", the line is commented out, or no line is returned, this is a finding.

Fix: F-65032r996606_fix

Configure SLEM 5 to enforce a maximum password age of 60 days or less. Add or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS <days> The DOD requirement is 60 days or less (but greater than zero, as zero days will lock the account immediately).

b

SLEM 5 must have the packages required for multifactor authentication to be installed.

IA-2 - Medium - CCI-001948 - V-261396 - SV-261396r996610_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001948

Version

SLEM-05-612010

Vuln IDs

V-261396

Rule IDs

SV-261396r996610_rule

Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).

Checks: C-65125r996608_chk

Verify SLEM 5 has the packages required for multifactor authentication installed. Check for the presence of the packages required to support multifactor authentication with the following commands: > zypper info pam_pkcs11 | grep -i installed Installed: Yes > zypper info mozilla-nss | grep -i installed Installed: Yes > zypper info mozilla-nss-tools | grep -i installed Installed: Yes > zypper info pcsc-ccid | grep -i installed Installed: Yes > zypper info pcsc-lite | grep -i installed Installed: Yes > zypper info pcsc-tools | grep -i installed Installed: Yes > zypper info opensc | grep -i installed Installed: Yes > zypper info coolkey | grep -i installed Installed: Yes If any of the packages required for multifactor authentication are not installed, this is a finding.

Fix: F-65033r996609_fix

Configure SLEM 5 to implement multifactor authentication by installing the required packages. Install the packages required to support multifactor authentication with the following commands: > sudo transactional-update pkg install pam_pkcs11 > sudo reboot > sudo transactional-update pkg install mozilla-nss > sudo reboot > sudo transactional-update pkg install mozilla-nss-tools > sudo reboot > sudo transactional-update pkg install pcsc-ccid > sudo reboot > sudo transactional-update pkg install pcsc-lite > sudo reboot > sudo transactional-update pkg install pcsc-tools > sudo reboot > sudo transactional-update pkg install opensc > sudo reboot > sudo transactional-update pkg install coolkey > sudo reboot Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

b

SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

IA-5 - Medium - CCI-000187 - V-261397 - SV-261397r996612_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000187

Version

SLEM-05-612015

Vuln IDs

V-261397

Rule IDs

SV-261397r996612_rule

Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).

Checks: C-65126r996611_chk

Verify SLEM 5 implements multifactor authentication for remote access to privileged accounts via PAM with the following command: > grep pam_pkcs11.so /etc/pam.d/common-auth auth sufficient pam_pkcs11.so If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", or the line is commented out, this is a finding.

Fix: F-65034r996057_fix

Configure SLEM 5 to implement multifactor authentication for remote access to privileged accounts via PAM. Add or modify the following line in the "/etc/pam.d/common-auth" file: auth sufficient pam_pkcs11.so

b

SLEM 5 must implement certificate status checking for multifactor authentication.

IA-2 - Medium - CCI-001948 - V-261398 - SV-261398r996615_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001948

Version

SLEM-05-612020

Vuln IDs

V-261398

Rule IDs

SV-261398r996615_rule

Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the information system is compromised. Multifactor solutions that require devices separate from information systems to gain access include hardware tokens providing time-based or challenge-response authenticators, and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components with device-specific functions, or for organizational users (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).

Checks: C-65127r996613_chk

Verify SLEM 5 implements certificate status checking for multifactor authentication with the following command: > grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy cert_policy = ca,ocsp_on,signature,crl_auto; If "cert_policy" is not set to include "ocsp", this is a finding.

Fix: F-65035r996614_fix

Configure SLEM 5 to certificate status checking for PKI authentication. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on". Note: OCSP allows sending request for certificate status information. Additional certificate validation polices are permitted. Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

b

If Network Security Services (NSS) is being used by SLEM 5 it must prohibit the use of cached authentications after one day.

IA-5 - Medium - CCI-002007 - V-261399 - SV-261399r996617_rule

RMF Control

IA-5

Severity

M

CCI

CCI-002007

Version

SLEM-05-631010

Vuln IDs

V-261399

Rule IDs

SV-261399r996617_rule

If cached authentication information is out of date, the validity of the authentication information may be questionable.

Checks: C-65128r996616_chk

If NSS is used by SLEM 5, verify it prohibits the use of cached authentications after one day with the following command: Note: If NSS is not used on the operating system, this is not applicable. > sudo grep -i "memcache_timeout" /etc/sssd/sssd.conf memcache_timeout = 86400 If "memcache_timeout" has a value greater than "86400", the line is commented out, or the line is missing, this is a finding.

Fix: F-65036r996063_fix

Configure NSS, if used by SLEM 5, to prohibit the use of cached authentications after one day. Add or modify the following line in the "/etc/sssd/sssd.conf" file, below the line "[nss]": memcache_timeout = 86400

b

SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.

IA-5 - Medium - CCI-002007 - V-261400 - SV-261400r996619_rule

RMF Control

IA-5

Severity

M

CCI

CCI-002007

Version

SLEM-05-631015

Vuln IDs

V-261400

Rule IDs

SV-261400r996619_rule

If cached authentication information is out of date, the validity of the authentication information may be questionable.

Checks: C-65129r996618_chk

Verify that SLEM 5 PAM prohibits the use of cached off line authentications after one day with the following command: Note: If SSSD is not being used on the operating system, this is not applicable. > sudo grep "offline_credentials_expiration" /etc/sssd/sssd.conf offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to a value of "1", the line is commented out, or the line is missing, this is a finding.

Fix: F-65037r996066_fix

Configure SLEM 5 PAM to prohibit the use of cached authentications after one day. Add or modify the following line in the "/etc/sssd/sssd.conf" file, below the line "[pam]": offline_credentials_expiration = 1

b

SLEM 5, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

IA-5 - Medium - CCI-000185 - V-261401 - SV-261401r996622_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000185

Version

SLEM-05-631020

Vuln IDs

V-261401

Rule IDs

SV-261401r996622_rule

Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.

Checks: C-65130r996620_chk

Verify SLEM 5 for PKI-based authentication had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor with the following command: > grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca,oscp_on,signature,crl_auto; If "cert_policy" is not set to include "ca" on all returned lines, this is a finding.

Fix: F-65038r996621_fix

Configure SLEM 5 for PKI-based authentication to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ca": cert_policy = ca,signature,oscp_on; Note: Additional certificate validation polices are permitted. Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

b

SLEM 5 must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.

CM-6 - Medium - CCI-000366 - V-261402 - SV-261402r996624_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-631025

Vuln IDs

V-261402

Rule IDs

SV-261402r996624_rule

The "pam-config" command line utility automatically generates a system PAM configuration as packages are installed, updated, or removed from the system. "pam-config" removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security.

Checks: C-65131r996071_chk

Verify SLEM 5 is configured to not overwrite PAM configuration on package changes with the following command: > find /etc/pam.d/ -type l -iname "common-*" If any results are returned, this is a finding.

Fix: F-65039r996623_fix

Copy the PAM configuration files to their static locations and remove SLEM 5 soft links for the PAM configuration files with the following command: > sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done' Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

b

SLEM 5 must use a file integrity tool to verify correct operation of all security functions.

CM-3 - Medium - CCI-001744 - V-261403 - SV-261403r996627_rule

RMF Control

CM-3

Severity

M

CCI

CCI-001744

Version

SLEM-05-651010

Vuln IDs

V-261403

Rule IDs

SV-261403r996627_rule

Without verification of the security functions, security functions may not operate correctly, and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. This requirement applies to SLEM 5 performing security function verification/testing and/or systems and environments that require this functionality.

Checks: C-65132r996625_chk

Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions with the following command: > sudo zypper if aide | grep -i installed Installed: Yes If AIDE is not installed, ask the system administrator how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding. If AIDE is installed, check if it has been initialized with the following command: > sudo aide --check If the output is "Couldn't open file /var/lib/aide/aide.db for reading", this is a finding.

Fix: F-65040r996626_fix

Install AIDE, initialize it, and perform a manual check by using the following commands: Install AIDE: > sudo transactional-update pkg install aide > sudo reboot Initialize AIDE (this may take a few minutes): > sudo aide -i The new database will need to be renamed to be read by AIDE: > sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db Perform a manual check: > sudo aide --check Example output: Summary: Total number of files: 140621 Added files: 1 Removed files: 1 Changed files: 0

b

SLEM 5 file integrity tool must be configured to verify Access Control Lists (ACLs).

CM-6 - Medium - CCI-000366 - V-261404 - SV-261404r996629_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-651015

Vuln IDs

V-261404

Rule IDs

SV-261404r996629_rule

ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.

Checks: C-65133r996628_chk

Verify that SLEM 5 file integrity tool is configured to verify extended attributes. > sudo grep acl /etc/aide.conf All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

Fix: F-65041r996078_fix

Configure SLEM 5 file integrity tool to check file and directory ACLs. If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.

b

SLEM 5 file integrity tool must be configured to verify extended attributes.

CM-6 - Medium - CCI-000366 - V-261405 - SV-261405r996631_rule

RMF Control

CM-6

Severity

M

CCI

Version

SLEM-05-651020

Vuln IDs

V-261405

Rule IDs

SV-261405r996631_rule

Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.

Checks: C-65134r996630_chk

Verify that SLEM 5 file integrity tool is configured to verify extended attributes. > sudo grep xattrs /etc/aide.conf All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux If the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

Fix: F-65042r996081_fix

Configure SLEM 5 file integrity tool to check file and directory extended attributes. If AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists.

b

SLEM 5 file integrity tool must be configured to protect the integrity of the audit tools.

AU-9 - Medium - CCI-001496 - V-261406 - SV-261406r996634_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001496

Version

SLEM-05-651025

Vuln IDs

V-261406

Rule IDs

SV-261406r996634_rule

Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.

Checks: C-65135r996632_chk

Verify that SLEM 5 file integrity tool is configured to protect the integrity of the audit tools. Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command: > sudo grep /usr/sbin/au /etc/aide.conf /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 If any of the seven lines do not appear as shown, are commented out, or are missing, this is a finding.

Fix: F-65043r996633_fix

Configure SLEM 5 file integrity tool to protect the integrity of the audit tools. Add or modify the following lines in the "/etc/aide.conf" file: # audit tools /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

b

Advanced Intrusion Detection Environment (AIDE) must verify the baseline SLEM 5 configuration at least weekly.

CM-3 - Medium - CCI-001744 - V-261407 - SV-261407r996637_rule

RMF Control

CM-3

Severity

M

CCI

CCI-001744

Version

SLEM-05-651030

Vuln IDs

V-261407

Rule IDs

SV-261407r996637_rule

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to SLEM 5. Changes to SLEM 5 configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of SLEM 5. SLEM 5's information system security manager (ISSM)/information system security officer (ISSO) and system administrator (SA) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Checks: C-65136r996635_chk

Verify SLEM 5 checks the baseline configuration using AIDE for unauthorized changes at least once weekly with the following command: Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week. > sudo grep -R aide /etc/crontab /etc/cron.* /etc/crontab: 30 04 * * * root /usr/sbin/aide If the file integrity application does not exist, or a "crontab" file does not exist in "/etc/crontab", the "/etc/cron.daily" subdirectory, or "/etc/cron.weekly" subdirectory, this is a finding.

Fix: F-65044r996636_fix

Configure SLEM 5 to check the baseline configuration for unauthorized changes at least once weekly. Add or modify the following line in the "/etc/cron.weekly/aide" file: 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Weekly AIDE integrity check run" root@example_server_name.mil

b

SLEM 5 must notify the system administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions.

SI-6 - Medium - CCI-002702 - V-261408 - SV-261408r996640_rule

RMF Control

SI-6

Severity

M

CCI

CCI-002702

Version

SLEM-05-651035

Vuln IDs

V-261408

Rule IDs

SV-261408r996640_rule

If anomalies are not acted on, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles and/or hardware indications, such as lights. This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.

Checks: C-65137r996638_chk

Verify SLEM 5 notifies the SA when AIDE discovers anomalies in the operation of any security functions. Note: A file integrity tool other than AIDE may be used, but the tool must be configured to notify the system administrator and/or ISSO if there is an anomaly. Verify the aide cron job sends an email when executed with the following command: > sudo grep -i "aide" /etc/cron.*/aide 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil If the "aide" file does not exist under the "/etc/cron" directory structure or the cron job is not configured to execute a binary to send an email (such as "/bin/mail"), this is a finding.

Fix: F-65045r996639_fix

Configure SLEM 5 to notify the SA when AIDE discovers anomalies in the operation of any security functions. Add or modify the following line in the "/etc/cron.daily/aide" file: 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil

b

SLEM 5 must offload rsyslog messages for networked systems in real time and offload standalone systems at least weekly.

AU-4 - Medium - CCI-001851 - V-261409 - SV-261409r996643_rule

RMF Control

AU-4

Severity

M

CCI

Version

SLEM-05-652010

Vuln IDs

V-261409

Rule IDs

SV-261409r996643_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.

Checks: C-65138r996641_chk

Verify that SLEM 5 must offload syslog-ng messages for networked systems in real time and offload standalone systems at least weekly. For standalone hosts, verify with the system administrator that the log files are offloaded at least weekly. For networked systems, check that syslog-ng is sending log messages to a remote server with the following command: > sudo egrep "^destination logserver" /etc/syslog-ng/syslog-ng.conf syslog("10.10.10.10" transport("udp") port(514)); }; If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.

Fix: F-65046r996642_fix

Configure SLEM 5 to offload syslog-ng messages for networked systems in real time. For standalone systems establish a procedure to offload log messages at least once a week. For networked systems add a "UDP_OR_TCP("IP_ADDRESS" port(514)); };" "#log { source(src); destination(logserver); };" in "/etc/syslog-ng/syslog-ng.conf" that does not have one. syslog("10.10.10.10" transport("udp") port(514)); };

b

SLEM 5 must have the auditing package installed.

AU-12 - Medium - CCI-001914 - V-261410 - SV-261410r996645_rule

RMF Control

AU-12

Severity

M

CCI

CCI-001914

Version

SLEM-05-653010

Vuln IDs

V-261410

Rule IDs

SV-261410r996645_rule

Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in SLEM 5 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SLEM 5.

Checks: C-65139r996644_chk

Verify SLEM 5 auditing package is installed with the following command: > zypper info audit Name : audit Version : 2.8.5-3.2 Arch : X86_64 Vendor : SUSE LLC <https://www.suse.com> Installed Size : 646.2 KiB Installed : Yes (automatically) Status : up-to-date If the package "audit" is not installed on the system, this is a finding.

Fix: F-65047r996096_fix

Install SLEM 5 auditing package with the following commands: > sudo transactional-update pkg install audit > sudo reboot

b

SLEM 5 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.

AU-3 - Medium - CCI-000130 - V-261411 - SV-261411r996646_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-653015

Vuln IDs

V-261411

Rule IDs

SV-261411r996646_rule

Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in SLEM 5 audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SLEM 5.

Checks: C-65140r996098_chk

Verify SLEM 5 produces audit records with the following commands: > systemctl is-active auditd.service active > systemctl is-enabled auditd.service enabled If the service is not active or not enabled, this is a finding.

Fix: F-65048r996099_fix

Enable SLEM 5 auditd service by using the following commands: > sudo systemctl enable auditd.service > sudo systemctl start auditd.service

b

The audit-audispd-plugins package must be installed on SLEM 5.

AU-4 - Medium - CCI-001851 - V-261412 - SV-261412r996649_rule

RMF Control

AU-4

Severity

M

CCI

Version

SLEM-05-653020

Vuln IDs

V-261412

Rule IDs

SV-261412r996649_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. The auditd service does not include the ability to send audit records to a centralized server for management directly. However, it can use a plug-in for audit event multiplexor to pass audit records to a remote server.

Checks: C-65141r996647_chk

Verify that the "audit-audispd-plugins" package is installed on SLEM 5 with the following command: > zypper info audit-audispd-plugins | grep Installed Installed : Yes If the "audit-audispd-plugins" package is not installed, this is a finding. Verify the "au-remote" plugin is enabled with the following command: > sudo grep -i active /etc/audisp/plugins.d/au-remote.conf active = yes If "active" is not set to "yes", is commented out, or is missing, this is a finding.

Fix: F-65049r996648_fix

Install the "audit-audispd-plugins" package on SLEM 5 by running the following command: > sudo transactional-update pkg install audit-audispd-plugins Add or modify the following line in the "/etc/audisp/plugins.d/au-remote.conf" file: active = yes Reboot the system: > sudo reboot

b

SLEM 5 must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.

AU-4 - Medium - CCI-001849 - V-261413 - SV-261413r996652_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001849

Version

SLEM-05-653025

Vuln IDs

V-261413

Rule IDs

SV-261413r996652_rule

To ensure SLEM 5 has a sufficient storage capacity in which to write the audit logs, SLEM 5 must be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of SLEM 5.

Checks: C-65142r996650_chk

Verify SLEM 5 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. Determine which partition the audit records are being written to with the following command: > sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to (with the example being /var/log/audit/) with the following command: > df -h /var/log/audit/ Filesystem Size Used Avail Use% Mounted on /dev/sda2 24G 10.4G 13.6G 43% /var If the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command: > sudo du -sh <audit_partition> 1.8G /var/log/audit The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. If the audit record partition is not allocated sufficient storage capacity, this is a finding.

Fix: F-65050r996651_fix

Allocate enough storage capacity for at least one week of SLEM 5 audit records when audit records are not immediately sent to a central audit record storage facility. If audit records are stored on a partition made specifically for audit records, use the "YaST2 - Partitioner" program (installation and configuration tool for Linux) to resize the partition with sufficient space to contain one week of audit records. If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of space will need be to be created. The new partition can be created using the "YaST2 - Partitioner" program on the system.

b

SLEM 5 auditd service must notify the system administrator (SA) and information system security officer (ISSO) immediately when audit storage capacity is 75 percent full.

AU-5 - Medium - CCI-001855 - V-261414 - SV-261414r996654_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001855

Version

SLEM-05-653030

Vuln IDs

V-261414

Rule IDs

SV-261414r996654_rule

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Checks: C-65143r996653_chk

Determine if SLEM 5 auditd is configured to notify the SA and ISSO when the audit record storage volume reaches 75 percent of the storage capacity with the following command: > sudo grep -iw space_left /etc/audit/auditd.conf space_left = 25% If "space_left" is not set to "25%" or greater, this is a finding.

Fix: F-65051r996108_fix

Configure SLEM 5 auditd service to notify the SA and ISSO immediately when audit storage capacity is 75 percent full. Add or modify the following lines in the "/etc/audit/auditd.conf " file: space_left = 25%

b

SLEM 5 audit system must take appropriate action when the audit storage volume is full.

AU-5 - Medium - CCI-000140 - V-261415 - SV-261415r1038966_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000140

Version

SLEM-05-653035

Vuln IDs

V-261415

Rule IDs

SV-261415r1038966_rule

It is critical that when SLEM 5 is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, SLEM 5 must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner. 2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, SLEM 5 must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.

Checks: C-65144r996655_chk

Verify SLEM 5 takes the appropriate action when the audit storage volume is full using the following command: > sudo grep disk_full_action /etc/audit/auditd.conf disk_full_action = HALT If "disk_full_action" is not set to "HALT", "SYSLOG", or "SINGLE", is commented out, or is missing, this is a finding.

Fix: F-65052r996656_fix

Configure SLEM 5 to shut down by default upon audit failure. Add or modify the following line in the "/etc/audit/auditd.conf " file: disk_full_action = HALT Note: If system availability has been determined to be more important, and this decision is documented with the information system security officer (ISSO), configure SLEM 5 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG" or "SINGLE".

b

SLEM 5 must offload audit records onto a different system or media from the system being audited.

AU-4 - Medium - CCI-001851 - V-261416 - SV-261416r996660_rule

RMF Control

AU-4

Severity

M

CCI

Version

SLEM-05-653040

Vuln IDs

V-261416

Rule IDs

SV-261416r996660_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.

Checks: C-65145r996658_chk

Verify what action the audit system takes if it cannot offload audit records to a different system or storage media from SLEM 5 being audited. Check the action that the audit system takes in the event of a network failure with the following command: > sudo grep -i "network_failure_action" /etc/audisp/audisp-remote.conf network_failure_action = syslog If the "network_failure_action" option is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.

Fix: F-65053r996659_fix

Configure SLEM 5 to take the appropriate action if it cannot offload audit records to a different system or storage media from the system being audited due to a network failure. Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file: network_failure_action = syslog

b

Audispd must take appropriate action when SLEM 5 audit storage is full.

AU-4 - Medium - CCI-001851 - V-261417 - SV-261417r996662_rule

RMF Control

AU-4

Severity

M

CCI

Version

SLEM-05-653045

Vuln IDs

V-261417

Rule IDs

SV-261417r996662_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.

Checks: C-65146r996661_chk

Verify the audit system offloads audit records if SLEM 5 storage volume becomes full. Check that the records are properly offloaded to a remote server with the following command: > sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf disk_full_action = syslog If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.

Fix: F-65054r996117_fix

Configure SLEM 5 to take the appropriate action if the audit storage is full. Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file: disk_full_action = syslog

b

SLEM 5 must protect audit rules from unauthorized modification.

AU-9 - Medium - CCI-000162 - V-261418 - SV-261418r996665_rule

RMF Control

AU-9

Severity

M

CCI

CCI-000162

Version

SLEM-05-653050

Vuln IDs

V-261418

Rule IDs

SV-261418r996665_rule

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-65147r996663_chk

Verify that SLEM 5 protects audit rules from unauthorized modification with the following command: > grep -i audit /etc/permissions.local /var/log/audit root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 If the command does not return any output or all four lines as shown, this is a finding. Check that all of the audit information files and folders have the correct permissions with the following command: > sudo chkstat /etc/permissions.local If the command returns any output, this is a finding.

Fix: F-65055r996664_fix

Configure SLEM 5 to protect audit rules from unauthorized modification. Add or modify the following lines in "/etc/permissions.local": /var/log/audit root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 Set the correct permissions with the following command: > sudo chkstat --set /etc/permissions.local

b

SLEM 5 audit tools must have the proper permissions configured to protect against unauthorized access.

AU-9 - Medium - CCI-001493 - V-261419 - SV-261419r996668_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001493

Version

SLEM-05-653055

Vuln IDs

V-261419

Rule IDs

SV-261419r996668_rule

Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information. SLEM 5 providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Checks: C-65148r996666_chk

To protect from unauthorized access verify that SLEM 5 audit tools have the proper permissions configured in the permissions profile by using the following command: > grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 750 /usr/sbin/auditctl root:root 750 /usr/sbin/auditd root:root 750 /usr/sbin/ausearch root:root 755 /usr/sbin/aureport root:root 755 /usr/sbin/autrace root:root 750 /usr/sbin/augenrules root:root 750 If the command does not return any output, this is a finding.

Fix: F-65056r996667_fix

Configure SLEM 5 audit tools to have proper permissions set in the permissions profile. Add or modify the following lines in the "/etc/permissions.local" file: /usr/sbin/audispd root:root 750 /usr/sbin/auditctl root:root 750 /usr/sbin/auditd root:root 750 /usr/sbin/ausearch root:root 755 /usr/sbin/aureport root:root 755 /usr/sbin/autrace root:root 750 /usr/sbin/augenrules root:root 750

b

SLEM 5 audit tools must have the proper permissions applied to protect against unauthorized access.

AU-9 - Medium - CCI-001493 - V-261420 - SV-261420r996670_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001493

Version

SLEM-05-653060

Vuln IDs

V-261420

Rule IDs

SV-261420r996670_rule

Protecting audit information includes identifying and protecting the tools used to view and manipulate log data. Protecting audit tools is necessary to prevent unauthorized operation on audit information. SLEM 5 providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Checks: C-65149r996669_chk

To protect from unauthorized access verify that SLEM 5 audit tools have the proper permissions applied from the permissions profile by using the following command: > sudo chkstat /etc/permissions.local If the command returns any output, this is a finding.

Fix: F-65057r996126_fix

Configure SLEM 5 audit tools to have proper permissions applied from the permissions profile using the following command: > sudo chkstat --set /etc/permissions.local

a

SLEM 5 audit event multiplexor must be configured to use Kerberos.

AU-4 - Low - CCI-001851 - V-261421 - SV-261421r996672_rule

RMF Control

AU-4

Severity

L

CCI

Version

SLEM-05-653065

Vuln IDs

V-261421

Rule IDs

SV-261421r996672_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Audit events that may include sensitive data must be encrypted prior to transmission. Kerberos provides a mechanism to provide both authentication and encryption for audit event records.

Checks: C-65150r996671_chk

Determine if SLEM 5 audit event multiplexor is configured to use Kerberos by running the following command: > sudo grep enable_krb5 /etc/audisp/audisp-remote.conf enable_krb5 = yes If "enable_krb5" is not set to "yes", or is commented out, this is a finding.

Fix: F-65058r996129_fix

Configure SLEM 5 audit event multiplexor to use Kerberos. Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file: enable_krb5 = yes

b

Audispd must offload audit records onto a different system or media from SLEM 5 being audited.

AU-4 - Medium - CCI-001851 - V-261422 - SV-261422r996674_rule

RMF Control

AU-4

Severity

M

CCI

Version

SLEM-05-653070

Vuln IDs

V-261422

Rule IDs

SV-261422r996674_rule

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.

Checks: C-65151r996673_chk

Verify "audispd" offloads audit records onto a different system or media from SLEM 5 being audited with the following command: > sudo grep remote_server /etc/audisp/audisp-remote.conf remote_server = 240.9.19.81 If "remote_server" is not set to an external server or media, or is commented out, this is a finding.

Fix: F-65059r996132_fix

Configure SLEM 5 to offload audit records onto a different system or media. Add or modify the following line in the "/etc/audisp/audisp-remote.conf" file: remote_server = <ip_address>

b

The information system security officer (ISSO) and system administrator (SA), at a minimum, must have mail aliases to be notified of a SLEM 5 audit processing failure.

AU-5 - Medium - CCI-000139 - V-261423 - SV-261423r996677_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000139

Version

SLEM-05-653075

Vuln IDs

V-261423

Rule IDs

SV-261423r996677_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Checks: C-65152r996675_chk

Verify the administrators are notified in the event of a SLEM 5 audit processing failure with the following commands: > grep -i "^postmaster:" /etc/aliases postmaster: root If the above command does not return a value of "root", or the output is commented out, this is a finding. Verify the alias for root forwards to a monitored e-mail account: > grep -i "^root:" /etc/aliases root: person@server.mil If the alias for root does not forward to a monitored e-mail account, or the output is commented out, this is a finding.

Fix: F-65060r996676_fix

Configure the auditd service to notify the administrators in the event of a SLEM 5 audit processing failure. Configure an alias value for the postmaster with the following command: > sudo sh -c 'echo "postmaster: root" >> /etc/aliases' Configure an alias for root that forwards to a monitored email address with the following command: > sudo sh -c 'echo "root: box@server.mil" >> /etc/aliases' The following command must be run to implement changes to the /etc/aliases file: > sudo newaliases

b

The information system security officer (ISSO) and system administrator (SA), at a minimum, must be alerted of a SLEM 5 audit processing failure event.

AU-5 - Medium - CCI-000139 - V-261424 - SV-261424r996679_rule

RMF Control

AU-5

Severity

M

CCI

CCI-000139

Version

SLEM-05-653080

Vuln IDs

V-261424

Rule IDs

SV-261424r996679_rule

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.

Checks: C-65153r996678_chk

Verify the system is configured to send email to an account when it needs to notify an administrator with the following command: > sudo grep action_mail /etc/audit/auditd.conf action_mail_acct = root If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the returned line is commented out, or the "action_mail_acct" keyword is missing, this is a finding.

Fix: F-65061r996138_fix

Configure the auditd service to notify the administrators in the event of a SLEM 5 audit processing failure. Add or modify the following lines in the "/etc/audit/auditd.conf " file: action_mail_acct = root

b

SLEM 5 must generate audit records for all uses of the "chacl" command.

AU-3 - Medium - CCI-000130 - V-261425 - SV-261425r996682_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654010

Vuln IDs

V-261425

Rule IDs

SV-261425r996682_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65154r996680_chk

Verify SLEM 5 generates an audit record for all uses of the "chacl" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chacl' -a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65062r996681_fix

Configure SLEM 5 to generate an audit record for all uses of the "chacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load Note: The "-k <keyname>" at the end of the line gives the rule a unique meaning to help during an audit investigation. The <keyname> does not need to match the example above.

b

SLEM 5 must generate audit records for all uses of the "chage" command.

AU-3 - Medium - CCI-000130 - V-261426 - SV-261426r996685_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654015

Vuln IDs

V-261426

Rule IDs

SV-261426r996685_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65155r996683_chk

Verify SLEM 5 generates an audit record for any use of the "chage" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chage' -a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chage If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65063r996684_fix

Configure SLEM 5 to generate an audit record for all uses of the "chage" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "chcon" command.

AU-3 - Medium - CCI-000130 - V-261427 - SV-261427r996688_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654020

Vuln IDs

V-261427

Rule IDs

SV-261427r996688_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65156r996686_chk

Verify SLEM 5 generates an audit record for all uses of the "chcon" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chcon' -a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65064r996687_fix

Configure SLEM 5 to generate an audit record for all uses of the "chcon" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "chfn" command.

AU-3 - Medium - CCI-000130 - V-261428 - SV-261428r996691_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654025

Vuln IDs

V-261428

Rule IDs

SV-261428r996691_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-65157r996689_chk

Verify SLEM 5 generates an audit record for all uses of the "chfn" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chfn' -a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chfn If the command does not return any output or the returned line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65065r996690_fix

Configure SLEM 5 to generate an audit record for all uses of the "chfn" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chfn To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "chmod" command.

AU-3 - Medium - CCI-000130 - V-261429 - SV-261429r996694_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654030

Vuln IDs

V-261429

Rule IDs

SV-261429r996694_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65158r996692_chk

Verify SLEM 5 generates an audit record for all uses of the "chmod" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chmod' -a always,exit -S all -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65066r996693_fix

Configure SLEM 5 to generate an audit record for all uses of the "chmod" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for a uses of the "chsh" command.

AU-3 - Medium - CCI-000130 - V-261430 - SV-261430r996697_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654035

Vuln IDs

V-261430

Rule IDs

SV-261430r996697_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-65159r996695_chk

Verify SLEM 5 generates an audit record for all uses of the "chsh" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/chsh' -a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-chsh If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65067r996696_fix

Configure SLEM 5 to generate an audit record for all uses of the "chsh" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chsh To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "crontab" command.

AU-3 - Medium - CCI-000130 - V-261431 - SV-261431r996700_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654040

Vuln IDs

V-261431

Rule IDs

SV-261431r996700_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65160r996698_chk

Verify SLEM 5 generates an audit record for any use of the "crontab" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/crontab' -a always,exit -S all -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-crontab If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65068r996699_fix

Configure SLEM 5 to generate an audit record for all uses of the "crontab" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "gpasswd" command.

AU-3 - Medium - CCI-000130 - V-261432 - SV-261432r996703_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654045

Vuln IDs

V-261432

Rule IDs

SV-261432r996703_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-65161r996701_chk

Verify SLEM 5 generates an audit record for all uses of the "gpasswd" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/gpasswd' -a always,exit -S all -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-gpasswd If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65069r996702_fix

Configure SLEM 5 to generate an audit record for all uses of the "gpasswd" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "insmod" command.

AU-3 - Medium - CCI-000130 - V-261433 - SV-261433r996706_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654050

Vuln IDs

V-261433

Rule IDs

SV-261433r996706_rule

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DOD has defined the following list of events for which SLEM 5 will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-65162r996704_chk

Verify SLEM 5 is generates an audit record for all uses of the "insmod" command with the following command: > sudo auditctl -l | grep -w '/sbin/insmod' -w /sbin/insmod -p x -k modules If the system is configured to audit the execution of the module management program "insmod", the command will return a line. If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65070r996705_fix

Configure SLEM 5 to audit the execution of the module management program "insmod". Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /sbin/insmod -p x -k modules To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "kmod" command.

AU-3 - Medium - CCI-000130 - V-261434 - SV-261434r996709_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654055

Vuln IDs

V-261434

Rule IDs

SV-261434r996709_rule

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DOD has defined the following list of events for which SLEM 5 will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-65163r996707_chk

Verify SLEM 5 generates an audit record for all uses of the "kmod" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/kmod' -w /usr/bin/kmod -p x -k modules If the system is configured to audit the execution of the module management program "kmod", the command will return a line. If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65071r996708_fix

Configure SLEM 5 to audit the execution of the module management program "kmod". Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /usr/bin/kmod -p x -k modules To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "modprobe" command.

AU-3 - Medium - CCI-000130 - V-261435 - SV-261435r996712_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654060

Vuln IDs

V-261435

Rule IDs

SV-261435r996712_rule

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DOD has defined the following list of events for which SLEM 5 will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-65164r996710_chk

Verify SLEM 5 generates an audit record for all uses of the "modprobe" command with the following command: > sudo auditctl -l | grep -w '/sbin/modprobe' -w /sbin/modprobe -p x -k modules If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65072r996711_fix

Configure SLEM 5 to audit the execution of the module management program "modprobe". Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /sbin/modprobe -p x -k modules To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "newgrp" command.

AU-3 - Medium - CCI-000130 - V-261436 - SV-261436r996715_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654065

Vuln IDs

V-261436

Rule IDs

SV-261436r996715_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-65165r996713_chk

Verify SLEM 5 generates an audit record for all uses of the "newgrp" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/newgrp' -a always,exit -S all -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-newgrp If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65073r996714_fix

Configure SLEM 5 to generate an audit record for all uses of the "newgrp" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged-newgrp To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "pam_timestamp_check" command.

AU-3 - Medium - CCI-000130 - V-261437 - SV-261437r996718_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654070

Vuln IDs

V-261437

Rule IDs

SV-261437r996718_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65166r996716_chk

Verify SLEM 5 generates an audit record for any use of the "pam_timestamp_check" command with the following command: > sudo auditctl -l | grep -w '/sbin/pam_timestamp_check' -a always,exit -S all -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-pam_timestamp_check If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65074r996717_fix

Configure SLEM 5 to generate an audit record for all uses of the "pam_timestamp_check" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "passwd" command.

AU-3 - Medium - CCI-000130 - V-261438 - SV-261438r996721_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654075

Vuln IDs

V-261438

Rule IDs

SV-261438r996721_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-65167r996719_chk

Verify SLEM 5 generates an audit record for all uses of the "passwd" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/passwd' -a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-passwd If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65075r996720_fix

Configure SLEM 5 to generate an audit record for all uses of the "passwd" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "rm" command.

AU-3 - Medium - CCI-000130 - V-261439 - SV-261439r996724_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654080

Vuln IDs

V-261439

Rule IDs

SV-261439r996724_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65168r996722_chk

Verify SLEM 5 generates an audit record for all uses of the "rm" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/rm' -a always,exit -S all -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65076r996723_fix

Configure SLEM 5 to generate an audit record for all uses of the "rm" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "rmmod" command.

AU-3 - Medium - CCI-000130 - V-261440 - SV-261440r996727_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654085

Vuln IDs

V-261440

Rule IDs

SV-261440r996727_rule

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DOD has defined the following list of events for which SLEM 5 will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-65169r996725_chk

Verify SLEM 5 generates an audit record for all uses of the "rmmod" command with the following command: > sudo auditctl -l | grep -w '/sbin/rmmod' -w /sbin/rmmod -p x -k modules If the system is configured to audit the execution of the module management program "rmmod", the command will return a line. If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65077r996726_fix

Configure SLEM 5 to audit the execution of the module management program "rmmod". Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /sbin/rmmod -p x -k modules To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "setfacl" command.

AU-3 - Medium - CCI-000130 - V-261441 - SV-261441r996730_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654090

Vuln IDs

V-261441

Rule IDs

SV-261441r996730_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65170r996728_chk

Verify SLEM 5 generates an audit record for all uses of the "setfacl" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/setfacl' -a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -F key=prim_mod If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65078r996729_fix

Configure SLEM 5 to generate an audit record for all uses of the "setfacl" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k prim_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "ssh-agent" command.

AU-3 - Medium - CCI-000130 - V-261442 - SV-261442r996733_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654095

Vuln IDs

V-261442

Rule IDs

SV-261442r996733_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-65171r996731_chk

Verify SLEM 5 generates an audit record for all uses of the "ssh-agent" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/ssh-agent' -a always,exit -S all -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-ssh-agent If the command does not return any output or the returned line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65079r996732_fix

Configure SLEM 5 to generate an audit record for all uses of the "ssh-agent" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "ssh-keysign" command.

AU-3 - Medium - CCI-000130 - V-261443 - SV-261443r996736_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654100

Vuln IDs

V-261443

Rule IDs

SV-261443r996736_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-65172r996734_chk

Verify SLEM 5 generates an audit record for all uses of the "ssh-keysign" command with the following command: > sudo auditctl -l | grep -w '/usr/lib/ssh/ssh-keysign' -a always,exit -S all -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-ssh-keysign If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65080r996735_fix

Configure SLEM 5 to generate an audit record for all uses of the "ssh-keysign" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-keysign To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "su" command.

AU-3 - Medium - CCI-000130 - V-261444 - SV-261444r996739_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654105

Vuln IDs

V-261444

Rule IDs

SV-261444r996739_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65173r996737_chk

Verify SLEM 5 generates an audit record for any use of the "su" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/su' -a always,exit -S all -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-priv_change If the command does not return any output or the returned line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65081r996738_fix

Configure SLEM 5 to generate an audit record for all uses of the "su" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "sudo" command.

AU-3 - Medium - CCI-000130 - V-261445 - SV-261445r996742_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654110

Vuln IDs

V-261445

Rule IDs

SV-261445r996742_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-65174r996740_chk

Verify SLEM 5 generates an audit record for any use of the "sudo" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/sudo' -a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-sudo If the command does not return any output, or the returned line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65082r996741_fix

Configure SLEM 5 to generate an audit record for all uses of the "sudo" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudo To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "sudoedit" command.

AU-3 - Medium - CCI-000130 - V-261446 - SV-261446r996745_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654115

Vuln IDs

V-261446

Rule IDs

SV-261446r996745_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65175r996743_chk

Verify an audit record is generated for all uses of the "sudoedit" command with the following command: > sudo auditctl -l | grep -w '/usr/bin/sudoedit' -a always,exit -S all -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-sudoedit If the command does not return any output or the returned line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65083r996744_fix

Configure SLEM 5 to generate an audit record for all uses of the "sudoedit" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=unset -k privileged-sudoedit To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "unix_chkpwd" or "unix2_chkpwd" commands.

AU-3 - Medium - CCI-000130 - V-261447 - SV-261447r996748_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654120

Vuln IDs

V-261447

Rule IDs

SV-261447r996748_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65176r996746_chk

Verify SLEM 5 generates an audit record for any use of the "unix_chkpwd" or "unix2_chkpwd" commands with the following command: > sudo auditctl -l | egrep -w "(unix_chkpwd|unix2_chkpwd)" -a always,exit -S all -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-unix-chkpwd -a always,exit -S all -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-unix2-chkpwd If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65084r996747_fix

Configure SLEM 5 to generate an audit record for all uses of the "unix_chkpwd" and "unix2_chkpwd" commands. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-chkpwd -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix2-chkpwd To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "usermod" command.

AU-3 - Medium - CCI-000130 - V-261448 - SV-261448r996751_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654125

Vuln IDs

V-261448

Rule IDs

SV-261448r996751_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65177r996749_chk

Verify SLEM 5 generates an audit record for any use of the "usermod" command with the following command: > sudo auditctl -l | grep -w '/usr/sbin/usermod' -a always,exit -S all -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged-usermod If the command does not return any output, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65085r996750_fix

Configure SLEM 5 to generate an audit record for all uses of the "usermod" command. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.

AC-2 - Medium - CCI-000018 - V-261449 - SV-261449r996754_rule

RMF Control

AC-2

Severity

M

CCI

Version

SLEM-05-654130

Vuln IDs

V-261449

Rule IDs

SV-261449r996754_rule

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing account creation mitigates this risk. To address access requirements, SLEM 5 may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-65178r996752_chk

Verify SLEM 5 generates an audit record when modifications occur to the "/etc/group" file with the following command: > sudo auditctl -l | grep -w '/etc/group' -w /etc/group -p wa -k account_mod If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "-k" value is arbitrary and can be different from the example output above.

Fix: F-65086r996753_fix

Configure SLEM 5 to generate an audit record when all modifications to the "/etc/group" file occur. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /etc/group -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.

AC-2 - Medium - CCI-000018 - V-261450 - SV-261450r996757_rule

RMF Control

AC-2

Severity

M

CCI

Version

SLEM-05-654135

Vuln IDs

V-261450

Rule IDs

SV-261450r996757_rule

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing account creation mitigates this risk. To address access requirements, SLEM 5 may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-65179r996755_chk

Verify SLEM 5 generates an audit record when modifications occur to the "/etc/security/opasswd" file with the following command: > sudo auditctl -l | grep -w '/etc/security/opasswd' -w /etc/security/opasswd -p wa -k account_mod If the command does not return a line that matches the example or the line is commented out, this is a finding. Notes: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-65087r996756_fix

Configure SLEM 5 to generate an audit record when all modifications to the "/etc/security/opasswd" file occur. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /etc/security/opasswd -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.

AC-2 - Medium - CCI-000018 - V-261451 - SV-261451r996760_rule

RMF Control

AC-2

Severity

M

CCI

Version

SLEM-05-654140

Vuln IDs

V-261451

Rule IDs

SV-261451r996760_rule

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing account creation mitigates this risk. To address access requirements, SLEM 5 may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-65180r996758_chk

Verify SLEM 5 generates an audit record when all modifications occur to the "/etc/passwd" file with the following command: > sudo auditctl -l | grep -w '/etc/passwd' -w /etc/passwd -p wa -k account_mod If the command does not return a line that matches the example or the line is commented out, this is a finding. Notes: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-65088r996759_fix

Configure SLEM 5 to generate an audit record when all modifications to the "/etc/passwd" file occur. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /etc/passwd -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

AC-2 - Medium - CCI-000018 - V-261452 - SV-261452r996763_rule

RMF Control

AC-2

Severity

M

CCI

Version

SLEM-05-654145

Vuln IDs

V-261452

Rule IDs

SV-261452r996763_rule

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing account creation mitigates this risk. To address access requirements, SLEM 5 may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-65181r996761_chk

Verify SLEM 5 generates an audit record when modifications occur to the "/etc/shadow" file with the following command: > sudo auditctl -l | grep -w '/etc/shadow' -w /etc/shadow -p wa -k account_mod If the command does not return a line that matches the example or the line is commented out, this is a finding. Notes: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-65089r996762_fix

Configure SLEM 5 to generate an audit record when all modifications to the "/etc/shadow" file occur. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /etc/shadow -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "chmod", "fchmod" and "fchmodat" system calls.

AU-3 - Medium - CCI-000130 - V-261453 - SV-261453r996848_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654150

Vuln IDs

V-261453

Rule IDs

SV-261453r996848_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. However, the performance can be helped by combining syscalls into one rule whenever possible.

Checks: C-65182r996764_chk

Verify SLEM 5 generates an audit record for all uses of the "chmod", "fchmod" and "fchmodat" system calls with the following command: > sudo auditctl -l | grep chmod -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65090r996765_fix

Configure SLEM 5 to generate an audit record for all uses of the "chmod", "fchmod", and "fchmodat" system calls. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls.

AU-3 - Medium - CCI-000130 - V-261454 - SV-261454r996769_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654155

Vuln IDs

V-261454

Rule IDs

SV-261454r996769_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.

Checks: C-65183r996767_chk

Verify SLEM 5 generates an audit record for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls with the following command: > sudo auditctl -l | grep chown -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -F key=perm_mod If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", and "lchown" syscalls, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65091r996768_fix

Configure SLEM 5 to generate an audit record for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls.

AU-3 - Medium - CCI-000130 - V-261455 - SV-261455r996772_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654160

Vuln IDs

V-261455

Rule IDs

SV-261455r996772_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.

Checks: C-65184r996770_chk

Verify SLEM 5 generates an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls with the following command: > sudo auditctl -l | grep 'open\|truncate\|creat' -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=perm_access If both the "b32" and "b64" audit rules are not defined for the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls, this is a finding. If the output does not produce rules containing "-F exit=-EPERM", this is a finding. If the output does not produce rules containing "-F exit=-EACCES", this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65092r996771_fix

Configure SLEM 5 to generate an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "delete_module" system call.

AU-3 - Medium - CCI-000130 - V-261456 - SV-261456r996775_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654165

Vuln IDs

V-261456

Rule IDs

SV-261456r996775_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65185r996773_chk

Verify SLEM 5 generates an audit record for all uses of the "delete_module" system call with the following command: > sudo auditctl -l | grep -w 'delete_module' -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -F key=unload_module -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -F key=unload_module If both the "b32" and "b64" audit rules are not defined for the "unload_module" syscall, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65093r996774_fix

Configure SLEM 5 to generate an audit record for all uses of the "delete_module" system call. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k unload_module -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k unload_module To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "init_module" and "finit_module" system calls.

AU-3 - Medium - CCI-000130 - V-261457 - SV-261457r996778_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654170

Vuln IDs

V-261457

Rule IDs

SV-261457r996778_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.

Checks: C-65186r996776_chk

Verify SLEM 5 generates an audit record for all uses of the "init_module" and "finit_module" system calls with the following command: > sudo auditctl -l | grep init_module -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -F key=moduleload -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -F key=moduleload If both the "b32" and "b64" audit rules are not defined for the init_module" and "finit_module" syscalls, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65094r996777_fix

Configure SLEM 5 to generate an audit record for all uses of the "init_module" and "finit_module" system calls. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k moduleload -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k moduleload To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "mount" system call.

AU-3 - Medium - CCI-000130 - V-261458 - SV-261458r996781_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654175

Vuln IDs

V-261458

Rule IDs

SV-261458r996781_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-65187r996779_chk

Verify SLEM 5 generates an audit record for all uses of the "mount" system call with the following command: > sudo auditctl -l | grep -w 'mount' -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=privileged-mount If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65095r996780_fix

Configure SLEM 5 to generate an audit record for all uses of the "mount" system call. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls.

AU-3 - Medium - CCI-000130 - V-261459 - SV-261459r996784_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654180

Vuln IDs

V-261459

Rule IDs

SV-261459r996784_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.

Checks: C-65188r996782_chk

Verify SLEM 5 generates an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls with the following command: > sudo auditctl -l | grep xattr -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65096r996783_fix

Configure SLEM 5 to generate an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr","removexattr", "fremovexattr", and "lremovexattr" system calls. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "umount" system call.

AU-3 - Medium - CCI-000130 - V-261460 - SV-261460r996787_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654185

Vuln IDs

V-261460

Rule IDs

SV-261460r996787_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-65189r996785_chk

Verify SLEM 5 generates an audit record for all uses of the "umount" and "umount2" system calls with the following command: > sudo auditctl -l | grep 'umount' -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=-1 -F key=privileged-umount -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=-1 -F key=privileged-umount If both the "b32" and "b64" audit rules are not defined for the "umount" syscall, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65097r996786_fix

Configure SLEM 5 to generate an audit record for all uses of the "umount" and "umount2" system calls. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=unset -k privileged-umount -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=unset -k privileged-umount To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls.

AU-12 - Medium - CCI-000172 - V-261461 - SV-261461r996790_rule

RMF Control

AU-12

Severity

M

CCI

Version

SLEM-05-654190

Vuln IDs

V-261461

Rule IDs

SV-261461r996790_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.

Checks: C-65190r996788_chk

Verify SLEM 5 generates an audit record for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls with the following command: > sudo auditctl -l | grep 'unlink\|rename\|rmdir' -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -F key=perm_mod If both the "b32" and "b64" audit rules are not defined for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65098r996789_fix

Configure SLEM 5 to generate an audit record for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=unset -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all uses of privileged functions.

AC-6 - Medium - CCI-002234 - V-261462 - SV-261462r996793_rule

RMF Control

AC-6

Severity

M

CCI

CCI-002234

Version

SLEM-05-654195

Vuln IDs

V-261462

Rule IDs

SV-261462r996793_rule

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.

Checks: C-65191r996791_chk

Verify SLEM 5 generates an audit record for any privileged use of the "execve" system call with the following command: > sudo auditctl -l | grep -w 'execve' -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=setgid If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65099r996792_fix

Configure SLEM 5 to generate an audit record for any privileged use of the "execve" system call. Add or modify the following lines in "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all modifications to the "lastlog" file.

AU-3 - Medium - CCI-000130 - V-261463 - SV-261463r996796_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654200

Vuln IDs

V-261463

Rule IDs

SV-261463r996796_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65192r996794_chk

Verify SLEM 5 generates an audit record when all modifications to the "lastlog" file occur with the following command: > sudo auditctl -l | grep -w '/var/log/lastlog' -w /var/log/lastlog -p wa -k logins If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65100r996795_fix

Configure SLEM 5 to generate an audit record for any all modifications to the "lastlog" file occur. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /var/log/lastlog -p wa -k logins To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for all modifications to the "tallylog" file must generate an audit record.

AU-3 - Medium - CCI-000130 - V-261464 - SV-261464r996799_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654205

Vuln IDs

V-261464

Rule IDs

SV-261464r996799_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65193r996797_chk

Verify SLEM 5 generates an audit record when all modifications to the "tallylog" file occur with the following command: > sudo auditctl -l | grep -w '/var/log/tallylog' -w /var/log/tallylog -p wa -k logins If the command does not return a line that matches the example or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65101r996798_fix

Configure SLEM 5 to generate an audit record for any all modifications to the "tallylog" file occur. Add or modify the following line in the "/etc/audit/rules.d/audit.rules" file: -w /var/log/tallylog -p wa -k logins To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must audit all uses of the sudoers file and all files in the "/etc/sudoers.d/" directory.

AU-3 - Medium - CCI-000130 - V-261465 - SV-261465r996802_rule

RMF Control

AU-3

Severity

M

CCI

Version

SLEM-05-654210

Vuln IDs

V-261465

Rule IDs

SV-261465r996802_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.

Checks: C-65194r996800_chk

Verify SLEM 5 generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory with the following command: > sudo auditctl -l | grep -w '/etc/sudoers' -w /etc/sudoers -p wa -k privileged-actions -w /etc/sudoers.d -p wa -k privileged-actions If the commands do not return output that match the examples, this is a finding. Notes: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-65102r996801_fix

Configure SLEM 5 to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. Add or modify the following lines in "/etc/audit/rules.d/audit.rules" file: -w /etc/sudoers -p wa -k privileged-actions -w /etc/sudoers.d -p wa -k privileged-actions To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

Successful/unsuccessful uses of "setfiles" in SLEM 5 must generate an audit record.

AU-12 - Medium - CCI-000169 - V-261466 - SV-261466r996805_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000169

Version

SLEM-05-654215

Vuln IDs

V-261466

Rule IDs

SV-261466r996805_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setfiles" command is primarily used to initialize the security context fields (extended attributes) on one or more filesystems (or parts of them). Usually it is initially run as part of the SELinux installation process (a step commonly known as labeling). When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.

Checks: C-65195r996803_chk

Verify SLEM 5 generates an audit record for all uses of the "setfiles" command with the following command: > sudo grep -w "setfiles" /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65103r996804_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "setfiles" command. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

Successful/unsuccessful uses of "semanage" in SLEM 5 must generate an audit record.

AU-12 - Medium - CCI-000169 - V-261467 - SV-261467r996808_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000169

Version

SLEM-05-654220

Vuln IDs

V-261467

Rule IDs

SV-261467r996808_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "semanage" command is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.

Checks: C-65196r996806_chk

Verify SLEM 5 generates an audit record for all uses of the "semanage" command with the following command: > sudo grep -w "semanage" /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65104r996807_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "semanage" command. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

Successful/unsuccessful uses of "setsebool" in SLEM 5 must generate an audit record.

AU-12 - Medium - CCI-000169 - V-261468 - SV-261468r997405_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000169

Version

SLEM-05-654225

Vuln IDs

V-261468

Rule IDs

SV-261468r997405_rule

Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. The "setsebool" command sets the current state of a particular SELinux Boolean or a list of Booleans to a given value. When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to "-1". The AUID representation is an unsigned 32-bit integer, which equals "4294967295". The audit system interprets "-1", "4294967295", and "unset" in the same way.

Checks: C-65197r996809_chk

Verify SLEM 5 generates an audit record for all uses of the "setsebool" command with the following command: > sudo grep -w "setsebool" /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65105r996810_fix

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "setsebool" command. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for the "/run/utmp file".

AU-12 - Medium - CCI-000172 - V-261469 - SV-261469r996814_rule

RMF Control

AU-12

Severity

M

CCI

Version

SLEM-05-654230

Vuln IDs

V-261469

Rule IDs

SV-261469r996814_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65198r996812_chk

Verify SLEM 5 generates an audit record for the "/run/utmp" file with the following command: > sudo auditctl -l | grep -w '/run/utmp' -w /run/utmp -p wa -k login_mod If the command does not return a line that matches the example, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65106r996813_fix

Configure SLEM 5 to generate an audit record for the "/run/utmp" file. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -w /run/utmp -p wa -k login_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for the "/var/log/btmp" file.

AU-12 - Medium - CCI-000172 - V-261470 - SV-261470r996817_rule

RMF Control

AU-12

Severity

M

CCI

Version

SLEM-05-654235

Vuln IDs

V-261470

Rule IDs

SV-261470r996817_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65199r996815_chk

Verify SLEM 5 generates an audit record for the "/var/log/btmp" file with the following command: > sudo auditctl -l | grep -w '/var/log/btmp' -w /var/log/btmp -p wa -k login_mod If the command does not return a line that matches the example, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65107r996816_fix

Configure SLEM 5 to generate an audit record for the "/var/log/btmp" file. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -w /var/log/btmp -p wa -k login_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must generate audit records for the "/var/log/wtmp" file.

AU-12 - Medium - CCI-000172 - V-261471 - SV-261471r996820_rule

RMF Control

AU-12

Severity

M

CCI

Version

SLEM-05-654240

Vuln IDs

V-261471

Rule IDs

SV-261471r996820_rule

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-65200r996818_chk

Verify SLEM 5 generates an audit record for the "/var/log/wtmp" file with the following command: > sudo auditctl -l | grep -w '/var/log/wtmp' -w /var/log/wtmp -p wa -k login_mod If the command does not return a line that matches the example, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Fix: F-65108r996819_fix

Configure SLEM 5 to generate an audit record for the "/var/log/wtmp" file. Add or modify the following lines in the "/etc/audit/rules.d/audit.rules" file: -w /var/log/wtmp -p wa -k login_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b

SLEM 5 must not disable syscall auditing.

CM-6 - Medium - CCI-000366 - V-261472 - SV-261472r996865_rule

RMF Control

CM-6

Severity

M

CCI