SUSE Linux Enterprise Server 15 Security Technical Implementation Guide

  • Version/Release: V2R1
  • Published: 2024-05-30
  • Released: 2024-07-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
c
The SUSE operating system must be a vendor-supported release.
SI-2 - High - CCI-001230 - V-234800 - SV-234800r991589_rule
RMF Control
SI-2
Severity
High
CCI
CCI-001230
Version
SLES-15-010000
Vuln IDs
  • V-234800
Rule IDs
  • SV-234800r991589_rule
A SUSE operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
Checks: C-37988r618669_chk

Verify the SUSE operating system is a vendor-supported release. Use the following command to verify the SUSE operating system is a vendor-supported release: > cat /etc/os-release NAME="SLES" VERSION="15" Or any SUSE Linux Enterprise 15 Service Pack follow up release. NAME="SLES" VERSION="15-SPx" Current End of Life for SLES 15 General Support is 31 Jul 2028 and Long-term Support is until 31 Jul 2031. If the release is not supported by the vendor, this is a finding.

Fix: F-37951r618670_fix

Upgrade the SUSE operating system to a version supported by the vendor. If the system is not registered with the SUSE Customer Center, register the system against the correct subscription. If the system requires Long-Term Service Pack Support (LTSS), obtain the correct LTSS subscription for the system.

b
Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
SI-2 - Medium - CCI-001227 - V-234802 - SV-234802r991589_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-001227
Version
SLES-15-010010
Vuln IDs
  • V-234802
Rule IDs
  • SV-234802r991589_rule
Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep SUSE operating system and application software patched is a common mistake made by IT professionals. New patches are released frequently, and it is often difficult for even experienced System Administrators (SAs) to keep abreast of all the new patches. When new weaknesses in a SUSE operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
Checks: C-37990r618675_chk

Verify the SUSE operating system security patches and updates are installed and up to date. Note: Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). Check for required SUSE operating system patches and updates with the following command: > sudo zypper patch-check 0 patches needed (0 security patches) If the patch repository data is corrupt, check that the available package security updates have been installed on the system with the following command: > cut -d "|" -f 1-4 -s --output-delimiter " | " /var/log/zypp/history | grep -v " radd " 2016-12-14 11:59:36 | install | libapparmor1-32bit | 2.8.0-2.4.1 2016-12-14 11:59:36 | install | pam_apparmor | 2.8.0-2.4.1 2016-12-14 11:59:36 | install | pam_apparmor-32bit | 2.8.0-2.4.1 If the SUSE operating system has not been patched within the site or PMO frequency, this is a finding.

Fix: F-37953r618676_fix

Install the applicable SUSE operating system patches available from SUSE by running the following command: > sudo zypper patch

b
The SUSE operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting access via local console.
AC-8 - Medium - CCI-000048 - V-234803 - SV-234803r958390_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
SLES-15-010020
Vuln IDs
  • V-234803
Rule IDs
  • SV-234803r958390_rule
Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DOD will not be in compliance with system use notifications required by law. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for SUSE operating system: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Checks: C-37991r951621_chk

Verify the SUSE operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via local console. Check the "motd" (message of the day) file to verify that it contains the DOD required banner text: > more /etc/issue The output must display the following DOD-required banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the output does not display the correct banner text, this is a finding.

Fix: F-37954r951622_fix

Configure the SUSE operating system to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via local console by performing the following tasks: Edit the "motd" file and replace the default text inside with the Standard Mandatory DOD banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

c
The SUSE operating system must not have the vsftpd package installed if not required for operational support.
IA-5 - High - CCI-000197 - V-234804 - SV-234804r987796_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
SLES-15-010030
Vuln IDs
  • V-234804
Rule IDs
  • SV-234804r987796_rule
It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049
Checks: C-37992r618681_chk

Verify the vsftpd package is not installed on the SUSE operating system. Check that the vsftpd package is not installed on the SUSE operating system by running the following command: > zypper info vsftpd | grep Installed If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Fix: F-37955r618682_fix

Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command: > sudo zypper remove vsftpd

b
The SUSE operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting access via SSH.
AC-8 - Medium - CCI-000048 - V-234805 - SV-234805r958390_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
SLES-15-010040
Vuln IDs
  • V-234805
Rule IDs
  • SV-234805r958390_rule
Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DOD policy. Use the following verbiage for SUSE operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088
Checks: C-37993r951624_chk

Verify the SUSE operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via SSH. Check the issue file to verify it contains one of the DOD required banners. If it does not, this is a finding. > more /etc/issue The output must display the following DOD-required banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the output does not display the banner text, this is a finding. Check the banner setting for sshd_config: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*banner' Banner /etc/issue If "Banner" is not set to "/etc/issue", this is a finding.

Fix: F-37956r951625_fix

Configure the SUSE operating system to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system by running the following commands: Edit the "sshd_config" file and edit the Banner flag to be the following: Banner /etc/issue/ Restart the sshd daemon: > sudo systemctl restart sshd.service To configure the system logon banner, edit the "/etc/issue" file. Replace the default text inside with the Standard Mandatory DOD banner text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

b
The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI).
AC-8 - Medium - CCI-000048 - V-234806 - SV-234806r958390_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
SLES-15-010050
Vuln IDs
  • V-234806
Rule IDs
  • SV-234806r958390_rule
The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface (GUI). Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007
Checks: C-37994r618687_chk

Verify the SUSE operating system displays the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on via the local GUI. Note: If a graphical user interface is not installed, this requirement is Not Applicable. Check the configuration by running the following command: > more /etc/gdm/Xsession The beginning of the file must contain the following text immediately after (#!/bin/sh): if ! zenity --text-info \ --title "Consent" \ --filename=/etc/gdm/banner \ --no-markup \ --checkbox="Accept." 10 10; then sleep 1; exit 1; fi If the beginning of the file does not contain the above text immediately after the line (#!/bin/sh), this is a finding.

Fix: F-37957r618688_fix

Configure the SUSE operating system to display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access. Note: If a graphical user interface is not installed, this requirement is Not Applicable. Edit the file "/etc/gdm/Xsession". Add the following content to the file "/etc/gdm/Xsession" below the line #!/bin/sh: if ! zenity --text-info \ --title "Consent" \ --filename=/etc/gdm/banner \ --no-markup \ --checkbox="Accept." 10 10; then sleep 1; exit 1; fi Save the file "/etc/gdm/Xsession".

b
The SUSE operating system file /etc/gdm/banner must contain the Standard Mandatory DoD Notice and Consent banner text.
AC-8 - Medium - CCI-000050 - V-234807 - SV-234807r958392_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000050
Version
SLES-15-010060
Vuln IDs
  • V-234807
Rule IDs
  • SV-234807r958392_rule
The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. To establish acceptance of the application usage policy, a click-through banner at system logon is required. The system must prevent further activity until the user executes a positive action to manifest agreement by clicking on a box indicating "OK".
Checks: C-37995r618690_chk

Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Verify the SUSE operating system file "/etc/gdm/banner" contains the Standard Mandatory DoD Notice and Consent Banner text by running the following command: > more /etc/gdm/banner If the file does not contain the following text, this is a finding. "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

Fix: F-37958r618691_fix

Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Configure the SUSE operating system file "/etc/gdm/banner" to contain the Standard Mandatory DoD Notice and Consent Banner by running the following commands: > sudo vi /etc/gdm/banner Add the following information to the file: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

b
The SUSE operating system must display a banner before granting local or remote access to the system via a graphical user logon.
AC-8 - Medium - CCI-001384 - V-234808 - SV-234808r958586_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-001384
Version
SLES-15-010080
Vuln IDs
  • V-234808
Rule IDs
  • SV-234808r958586_rule
Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for SUSE operating system: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Checks: C-37996r618693_chk

Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Verify the SUSE operating system displays a banner before local or remote access to the system via a graphical user logon. Check that the SUSE operating system displays a banner at the logon screen by performing the following command: > grep banner-message-enable /etc/dconf/db/gdm.d/* banner-message-enable=true > cat /etc/dconf/profile/gdm user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults If "banner-message-enable" is set to "false" or is missing completely, this is a finding.

Fix: F-37959r618694_fix

Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Configure the SUSE operating system to display a banner before local or remote access to the system via a graphical user logon. Create a database that will contain the system-wide graphical user logon settings (if it does not already exist) with the following command: > sudo mkdir -p /etc/dconf/db/gdm.d > sudo touch /etc/dconf/db/gdm.d/01-banner-message Add the following content into /etc/dconf/profile/gdm: user-db:user system-db:gdm file-db:/usr/share/gdm/greeter-dconf-defaults Add the following line to the "[org/gnome/login-screen]" section of the "/etc/dconf/db/gdm.d/01-banner-message" file: [org/gnome/login-screen] banner-message-enable=true Update the system databases: > sudo dconf update Users must log out and back in again before the system-wide settings take effect.

b
The SUSE operating system must display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon.
AC-8 - Medium - CCI-001384 - V-234809 - SV-234809r958586_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-001384
Version
SLES-15-010090
Vuln IDs
  • V-234809
Rule IDs
  • SV-234809r958586_rule
Display of a standardized and approved use notification before granting access to the SUSE operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The banner must be acknowledged by the user prior to allowing the user access to the SUSE operating system. This provides assurance that the user has seen the message and accepted the conditions for access. If the consent banner is not acknowledged by the user, DoD will not be in compliance with system use notifications required by law. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for SUSE operating system: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Checks: C-37997r618696_chk

Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Verify the SUSE operating system displays the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon. Check that the SUSE operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text by performing the following command: > grep banner-message-text /etc/dconf/db/gdm.d/* banner-message-text= "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Note: The "\n" characters are for formatting only. They will not be displayed on the GUI. If the banner text does not exactly match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.

Fix: F-37960r618697_fix

Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Configure the SUSE operating system to display the approved Standard Mandatory DoD Notice before granting local or remote access to the system via a graphical user logon. Create a database to contain the system wide graphical user logon settings (if it does not already exist) by performing the following command: > sudo touch /etc/dconf/db/gdm.d/01-banner-message Add the following lines to the "[org/gnome/login-screen]" section of the "dconf/db/gdm.d/01-banner-message" file: [org/gnome/login-screen] banner-message-text="You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Note: The "\n" characters are for formatting only. They will not be displayed on the GUI. Run the following command to update the database: > sudo dconf update

b
The SUSE operating system must be able to lock the graphical user interface (GUI).
AC-11 - Medium - CCI-000056 - V-234810 - SV-234810r986461_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000056
Version
SLES-15-010100
Vuln IDs
  • V-234810
Rule IDs
  • SV-234810r986461_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011
Checks: C-37998r618699_chk

Verify the SUSE operating system allows the user to lock the GUI. Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Run the following command: > sudo gsettings get org.gnome.desktop.lockdown disable-lock-screen If the result is "true", this is a finding.

Fix: F-37961r618700_fix

Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. This command must be run from an X11 session; otherwise, the command will not work correctly. Configure the SUSE operating system to allow the user to lock the GUI. Run the following command to configure the SUSE operating system to allow the user to lock the GUI: > sudo gsettings set org.gnome.desktop.lockdown disable-lock-screen false

a
The SUSE operating system must utilize vlock to allow for session locking.
AC-11 - Low - CCI-000056 - V-234811 - SV-234811r986462_rule
RMF Control
AC-11
Severity
Low
CCI
CCI-000056
Version
SLES-15-010110
Vuln IDs
  • V-234811
Rule IDs
  • SV-234811r986462_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012
Checks: C-37999r618702_chk

Check that the SUSE operating system has the "vlock" package installed by running the following command: > zypper search --installed-only --match-exact --provides vlock If the command outputs "no matching items found", this is a finding.

Fix: F-37962r618703_fix

Allow users to lock the console by installing the "kbd" package using zypper: > sudo zypper install kbd

b
The SUSE operating system must initiate a session lock after a 15-minute period of inactivity for the graphical user interface (GUI).
AC-11 - Medium - CCI-000057 - V-234812 - SV-234812r958402_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
SLES-15-010120
Vuln IDs
  • V-234812
Rule IDs
  • SV-234812r958402_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the users to manually lock their SUSE operating system session prior to vacating the vicinity, the SUSE operating system needs to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled.
Checks: C-38000r618705_chk

Verify the SUSE operating system initiates a session lock after a 15-minute period of inactivity via the GUI by running the following command: Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. > sudo gsettings get org.gnome.desktop.session idle-delay uint32 900 If the command does not return a value less than or equal to "900", this is a finding.

Fix: F-37963r618706_fix

Configure the SUSE operating system to initiate a session lock after a 15-minute period of inactivity of the GUI by running the following command: Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. This command must be run from an X11 session, otherwise the command will not work correctly. > sudo gsettings set org.gnome.desktop.session idle-delay 900

b
The SUSE operating system must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-234813 - SV-234813r958402_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
SLES-15-010130
Vuln IDs
  • V-234813
Rule IDs
  • SV-234813r958402_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the users to manually lock their SUSE operating system session prior to vacating the vicinity, the SUSE operating system needs to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled.
Checks: C-38001r618708_chk

Verify the SUSE operating system must initiate a session logout after a 15-minute period of inactivity for all connection types. Check the proper script exists to kill an idle session after a 15-minute period of inactivity with the following command: > cat /etc/profile.d/autologout.sh TMOUT=900 readonly TMOUT export TMOUT If the file "/etc/profile.d/autologout.sh" does not exist or the output from the function call is not the same, this is a finding.

Fix: F-37964r618709_fix

Configure the SUSE operating system to initiate a session lock after a 15-minute period of inactivity by modifying or creating (if it does not already exist) the "/etc/profile.d/autologout.sh" file and add the following lines to it: TMOUT=900 readonly TMOUT export TMOUT Set the proper permissions for the "/etc/profile.d/autologout.sh" file with the following command: > sudo chmod +x /etc/profile.d/autologout.sh

a
The SUSE operating system must conceal, via the session lock, information previously visible on the display with a publicly viewable image in the graphical user interface (GUI).
AC-11 - Low - CCI-000060 - V-234814 - SV-234814r958404_rule
RMF Control
AC-11
Severity
Low
CCI
CCI-000060
Version
SLES-15-010140
Vuln IDs
  • V-234814
Rule IDs
  • SV-234814r958404_rule
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. The SUSE operating system session lock event must include an obfuscation of the display screen to prevent other users from reading what was previously displayed. Publicly viewable images can include static or dynamic images, such as patterns used with screen savers, photographic images, solid colors, a clock, a battery life indicator, or a blank screen, with the additional caveat that none of the images conveys sensitive information.
Checks: C-38002r618711_chk

Verify the SUSE operating system conceals via the session lock information previously visible on the display with a publicly viewable image in the GUI. Note: If the system does not have X Windows installed, this requirement is Not Applicable. Check that the lock screen is set to a publicly viewable image by running the following command: > sudo gsettings get org.gnome.desktop.screensaver picture-uri 'file:///usr/share/wallpapers/SLE-default-static.xml' If nothing is returned or "org.gnome.desktop.screensaver" is not set, this is a finding.

Fix: F-37965r618712_fix

Note: If the system does not have X Windows installed, this requirement is Not Applicable. Configure the SUSE operating system to use a publically viewable image by finding the Settings menu and then navigate to the Background selection section: - Click "Activities" on the top left. - Click "Show Applications" at the bottom of the Activities menu. - Click the "Settings" icon. - Click "Background" from left hand menu. - Select image and set the Lock Screen image to the user's choice. - Exit Settings Dialog.

b
The SUSE operating system must log SSH connection attempts and failures to the server.
AC-17 - Medium - CCI-000067 - V-234815 - SV-234815r958406_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
SLES-15-010150
Vuln IDs
  • V-234815
Rule IDs
  • SV-234815r958406_rule
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Checks: C-38003r951627_chk

Verify SSH is configured to verbosely log connection attempts and failed logon attempts to the SUSE operating system. Check that the SSH daemon configuration verbosely logs connection attempts and failed logon attempts to the server with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*loglevel' The output message must contain the following text: LogLevel VERBOSE If the output message does not contain "VERBOSE", the LogLevel keyword is missing, or the line is commented out, this is a finding.

Fix: F-37966r618715_fix

Configure SSH to verbosely log connection attempts and failed logon attempts to the SUSE operating system. Add or update the following line in the "/etc/ssh/sshd_config" file: LogLevel VERBOSE The SSH service will need to be restarted in order for the changes to take effect.

b
The SUSE operating system must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.
AC-17 - Medium - CCI-000068 - V-234816 - SV-234816r958408_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
SLES-15-010160
Vuln IDs
  • V-234816
Rule IDs
  • SV-234816r958408_rule
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information. The system will attempt to use the first cipher presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest cipher available to secure the SSH connection. Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173
Checks: C-38004r951629_chk

Verify the SUSE operating system implements DOD-approved encryption to protect the confidentiality of SSH remote connections. Check the SSH daemon configuration for allowed ciphers with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ciphers' Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, or the "Ciphers" keyword is missing, this is a finding.

Fix: F-37967r618718_fix

Edit the SSH daemon configuration (/etc/ssh/sshd_config) and remove any ciphers not starting with "aes" and remove any ciphers ending with "cbc". If necessary, add a "Ciphers" line: Ciphers aes256-ctr,aes192-ctr,aes128-ctr Restart the SSH daemon: > sudo systemctl restart sshd.service

b
The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
IA-5 - Medium - CCI-000185 - V-234817 - SV-234817r986463_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000185
Version
SLES-15-010170
Vuln IDs
  • V-234817
Rule IDs
  • SV-234817r986463_rule
Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. Satisfies: SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167
Checks: C-38005r618720_chk

Verify the SUSE operating system for PKI-based authentication had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Check that the certification path to an accepted trust anchor for multifactor authentication is implemented with the following command: > grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca,oscp_on,signature,crl_auto; If "cert_policy" is not set to include "ca", this is a finding.

Fix: F-37968r618721_fix

Configure the SUSE operating system for PKI-based authentication to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ca": cert_policy = ca,signature,oscp_on; Note: Additional certificate validation polices are permitted. Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

c
The SUSE operating system must not have the telnet-server package installed.
IA-5 - High - CCI-000197 - V-234818 - SV-234818r987796_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
SLES-15-010180
Vuln IDs
  • V-234818
Rule IDs
  • SV-234818r987796_rule
It is detrimental for SUSE operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked, and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions and functions). Examples of nonessential capabilities include but are not limited to games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission but which cannot be disabled. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049
Checks: C-38006r618723_chk

Verify the telnet-server package is not installed on the SUSE operating system. Check that the telnet-server package is not installed on the SUSE operating system by running the following command: > zypper info telnet-server | grep Installed If the telnet-server package is installed, this is a finding.

Fix: F-37969r618724_fix

Remove the telnet-server package from the SUSE operating system by running the following command: > sudo zypper remove telnet-server

c
SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes.
AC-3 - High - CCI-000213 - V-234819 - SV-234819r958472_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
SLES-15-010190
Vuln IDs
  • V-234819
Rule IDs
  • SV-234819r958472_rule
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
Checks: C-38007r618726_chk

Verify that the SUSE operating system has set an encrypted root password. Note: If the system does not use a BIOS this requirement is Not Applicable. Check that the encrypted password is set for root with the following command: > sudo cat /boot/grub2/grub.cfg | grep -i password password_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString If the root password entry does not begin with "password_pbkdf2", this is a finding.

Fix: F-37970r618727_fix

Note: If the system does not use a BIOS this requirement is Not Applicable. Configure the SUSE operating system to encrypt the boot password. Generate an encrypted (GRUB2) password for root with the following command: > grub2-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG Using the hash from the output, modify the "/etc/grub.d/40_custom" file and add the following two lines to add a boot password for the root entry: set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.VeryLongString Generate an updated "grub.conf" file with the new password using the following commands: > sudo grub2-mkconfig --output=/tmp/grub2.cfg > sudo mv /tmp/grub2.cfg /boot/grub2/grub.cfg

c
SUSE operating systems with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
AC-3 - High - CCI-000213 - V-234820 - SV-234820r958472_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
SLES-15-010200
Vuln IDs
  • V-234820
Rule IDs
  • SV-234820r958472_rule
If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information.
Checks: C-38008r618729_chk

Verify that the SUSE operating system has set an encrypted root password. Note: If the system does not use UEFI, this requirement is Not Applicable. Check that the encrypted password is set for root with the following command: > sudo cat /boot/efi/EFI/sles/grub.cfg | grep -i password password_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString If the root password entry does not begin with "password_pbkdf2", this is a finding.

Fix: F-37971r618730_fix

Note: If the system does not use UEFI, this requirement is Not Applicable. Configure the SUSE operating system to encrypt the boot password. Generate an encrypted (GRUB2) password for root with the following command: > grub2-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG Using the hash from the output, modify the "/etc/grub.d/40_custom" file and add the following two lines to add a boot password for the root entry: set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.VeryLongString Generate an updated "grub.conf" file with the new password using the following commands: > sudo grub2-mkconfig --output=/tmp/grub2.cfg > sudo mv /tmp/grub2.cfg /boot/efi/EFI/sles/grub.cfg

b
The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-234821 - SV-234821r958480_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
SLES-15-010220
Vuln IDs
  • V-234821
Rule IDs
  • SV-234821r958480_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. SUSE operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. To support the requirements and principles of least functionality, the SUSE operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or address authorized quality-of-life issues. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00232
Checks: C-38009r618732_chk

Verify the SUSE operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. Check that the "firewalld.service" is enabled and running by running the following command: > systemctl status firewalld.service firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2019-11-06 10:58:11 CET; 24h ago Docs: man:firewalld(1) Main PID: 1105 (firewalld) Tasks: 2 (limit: 4915) CGroup: /system.slice/firewalld.service ??1105 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid If the service is not enabled, this is a finding. If the service is not active, this is a finding. Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: > sudo firewall-cmd --list-all Ask the System Administrator for the site or program PPSM Component Local Services Assessment (Component Local Services Assessment (CLSA). Verify the services allowed by the firewall match the PPSM CLSA. If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.

Fix: F-37972r618733_fix

Configure the SUSE operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. Add/modify /etc/firewalld configuration files to comply with the PPSM CAL. Enable the "firewalld.service" by running the following command: > sudo systemctl enable firewalld.service Start the "firewalld.service" by running the following command: > sudo systemctl start firewalld.service

b
The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.
IA-2 - Medium - CCI-000764 - V-234822 - SV-234822r958482_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
SLES-15-010230
Vuln IDs
  • V-234822
Rule IDs
  • SV-234822r958482_rule
To ensure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Interactive users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Interactive users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062
Checks: C-38010r618735_chk

Verify the SUSE operating system contains no duplicate UIDs for interactive users. Check that the SUSE operating system contains no duplicate UIDs for interactive users by running the following command: > awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, this is a finding.

Fix: F-37973r618736_fix

Configure the SUSE operating system to contain no duplicate UIDs for interactive users. Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.

b
The SUSE operating system must disable the file system automounter unless required.
IA-3 - Medium - CCI-000778 - V-234823 - SV-234823r958498_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-000778
Version
SLES-15-010240
Vuln IDs
  • V-234823
Rule IDs
  • SV-234823r958498_rule
Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163
Checks: C-38011r618738_chk

Verify the SUSE operating system disables the ability to automount devices. Check to see if automounter service is active with the following command: > systemctl status autofs autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.

Fix: F-37974r618739_fix

Configure the SUSE operating system to disable the ability to automount devices. Turn off the automount service with the following command: > systemctl stop autofs > systemctl disable autofs If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.

b
The SUSE operating system must employ FIPS 140-2 approved cryptographic hashing algorithm for system authentication (login.defs).
IA-7 - Medium - CCI-000803 - V-234825 - SV-234825r971535_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
SLES-15-010260
Vuln IDs
  • V-234825
Rule IDs
  • SV-234825r971535_rule
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised. SUSE operating systems using encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules use authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general-purpose computing system.
Checks: C-38013r618744_chk

Verify the SUSE operating system requires that the "ENCRYPT_METHOD" value in "/etc/login.defs" is set to "SHA512". Check the value of "ENCRYPT_METHOD" value in "/etc/login.defs" with the following command: > grep "^ENCRYPT_METHOD " /etc/login.defs ENCRYPT_METHOD SHA512 If "ENCRYPT_METHOD" is not set to "SHA512", if any values other that "SHA512" are configured, or if no output is produced, this is a finding.

Fix: F-37976r618745_fix

Configure the SUSE operating system to require "ENCRYPT_METHOD" of "SHA512". Edit the "/etc/login.defs" file with the following line: ENCRYPT_METHOD SHA512

b
The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
MA-4 - Medium - CCI-000877 - V-234826 - SV-234826r958510_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-000877
Version
SLES-15-010270
Vuln IDs
  • V-234826
Rule IDs
  • SV-234826r958510_rule
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash. The system will attempt to use the first hash presented by the client that matches the server list. Listing the values "strongest to weakest" is a method to ensure the use of the strongest hash available to secure the SSH connection. Satisfies: SRG-OS-000125-GPOS-00065, SRG-OS-000394-GPOS-00174
Checks: C-38014r951631_chk

Verify the SUSE operating system SSH daemon is configured to only use MACs that employ FIPS 140-2 approved hashes. Check that the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved hashes with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*macs' MACs hmac-sha2-512,hmac-sha2-256 If any ciphers other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.

Fix: F-37977r618748_fix

Configure the SUSE operating system SSH daemon to only use MACs that employ FIPS 140-2 approved hashes. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (The file might be named differently or be in a different location): MACs hmac-sha2-512,hmac-sha2-256

b
The SUSE operating system SSH daemon must be configured with a timeout interval.
SC-10 - Medium - CCI-001133 - V-234827 - SV-234827r986464_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
SLES-15-010280
Vuln IDs
  • V-234827
Rule IDs
  • SV-234827r986464_rule
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, deallocating associated TCP/IP address/port pairs at the SUSE operating system-level, and deallocating networking assignments at the application level if multiple application sessions are using a single SUSE operating system-level network connection. This does not mean that the SUSE operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session. Satisfies: SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109
Checks: C-38015r951633_chk

Verify the SUSE operating system SSH daemon is configured to timeout idle sessions. Check that the "ClientAliveInterval" parameter is set to a value of "600" with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientaliveinterval' ClientAliveInterval 600 If "ClientAliveInterval" is not set to "600" in "/etc/ssh/sshd_config", this is a finding.

Fix: F-37978r618751_fix

Configure the SUSE operating system SSH daemon to timeout idle sessions. Add or modify (to match exactly) the following line in the "/etc/ssh/sshd_config" file: ClientAliveInterval 600 The SSH daemon must be restarted for any changes to take effect.

b
The sticky bit must be set on all SUSE operating system world-writable directories.
SC-4 - Medium - CCI-001090 - V-234828 - SV-234828r958524_rule
RMF Control
SC-4
Severity
Medium
CCI
CCI-001090
Version
SLES-15-010300
Vuln IDs
  • V-234828
Rule IDs
  • SV-234828r958524_rule
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, and hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.
Checks: C-38016r618753_chk

Verify the SUSE operating system prevents unauthorized and unintended information transfer via the shared system resources. Check that world-writable directories have the sticky bit set with the following command: > sudo find / \( -path /.snapshots -o -path /sys -o -path /proc \) -prune -o -perm -002 -type d -exec ls -lLd {} \; 256 0 drwxrwxrwt 1 root root 4096 Jun 14 06:45 /tmp If any of the returned directories do not have the sticky bit set, or are not documented as having the write permission for the other class, this is a finding.

Fix: F-37979r618754_fix

Configure the SUSE operating system shared system resources to prevent any unauthorized and unintended information transfer by setting the sticky bit for all world-writable directories. An example of a world-writable directory is "/tmp" directory. Set the sticky bit on all of the world-writable directories (using the "/tmp" directory as an example) with the following command: > sudo chmod 1777 /tmp For every world-writable directory, replace "/tmp" in the command above with the world-writable directory that does not have the sticky bit set.

b
The SUSE operating system must be configured to use TCP syncookies.
SC-5 - Medium - CCI-001095 - V-234829 - SV-234829r958528_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
SLES-15-010310
Vuln IDs
  • V-234829
Rule IDs
  • SV-234829r958528_rule
Denial of Service (DoS) is a condition in which a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Checks: C-38017r618756_chk

Verify the SUSE operating system is configured to use IPv4 TCP syncookies. Check to see if syncookies are used with the following command: > sudo sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 If the network parameter "ipv4.tcp_syncookies" is not equal to "1" or nothing is returned, this is a finding.

Fix: F-37980r618757_fix

Configure the SUSE operating system to use IPv4 TCP syncookies by running the following command as an administrator: > sudo sysctl -w net.ipv4.tcp_syncookies=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system for all network connections associated with SSH traffic must immediately terminate at the end of the session or after 10 minutes of inactivity.
SC-10 - Medium - CCI-001133 - V-234830 - SV-234830r986465_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
SLES-15-010320
Vuln IDs
  • V-234830
Rule IDs
  • SV-234830r986465_rule
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific SUSE operating system functionality where the system owner, data owner, or organization requires additional assurance.
Checks: C-38018r951635_chk

Verify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity. Check that the "ClientAliveCountMax" variable is set to a value of "0" or less by performing the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientalivecountmax' ClientAliveCountMax 0 If "ClientAliveCountMax" does not exist or "ClientAliveCountMax" is not set to a value of "0" or less in "/etc/ssh/sshd_config", or the line is commented out, this is a finding.

Fix: F-37981r618760_fix

Configure the SUSE operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a 10-minute period of inactivity. Modify or append the following lines in the "/etc/ssh/sshd_config" file: ClientAliveCountMax 0 In order for the changes to take effect, the SSH daemon must be restarted. > sudo systemctl restart sshd.service

b
All SUSE operating system persistent disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
SC-28 - Medium - CCI-001199 - V-234831 - SV-234831r958552_rule
RMF Control
SC-28
Severity
Medium
CCI
CCI-001199
Version
SLES-15-010330
Vuln IDs
  • V-234831
Rule IDs
  • SV-234831r958552_rule
SUSE operating systems handling data requiring data-at-rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Satisfies: SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, SRG-OS-000405-GPOS-00184
Checks: C-38019r618762_chk

Verify the SUSE operating system prevents unauthorized disclosure or modification of all information requiring at rest protection by using disk encryption. Determine the partition layout for the system with the following command: > sudo fdisk -l Device Boot Start End Sectors Size Id Type /dev/sda1 2048 4208639 4206592 2G 82 Linux swap /dev/sda2 * 4208640 53479423 49270784 23.5G 83 Linux /dev/sda3 53479424 125829119 72349696 34.5G 83 Linux Verify the system partitions are all encrypted with the following command: > sudo more /etc/crypttab cr_root UUID=26d4a101-7f48-4394-b730-56dc00e65f64 cr_home UUID=f5b8a790-14cb-4b82-882d-707d52f27765 cr_swap UUID=f2d86128-f975-478d-a5b0-25806c900eac Every persistent disk partition present on the system must have an entry in the file. If any partitions other than pseudo file systems (such as /proc or /sys) are not listed or "/etc/crypttab" does not exist, this is a finding.

Fix: F-37982r618763_fix

Configure the SUSE operating system to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already-installed system is more difficult because of the need to resize and change existing partitions. To encrypt an entire partition, dedicate a partition for encryption in the partition layout. The standard partitioning proposal as suggested by YaST (installation and configuration tool for Linux) does not include an encrypted partition by default. Add it manually in the partitioning dialog. Refer to the document "SUSE Linux Enterprise Server 15 SP1 - Security Guide", Section 12.1.2, for a detailed disk encryption guide: https://documentation.suse.com/sles/15-SP1/html/SLES-all/cha-security-cryptofs.html#sec-security-cryptofs-y2-part-run

b
The SUSE operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
SI-11 - Medium - CCI-001312 - V-234832 - SV-234832r958564_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001312
Version
SLES-15-010340
Vuln IDs
  • V-234832
Rule IDs
  • SV-234832r958564_rule
Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers. The /var/log/btmp, /var/log/wtmp, and /var/log/lastlog files have group write and global read permissions to allow for the lastlog function to perform. Limiting the permissions beyond this configuration will result in the failure of functions that rely on the lastlog database.
Checks: C-38020r880882_chk

Verify the SUSE operating system has all system log files under the /var/log directory with a permission set to "640", by using the following command: Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Discussion for details. > sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec stat -c "%n %a" {} \; If command displays any output, this is a finding.

Fix: F-37983r880883_fix

Configure the SUSE operating system to set permissions of all log files under /var/log directory to "640" or more restricted, by using the following command: Note: The btmp, wtmp, and lastlog files are excluded. Refer to the Discussion for details. > sudo find /var/log -perm /137 ! -name '*[bw]tmp' ! -name '*lastlog' -type f -exec chmod 640 '{}' \;

b
The SUSE operating system must prevent unauthorized users from accessing system error messages.
SI-11 - Medium - CCI-001314 - V-234833 - SV-234833r958566_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
SLES-15-010350
Vuln IDs
  • V-234833
Rule IDs
  • SV-234833r958566_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SUSE operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-38021r618768_chk

Verify the SUSE operating system prevents unauthorized users from accessing system error messages. Check the "/var/log/messages" file permissions with the following command: > sudo stat -c "%n %U:%G %a" /var/log/messages /var/log/messages root:root 640 Check that "permissions.local" file contains the correct permissions rules with the following command: > grep -i messages /etc/permissions.local /var/log/messages root:root 640 If the effective permissions do not match the "permissions.local" file, the command does not return any output, or is commented out, this is a finding.

Fix: F-37984r618769_fix

Configure the SUSE operating system to prevent unauthorized users from accessing system error messages. Add or update the following rules in "/etc/permissions.local": /var/log/messages root:root 640 Set the correct permissions with the following command: > sudo chkstat --set --system

b
The SUSE operating system library files must have mode 0755 or less permissive.
CM-5 - Medium - CCI-001499 - V-234834 - SV-234834r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010351
Vuln IDs
  • V-234834
Rule IDs
  • SV-234834r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38022r618771_chk

Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" have mode "0755" or less permissive. Check that the system-wide shared library files have mode "0755" or less permissive with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec stat -c "%n %a" '{}' \; If any files are found to be group-writable or world-writable, this is a finding.

Fix: F-37985r618772_fix

Configure the library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec chmod 755 '{}' \;

b
The SUSE operating system library directories must have mode 0755 or less permissive.
CM-5 - Medium - CCI-001499 - V-234835 - SV-234835r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010352
Vuln IDs
  • V-234835
Rule IDs
  • SV-234835r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38023r618774_chk

Verify the system-wide shared library directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" have mode "0755" or less permissive. Check that the system-wide shared library directories have mode "0755" or less permissive with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.

Fix: F-37986r618775_fix

Configure the shared library directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec chmod 755 '{}' \;

b
The SUSE operating system library files must be owned by root.
CM-5 - Medium - CCI-001499 - V-234836 - SV-234836r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010353
Vuln IDs
  • V-234836
Rule IDs
  • SV-234836r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38024r618777_chk

Verify the system-wide shared library files contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are owned by root. Check that the system-wide shared library files are owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec stat -c "%n %U" '{}' \; If any system wide library file is returned, this is a finding.

Fix: F-37987r618778_fix

Configure the system library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type f -exec chown root '{}' \;

b
The SUSE operating system library directories must be owned by root.
CM-5 - Medium - CCI-001499 - V-234837 - SV-234837r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010354
Vuln IDs
  • V-234837
Rule IDs
  • SV-234837r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38025r618780_chk

Verify the system-wide shared library directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are owned by root. Check that the system-wide shared library directories are owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; If any system wide library directory is returned, this is a finding.

Fix: F-37988r618781_fix

Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec chown root '{}' \;

b
The SUSE operating system library files must be group-owned by root.
CM-5 - Medium - CCI-001499 - V-234838 - SV-234838r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010355
Vuln IDs
  • V-234838
Rule IDs
  • SV-234838r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38026r618783_chk

Verify the system-wide library files contained in the directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root. Check that the system-wide library files are group-owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec stat -c "%n %G" '{}' \; If any system wide shared library file is returned, this is a finding.

Fix: F-37989r618784_fix

Configure the system library files to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type f -exec chgrp root '{}' \;

b
The SUSE operating system library directories must be group-owned by root.
CM-5 - Medium - CCI-001499 - V-234839 - SV-234839r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010356
Vuln IDs
  • V-234839
Rule IDs
  • SV-234839r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38027r618786_chk

Verify the system-wide library directories "/lib", "/lib64", "/usr/lib" and "/usr/lib64" are group-owned by root. Check that the system-wide library directories are group-owned by root with the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system wide shared library directory is returned, this is a finding.

Fix: F-37990r618787_fix

Configure the system library directories to be protected from unauthorized access. Run the following command: > sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec chgrp root '{}' \;

b
The SUSE operating system must have system commands set to a mode of 0755 or less permissive.
CM-5 - Medium - CCI-001499 - V-234840 - SV-234840r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010357
Vuln IDs
  • V-234840
Rule IDs
  • SV-234840r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38028r618789_chk

Verify the system commands contained in the following directories have mode "0755" or less permissive: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Check that the system command files have mode "0755" or less permissive with the following command: > find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec stat -c "%n %a" '{}' \; If any files are found to be group-writable or world-writable, this is a finding.

Fix: F-37991r618790_fix

Configure the system commands to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;

b
The SUSE operating system must have directories that contain system commands set to a mode of 0755 or less permissive.
CM-5 - Medium - CCI-001499 - V-234841 - SV-234841r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010358
Vuln IDs
  • V-234841
Rule IDs
  • SV-234841r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38029r618792_chk

Verify the system commands directories have mode "0755" or less permissive: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Check that the system command directories have mode "0755" or less permissive with the following command: > find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any directories are found to be group-writable or world-writable, this is a finding.

Fix: F-37992r618793_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;

b
The SUSE operating system must have system commands owned by root.
CM-5 - Medium - CCI-001499 - V-234842 - SV-234842r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010359
Vuln IDs
  • V-234842
Rule IDs
  • SV-234842r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38030r618795_chk

Verify the system commands contained in the following directories are owned by root: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Use the following command for the check: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \; If any system commands are returned, this is a finding.

Fix: F-37993r618796_fix

Configure the system commands - and their respective parent directories - to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec chown root '{}' \;

b
The SUSE operating system must have directories that contain system commands owned by root.
CM-5 - Medium - CCI-001499 - V-234843 - SV-234843r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010360
Vuln IDs
  • V-234843
Rule IDs
  • SV-234843r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38031r618798_chk

Verify the system commands directories are owned by root: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Use the following command for the check: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \; If any system commands directories are returned, this is a finding.

Fix: F-37994r618799_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;

b
The SUSE operating system must have system commands group-owned by root or a system account.
CM-5 - Medium - CCI-001499 - V-234844 - SV-234844r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010361
Vuln IDs
  • V-234844
Rule IDs
  • SV-234844r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38032r833001_chk

Verify the system commands contained in the following directories are group-owned by root or a system account: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Run the check with the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f -exec stat -c "%n %G" '{}' \; If any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required system account, this is a finding.

Fix: F-37995r833002_fix

Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. > sudo chgrp root [FILE]

b
The SUSE operating system must have directories that contain system commands group-owned by root.
CM-5 - Medium - CCI-001499 - V-234845 - SV-234845r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
SLES-15-010362
Vuln IDs
  • V-234845
Rule IDs
  • SV-234845r991560_rule
If the SUSE operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to SUSE operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.
Checks: C-38033r618804_chk

Verify the system commands directories are group-owned by root: /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin Run the check with the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system commands directories are returned that are not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a finding.

Fix: F-37996r618805_fix

Configure the system commands directories to be protected from unauthorized access. Run the following command: > sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;

b
The SUSE operating system must have a firewall system installed to immediately disconnect or disable remote access to the whole operating system.
AC-17 - Medium - CCI-002322 - V-234846 - SV-234846r958674_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002322
Version
SLES-15-010370
Vuln IDs
  • V-234846
Rule IDs
  • SV-234846r958674_rule
Operating system remote access functionality must have the capability to immediately disconnect current users remotely accessing the information system and/or disable further remote access. The speed of disconnect or disablement varies based on the criticality of mission functions and the need to eliminate immediate or future remote access to organizational information systems. SUSE operating systems are capable to immediately stop remote connections and services by a local system administrator. To immediately disconnect or disable remote access, the firewall needs to be set into panic mode. > sudo firewall-cmd --panic-on To enable remote connection again, panic mode needs to be disabled. > sudo firewall-cmd --panic-off
Checks: C-38034r618807_chk

Verify "firewalld" is configured to protect the SUSE operating system. Run the following command: > systemctl status firewalld.service firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled) Active: active (running) since Wed 2019-11-06 10:58:11 CET; 24h ago Docs: man:firewalld(1) Main PID: 1105 (firewalld) Tasks: 2 (limit: 4915) CGroup: /system.slice/firewalld.service ??1105 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid If the service is not enabled, this is a finding. If the service is not active, this is a finding.

Fix: F-37997r618808_fix

Configure the SUSE operating system to enable the firewall service. This is needed to be able to immediately disconnect or disable remote access to the whole system. Enable the "firewalld.service" by running the following command: > sudo systemctl enable firewalld.service Start the "firewalld.service" by running the following command: > sudo systemctl start firewalld.service To immediately disconnect or disable remote access the firewall needs to be set into panic mode. > sudo firewall-cmd --panic-on To enable remote connection again, panic mode needs to be disabled. > sudo firewall-cmd --panic-off

b
The SUSE operating system wireless network adapters must be disabled unless approved and documented.
AC-18 - Medium - CCI-001443 - V-234847 - SV-234847r991568_rule
RMF Control
AC-18
Severity
Medium
CCI
CCI-001443
Version
SLES-15-010380
Vuln IDs
  • V-234847
Rule IDs
  • SV-234847r991568_rule
Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the SUSE operating system. This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with a SUSE operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the AO. Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the SUSE operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required. Satisfies: SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000481-GPOS-000481
Checks: C-38035r618810_chk

Verify that the SUSE operating system has no wireless network adapters enabled. Check that there are no wireless interfaces configured on the system with the following command: > sudo wicked show all lo up link: #1, state up type: loopback config: compat:suse:/etc/sysconfig/network/ifcfg-lo leases: ipv4 static granted leases: ipv6 static granted addr: ipv4 127.0.0.1/8 [static] addr: ipv6 ::1/128 [static] eth0 up link: #2, state up, mtu 1500 type: ethernet, hwaddr 06:00:00:00:00:01 config: compat:suse:/etc/sysconfig/network/ifcfg-eth0 leases: ipv4 dhcp granted leases: ipv6 dhcp granted, ipv6 auto granted addr: ipv4 10.0.0.100/16 [dhcp] route: ipv4 default via 10.0.0.1 proto dhcp wlan0 up link: #3, state up, mtu 1500 type: wireless, hwaddr 06:00:00:00:00:02 config: wicked:xml:/etc/wicked/ifconfig/wlan0.xml leases: ipv4 dhcp granted addr: ipv4 10.0.0.101/16 [dhcp] route: ipv4 default via 10.0.0.1 proto dhcp If a wireless interface is configured, it must be documented and approved by the local AO. If a wireless interface is configured and has not been documented and approved, this is a finding.

Fix: F-37998r618811_fix

Configure the SUSE operating system to disable all wireless network interfaces with the following command: For each interface of type wireless, bring the interface into "down" state: > sudo wicked ifdown wlan0 For each interface of type wireless with a configuration type of "compat:suse:", remove the associated file: > sudo rm /etc/sysconfig/network/ifcfg-wlan0 For each interface of type wireless, for each configuration of type "wicked:xml:", remove the associated file or remove the interface configuration from the file. > sudo rm /etc/wicked/ifconfig/wlan0.xml

b
SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.
CM-7 - Medium - CCI-001764 - V-234848 - SV-234848r958702_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
SLES-15-010390
Vuln IDs
  • V-234848
Rule IDs
  • SV-234848r958702_rule
Using a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of potential vulnerabilities. The organization must identify authorized software programs and permit execution of authorized software by adding each authorized program to the "pam_apparmor" exception policy. The process used to identify software programs that are authorized to execute on organizational information systems is commonly referred to as whitelisting. Verification of whitelisted software occurs prior to execution or at system startup. Users' home directories/folders may contain information of a sensitive nature. Nonprivileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources. AppArmor can confine users to their home directory, not allowing them to make any changes outside of their own home directories. Confining users to their home directory will minimize the risk of sharing information. Satisfies: SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125, SRG-OS-000326-GPOS-00126, SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00230
Checks: C-38036r618813_chk

Verify that the SUSE operating system AppArmor tool is configured to control whitelisted applications and user home directory access control. Check that "pam_apparmor" is installed on the system with the following command: > zypper info pam_apparmor | grep "Installed" If the package "pam_apparmor" is not installed on the system, this is a finding. Check that the "apparmor" daemon is running with the following command: > systemctl status apparmor.service | grep -i active Active: active (exited) since Fri 2017-01-13 01:01:01 GMT; 1day 1h ago If something other than "Active: active" is returned, this is a finding. Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.

Fix: F-37999r618814_fix

Configure the SUSE operating system to blacklist all applications by default and permit by whitelist. Install "pam_apparmor" (if it is not installed) with the following command: > sudo zypper in pam_apparmor Enable/activate "Apparmor" (if it is not already active) with the following command: > sudo systemctl enable apparmor.service Start "Apparmor" with the following command: > sudo systemctl start apparmor.service Note: "pam_apparmor" must have properly configured profiles. All configurations will be based on the actual system setup and organization. See the "pam_apparmor" documentation for more information on configuring profiles.

b
The SUSE operating system clock must, for networked systems, be synchronized to an authoritative DOD time source at least every 24 hours.
- Medium - CCI-004923 - V-234849 - SV-234849r986468_rule
RMF Control
Severity
Medium
CCI
CCI-004923
Version
SLES-15-010400
Vuln IDs
  • V-234849
Rule IDs
  • SV-234849r986468_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144
Checks: C-38037r986466_chk

The SUSE operating system clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second. Check that the SUSE operating system clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second with the following command: > sudo grep maxpoll /etc/chrony.conf server 0.us.pool.ntp.mil maxpoll 16 If nothing is returned, "maxpoll" is greater than "16", or is commented out, this is a finding. Verify the "chrony.conf" file is configured to an authoritative DOD time source by running the following command: > sudo grep -i server /etc/chrony.conf server 0.us.pool.ntp.mil If the parameter "server" is not set, is not set to an authoritative DOD time source, or is commented out, this is a finding.

Fix: F-38000r986467_fix

The SUSE operating system clock must be configured to synchronize to an authoritative DOD time source when the time difference is greater than one second. To configure the system clock to synchronize to an authoritative DOD time source at least every 24 hours, edit the file "/etc/chrony.conf". Add or correct the following lines by replacing "[time_source]" with an authoritative DOD time source: server [time_source] maxpoll 16

a
The SUSE operating system must be configured to use Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
AU-8 - Low - CCI-001890 - V-234850 - SV-234850r958788_rule
RMF Control
AU-8
Severity
Low
CCI
CCI-001890
Version
SLES-15-010410
Vuln IDs
  • V-234850
Rule IDs
  • SV-234850r958788_rule
If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. Time stamps generated by the SUSE operating system include date and time. Time is commonly expressed in UTC, a modern continuation of GMT, or local time with an offset from UTC.
Checks: C-38038r618819_chk

Verify the SUSE operating system is configured to use UTC or GMT. Check that the SUSE operating system is configured to use UTC or GMT with the following command: > timedatectl status | grep -i "time zone" Time zone: UTC (UTC, +0000) If "Time zone" is not set to "UTC" or "GMT", this is a finding.

Fix: F-38001r618820_fix

Configure the SUSE operating system is configured to use UTC or GMT. To configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with "UTC" or "GMT". > sudo timedatectl set-timezone [ZONE]

b
Advanced Intrusion Detection Environment (AIDE) must verify the baseline SUSE operating system configuration at least weekly.
CM-3 - Medium - CCI-001744 - V-234851 - SV-234851r958794_rule
RMF Control
CM-3
Severity
Medium
CCI
CCI-001744
Version
SLES-15-010420
Vuln IDs
  • V-234851
Rule IDs
  • SV-234851r958794_rule
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the SUSE operating system. Changes to SUSE operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the SUSE operating system. The SUSE operating system's Information System Security Manager (ISSM)/Information System Security Officer (ISSO) and System Administrator (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. Satisfies: SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, SRG-OS-000446-GPOS-00200
Checks: C-38039r880946_chk

Verify the SUSE operating system checks the baseline configuration for unauthorized changes at least once weekly. Note: A file integrity tool other than AIDE may be used, but the tool must be executed at least once per week. Check for the presence of a cron job running daily or weekly on the system that executes AIDE to scan for changes to the system baseline. The command used in the following example looks at the daily cron job: Check the "/etc/cron" subdirectories for a "crontab" file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command: > sudo grep -R aide /etc/crontab /etc/cron.* /etc/crontab: 30 04 * * * /etc/aide If the file integrity application does not exist, or a "crontab" file does not exist in "/etc/crontab", the "/etc/cron.daily" subdirectory, or "/etc/cron.weekly" subdirectory, this is a finding.

Fix: F-38002r902850_fix

Configure the SUSE operating system to check the baseline configuration for unauthorized changes at least once weekly. If the "aide" package is not installed, install it with the following command: > sudo zypper in aide Configure the file integrity tool to automatically run on the system at least weekly. The following example output is generic. It will set cron to run AIDE weekly, but other file integrity tools may be used: > cat /etc/cron.weekly/aide 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil Note: Per requirement SLES-15-010418, the "mailx" package must be installed on the system to enable email functionality.

c
The SUSE operating system tool zypper must have gpgcheck enabled.
- High - CCI-003992 - V-234852 - SV-234852r986469_rule
RMF Control
Severity
High
CCI
CCI-003992
Version
SLES-15-010430
Vuln IDs
  • V-234852
Rule IDs
  • SV-234852r986469_rule
Changes to any software components can have significant effects on the overall security of the SUSE operating system. This requirement ensures the software has not been tampered with and has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or SUSE operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The SUSE operating system should not have to verify the software again. This requirement does not mandate DOD certificates for this purpose; however, the certificate used to verify the software must be from an approved Certification Authority (CA).
Checks: C-38040r618825_chk

Verify that the SUSE operating system tool zypper has gpgcheck enabled. Check that zypper has gpgcheck enabled with the following command: > grep -i '^gpgcheck' /etc/zypp/zypp.conf gpgcheck = 1 If "gpgcheck" is set to "0", "off", "no", or "false", this is a finding.

Fix: F-38003r618826_fix

Configure that the SUSE operating system tool zypper to enable gpgcheck by editing or adding the following line to "/etc/zypp/zypp.conf": gpgcheck = 1

c
The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.
- High - CCI-004895 - V-234853 - SV-234853r987879_rule
RMF Control
Severity
High
CCI
CCI-004895
Version
SLES-15-010450
Vuln IDs
  • V-234853
Rule IDs
  • SV-234853r987879_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When the SUSE operating system provides the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
Checks: C-38041r618828_chk

Verify that the SUSE operating system requires reauthentication when changing authenticators, roles, or escalating privileges. Check that "/etc/sudoers" has no occurrences of "NOPASSWD" or "!authenticate" with the following command: > sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.

Fix: F-38004r618829_fix

Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.

b
The SUSE operating system must have the packages required for multifactor authentication to be installed.
- Medium - CCI-004046 - V-234854 - SV-234854r986471_rule
RMF Control
Severity
Medium
CCI
CCI-004046
Version
SLES-15-010460
Vuln IDs
  • V-234854
Rule IDs
  • SV-234854r986471_rule
Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162
Checks: C-38042r618831_chk

Verify the SUSE operating system has the packages required for multifactor authentication installed. Check for the presence of the packages required to support multifactor authentication with the following commands: > zypper info pam_pkcs11 | grep -i installed > zypper info mozilla-nss | grep -i installed > zypper info mozilla-nss-tools | grep -i installed > zypper info pcsc-ccid | grep -i installed > zypper info pcsc-lite | grep -i installed > zypper info pcsc-tools | grep -i installed > zypper info opensc | grep -i installed > zypper info coolkey | grep -i installed If any of the packages required for multifactor authentication are not installed, this is a finding.

Fix: F-38005r618832_fix

Configure the SUSE operating system to implement multifactor authentication by installing the required packages. Install the packages required to support multifactor authentication with the following commands: > zypper install pam_pkcs11 > zypper install mozilla-nss > zypper install mozilla-nss-tools > zypper install pcsc-ccid > zypper install pcsc-lite > zypper install pcsc-tools > zypper install opensc > zypper install coolkey Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

b
The SUSE operating system must implement certificate status checking for multifactor authentication.
- Medium - CCI-004046 - V-234855 - SV-234855r986472_rule
RMF Control
Severity
Medium
CCI
CCI-004046
Version
SLES-15-010470
Vuln IDs
  • V-234855
Rule IDs
  • SV-234855r986472_rule
Using an authentication device, such as a Common Access Card (CAC) or token separate from the information system, ensures credentials stored on the authentication device will not be affected if the information system is compromised. Multifactor solutions that require devices separate from information systems to gain access include hardware tokens providing time-based or challenge-response authenticators, and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components with device-specific functions, or for organizational users (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162
Checks: C-38043r618834_chk

Verify the SUSE operating system implements certificate status checking for multifactor authentication. Check that certificate status checking for multifactor authentication is implemented with the following command: > grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy cert_policy = ca,ocsp_on,signature,crl_auto; If "cert_policy" is not set to include "ocsp", this is a finding.

Fix: F-38006r618835_fix

Configure the SUSE operating system to certificate status checking for PKI authentication. Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on". Note: OCSP allows sending request for certificate status information. Additional certificate validation polices are permitted. Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

b
The SUSE operating system must disable the USB mass storage kernel module.
IA-3 - Medium - CCI-001958 - V-234856 - SV-234856r958820_rule
RMF Control
IA-3
Severity
Medium
CCI
CCI-001958
Version
SLES-15-010480
Vuln IDs
  • V-234856
Rule IDs
  • SV-234856r958820_rule
Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Peripherals include but are not limited to such devices as flash drives, external storage, and printers.
Checks: C-38044r618837_chk

Verify the SUSE operating system does not automount USB mass storage devices when connected to the host. Check that "usb-storage" is blacklisted in the "/etc/modprobe.d/50-blacklist.conf" file with the following command: > grep usb-storage /etc/modprobe.d/50-blacklist.conf blacklist usb-storage If nothing is output from the command, this is a finding.

Fix: F-38007r618838_fix

Configure the SUSE operating system to prevent USB mass storage devices from automounting when connected to the host. Add or update the following line to the "/etc/modprobe.d/50-blacklist.conf" file: blacklist usb-storage

b
If Network Security Services (NSS) is being used by the SUSE operating system it must prohibit the use of cached authentications after one day.
IA-5 - Medium - CCI-002007 - V-234857 - SV-234857r958828_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002007
Version
SLES-15-010490
Vuln IDs
  • V-234857
Rule IDs
  • SV-234857r958828_rule
If cached authentication information is out of date, the validity of the authentication information may be questionable.
Checks: C-38045r618840_chk

If NSS is not used on the operating system, this is Not Applicable. If NSS is used by the SUSE operating system, verify it prohibits the use of cached authentications after one day. Check that cached authentications cannot be used after one day with the following command: > sudo grep -i "memcache_timeout" /etc/sssd/sssd.conf memcache_timeout = 86400 If "memcache_timeout" has a value greater than "86400", or is missing, this is a finding.

Fix: F-38008r618841_fix

Configure NSS, if used by the SUSE operating system, to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[nss]": memcache_timeout = 86400

b
The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to prohibit the use of cached offline authentications after one day.
IA-5 - Medium - CCI-002007 - V-234858 - SV-234858r958828_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-002007
Version
SLES-15-010500
Vuln IDs
  • V-234858
Rule IDs
  • SV-234858r958828_rule
If cached authentication information is out of date, the validity of the authentication information may be questionable.
Checks: C-38046r618843_chk

If SSSD is not being used on the operating system, this is Not Applicable. Verify that the SUSE operating system PAM prohibits the use of cached off line authentications after one day. Check that cached off line authentications cannot be used after one day with the following command: > sudo grep "offline_credentials_expiration" /etc/sssd/sssd.conf offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to a value of "1", this is a finding.

Fix: F-38009r618844_fix

Configure the SUSE operating system PAM to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]": offline_credentials_expiration = 1

c
FIPS 140-2 mode must be enabled on the SUSE operating system.
SC-13 - High - CCI-002450 - V-234859 - SV-234859r987791_rule
RMF Control
SC-13
Severity
High
CCI
CCI-002450
Version
SLES-15-010510
Vuln IDs
  • V-234859
Rule IDs
  • SV-234859r987791_rule
Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The SUSE operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223
Checks: C-38047r618846_chk

Verify the SUSE operating system is running in FIPS mode by running the following command. > cat /proc/sys/crypto/fips_enabled 1 If nothing is returned, the file does not exist, or the value returned is "0", this is a finding.

Fix: F-38010r618847_fix

To configure the SUSE operating system to run in FIPS mode, add "fips=1" to the kernel parameter during the SUSE operating system install. Enabling FIPS mode on a preexisting system involves a number of modifications to the SUSE operating system. Refer to section 9.1, "Crypto Officer Guidance", of the following document for installation guidance: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2435.pdf

c
All networked SUSE operating systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
SC-8 - High - CCI-002418 - V-234860 - SV-234860r958908_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
SLES-15-010530
Vuln IDs
  • V-234860
Rule IDs
  • SV-234860r958908_rule
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa. Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190
Checks: C-38048r618849_chk

Note: If the system is not networked, this requirement is Not Applicable. Verify that the SUSE operating system implements SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. Check that the OpenSSH package is installed on the SUSE operating system with the following command: > zypper info openssh | grep -i installed If the OpenSSH package is not installed, this is a finding. Check that the OpenSSH service active on the SUSE operating system with the following command: > systemctl status sshd.service | grep -i "active:" Active: active (running) since Thu 2017-01-12 15:03:38 UTC; 1 months 4 days ago If OpenSSH service is not active, this is a finding.

Fix: F-38011r618850_fix

Note: If the system is not networked, this requirement is Not Applicable. Configure the SUSE operating system to implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. Install the OpenSSH package on the SUSE operating system with the following command: > sudo zypper in openssh Enable the OpenSSH service to start automatically on reboot with the following command: > sudo systemctl enable sshd.service For the changes to take effect immediately, start the service with the following command: > sudo systemctl restart sshd.service

b
The SUSE operating system must implement kptr-restrict to prevent the leaking of internal kernel addresses.
SI-16 - Medium - CCI-002824 - V-234861 - SV-234861r958928_rule
RMF Control
SI-16
Severity
Medium
CCI
CCI-002824
Version
SLES-15-010540
Vuln IDs
  • V-234861
Rule IDs
  • SV-234861r958928_rule
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Checks: C-38049r618852_chk

Verify the SUSE operating system prevents leaking of internal kernel addresses. Check that the SUSE operating system prevents leaking of internal kernel addresses by running the following command: > sudo sysctl kernel.kptr_restrict kernel.kptr_restrict = 1 If the kernel parameter "kptr_restrict" is not equal to "1" or nothing is returned, this is a finding.

Fix: F-38012r618853_fix

Configure the SUSE operating system to prevent leaking of internal kernel addresses by running the following command: > sudo sysctl -w kernel.kptr_restrict=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.kptr_restrict=1" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
Address space layout randomization (ASLR) must be implemented by the SUSE operating system to protect memory from unauthorized code execution.
SI-16 - Medium - CCI-002824 - V-234862 - SV-234862r958928_rule
RMF Control
SI-16
Severity
Medium
CCI
CCI-002824
Version
SLES-15-010550
Vuln IDs
  • V-234862
Rule IDs
  • SV-234862r958928_rule
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced, with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Checks: C-38050r618855_chk

Verify the SUSE operating system implements ASLR. Check that the SUSE operating system implements ASLR by running the following command: > sudo sysctl kernel.randomize_va_space Kernel.randomize_va_space = 2 If the kernel parameter "randomize_va_space" is not equal to "2" or nothing is returned, this is a finding.

Fix: F-38013r618856_fix

Configure the SUSE operating system to implement ASLR by running the following command as an administrator: > sudo sysctl -w kernel.randomize_va_space=2 If "2" is not the system's default value, add or update the following line in "/etc/sysctl.d/99-stig.conf": > sudo sh -c 'echo "kernel.randomize_va_space=2" >> /etc/sysctl.d/99-stig.conf' > sudo sysctl --system

b
The SUSE operating system must remove all outdated software components after updated versions have been installed.
SI-2 - Medium - CCI-002617 - V-234863 - SV-234863r958936_rule
RMF Control
SI-2
Severity
Medium
CCI
CCI-002617
Version
SLES-15-010560
Vuln IDs
  • V-234863
Rule IDs
  • SV-234863r958936_rule
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.
Checks: C-38051r618858_chk

Verify the SUSE operating system removes all outdated software components after updated version have been installed by running the following command: > grep -i upgraderemovedroppedpackages /etc/zypp/zypp.conf solver.upgradeRemoveDroppedPackages = true If "solver.upgradeRemoveDroppedPackages" is commented out, is set to "false", or is missing completely, this is a finding.

Fix: F-38014r618859_fix

Configure the SUSE operating system to remove all outdated software components after an update by editing the following line in "/etc/zypp/zypp.conf" to match the one provided below: solver.upgradeRemoveDroppedPackages = true

b
The SUSE operating system must notify the System Administrator (SA) when Advanced Intrusion Detection Environment (AIDE) discovers anomalies in the operation of any security functions.
SI-6 - Medium - CCI-002702 - V-234864 - SV-234864r958948_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002702
Version
SLES-15-010570
Vuln IDs
  • V-234864
Rule IDs
  • SV-234864r958948_rule
If anomalies are not acted on, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles and/or hardware indications, such as lights. This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.
Checks: C-38052r902852_chk

Verify the SUSE operating system notifies the SA when AIDE discovers anomalies in the operation of any security functions. Check to see if the aide cron job sends an email when executed with the following command: > grep -i "aide" /etc/cron.*/aide 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil If the "aide" file does not exist under the "/etc/cron" directory structure or the cron job is not configured to execute a binary to send an email (such as "/bin/mail"), this is a finding.

Fix: F-38015r902853_fix

Configure the SUSE operating system to notify the SA when AIDE discovers anomalies in the operation of any security functions. Create the aide crontab file in "/etc/cron.daily" and add following command replacing the "[E-MAIL]" parameter with a proper email address for the SA: 0 0 * * * /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil Note: Per requirement SLES-15-010418, the "mailx" package must be installed on the system to enable email functionality.

b
The SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly.
AU-4 - Medium - CCI-001851 - V-234865 - SV-234865r959008_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
SLES-15-010580
Vuln IDs
  • V-234865
Rule IDs
  • SV-234865r959008_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-38053r618864_chk

Verify that the SUSE operating system must off-load rsyslog messages for networked systems in real time and off-load standalone systems at least weekly. For stand-alone hosts, verify with the System Administrator that the log files are off-loaded at least weekly. For networked systems, check that rsyslog is sending log messages to a remote server with the following command: > sudo grep "\*.\*" /etc/rsyslog.conf | grep "@" | grep -v "^#" *.*;mail.none;news.none @192.168.1.101:514 If any active message labels in the file do not have a line to send log messages to a remote server, this is a finding.

Fix: F-38016r618865_fix

Configure the SUSE operating system to off-load rsyslog messages for networked systems in real time. For stand-alone systems establish a procedure to off-load log messages at least once a week. For networked systems add a "@[Log_Server_IP_Address]" option to every active message label in "/etc/rsyslog.conf" that does not have one. Some examples are listed below: *.*;mail.none;news.none -/var/log/messages *.*;mail.none;news.none @192.168.1.101:514 An additional option is to capture all of the log messages and send them to a remote log host: *.* @@loghost:514

b
The SUSE operating system must provision temporary accounts with an expiration date for 72 hours.
AC-2 - Medium - CCI-000016 - V-234866 - SV-234866r958364_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000016
Version
SLES-15-020000
Vuln IDs
  • V-234866
Rule IDs
  • SV-234866r958364_rule
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the SUSE operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
Checks: C-38054r618867_chk

Verify that the SUSE operating system provisions temporary accounts with an expiration date for "72" hours. Ask the System Administrator if any temporary accounts have been added to the system. For every existing temporary account, run the following command to obtain its account expiration information: > sudo chage -l system_account_name Verify each of these accounts has an expiration date that is within "72" hours of its creation. If any temporary accounts have no expiration date set or do not expire within "72" hours of their creation, this is a finding.

Fix: F-38017r618868_fix

In the event temporary accounts are required, configure the SUSE operating system to terminate them after "72" hours. For every temporary account, run the following command to set an expiration date on it, substituting "system_account_name" with the appropriate value: > sudo chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name `date -d "+3 days" +%Y-%m-%d` sets the 72-hour expiration date for the account at the time the command is run.

b
The SUSE operating system must lock an account after three consecutive invalid access attempts.
AC-7 - Medium - CCI-000044 - V-234867 - SV-234867r958388_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
SLES-15-020010
Vuln IDs
  • V-234867
Rule IDs
  • SV-234867r958388_rule
By limiting the number of failed access attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. The pam_tally2.so module maintains a count of attempted accesses. This includes user name entry into a logon field as well as password entry. With counting access attempts, it is possible to lock an account without presenting a password into the password field. This should be taken into consideration as it poses as an avenue for denial of service. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
Checks: C-38055r618870_chk

Verify the SUSE operating system locks a user account after three consecutive failed access attempts until the locked account is released by an administrator. Check that the system locks a user account after three consecutive failed login attempts using the following command: > grep pam_tally2.so /etc/pam.d/common-auth auth required pam_tally2.so onerr=fail deny=3 If no line is returned or the line is commented out, this is a finding. If the line is missing "onerr=fail", this is a finding. If the line has "deny" set to a value other than 1, 2, or 3, this is a finding. Check that the system resets the failed login attempts counter after a successful login using the following command: > grep pam_tally2.so /etc/pam.d/common-account account required pam_tally2.so If the account option is missing, or commented out, this is a finding.

Fix: F-38018r618871_fix

Configure the operating system to lock an account when three unsuccessful access attempts occur. Modify the first line of the auth section "/etc/pam.d/common-auth" file to match the following lines: auth required pam_tally2.so onerr=fail silent audit deny=3 Add or modify the following line in the /etc/pam.d/common-account file: account required pam_tally2.so Note: Manual changes to the listed files may be overwritten by the "pam-config" program. The "pam-config" program should not be used to update the configurations listed in this requirement.

a
The SUSE operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
AC-10 - Low - CCI-000054 - V-234868 - SV-234868r958398_rule
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
SLES-15-020020
Vuln IDs
  • V-234868
Rule IDs
  • SV-234868r958398_rule
SUSE operating system management includes the ability to control the number of users and user sessions that utilize a SUSE operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to Denial-of-Service (DoS) attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.
Checks: C-38056r618873_chk

Verify the SUSE operating system limits the number of concurrent sessions to 10 for all accounts and/or account types by running the following command: > grep "maxlogins" /etc/security/limits.conf The result must contain the following line: * hard maxlogins 10 If the "maxlogins" item is missing, the line does not begin with a star symbol, or the value is not set to "10" or less, this is a finding.

Fix: F-38019r618874_fix

Configure the SUSE operating system to limit the number of concurrent sessions to "10" or less for all accounts and/or account types. Add the following line to the file "/etc/security/limits.conf": * hard maxlogins 10

b
The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
IA-5 - Medium - CCI-000187 - V-234869 - SV-234869r986473_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000187
Version
SLES-15-020030
Vuln IDs
  • V-234869
Rule IDs
  • SV-234869r986473_rule
Using an authentication device, such as a Common Access Card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. A privileged account is defined as an information system account with authorizations of a privileged user. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management). Satisfies: SRG-OS-000068-GPOS-00036, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162
Checks: C-38057r618876_chk

Verify the SUSE operating system implements multifactor authentication for remote access to privileged accounts via PAM. Check that the "pam_pkcs11.so" option is configured in the "/etc/pam.d/common-auth" file with the following command: > grep pam_pkcs11.so /etc/pam.d/common-auth auth sufficient pam_pkcs11.so If "pam_pkcs11.so" is not set in "/etc/pam.d/common-auth", this is a finding.

Fix: F-38020r618877_fix

Configure the SUSE operating system to implement multifactor authentication for remote access to privileged accounts via PAM. Add or update "pam_pkcs11.so" in "/etc/pam.d/common-auth" to match the following line: auth sufficient pam_pkcs11.so

b
The SUSE operating system must deny direct logons to the root account using remote access via SSH.
- Medium - CCI-004045 - V-234870 - SV-234870r986474_rule
RMF Control
Severity
Medium
CCI
CCI-004045
Version
SLES-15-020040
Vuln IDs
  • V-234870
Rule IDs
  • SV-234870r986474_rule
To ensure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the UNIX and Windows SUSE operating systems offer a "switch user" capability, allowing users to authenticate with their individual credentials and, when needed, "switch" to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the SUSE operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.
Checks: C-38058r951637_chk

Verify the SUSE operating system denies direct logons to the root account using remote access via SSH. Check that SSH denies any user trying to log on directly as root with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permitrootlogin' PermitRootLogin no If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.

Fix: F-38021r618880_fix

Configure the SUSE operating system to deny direct logons to the root account using remote access via SSH. Edit the appropriate "/etc/ssh/sshd_config" file, add or uncomment the line for "PermitRootLogin" and set its value to "no" (this file may be named differently or be in a different location): PermitRootLogin no

b
The SUSE operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity after password expiration.
- Medium - CCI-003627 - V-234871 - SV-234871r986475_rule
RMF Control
Severity
Medium
CCI
CCI-003627
Version
SLES-15-020050
Vuln IDs
  • V-234871
Rule IDs
  • SV-234871r986475_rule
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. The SUSE operating system needs to track periods of inactivity and disable application identifiers after 35 days of inactivity.
Checks: C-38059r928529_chk

Verify the SUSE operating system disables account identifiers after 35 days of inactivity since the password expiration. Check the account inactivity value by performing the following command: > sudo grep -i '^inactive' /etc/default/useradd INACTIVE=35 If no output is produced, or if "INACTIVE" is not set to a value greater than "0" and less than or equal to "35", this is a finding.

Fix: F-38022r928530_fix

Configure the SUSE operating system to disable account identifiers after 35 days of inactivity since the password expiration. Run the following command to change the configuration for "useradd" to disable the account identifier after 35 days: > sudo useradd -D -f 35 DOD recommendation is 35 days, but a lower value greater than "0" is acceptable.

b
The SUSE operating system must never automatically remove or disable emergency administrator accounts.
AC-2 - Medium - CCI-001682 - V-234872 - SV-234872r958508_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001682
Version
SLES-15-020060
Vuln IDs
  • V-234872
Rule IDs
  • SV-234872r958508_rule
Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's system administrators when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts. To address access requirements the SUSE operating system can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
Checks: C-38060r618885_chk

Verify the SUSE operating system is configured such that emergency administrator accounts are never automatically removed or disabled. Note: Root is typically the "account of last resort" on a system and is also used as the example emergency administrator account. If another account is being used as the emergency administrator account, the command should be used against that account. Check to see if the root account password or account expires with the following command: > sudo chage -l [Emergency_Administrator] Password expires:never If "Password expires" or "Account expires" is set to anything other than "never", this is a finding.

Fix: F-38023r618886_fix

Configure the SUSE operating system to never automatically remove or disable emergency administrator accounts. Replace "[Emergency_Administrator]" in the following command with the correct emergency administrator account. Run the following command as an administrator: > sudo chage -I -1 -M 99999 [Emergency_Administrator]

a
The SUSE operating system must display the date and time of the last successful account logon upon logon.
AC-9 - Low - CCI-000052 - V-234873 - SV-234873r991589_rule
RMF Control
AC-9
Severity
Low
CCI
CCI-000052
Version
SLES-15-020080
Vuln IDs
  • V-234873
Rule IDs
  • SV-234873r991589_rule
Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.
Checks: C-38061r618888_chk

Verify the SUSE operating system users are provided with feedback on when account accesses last occurred. Check that "pam_lastlog" is used and not silent with the following command: > grep pam_lastlog /etc/pam.d/login session required pam_lastlog.so showfailed If "pam_lastlog" is missing from "/etc/pam.d/login" file, the "silent" option is present, or the returned line is commented out, this is a finding.

Fix: F-38024r618889_fix

Configure the SUSE operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login". Add the following line to the top of "/etc/pam.d/login": session required pam_lastlog.so showfailed

b
The SUSE operating system must not have unnecessary accounts.
CM-6 - Medium - CCI-000366 - V-234874 - SV-234874r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-020090
Vuln IDs
  • V-234874
Rule IDs
  • SV-234874r991589_rule
Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.
Checks: C-38062r618891_chk

Verify all SUSE operating system accounts are assigned to an active system, application, or user account. Obtain the list of authorized system accounts from the Information System Security Officer (ISSO). Check the system accounts on the system with the following command: > more /etc/passwd root:x:0:0:root:/root:/bin/bash ... games:x:12:100:Games account:/var/games:/bin/bash Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. If the accounts on the system do not match the provided documentation, this is a finding.

Fix: F-38025r618892_fix

Configure the SUSE operating system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. Document all authorized accounts on the system.

b
The SUSE operating system must not have unnecessary account capabilities.
CM-6 - Medium - CCI-000366 - V-234875 - SV-234875r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-020091
Vuln IDs
  • V-234875
Rule IDs
  • SV-234875r991589_rule
Accounts providing no operational purpose provide additional opportunities for system compromise. Therefore all necessary non interactive accounts should not have an interactive shell assigned to them.
Checks: C-38063r618894_chk

Verify all non-interactive SUSE operating system accounts do not have an interactive shell assigned to them. Obtain the list of authorized system accounts from the Information System Security Officer (ISSO). Check the system accounts on the system with the following command: > awk -F: '($7 !~ "/sbin/nologin" && $7 !~ "/bin/false"){print $1 ":" $3 ":" $7}' /etc/passwd root:0:/bin/bash nobody:65534:/bin/bash If a non-interactive accounts such as "games" or "nobody" is listed with an interactive shell, this is a finding.

Fix: F-38026r618895_fix

Configure the SUSE operating system so that all non-interactive accounts on the system have no interactive shell assigned to them. Run the following command to disable the interactive shell for a specific non-interactive user account: > sudo usermod --shell /sbin/nologin nobody

c
The SUSE operating system root account must be the only account with unrestricted access to the system.
CM-6 - High - CCI-000366 - V-234876 - SV-234876r991589_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SLES-15-020100
Vuln IDs
  • V-234876
Rule IDs
  • SV-234876r991589_rule
If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire SUSE operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.
Checks: C-38064r618897_chk

Verify that the SUSE operating system root account is the only account with unrestricted access to the system. Check the system for duplicate UID "0" assignments with the following command: > awk -F: '$3 == 0 {print $1}' /etc/passwd root If any accounts other than root have a UID of "0", this is a finding.

Fix: F-38027r618898_fix

Change the UID of any account on the SUSE operating system, other than the root account, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.

b
The SUSE operating system must restrict privilege elevation to authorized personnel.
CM-6 - Medium - CCI-000366 - V-234877 - SV-234877r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-020101
Vuln IDs
  • V-234877
Rule IDs
  • SV-234877r991589_rule
The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.
Checks: C-38065r618900_chk

Verify the "sudoers" file restricts sudo access to authorized personnel. > sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL

Fix: F-38028r618901_fix

Remove the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL

b
The SUSE operating system must require reauthentication when using the "sudo" command.
- Medium - CCI-004895 - V-234878 - SV-234878r987879_rule
RMF Control
Severity
Medium
CCI
CCI-004895
Version
SLES-15-020102
Vuln IDs
  • V-234878
Rule IDs
  • SV-234878r987879_rule
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the organization requires the user to re-authenticate when using the "sudo" command. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to reauthenticate for privileged actions until the user's session is terminated.
Checks: C-38066r861107_chk

Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. > sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d /etc/sudoers:Defaults timestamp_timeout=0 If conflicting results are returned, this is a finding. If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.

Fix: F-38029r986476_fix

Configure the "sudo" command to require reauthentication. Edit the /etc/sudoers file: > sudo visudo Add or modify the following line: Defaults timestamp_timeout=[value] Note: The "[value]" must be a number that is greater than or equal to "0".

b
The SUSE operating system must use the invoking user's password for privilege escalation when using "sudo".
CM-6 - Medium - CCI-000366 - V-234879 - SV-234879r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-020103
Vuln IDs
  • V-234879
Rule IDs
  • SV-234879r991589_rule
The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. For more information on each of the listed configurations, reference the sudoers(5) manual page.
Checks: C-38067r833009_chk

Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. > sudo egrep -ir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw If conflicting results are returned, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. If "Defaults !runaspw" is not defined, this is a finding.

Fix: F-38030r618907_fix

Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw

b
All SUSE operating system local interactive user accounts, upon creation, must be assigned a home directory.
CM-6 - Medium - CCI-000366 - V-234880 - SV-234880r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-020110
Vuln IDs
  • V-234880
Rule IDs
  • SV-234880r991589_rule
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Checks: C-38068r618909_chk

Verify all SUSE operating system local interactive users on the system are assigned a home directory upon creation. Check to see if the system is configured to create home directories for local interactive users with the following command: > grep -i create_home /etc/login.defs CREATE_HOME yes If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.

Fix: F-38031r618910_fix

Configure the SUSE operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. CREATE_HOME yes

b
The SUSE operating system must display the date and time of the last successful account logon upon an SSH logon.
AC-9 - Medium - CCI-000052 - V-234881 - SV-234881r991589_rule
RMF Control
AC-9
Severity
Medium
CCI
CCI-000052
Version
SLES-15-020120
Vuln IDs
  • V-234881
Rule IDs
  • SV-234881r991589_rule
Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.
Checks: C-38069r951639_chk

Verify all remote connections via SSH to the SUSE operating system display feedback on when account accesses last occurred. Check that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command: > sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*printlastlog' PrintLastLog yes If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.

Fix: F-38032r618913_fix

Configure the SUSE operating system to provide users with feedback on when account accesses last occurred. Add or edit the following lines in the "/etc/ssh/sshd_config" file: PrintLastLog yes

b
The SUSE operating system must enforce passwords that contain at least one uppercase character.
- Medium - CCI-004066 - V-234882 - SV-234882r986478_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
SLES-15-020130
Vuln IDs
  • V-234882
Rule IDs
  • SV-234882r986478_rule
Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-38070r618915_chk

Verify the SUSE operating system enforces password complexity by requiring at least one uppercase character. Check that the operating system enforces password complexity by requiring that at least one uppercase character be used by using the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ucredit=-1 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ucredit=-1", this is a finding.

Fix: F-38033r618916_fix

Configure the SUSE operating system to enforce password complexity by requiring at least one uppercase character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ucredit=-1" after the third column.

b
The SUSE operating system must enforce passwords that contain at least one lowercase character.
- Medium - CCI-004066 - V-234883 - SV-234883r986479_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
SLES-15-020140
Vuln IDs
  • V-234883
Rule IDs
  • SV-234883r986479_rule
Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-38071r618918_chk

Verify the SUSE operating system enforces password complexity by requiring that at least one lowercase character. Check that the operating system enforces password complexity by requiring that at least one lowercase character be used by using the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so lcredit=-1 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "lcredit=-1", this is a finding.

Fix: F-38034r618919_fix

Configure the SUSE operating system to enforce password complexity by requiring at least one lowercase character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "lcredit=-1" after the third column.

b
The SUSE operating system must enforce passwords that contain at least one numeric character.
- Medium - CCI-004066 - V-234884 - SV-234884r986480_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
SLES-15-020150
Vuln IDs
  • V-234884
Rule IDs
  • SV-234884r986480_rule
Use of a complex password helps increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-38072r618921_chk

Verify the SUSE operating system enforces password complexity by requiring that at least one numeric character. Check that the operating system enforces password complexity by requiring that at least one numeric character be used by using the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so dcredit=-1 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "dcredit=-1", this is a finding.

Fix: F-38035r618922_fix

Configure the SUSE operating system to enforce password complexity by requiring at least one numeric character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "dcredit=-1" after the third column.

b
The SUSE operating system must require the change of at least eight of the total number of characters when passwords are changed.
- Medium - CCI-004066 - V-234885 - SV-234885r986481_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
SLES-15-020160
Vuln IDs
  • V-234885
Rule IDs
  • SV-234885r986481_rule
If the SUSE operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks.
Checks: C-38073r618924_chk

Verify the SUSE operating system requires at least eight characters be changed between the old and new passwords during a password change. Check that the operating system requires at least eight characters be changed between the old and new passwords during a password change by running the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so difok=8 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "difok", or the value is less than "8", this is a finding.

Fix: F-38036r618925_fix

Configure the SUSE operating system to require at least eight characters be changed between the old and new passwords during a password change with the following command: Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "difok=8" after the third column.

b
The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
- Medium - CCI-004062 - V-234886 - SV-234886r986482_rule
RMF Control
Severity
Medium
CCI
CCI-004062
Version
SLES-15-020170
Vuln IDs
  • V-234886
Rule IDs
  • SV-234886r986482_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
Checks: C-38074r618927_chk

Verify the SUSE operating system configures the Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. Check that PAM is configured to create SHA512 hashed passwords by running the following command: > grep pam_unix.so /etc/pam.d/common-password password required pam_unix.so sha512 If the command does not return anything or the returned line is commented out, has a second column value different from "required", or does not contain "sha512", this is a finding.

Fix: F-38037r618928_fix

Configure the SUSE operating system Linux PAM to only store encrypted representations of passwords. All account passwords must be hashed with SHA512 encryption strength. Edit "/etc/pam.d/common-password" and edit the line containing "pam_unix.so" to contain the SHA512 keyword after third column. Remove the "nullok" option.

b
The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
- Medium - CCI-004062 - V-234887 - SV-234887r986483_rule
RMF Control
Severity
Medium
CCI
CCI-004062
Version
SLES-15-020180
Vuln IDs
  • V-234887
Rule IDs
  • SV-234887r986483_rule
The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Checks: C-38075r618930_chk

Verify the SUSE operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command: > sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6", this is a finding.

Fix: F-38038r618931_fix

Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "ENCRYPT_METHOD" to have a value of "SHA512". ENCRYPT_METHOD SHA512 Lock all interactive user accounts not using SHA512 hashing until the passwords can be regenerated.

b
The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
- Medium - CCI-004062 - V-234888 - SV-234888r986484_rule
RMF Control
Severity
Medium
CCI
CCI-004062
Version
SLES-15-020190
Vuln IDs
  • V-234888
Rule IDs
  • SV-234888r986484_rule
The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Satisfies: SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061
Checks: C-38076r618933_chk

Verify the SUSE operating system configures the shadow password suite configuration to encrypt passwords using a strong cryptographic hash. Check that a minimum number of hash rounds is configured by running the following command: > egrep "^SHA_CRYPT_" /etc/login.defs If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding. If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.

Fix: F-38039r618934_fix

Configure the SUSE operating system to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000": SHA_CRYPT_MIN_ROUNDS 5000

b
The SUSE operating system must be configured to create or update passwords with a minimum lifetime of 24 hours (one day).
- Medium - CCI-004066 - V-234889 - SV-234889r986486_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
SLES-15-020200
Vuln IDs
  • V-234889
Rule IDs
  • SV-234889r986486_rule
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Checks: C-38077r618936_chk

Verify the SUSE operating system creates or updates passwords with minimum password age of one day or greater. To check that the SUSE operating system enforces 24 hours/one day as the minimum password age, run the following command: > grep '^PASS_MIN_DAYS' /etc/login.defs PASS_MIN_DAYS 1 If no output is produced, or if "PASS_MIN_DAYS" does not have a value of "1" or greater, this is a finding.

Fix: F-38040r986485_fix

Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: PASS_MIN_DAYS [DAYS] The DOD requirement is "1" but a greater value is acceptable.

b
The SUSE operating system must employ user passwords with a minimum lifetime of 24 hours (one day).
- Medium - CCI-004066 - V-234890 - SV-234890r986487_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
SLES-15-020210
Vuln IDs
  • V-234890
Rule IDs
  • SV-234890r986487_rule
Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Checks: C-38078r618939_chk

Verify the SUSE operating system enforces a minimum time period between password changes for each user account of one day or greater. Check the minimum time period between password changes for each user account with the following command: > sudo awk -F: '$4 < 1 {print $1 ":" $4}' /etc/shadow smithj:1 If any results are returned that are not associated with a system account, this is a finding.

Fix: F-38041r618940_fix

Configure the SUSE operating system to enforce 24 hours/one day or greater as the minimum password age for user accounts. Change the minimum time period between password changes for each [USER] account to "1" day with the command, replacing [USER] with the user account that must be changed: > sudo passwd -n 1 [USER]

b
The SUSE operating system must be configured to create or update passwords with a maximum lifetime of 60 days.
- Medium - CCI-004066 - V-234891 - SV-234891r986490_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
SLES-15-020220
Vuln IDs
  • V-234891
Rule IDs
  • SV-234891r986490_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.
Checks: C-38079r986488_chk

Verify that the SUSE operating system is configured to create or update passwords with a maximum password age of 60 days or less. Check that the SUSE operating system enforces 60 days or less as the maximum password age with the following command: > grep '^PASS_MAX_DAYS' /etc/login.defs The DOD requirement is "60" days or less (greater than zero, as zero days will lock the account immediately). If no output is produced, or if "PASS_MAX_DAYS" is not set to "60" days or less, this is a finding.

Fix: F-38042r986489_fix

Configure the SUSE operating system to enforce a maximum password age of 60 days or less. Edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days: PASS_MAX_DAYS [DAYS] The DOD requirement is 60 days or less (greater than zero, as zero days will lock the account immediately).

b
The SUSE operating system must employ user passwords with a maximum lifetime of 60 days.
- Medium - CCI-004066 - V-234892 - SV-234892r986492_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
SLES-15-020230
Vuln IDs
  • V-234892
Rule IDs
  • SV-234892r986492_rule
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the SUSE operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the SUSE operating system passwords could be compromised.
Checks: C-38080r618945_chk

Verify that the SUSE operating system enforces a maximum user password age of 60 days or less. Check that the SUSE operating system enforces 60 days or less as the maximum user password age with the following command: > sudo awk -F: '$5 > 60 || $5 == "" {print $1 ":" $5}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding.

Fix: F-38043r986491_fix

Configure the SUSE operating system to enforce a maximum password age of each [USER] account to 60 days. The command in the check text will give a list of users that need to be updated to be in compliance: > sudo passwd -x 60 [USER] The DOD requirement is 60 days.

b
The SUSE operating system must employ passwords with a minimum of 15 characters.
- Medium - CCI-004066 - V-234895 - SV-234895r986494_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
SLES-15-020260
Vuln IDs
  • V-234895
Rule IDs
  • SV-234895r986494_rule
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps determine strength and how long it takes to crack a password. Use of more characters in a password helps exponentially increase the time and/or resources required to compromise the password.
Checks: C-38083r618954_chk

Verify the SUSE operating system enforces a minimum 15-character password length. Check that the operating system enforces a minimum 15-character password length with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so minlen=15 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "minlen" value, or the value is less than "15", this is a finding.

Fix: F-38046r986493_fix

Configure the SUSE operating system to enforce a minimum 15-character password length. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "minlen=15" after the third column. The DOD standard requires a minimum 15-character password length.

b
The SUSE operating system must enforce passwords that contain at least one special character.
- Medium - CCI-004066 - V-234896 - SV-234896r991561_rule
RMF Control
Severity
Medium
CCI
CCI-004066
Version
SLES-15-020270
Vuln IDs
  • V-234896
Rule IDs
  • SV-234896r991561_rule
Use of a complex password helps increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
Checks: C-38084r618957_chk

Verify the SUSE operating system enforces password complexity by requiring at least one special character. Check that the operating system enforces password complexity by requiring at least one special character using the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so ocredit=-1 If the command does not return anything, the returned line is commented out, or has a second column value different from "requisite", or does not contain "ocredit=-1", this is a finding.

Fix: F-38047r618958_fix

Configure the SUSE operating system to enforce password complexity by requiring at least one special character. Edit "/etc/pam.d/common-password" and edit the line containing "pam_cracklib.so" to contain the option "ocredit=-1" after the third column.

b
The SUSE operating system must prevent the use of dictionary words for passwords.
CM-6 - Medium - CCI-000366 - V-234897 - SV-234897r991587_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-020290
Vuln IDs
  • V-234897
Rule IDs
  • SV-234897r991587_rule
If the SUSE operating system allows the user to select passwords based on dictionary words, this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.
Checks: C-38085r618960_chk

Verify the SUSE operating system prevents the use of dictionary words for passwords. Check that the SUSE operating system prevents the use of dictionary words for passwords with the following command: > grep pam_cracklib.so /etc/pam.d/common-password password requisite pam_cracklib.so If the command does not return anything, or the returned line is commented out, this is a finding.

Fix: F-38048r618961_fix

Configure the SUSE operating system to prevent the use of dictionary words for passwords. Edit "/etc/pam.d/common-password" and add the following line: password requisite pam_cracklib.so

c
The SUSE operating system must not be configured to allow blank or null passwords.
CM-6 - High - CCI-000366 - V-234898 - SV-234898r991589_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SLES-15-020300
Vuln IDs
  • V-234898
Rule IDs
  • SV-234898r991589_rule
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
Checks: C-38086r618963_chk

Verify the SUSE operating system is not configured to allow blank or null passwords. Check that blank or null passwords cannot be used by running the following command: > grep pam_unix.so /etc/pam.d/* | grep nullok If this produces any output, it may be possible to log on with accounts with empty passwords. If null passwords can be used, this is a finding.

Fix: F-38049r618964_fix

Configure the SUSE operating system to not allow blank or null passwords. Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password" to prevent logons with empty passwords.

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
AC-2 - Medium - CCI-000015 - V-234899 - SV-234899r986498_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000015
Version
SLES-15-030000
Vuln IDs
  • V-234899
Rule IDs
  • SV-234899r986498_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000304-GPOS-00121, SRG-OS-000470-GPOS-00214, SRG-OS-000476-GPOS-00221
Checks: C-38087r986496_chk

Verify the SUSE operating system generates an audit record when all modifications occur to the "/etc/passwd" file. Check that the file is being audited by performing the following command: > sudo auditctl -l | grep -w '/etc/passwd' -w /etc/passwd -p wa -k account_mod If the command does not return a line, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38050r986497_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/passwd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/passwd -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
AC-2 - Medium - CCI-000018 - V-234900 - SV-234900r986501_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
SLES-15-030010
Vuln IDs
  • V-234900
Rule IDs
  • SV-234900r986501_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221
Checks: C-38088r986499_chk

Verify the SUSE operating system generates an audit record when modifications occur to the "/etc/group" file. Check that the file is being audited by performing the following command: > sudo auditctl -l | grep -w '/etc/group' -w /etc/group -p wa -k account_mod If the command does not return a line, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38051r986500_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/group" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/group -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
AC-2 - Medium - CCI-000018 - V-234901 - SV-234901r986504_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
SLES-15-030020
Vuln IDs
  • V-234901
Rule IDs
  • SV-234901r986504_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221
Checks: C-38089r986502_chk

Verify the SUSE operating system generates an audit record when modifications occur to the "/etc/shadow" file. Check that the file is being audited by performing the following command: > sudo auditctl -l | grep -w '/etc/shadow' -w /etc/shadow -p wa -k account_mod If the command does not return a line, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38052r986503_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/shadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/shadow -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
AC-2 - Medium - CCI-000018 - V-234902 - SV-234902r986507_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
SLES-15-030030
Vuln IDs
  • V-234902
Rule IDs
  • SV-234902r986507_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221
Checks: C-38090r986505_chk

Verify the SUSE operating system generates an audit record when modifications occur to the "/etc/security/opasswd" file. Check that the file is being audited by performing the following command: > sudo auditctl -l | grep -w '/etc/security/opasswd' -w /etc/security/opasswd -p wa -k account_mod If the command does not return a line, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38053r986506_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/security/opasswd" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/security/opasswd -p wa -k account_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
AC-2 - Medium - CCI-000018 - V-234903 - SV-234903r958368_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
SLES-15-030040
Vuln IDs
  • V-234903
Rule IDs
  • SV-234903r958368_rule
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221
Checks: C-38091r618978_chk

Verify the SUSE operating system generates an audit record when all modifications occur to the "/etc/gshadow" file. Check that the file is being audited by performing the following command: > sudo auditctl -l | grep -w '/etc/gshadow' -w /etc/gshadow -p wa -k account_mod If the command does not return a line, this is a finding. Notes: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38054r618979_fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/gshadow" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /etc/gshadow -p wa -k account_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
SUSE operating system audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
AU-3 - Medium - CCI-000130 - V-234904 - SV-234904r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030050
Vuln IDs
  • V-234904
Rule IDs
  • SV-234904r958412_rule
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000392-GPOS-00172
Checks: C-38092r618981_chk

Verify the SUSE operating system produces audit records. Check that the SUSE operating system produces audit records by running the following command to determine the current status of the auditd service: > systemctl is-active auditd.service active > systemctl is-enabled auditd.service enabled If the service is not active or not enabled, this is a finding.

Fix: F-38055r618982_fix

Enable the SUSE operating system auditd service by performing the following commands: > sudo systemctl enable auditd.service > sudo systemctl start auditd.service

a
The SUSE operating system must generate audit records for all uses of the ssh-keysign command.
AU-3 - Low - CCI-000130 - V-234905 - SV-234905r958412_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-15-030060
Vuln IDs
  • V-234905
Rule IDs
  • SV-234905r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38093r618984_chk

Verify the SUSE operating system generates an audit record for all uses of the "ssh-keysign" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/lib/ssh/ssh-keysign' -a always,exit -S all -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh-keysign If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38056r618985_fix

Configure the SUSE operating system to generate an audit record for all uses of the "ssh-keysign" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/lib/ssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-keysign To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the passwd command.
AU-3 - Medium - CCI-000130 - V-234906 - SV-234906r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030070
Vuln IDs
  • V-234906
Rule IDs
  • SV-234906r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38094r618987_chk

Verify the SUSE operating system generates an audit record for all uses of the "passwd" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/passwd' -a always,exit -S all -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38057r618988_fix

Configure the SUSE operating system to generate an audit record for all uses of the "passwd" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the gpasswd command.
AU-3 - Low - CCI-000130 - V-234907 - SV-234907r958412_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-15-030080
Vuln IDs
  • V-234907
Rule IDs
  • SV-234907r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38095r618990_chk

Verify the SUSE operating system generates an audit record for all uses of the "gpasswd" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/gpasswd' -a always,exit -S all -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38058r618991_fix

Configure the SUSE operating system to generate an audit record for all uses of the "gpasswd" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the newgrp command.
AU-3 - Low - CCI-000130 - V-234908 - SV-234908r958412_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-15-030090
Vuln IDs
  • V-234908
Rule IDs
  • SV-234908r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38096r618993_chk

Verify the SUSE operating system generates an audit record for all uses of the "newgrp" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/newgrp' -a always,exit -S all -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-newgrp If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38059r618994_fix

Configure the SUSE operating system to generate an audit record for all uses of the "newgrp" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-newgrp To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for a uses of the chsh command.
AU-3 - Low - CCI-000130 - V-234909 - SV-234909r958412_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-15-030100
Vuln IDs
  • V-234909
Rule IDs
  • SV-234909r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38097r618996_chk

Verify the SUSE operating system generates an audit record for all uses of the "chsh" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/chsh' -a always,exit -S all -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chsh If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38060r618997_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chsh" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chsh To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the unix_chkpwd or unix2_chkpwd commands.
AU-3 - Medium - CCI-000130 - V-234910 - SV-234910r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030110
Vuln IDs
  • V-234910
Rule IDs
  • SV-234910r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38098r618999_chk

Verify the SUSE operating system generates an audit record for any use of the "unix_chkpwd" or "unix2_chkpwd" commands. Check that the commands are being audited by performing the following command: > sudo auditctl -l | egrep -w "(unix_chkpwd|unix2_chkpwd)" -a always,exit -S all -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-chkpwd -a always,exit -S all -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix2-chkpwd If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38061r619000_fix

Configure the SUSE operating system to generate an audit record for all uses of the "unix_chkpwd" and "unix2_chkpwd" commands. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-chkpwd -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix2-chkpwd To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chage command.
AU-3 - Medium - CCI-000130 - V-234911 - SV-234911r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030120
Vuln IDs
  • V-234911
Rule IDs
  • SV-234911r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38099r619002_chk

Verify the SUSE operating system generates an audit record for any use of the "chage" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/chage' -a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38062r619003_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chage" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the crontab command.
AU-3 - Medium - CCI-000130 - V-234912 - SV-234912r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030130
Vuln IDs
  • V-234912
Rule IDs
  • SV-234912r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38100r619005_chk

Verify the SUSE operating system generates an audit record for any use of the "crontab" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/crontab' -a always,exit -S all -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38063r619006_fix

Configure the SUSE operating system to generate an audit record for all uses of the "crontab" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.
AU-3 - Medium - CCI-000130 - V-234913 - SV-234913r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030140
Vuln IDs
  • V-234913
Rule IDs
  • SV-234913r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38101r619008_chk

Verify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. Check that the file and directory is being audited by performing the following command: > sudo auditctl -l | grep -w '/etc/sudoers' -w /etc/sudoers -p wa -k privileged-actions -w /etc/sudoers.d -p wa -k privileged-actions If the commands do not return output that match the examples, this is a finding. Notes: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38064r619009_fix

Configure the SUSE operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. Add or update the following rule in "/etc/audit/rules.d/audit.rules": -w /etc/sudoers -p wa -k privileged-actions -w /etc/sudoers.d -p wa -k privileged-actions To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.
AU-3 - Medium - CCI-000130 - V-234914 - SV-234914r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030150
Vuln IDs
  • V-234914
Rule IDs
  • SV-234914r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38102r809461_chk

Verify the SUSE operating system generates an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. Check that the system calls are being audited by performing the following command: > sudo auditctl -l | grep 'open\|truncate\|creat' -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access If both the "b32" and "b64" audit rules are not defined for the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" syscalls, this is a finding. If the output does not produce rules containing "-F exit=-EPERM", this is a finding. If the output does not produce rules containing "-F exit=-EACCES", this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38065r854231_fix

Configure the SUSE operating system to generate an audit record for all uses of the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
AU-3 - Medium - CCI-000130 - V-234918 - SV-234918r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030190
Vuln IDs
  • V-234918
Rule IDs
  • SV-234918r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215
Checks: C-38106r809464_chk

Verify the SUSE operating system generates an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. Check that the system calls are being audited by performing the following command: > sudo auditctl -l | grep xattr -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod If both the "b32" and "b64" audit rules are not defined for the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" syscalls, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38069r854233_fix

Configure the SUSE operating system to generate an audit record for all uses of the "setxattr", "fsetxattr", "lsetxattr","removexattr", "fremovexattr", and "lremovexattr" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chown, fchown, fchownat, and lchown system calls.
AU-3 - Medium - CCI-000130 - V-234924 - SV-234924r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030250
Vuln IDs
  • V-234924
Rule IDs
  • SV-234924r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38112r809467_chk

Verify the SUSE operating system generates an audit record for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls. Check that the system calls are being audited by performing the following command: > sudo auditctl -l | grep chown -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_mod If both the "b32" and "b64" audit rules are not defined for the "chown", "fchown", "fchownat", and "lchown" syscalls, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38075r854235_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chown", "fchown", "fchownat", and "lchown" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chmod, fchmod, and fchmodat system calls.
AU-3 - Medium - CCI-000130 - V-234928 - SV-234928r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030290
Vuln IDs
  • V-234928
Rule IDs
  • SV-234928r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38116r809470_chk

Verify the SUSE operating system generates an audit record for all uses of the "chmod", "fchmod" a,nd "fchmodat" system calls. Check that the system calls are being audited by performing the following command: > sudo auditctl -l | grep chmod -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod If both the "b32" and "b64" audit rules are not defined for the "chmod", "fchmod", and "fchmodat" syscalls, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38079r854237_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chmod", "fchmod", and "fchmodat" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the sudoedit command.
AU-3 - Medium - CCI-000130 - V-234932 - SV-234932r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030330
Vuln IDs
  • V-234932
Rule IDs
  • SV-234932r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38120r619065_chk

Verify an audit record is generated for all uses of the "sudoedit" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/sudoedit' -a always,exit -S all -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-sudoedit If the command does not return any output or the returned line is commented out, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38083r619066_fix

Configure the SUSE operating system to generate an audit record for all uses of the "sudoedit" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudoedit To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the chfn command.
AU-3 - Low - CCI-000130 - V-234933 - SV-234933r958412_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-15-030340
Vuln IDs
  • V-234933
Rule IDs
  • SV-234933r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38121r619068_chk

Verify the SUSE operating system generates an audit record for all uses of the "chfn" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/chfn' -a always,exit -S all -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn If the command does not return any output or the returned line is commented out, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38084r619069_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chfn" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the mount system call.
AU-3 - Low - CCI-000130 - V-234934 - SV-234934r958412_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-15-030350
Vuln IDs
  • V-234934
Rule IDs
  • SV-234934r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38122r619071_chk

Verify the SUSE operating system generates an audit record for all uses of the "mount" system call. Check that the system call is being audited by performing the following command: > sudo auditctl -l | grep -w 'mount' -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -k privileged-mount If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38085r619072_fix

Configure the SUSE operating system to generate an audit record for all uses of the "mount" system call. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the umount system call.
AU-3 - Low - CCI-000130 - V-234935 - SV-234935r958412_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-15-030360
Vuln IDs
  • V-234935
Rule IDs
  • SV-234935r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38123r619074_chk

Verify the SUSE operating system generates an audit record for all uses of the "umount" and "umount2" system calls. Check that the system calls are being audited by performing the following command: > sudo auditctl -l | grep 'umount' -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=-1 -k privileged-umount -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=-1 -k privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=-1 -k privileged-umount If both the "b32" and "b64" audit rules are not defined for the "umount" syscall, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38086r619075_fix

Configure the SUSE operating system to generate an audit record for all uses of the "umount" and "umount2" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S umount -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b32 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k privileged-umount To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the ssh-agent command.
AU-3 - Low - CCI-000130 - V-234936 - SV-234936r958412_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-15-030370
Vuln IDs
  • V-234936
Rule IDs
  • SV-234936r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38124r619077_chk

Verify the SUSE operating system generates an audit record for all uses of the "ssh-agent" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/ssh-agent' -a always,exit -S all -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh-agent If the command does not return any output or the returned line is commented out, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38087r619078_fix

Configure the SUSE operating system to generate an audit record for all uses of the "ssh-agent" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh-agent To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the insmod command.
AU-3 - Medium - CCI-000130 - V-234937 - SV-234937r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030380
Vuln IDs
  • V-234937
Rule IDs
  • SV-234937r958412_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38125r619080_chk

Verify the SUSE operating system is generates an audit record for all uses of the "insmod" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/sbin/insmod' -w /sbin/insmod -p x -k modules If the system is configured to audit the execution of the module management program "insmod", the command will return a line. If the command does not return a line, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38088r619081_fix

Configure the SUSE operating system to audit the execution of the module management program "insmod" by adding the following line to "/etc/audit/rules.d/audit.rules": -w /sbin/insmod -p x -k modules To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the rmmod command.
AU-3 - Medium - CCI-000130 - V-234938 - SV-234938r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030390
Vuln IDs
  • V-234938
Rule IDs
  • SV-234938r958412_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38126r619083_chk

Verify the SUSE operating system generates an audit record for all uses of the "rmmod" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/sbin/rmmod' -w /sbin/rmmod -p x -k modules If the system is configured to audit the execution of the module management program "rmmod", the command will return a line. If the command does not return a line, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38089r619084_fix

Configure the SUSE operating system to audit the execution of the module management program "rmmod" by adding the following line to "/etc/audit/rules.d/audit.rules": -w /sbin/rmmod -p x -k modules To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the modprobe command.
AU-3 - Medium - CCI-000130 - V-234939 - SV-234939r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030400
Vuln IDs
  • V-234939
Rule IDs
  • SV-234939r958412_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38127r619086_chk

Verify the SUSE operating system generates an audit record for all uses of the "modprobe" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/sbin/modprobe' -w /sbin/modprobe -p x -k modules If the system is configured to audit the execution of the module management program "modprobe", the command will return a line. If the command does not return a line, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38090r619087_fix

Configure the SUSE operating system to audit the execution of the module management program "modprobe" by adding the following line to "/etc/audit/rules.d/audit.rules": -w /sbin/modprobe -p x -k modules To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the kmod command.
AU-3 - Medium - CCI-000130 - V-234940 - SV-234940r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030410
Vuln IDs
  • V-234940
Rule IDs
  • SV-234940r958412_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the following list of events for which the SUSE operating system will provide an audit record generation capability: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
Checks: C-38128r619089_chk

Verify the SUSE operating system generates an audit record for all uses of the "kmod" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/kmod' -w /usr/bin/kmod -p x -k modules If the system is configured to audit the execution of the module management program "kmod", the command will return a line. If the command does not return a line, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38091r619090_fix

Configure the SUSE operating system to audit the execution of the module management program "kmod" by adding the following line to "/etc/audit/rules.d/audit.rules": -w /usr/bin/kmod -p x -k modules To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chmod command.
AU-3 - Medium - CCI-000130 - V-234941 - SV-234941r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030420
Vuln IDs
  • V-234941
Rule IDs
  • SV-234941r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38129r619092_chk

Verify the SUSE operating system generates an audit record for all uses of the "chmod" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/chmod' -a always,exit -S all -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38092r619093_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chmod" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chmod -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the setfacl command.
AU-3 - Medium - CCI-000130 - V-234942 - SV-234942r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030430
Vuln IDs
  • V-234942
Rule IDs
  • SV-234942r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38130r619095_chk

Verify the SUSE operating system generates an audit record for all uses of the "setfacl" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/setfacl' -a always,exit -S all -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38093r619096_fix

Configure the SUSE operating system to generate an audit record for all uses of the "setfacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chacl command.
AU-3 - Medium - CCI-000130 - V-234943 - SV-234943r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030440
Vuln IDs
  • V-234943
Rule IDs
  • SV-234943r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38131r619098_chk

Verify the SUSE operating system generates an audit record for all uses of the "chacl" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/chacl' -a always,exit -S all -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38094r619099_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chacl" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the chcon command.
AU-3 - Medium - CCI-000130 - V-234944 - SV-234944r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030450
Vuln IDs
  • V-234944
Rule IDs
  • SV-234944r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38132r619101_chk

Verify the SUSE operating system generates an audit record for all uses of the "chcon" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/chcon' -a always,exit -S all -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38095r619102_fix

Configure the SUSE operating system to generate an audit record for all uses of the "chcon" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the rm command.
AU-3 - Medium - CCI-000130 - V-234945 - SV-234945r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030460
Vuln IDs
  • V-234945
Rule IDs
  • SV-234945r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38133r619104_chk

Verify the SUSE operating system generates an audit record for all uses of the "rm" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/rm' -a always,exit -S all -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=-1 -k prim_mod If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38096r619105_fix

Configure the SUSE operating system to generate an audit record for all uses of the "rm" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/rm -F perm=x -F auid>=1000 -F auid!=4294967295 -k prim_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all modifications to the tallylog file must generate an audit record.
AU-3 - Medium - CCI-000130 - V-234946 - SV-234946r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030470
Vuln IDs
  • V-234946
Rule IDs
  • SV-234946r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218
Checks: C-38134r619107_chk

Verify the SUSE operating system generates an audit record when all modifications to the "tallylog" file occur. Check that the file is being audited by performing the following command: > sudo auditctl -l | grep -w '/var/log/tallylog' -w /var/log/tallylog -p wa -k logins If the command does not return a line, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38097r619108_fix

Configure the SUSE operating system to generate an audit record for any all modifications to the "tallylog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/tallylog -p wa -k logins To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all modifications to the lastlog file.
AU-3 - Medium - CCI-000130 - V-234947 - SV-234947r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030480
Vuln IDs
  • V-234947
Rule IDs
  • SV-234947r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218
Checks: C-38135r619110_chk

Verify the SUSE operating system generates an audit record when all modifications to the "lastlog" file occur. Check that the file is being audited by performing the following command: > sudo auditctl -l | grep -w '/var/log/lastlog' -w /var/log/lastlog -p wa -k logins If the command does not return a line, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38098r619111_fix

Configure the SUSE operating system to generate an audit record for any all modifications to the "lastlog" file occur. Add or update the following rule to "/etc/audit/rules.d/audit.rules": -w /var/log/lastlog -p wa -k logins To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the passmass command.
AU-3 - Medium - CCI-000130 - V-234948 - SV-234948r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030490
Vuln IDs
  • V-234948
Rule IDs
  • SV-234948r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38136r619113_chk

Verify the SUSE operating system generates an audit record for all uses of the "passmass" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/passmass' -a always,exit -S all -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passmass If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38099r619114_fix

Configure the SUSE operating system to generate an audit record for all uses of the "passmass" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passmass -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passmass To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the usermod command.
AU-3 - Medium - CCI-000130 - V-234949 - SV-234949r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030500
Vuln IDs
  • V-234949
Rule IDs
  • SV-234949r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38137r619116_chk

Verify the SUSE operating system generates an audit record for any use of the "usermod" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/sbin/usermod' -a always,exit -S all -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38100r619117_fix

Configure the SUSE operating system to generate an audit record for all uses of the "usermod" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the pam_timestamp_check command.
AU-3 - Medium - CCI-000130 - V-234950 - SV-234950r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030510
Vuln IDs
  • V-234950
Rule IDs
  • SV-234950r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Checks: C-38138r619119_chk

Verify the SUSE operating system generates an audit record for any use of the "pam_timestamp_check" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/sbin/pam_timestamp_check' -a always,exit -S all -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check If the command does not return any output, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38101r619120_fix

Configure the SUSE operating system to generate an audit record for all uses of the "pam_timestamp_check" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the delete_module system call.
AU-3 - Medium - CCI-000130 - V-234951 - SV-234951r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030520
Vuln IDs
  • V-234951
Rule IDs
  • SV-234951r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
Checks: C-38139r619122_chk

Verify the SUSE operating system generates an audit record for all uses of the "delete_module" system call. Check that the system call is being audited by performing the following command: > sudo auditctl -l | grep -w 'delete_module' -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=-1 -k unload_module -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=-1 -k unload_module If both the "b32" and "b64" audit rules are not defined for the "unload_module" syscall, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38102r619123_fix

Configure the SUSE operating system to generate an audit record for all uses of the "delete_module" system call. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=4294967295 -k unload_module To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the init_module and finit_module system calls.
AU-3 - Medium - CCI-000130 - V-234952 - SV-234952r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030530
Vuln IDs
  • V-234952
Rule IDs
  • SV-234952r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222
Checks: C-38140r809473_chk

Verify the SUSE operating system generates an audit record for all uses of the "init_module" and "finit_module" system calls. Check that the system calls are being audited by performing the following command: > sudo auditctl -l | grep init_module -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k moduleload -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=-1 -k moduleload If both the "b32" and "b64" audit rules are not defined for the init_module" and "finit_module" syscalls, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38103r854259_fix

Configure the SUSE operating system to generate an audit record for all uses of the "init_module" and "finit_module" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=4294967295 -k moduleload To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for all uses of the su command.
AU-3 - Medium - CCI-000130 - V-234954 - SV-234954r958412_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
SLES-15-030550
Vuln IDs
  • V-234954
Rule IDs
  • SV-234954r958412_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000042-GPOS-00020
Checks: C-38142r619131_chk

Verify the SUSE operating system generates an audit record for any use of the "su" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/su' -a always,exit -S all -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change If the command does not return any output or the returned line is commented out, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38105r619132_fix

Configure the SUSE operating system to generate an audit record for all uses of the "su" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

a
The SUSE operating system must generate audit records for all uses of the sudo command.
AU-3 - Low - CCI-000130 - V-234955 - SV-234955r958412_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
SLES-15-030560
Vuln IDs
  • V-234955
Rule IDs
  • SV-234955r958412_rule
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000042-GPOS-00020
Checks: C-38143r619134_chk

Verify the SUSE operating system generates an audit record for any use of the "sudo" command. Check that the command is being audited by performing the following command: > sudo auditctl -l | grep -w '/usr/bin/sudo' -a always,exit -S all -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-sudo If the command does not return any output, or the returned line is commented out, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38106r619135_fix

Configure the SUSE operating system to generate an audit record for all uses of the "sudo" command. Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-sudo To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must be alerted of a SUSE operating system audit processing failure event.
AU-5 - Medium - CCI-000139 - V-234956 - SV-234956r958424_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
SLES-15-030570
Vuln IDs
  • V-234956
Rule IDs
  • SV-234956r958424_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
Checks: C-38144r619137_chk

Verify the administrators are notified in the event of a SUSE operating system audit processing failure by inspecting "/etc/audit/auditd.conf". Check if the system is configured to send email to an account when it needs to notify an administrator with the following command: > sudo grep action_mail /etc/audit/auditd.conf action_mail_acct = root If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding.

Fix: F-38107r619138_fix

Configure the auditd service to notify the administrators in the event of a SUSE operating system audit processing failure. Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root

b
The Information System Security Officer (ISSO) and System Administrator (SA), at a minimum, must have mail aliases to be notified of a SUSE operating system audit processing failure.
AU-5 - Medium - CCI-000139 - V-234957 - SV-234957r958424_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
SLES-15-030580
Vuln IDs
  • V-234957
Rule IDs
  • SV-234957r958424_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
Checks: C-38145r619140_chk

Verify the administrators are notified in the event of a SUSE operating system audit processing failure by checking that "/etc/aliases" has a defined value for root. > grep -i "^postmaster:" /etc/aliases postmaster: root If the above command does not return a value of "root", or the output is commented out, this is a finding Verify the alias for root forwards to a monitored e-mail account: > grep -i "^root:" /etc/aliases root: person@server.mil If the alias for root does not forward to a monitored e-mail account, or the output is commented out, this is a finding.

Fix: F-38108r619141_fix

Configure the auditd service to notify the administrators in the event of a SUSE operating system audit processing failure. Configure an alias value for the postmaster with the following command: > sudo sh -c 'echo "postmaster: root" >> /etc/aliases' Configure an alias for root that forwards to a monitored email address with the following command: > sudo sh -c 'echo "root: box@server.mil" >> /etc/aliases' The following command must be run to implement changes to the /etc/aliases file: > sudo newaliases

b
The SUSE operating system audit system must take appropriate action when the audit storage volume is full.
AU-5 - Medium - CCI-000140 - V-234958 - SV-234958r958426_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
SLES-15-030590
Vuln IDs
  • V-234958
Rule IDs
  • SV-234958r958426_rule
It is critical that when the SUSE operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Responses to audit failure depend on the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, the SUSE operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner. 2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the SUSE operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.
Checks: C-38146r619143_chk

Verify the SUSE operating system takes the appropriate action when the audit storage volume is full. Check that the SUSE operating system takes the appropriate action when the audit storage volume is full with the following command: > sudo grep disk_full_action /etc/audit/auditd.conf disk_full_action = SYSLOG If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.

Fix: F-38109r619144_fix

Configure the SUSE operating system to shut down by default upon audit failure (unless availability is an overriding concern). Add or update the following line (depending on configuration "disk_full_action" can be set to "SYSLOG", "SINGLE", or "HALT" depending on configuration) in "/etc/audit/auditd.conf" file: disk_full_action = HALT

b
The SUSE operating system must protect audit rules from unauthorized modification.
AU-9 - Medium - CCI-000162 - V-234959 - SV-234959r958434_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
SLES-15-030600
Vuln IDs
  • V-234959
Rule IDs
  • SV-234959r958434_rule
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029
Checks: C-38147r619146_chk

Verify that the SUSE operating system protects audit rules from unauthorized modification. Check that "permissions.local" file contains the correct permissions rules with the following command: > grep -i audit /etc/permissions.local /var/log/audit root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 If the command does not return any output, this is a finding. Check that all of the audit information files and folders have the correct permissions with the following command: > sudo chkstat /etc/permissions.local If the command returns any output, this is a finding.

Fix: F-38110r619147_fix

Configure the SUSE operating system to protect audit rules from unauthorized modification. Add or update the following rules in "/etc/permissions.local": /var/log/audit root:root 600 /var/log/audit/audit.log root:root 600 /etc/audit/audit.rules root:root 640 /etc/audit/rules.d/audit.rules root:root 640 Set the correct permissions with the following command: > sudo chkstat --set /etc/permissions.local

b
The SUSE operating system audit tools must have the proper permissions configured to protect against unauthorized access.
AU-9 - Medium - CCI-001493 - V-234961 - SV-234961r991557_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
SLES-15-030620
Vuln IDs
  • V-234961
Rule IDs
  • SV-234961r991557_rule
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SUSE operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys to make access decisions regarding the access to audit tools. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099
Checks: C-38149r619152_chk

Verify that the SUSE operating system audit tools have the proper permissions configured in the permissions profile to protect from unauthorized access. Check that "permissions.local" file contains the correct permissions rules with the following command: > grep "^/usr/sbin/au" /etc/permissions.local /usr/sbin/audispd root:root 0750 /usr/sbin/auditctl root:root 0750 /usr/sbin/auditd root:root 0750 /usr/sbin/ausearch root:root 0755 /usr/sbin/aureport root:root 0755 /usr/sbin/autrace root:root 0750 /usr/sbin/augenrules root:root 0750 If the command does not return any output, this is a finding. Check that all of the audit information files and folders have the correct permissions with the following command: > sudo chkstat /etc/permissions.local If the command returns any output, this is a finding.

Fix: F-38112r619153_fix

Configure the SUSE operating system audit tools to have proper permissions set in the permissions profile to protect from unauthorized access. Edit the file "/etc/permissions.local" and insert the following text: /usr/sbin/audispd root:root 0750 /usr/sbin/auditctl root:root 0750 /usr/sbin/auditd root:root 0750 /usr/sbin/ausearch root:root 0755 /usr/sbin/aureport root:root 0755 /usr/sbin/autrace root:root 0750 /usr/sbin/augenrules root:root 0750 Set the correct permissions with the following command: > sudo chkstat --set /etc/permissions.local

b
The SUSE operating system file integrity tool must be configured to protect the integrity of the audit tools.
AU-9 - Medium - CCI-001496 - V-234962 - SV-234962r991567_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001496
Version
SLES-15-030630
Vuln IDs
  • V-234962
Rule IDs
  • SV-234962r991567_rule
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.
Checks: C-38150r619155_chk

Verify that the SUSE operating system file integrity tool is configured to protect the integrity of the audit tools. Check that AIDE is properly configured to protect the integrity of the audit tools by running the following command: > sudo grep /usr/sbin/au /etc/aide.conf /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 If AIDE is properly configured to protect the integrity of the audit tools, all lines listed above will be returned from the command. If one or more lines are missing, or is commented out, this is a finding.

Fix: F-38113r619156_fix

Configure the SUSE operating system file integrity tool to protect the integrity of the audit tools. Add or update the following lines to "/etc/aide.conf" to protect the integrity of the audit tools: # audit tools /usr/sbin/auditctl p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/audispd p+i+n+u+g+s+b+acl+selinux+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+selinux+xattrs+sha512

a
The SUSE operating system must generate audit records for all uses of the privileged functions.
- Low - CCI-003938 - V-234963 - SV-234963r986510_rule
RMF Control
Severity
Low
CCI
CCI-003938
Version
SLES-15-030640
Vuln IDs
  • V-234963
Rule IDs
  • SV-234963r986510_rule
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152
Checks: C-38151r986508_chk

Verify the SUSE operating system generates an audit record for any privileged use of the "execve" system call. > sudo auditctl -l | grep -w 'execve' -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38114r986509_fix

Configure the SUSE operating system to generate an audit record for any privileged use of the "execve" system call. Add or update the following rules in "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must have the auditing package installed.
AU-12 - Medium - CCI-000172 - V-234964 - SV-234964r986511_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-15-030650
Vuln IDs
  • V-234964
Rule IDs
  • SV-234964r986511_rule
Without establishing what type of events occurred, the source of events, where events occurred, and the outcome of events, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SUSE operating system audit logs provides a means of investigating an attack, recognizing resource utilization or capacity thresholds, or identifying an improperly configured SUSE operating system. Satisfies: SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220
Checks: C-38152r619161_chk

Verify the SUSE operating system auditing package is installed. Check that the "audit" package is installed by performing the following command: > zypper info audit | grep Installed i | audit | User Space Tools for 2.6 Kernel Auditing If the package "audit" is not installed on the system, then this is a finding.

Fix: F-38115r619162_fix

The SUSE operating system auditd package must be installed on the system. If it is not installed, use the following command to install it: > sudo zypper in audit

b
The SUSE operating system must allocate audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.
AU-4 - Medium - CCI-001849 - V-234965 - SV-234965r958752_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001849
Version
SLES-15-030660
Vuln IDs
  • V-234965
Rule IDs
  • SV-234965r958752_rule
To ensure SUSE operating systems have a sufficient storage capacity in which to write the audit logs, SUSE operating systems need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of the SUSE operating system.
Checks: C-38153r619164_chk

Verify the SUSE operating system allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. Determine to which partition the audit records are being written with the following command: > sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to (with the example being /var/log/audit/) with the following command: > df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var If the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command: > sudo du -sh [audit_partition] 1.8G /var/log/audit The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. If the audit record partition is not allocated sufficient storage capacity, this is a finding.

Fix: F-38116r619165_fix

Allocate enough storage capacity for at least one week of SUSE operating system audit records when audit records are not immediately sent to a central audit record storage facility. If audit records are stored on a partition made specifically for audit records, use the "YaST2 - Partitioner" program (installation and configuration tool for Linux) to resize the partition with sufficient space to contain one week of audit records. If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of space will need be to be created. The new partition can be created using the "YaST2 - Partitioner" program on the system.

b
The audit-audispd-plugins must be installed on the SUSE operating system.
AU-4 - Medium - CCI-001851 - V-234966 - SV-234966r958754_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
SLES-15-030670
Vuln IDs
  • V-234966
Rule IDs
  • SV-234966r958754_rule
The audit-audispd-plugins must be installed on the SUSE operating system.
Checks: C-38154r619167_chk

Verify that the "audit-audispd-plugins" package is installed on the SUSE operating system. Check that the "audit-audispd-plugins" package is installed on the SUSE operating system with the following command: > zypper info audit-audispd-plugins | grep Installed If the "audit-audispd-plugins" package is not installed, this is a finding. Verify the "au-remote" plugin is enabled with the following command: > sudo grep -i active /etc/audisp/plugins.d/au-remote.conf active = yes If "active" is missing, commented out, or is not set to "yes", this is a finding.

Fix: F-38117r619168_fix

Install the "audit-audispd-plugins" package on the SUSE operating system by running the following command: > sudo zypper install audit-audispd-plugins In "/etc/audisp/plugins.d/au-remote.conf", change the value of "active" to "yes", or add "active = yes" if no such setting exists in the file.

a
The SUSE operating system audit event multiplexor must be configured to use Kerberos.
AU-4 - Low - CCI-001851 - V-234967 - SV-234967r958754_rule
RMF Control
AU-4
Severity
Low
CCI
CCI-001851
Version
SLES-15-030680
Vuln IDs
  • V-234967
Rule IDs
  • SV-234967r958754_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Allowing devices and users to connect to or from the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Audit events that may include sensitive data must be encrypted prior to transmission. Kerberos provides a mechanism to provide both authentication and encryption for audit event records.
Checks: C-38155r619170_chk

Determine if the SUSE operating system audit event multiplexor is configured to use Kerberos by running the following command: > sudo grep enable_krb5 /etc/audisp/audisp-remote.conf enable_krb5 = yes If "enable_krb5" is not set to "yes", or is commented out, this is a finding.

Fix: F-38118r619171_fix

Configure the SUSE operating system audit event multiplexor to use Kerberos by editing the "/etc/audisp/audisp-remote.conf" file. Edit or add the following line to match the text below: enable_krb5 = yes

a
Audispd must off-load audit records onto a different system or media from the SUSE operating system being audited.
AU-4 - Low - CCI-001851 - V-234968 - SV-234968r958754_rule
RMF Control
AU-4
Severity
Low
CCI
CCI-001851
Version
SLES-15-030690
Vuln IDs
  • V-234968
Rule IDs
  • SV-234968r958754_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-38156r619173_chk

Verify "audispd" off-loads audit records onto a different system or media from the SUSE operating system being audited. Check if "audispd" is configured to off-load audit records onto a different system or media from the SUSE operating system by running the following command: > sudo grep remote_server /etc/audisp/audisp-remote.conf remote_server = 192.168.1.101 If "remote_server" is not set to an external server or media, or is commented out, this is a finding.

Fix: F-38119r619174_fix

Configure the SUSE operating system "/etc/audisp/audisp-remote.conf" file to off-load audit records onto a different system or media by adding or editing the following line with the correct IP address: remote_server = [IP ADDRESS]

b
The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.
AU-5 - Medium - CCI-001855 - V-234969 - SV-234969r971542_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001855
Version
SLES-15-030700
Vuln IDs
  • V-234969
Rule IDs
  • SV-234969r971542_rule
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
Checks: C-38157r619176_chk

Determine if the SUSE operating system auditd is configured to notify the SA and ISSO when the audit record storage volume reaches 75 percent of the storage capacity. Check the system configuration to determine the partition to which audit records are written using the following command: > sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition to which audit records are written (e.g., "/var/log/audit/"): > df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), use the following command to determine the amount of space other files in the partition currently occupy: > sudo du -sh <partition> 1.8G /var/log/audit Determine the threshold for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached: > sudo grep -iw space_left /etc/audit/auditd.conf space_left = 225 If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.

Fix: F-38120r619177_fix

Check the system configuration to determine the partition to which the audit records are written: > sudo grep -iw log_file /etc/audit/auditd.conf Determine the size of the partition to which audit records are written (e.g., "/var/log/audit/"): > df -h /var/log/audit/ Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.

b
The SUSE operating system must generate audit records for all uses of the unlink, unlinkat, rename, renameat, and rmdir system calls.
AU-12 - Medium - CCI-000172 - V-234973 - SV-234973r991577_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-15-030740
Vuln IDs
  • V-234973
Rule IDs
  • SV-234973r991577_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary, since these affect performance. The more rules, the bigger the performance hit. The performance can be helped, however, by combining syscalls into one rule whenever possible.
Checks: C-38161r809476_chk

Verify the SUSE operating system generates an audit record for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. Check that the system calls are being audited by performing the following command: > sudo auditctl -l | grep 'unlink\|rename\|rmdir' -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k perm_mod If both the "b32" and "b64" audit rules are not defined for the "unlink", "unlinkat", "rename", "renameat", and "rmdir" syscalls, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38124r809558_fix

Configure the SUSE operating system to generate an audit record for all uses of the "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k perm_mod To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for the /run/utmp file.
AU-12 - Medium - CCI-000172 - V-234975 - SV-234975r991581_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-15-030760
Vuln IDs
  • V-234975
Rule IDs
  • SV-234975r991581_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-38163r619194_chk

Verify the SUSE operating system generates an audit record for the "/run/utmp" file. Check that the file is being audited by performing the following command: > sudo auditctl -l | grep -w '/run/utmp' -w /run/utmp -p wa -k login_mod If the command does not return a line that match the example, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38126r619195_fix

Configure the SUSE operating system to generate an audit record for the "/run/utmp" file. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -w /run/utmp -p wa -k login_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for the /var/log/wtmp file.
AU-12 - Medium - CCI-000172 - V-234976 - SV-234976r991581_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-15-030770
Vuln IDs
  • V-234976
Rule IDs
  • SV-234976r991581_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-38164r619197_chk

Verify the SUSE operating system generates an audit record for the "/var/log/wtmp" file. Check that the file is being audited by performing the following command: > sudo auditctl -l | grep -w '/var/log/wtmp' -w /var/log/wtmp -p wa -k login_mod If the command does not return a line that matches the example, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38127r619198_fix

Configure the SUSE operating system to generate an audit record for the "/var/log/wtmp" file. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -w /var/log/wtmp -p wa -k login_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must generate audit records for the /var/log/btmp file.
AU-12 - Medium - CCI-000172 - V-234977 - SV-234977r991581_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
SLES-15-030780
Vuln IDs
  • V-234977
Rule IDs
  • SV-234977r991581_rule
Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-38165r619200_chk

Verify the SUSE operating system generates an audit record for the "/var/log/btmp" file. Check that the file is being audited by performing the following command: > sudo auditctl -l | grep -w '/var/log/btmp' -w /var/log/btmp -p wa -k login_mod If the command does not return a line that matches the example, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix: F-38128r619201_fix

Configure the SUSE operating system to generate an audit record for the "/var/log/btmp" file. Add or update the following rules to "/etc/audit/rules.d/audit.rules": -w /var/log/btmp -p wa -k login_mod To reload the rules file, restart the audit daemon > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

b
The SUSE operating system must off-load audit records onto a different system or media from the system being audited.
AU-4 - Medium - CCI-001851 - V-234978 - SV-234978r959008_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
SLES-15-030790
Vuln IDs
  • V-234978
Rule IDs
  • SV-234978r959008_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-38166r619203_chk

Verify what action the audit system takes if it cannot off-load audit records to a different system or storage media from the SUSE operating system being audited. Check the action that the audit system takes in the event of a network failure with the following command: > sudo grep -i "network_failure_action" /etc/audisp/audisp-remote.conf network_failure_action = syslog If the "network_failure_action" option is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.

Fix: F-38129r619204_fix

Configure the SUSE operating system to take the appropriate action if it cannot off-load audit records to a different system or storage media from the system being audited due to a network failure. Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt". See the example below: network_failure_action = syslog

b
Audispd must take appropriate action when the SUSE operating system audit storage is full.
AU-4 - Medium - CCI-001851 - V-234979 - SV-234979r959008_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
SLES-15-030800
Vuln IDs
  • V-234979
Rule IDs
  • SV-234979r959008_rule
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-38167r619206_chk

Verify the audit system off-loads audit records if the SUSE operating system storage volume becomes full. Check that the records are properly off-loaded to a remote server with the following command: > sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf disk_full_action = syslog If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.

Fix: F-38130r619207_fix

Configure the SUSE operating system to take the appropriate action if the audit storage is full. Add, edit, or uncomment the "disk_full_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" as in the example below: disk_full_action = syslog

a
The SUSE operating system must use a separate file system for the system audit data path.
CM-6 - Low - CCI-000366 - V-234980 - SV-234980r991589_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
SLES-15-030810
Vuln IDs
  • V-234980
Rule IDs
  • SV-234980r991589_rule
The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.
Checks: C-38168r619209_chk

Verify that the SUSE operating system has a separate file system/partition for the system audit data path. Check that a file system/partition has been created for the system audit data path with the following command: Note: "/var/log/audit" is used as the example as it is a common location. > grep /var/log/audit /etc/fstab UUID=3645951a /var/log/audit ext4 defaults 1 2 If a separate entry for the system audit data path (in this example the "/var/log/audit" path) does not exist, ask the System Administrator if the system audit logs are being written to a different file system/partition on the system and then grep for that file system/partition. If a separate file system/partition does not exist for the system audit data path, this is a finding.

Fix: F-38131r619210_fix

Migrate the SUSE operating system audit data path onto a separate file system.

b
The SUSE operating system must not disable syscall auditing.
CM-6 - Medium - CCI-000366 - V-234981 - SV-234981r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-030820
Vuln IDs
  • V-234981
Rule IDs
  • SV-234981r991589_rule
By default, the SUSE operating system includes the "-a task,never" audit rule as a default. This rule suppresses syscall auditing for all tasks started with this rule in effect. Because the audit daemon processes the "audit.rules" file from the top down, this rule supersedes all other defined syscall rules; therefore no syscall auditing can take place on the operating system.
Checks: C-38169r619212_chk

Verify syscall auditing has not been disabled: > auditctl -l | grep -i "a task,never" If any results are returned, this is a finding. Verify the default rule "-a task,never" is not statically defined : > grep -rv "^#" /etc/audit/rules.d/ | grep -i "a task,never" If any results are returned, this is a finding.

Fix: F-38132r619213_fix

Remove the "-a task,never" rule from the /etc/audit/rules.d/audit.rules file. The audit daemon must be restarted for the changes to take effect. > sudo systemctl restart auditd.service

b
The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
CM-6 - Medium - CCI-000366 - V-234982 - SV-234982r991588_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-040000
Vuln IDs
  • V-234982
Rule IDs
  • SV-234982r991588_rule
Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.
Checks: C-38170r619215_chk

Verify the SUSE operating system enforces a delay of at least four seconds between logon prompts following a failed logon attempt. Check that the SUSE operating system enforces a delay of at least four seconds between logon prompts following a failed logon attempt with the following command: > grep FAIL_DELAY /etc/login.defs FAIL_DELAY 4 If the value of "FAIL_DELAY" is not set to "4", "FAIL_DELAY" is commented out, or "FAIL_DELAY" is missing, then this is a finding.

Fix: F-38133r619216_fix

Configure the SUSE operating system to enforce a delay of at least four seconds between logon prompts following a failed logon attempt. Add or update the following variable in "/etc/login.defs" to match the line below ("FAIL_DELAY" must have a value of "4" or higher): FAIL_DELAY 4

b
The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
CM-6 - Medium - CCI-000366 - V-234983 - SV-234983r991588_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-040010
Vuln IDs
  • V-234983
Rule IDs
  • SV-234983r991588_rule
The SUSE operating system must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
Checks: C-38171r619218_chk

Verify the SUSE operating system enforces a delay of at least four seconds between logon prompts following a failed logon attempt. > grep pam_faildelay /etc/pam.d/common-auth auth required pam_faildelay.so delay=4000000 If the value of "delay" is not set to "4000000", "delay" is commented out, "delay" is missing, or the "pam_faildelay" line is missing completely, this is a finding.

Fix: F-38134r619219_fix

Configure the SUSE operating system to enforce a delay of at least four seconds between logon prompts following a failed logon attempt. Edit the file "/etc/pam.d/common-auth". Add a parameter "pam_faildelay" and set it to: > delay is in micro seconds auth required pam_faildelay.so delay=4000000

c
There must be no .shosts files on the SUSE operating system.
CM-6 - High - CCI-000366 - V-234984 - SV-234984r991589_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SLES-15-040020
Vuln IDs
  • V-234984
Rule IDs
  • SV-234984r991589_rule
The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Checks: C-38172r619221_chk

Text: Verify there are no ".shosts" files on the SUSE operating system. Check the system for the existence of these files with the following command: > sudo find / \( -path /.snapshots -o -path /sys -o -path /proc \) -prune -o -name '.shosts' -print If any ".shosts" files are found on the system, this is a finding.

Fix: F-38135r619222_fix

Remove any ".shosts" files found on the SUSE operating system. > sudo rm /[path]/[to]/[file]/.shosts

c
There must be no shosts.equiv files on the SUSE operating system.
CM-6 - High - CCI-000366 - V-234985 - SV-234985r991589_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SLES-15-040030
Vuln IDs
  • V-234985
Rule IDs
  • SV-234985r991589_rule
The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Checks: C-38173r619224_chk

Verify there are no "shosts.equiv" files on the SUSE operating system. Check the system for the existence of these files with the following command: > sudo find /etc -name shosts.equiv If any "shosts.equiv" files are found on the system, this is a finding.

Fix: F-38136r619225_fix

Remove any "shosts.equiv" files found on the SUSE operating system. > sudo rm /[path]/[to]/[file]/shosts.equiv

a
The SUSE operating system file integrity tool must be configured to verify Access Control Lists (ACLs).
CM-6 - Low - CCI-000366 - V-234986 - SV-234986r991589_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
SLES-15-040040
Vuln IDs
  • V-234986
Rule IDs
  • SV-234986r991589_rule
ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.
Checks: C-38174r880968_chk

Verify that the SUSE operating system file integrity tool is configured to verify extended attributes. If there is no application installed to perform integrity checks, this is a finding. Check the "/etc/aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists. An example rule that includes the "acl" rule follows: All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux /bin All > apply the custom rule to the files in bin /sbin All > apply the same custom rule to the files in sbin If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

Fix: F-38137r619228_fix

Configure the SUSE operating system file integrity tool to check file and directory ACLs. If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.

a
The SUSE operating system file integrity tool must be configured to verify extended attributes.
CM-6 - Low - CCI-000366 - V-234987 - SV-234987r991589_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
SLES-15-040050
Vuln IDs
  • V-234987
Rule IDs
  • SV-234987r991589_rule
Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.
Checks: C-38175r880969_chk

Verify that the SUSE operating system file integrity tool is configured to verify extended attributes. If there is no application installed to perform integrity checks, this is a finding. Check the "/etc/aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists. An example rule that includes the "xattrs" rule follows: All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux /bin All > apply the custom rule to the files in bin /sbin All > apply the same custom rule to the files in sbin If the "xattrs" rule is not being used on all selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.

Fix: F-38138r619231_fix

Configure the SUSE operating system file integrity tool to check file and directory extended attributes. If AIDE is installed, ensure the "xattrs" rule is present on all file and directory selection lists.

c
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence.
CM-6 - High - CCI-000366 - V-234988 - SV-234988r991589_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SLES-15-040060
Vuln IDs
  • V-234988
Rule IDs
  • SV-234988r991589_rule
A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Checks: C-38176r619233_chk

Verify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. Check that the ctrl-alt-del.target is masked with the following command: > systemctl status ctrl-alt-del.target ctrl-alt-del.target Loaded: masked (/dev/null; maksed) Active: inactive (dead) If the ctrl-alt-del.target is not masked, this is a finding.

Fix: F-38139r619234_fix

Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: > sudo systemctl disable ctrl-alt-del.target > sudo systemctl mask ctrl-alt-del.target And reload the daemon to take effect > sudo systemctl daemon-reload

c
The SUSE operating system must disable the x86 Ctrl-Alt-Delete key sequence for Graphical User Interfaces.
CM-6 - High - CCI-000366 - V-234989 - SV-234989r991589_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SLES-15-040061
Vuln IDs
  • V-234989
Rule IDs
  • SV-234989r991589_rule
A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Checks: C-38177r619236_chk

Note: If a graphical user interface is not installed, this requirement is Not Applicable. Verify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed in the graphical user interface. Check that the dconf setting was disabled to allow the Ctrl-Alt-Delete sequence in the graphical user interface with the following command: Check the default logout key sequence: > sudo gsettings get org.gnome.settings-daemon.plugins.media-keys logout [''] Check that the value is not writable and cannot be changed by the user: > sudo gsettings writable org.gnome.settings-daemon.plugins.media-keys logout false If the logout value is not [''] and the writable status is not false, this is a finding.

Fix: F-38140r619237_fix

Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface. Create a database to contain the system-wide setting (if it does not already exist) with the following steps: 1. Create a user profile and with the listed content: /etc/dconf/profile/user user-db:user system-db:local 2. Create the following directories: > sudo mkdir -p /etc/dconf/db/local.d/ > sudo mkdir -p /etc/dconf/db/local.d/locks/ 3. Add the following files with the listed content: /etc/dconf/db/local.d/01-fips-settings [org/gnome/settings-daemon/plugins/media-keys] logout=[''] /etc/dconf/db/local.d/locks/01-fips-locks /org/gnome/settings-daemon/plugins/media-keys/logout 4. Update the dconf database: > sudo dconf update

c
The SUSE operating system must disable the systemd Ctrl-Alt-Delete burst key sequence.
CM-6 - High - CCI-000366 - V-234990 - SV-234990r991589_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
SLES-15-040062
Vuln IDs
  • V-234990
Rule IDs
  • SV-234990r991589_rule
A locally logged-on user, who presses Ctrl-Alt-Delete when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical user interface environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.
Checks: C-38178r619239_chk

Verify the SUSE operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: > sudo grep -i ctrl /etc/systemd/system.conf CtrlAltDelBurstAction=none If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding.

Fix: F-38141r619240_fix

Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: CtrlAltDelBurstAction=none Reload the daemon for this change to take effect > sudo systemctl daemon-reload

b
All SUSE operating system local interactive users must have a home directory assigned in the /etc/passwd file.
CM-6 - Medium - CCI-000366 - V-234991 - SV-234991r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-040070
Vuln IDs
  • V-234991
Rule IDs
  • SV-234991r991589_rule
If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
Checks: C-38179r619242_chk

Verify SUSE operating system local interactive users on the system have a home directory assigned. Check for missing local interactive user home directories with the following command: > sudo pwck -r user 'smithj': directory '/home/smithj' does not exist Ask the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command: > awk -F: '($3>=1000)&&($1!="nobody"){print $1 ":" $3}' /etc/passwd If any interactive users do not have a home directory assigned, this is a finding.

Fix: F-38142r619243_fix

Assign home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned. Assign a home directory to users via the usermod command: > sudo usermod -d /home/smithj smithj

b
All SUSE operating system local interactive user home directories defined in the /etc/passwd file must exist.
CM-6 - Medium - CCI-000366 - V-234992 - SV-234992r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-040080
Vuln IDs
  • V-234992
Rule IDs
  • SV-234992r991589_rule
If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
Checks: C-38180r619245_chk

Verify the assigned home directory of all SUSE operating system local interactive users on the system exists. Check the home directory assignment for all local interactive non-privileged users on the system with the following command: > awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $6}' /etc/passwd smithj /home/smithj Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. Check that all referenced home directories exist with the following command: > sudo pwck -r user 'smithj': directory '/home/smithj' does not exist If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.

Fix: F-38143r619246_fix

Create home directories to all SUSE operating system local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd". > sudo mkdir /home/smithj > sudo chown smithj /home/smithj > sudo chgrp users /home/smithj > sudo chmod 0750 /home/smithj

b
All SUSE operating system local interactive user home directories must have mode 0750 or less permissive.
CM-6 - Medium - CCI-000366 - V-234993 - SV-234993r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-040090
Vuln IDs
  • V-234993
Rule IDs
  • SV-234993r991589_rule
Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
Checks: C-38181r619248_chk

Verify the assigned home directory of all SUSE operating system local interactive users has a mode of "0750" or less permissive. Check the home directory assignment for all non-privileged users on the system with the following command: Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. > ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.

Fix: F-38144r619249_fix

Change the mode of SUSE operating system local interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj". > sudo chmod 0750 /home/smithj

b
All SUSE operating system local interactive user home directories must be group-owned by the home directory owner's primary group.
CM-6 - Medium - CCI-000366 - V-234994 - SV-234994r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-040100
Vuln IDs
  • V-234994
Rule IDs
  • SV-234994r991589_rule
If the Group Identifier (GID) of a local interactive user’s home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user’s files, and users that share the same group may not be able to access files that they legitimately should.
Checks: C-38182r619251_chk

Verify the assigned home directory of all SUSE operating system local interactive users is group-owned by that user's primary GID. Check the home directory assignment for all non-privileged users on the system with the following command: Note: This may miss local interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example. > awk -F: '($3>=1000)&&($7 !~ /nologin/){print $4, $6}' /etc/passwd) 250:/home/smithj Check the user's primary group with the following command: > grep users /etc/group users:x:250:smithj,jonesj,jacksons If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.

Fix: F-38145r619252_fix

Change the group owner of a SUSE operating system local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. > sudo chgrp users /home/smithj

b
All SUSE operating system local initialization files must have mode 0740 or less permissive.
CM-6 - Medium - CCI-000366 - V-234995 - SV-234995r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
SLES-15-040110
Vuln IDs
  • V-234995
Rule IDs
  • SV-234995r991589_rule
Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Checks: C-38183r619254_chk

Verify that all SUSE operating system local initialization files have a mode of "0740" or less permissive. Check the mode on all SUSE operating system local initialization files with the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". > sudo ls -al /home/smithj/.* | more -rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something If any local initialization files have a mode more permissive than "0740", this is a finding.

Fix: F-38146r619255_fix

Set the mode of SUSE operating system local initialization files to "0740" with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". > sudo chmod 0740 /home/smithj/.<INIT_FILE>

b
All SUSE operating system local interactive user initialization files executable search paths must contain only paths that resolve to the users home directory.