VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide

Version

VROM-SL-000175

Vuln IDs

V-239461
V-88393

Rule IDs

SV-239461r767694_rule
SV-99043

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42694r661832_chk

Check the auditing configuration of the system: # cat /etc/audit/audit.rules | grep -i "auditd.conf" If no results are returned, or the line does not start with "-w", this is a finding. Expected Result: -w /etc/audit/auditd.conf

Fix: F-42653r661833_fix

Add the following lines to the "audit.rules" file to enable auditing of administrative, privileged, and security actions: echo '-w /etc/audit/auditd.conf' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize audit system must be configured to audit all attempts to alter system time through adjtimex.

AU-12 - Medium - CCI-000169 - V-239462 - SV-239462r767695_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000180

Vuln IDs

V-239462
V-88395

Rule IDs

SV-239462r767695_rule
SV-99045

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42695r661835_chk

Check if SLES for vRealize system is configured to audit calls to the "adjtimex" system call, run the following command: # grep -w "adjtimex" /etc/audit/audit.rules If SLES for vRealize is configured to audit time changes, it will return at least two lines containing "-S adjtimex" that also contain "arch=b64". If no line is returned, this is a finding.

Fix: F-42654r661836_fix

Run the following command: echo '-a exit,always -F arch=b64 -S adjtimex -F auid=0' >> /etc/audit/audit.rules echo '-a exit,always -F arch=b64 -S adjtimex -F auid>=500 -F auid!=4294967295' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize audit system must be configured to audit all attempts to alter system time through settimeofday.

AU-12 - Medium - CCI-000169 - V-239463 - SV-239463r767696_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000185

Vuln IDs

V-239463
V-88397

Rule IDs

SV-239463r767696_rule
SV-99047

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42696r661838_chk

Check if SLES for vRealize is configured to audit calls to the "settimeofday" system call, run the following command: # grep -w "settimeofday" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least two lines containing "-S settimeofday" that also contain "arch=b64". If no line is returned, this is a finding.

Fix: F-42655r661839_fix

Run the following command: echo '-a exit,always -F arch=b64 -S settimeofday -F auid=0' >> /etc/audit/audit.rules echo '-a exit,always -F arch=b64 -S settimeofday -F auid>=500 -F auid!=4294967295' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize audit system must be configured to audit all attempts to alter system time through stime.

AU-12 - Medium - CCI-000169 - V-239464 - SV-239464r767697_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000190

Vuln IDs

V-239464
V-88399

Rule IDs

SV-239464r767697_rule
SV-99049

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42697r661841_chk

Check if SLES for vRealize is configured to audit calls to the "settimeofday" system call, run the following command: # grep -w "stime" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least two lines containing "-S settimeofday" that also contain "arch=b64". If no line is returned, this is a finding.

Fix: F-42656r661842_fix

Run the following command: echo '-a exit,always -F arch=b64 -S stime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize audit system must be configured to audit all attempts to alter system time through clock_settime.

AU-12 - Medium - CCI-000169 - V-239465 - SV-239465r767698_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000195

Vuln IDs

V-239465
V-88401

Rule IDs

SV-239465r767698_rule
SV-99051

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the operating system will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42698r661844_chk

Check if SLES for vRealize is configured to audit calls to the "clock_settime" system call, run the following command: # grep -w "clock_settime" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least a line containing "-S clock_settime" that also contain "arch=b64". If no line is returned, this is a finding.

Fix: F-42657r661845_fix

Run the following command: echo '-a exit,always -F arch=b64 -S clock_settime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize audit system must be configured to audit all attempts to alter system time through /etc/localtime.

AU-12 - Medium - CCI-000169 - V-239466 - SV-239466r767699_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000200

Vuln IDs

V-239466
V-88403

Rule IDs

SV-239466r767699_rule
SV-99053

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42699r661847_chk

To determine if SLES for vRealize is configured to audit attempts to alter time via the /etc/localtime file, run the following command: # auditctl -l | grep "watch=/etc/localtime" If SLES for vRealize is configured to audit this activity, it will return a line. LIST_RULES: exit,always watch=/etc/localtime perm=wa key=localtime If no line is returned, this is a finding.

Fix: F-42658r661848_fix

To configure the SLES for vRealize to audit attempts to alter time via the /etc/localtime file, run the following command: echo '-w /etc/localtime -p wa -k localtime' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize audit system must be configured to audit all attempts to alter the system through sethostname.

AU-12 - Medium - CCI-000169 - V-239467 - SV-239467r767700_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000205

Vuln IDs

V-239467
V-88405

Rule IDs

SV-239467r767700_rule
SV-99055

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the SLES for vRealize is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42700r661850_chk

Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "sethostname" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return at least one line. If no line is returned, this is a finding.

Fix: F-42659r661851_fix

Run the following command: # echo '-a exit,always -F arch=b64 -S sethostname' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize audit system must be configured to audit all attempts to alter the system through setdomainname.

AU-12 - Medium - CCI-000169 - V-239468 - SV-239468r767701_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000210

Vuln IDs

V-239468
V-88407

Rule IDs

SV-239468r767701_rule
SV-99057

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42701r661853_chk

Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "setdomainname" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return a line. If no line is returned, this is a finding.

Fix: F-42660r661854_fix

Run the following command: # echo '-a exit,always -F arch=b64 -S setdomainname' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must be configured to audit all attempts to alter the system through sched_setparam.

AU-12 - Medium - CCI-000169 - V-239469 - SV-239469r767702_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000215

Vuln IDs

V-239469
V-88409

Rule IDs

SV-239469r767702_rule
SV-99059

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42702r661856_chk

Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "sched_setparam" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return a line. If no line is returned, this is a finding.

Fix: F-42661r661857_fix

Run the following command: echo '-a exit,always -F arch=b64 -S sched_setparam' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must be configured to audit all attempts to alter the system through sched_setscheduler.

AU-12 - Medium - CCI-000169 - V-239470 - SV-239470r767703_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000220

Vuln IDs

V-239470
V-88411

Rule IDs

SV-239470r767703_rule
SV-99061

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42703r661859_chk

Check if SLES for vRealize is configured to audit calls to the "sethostname" system call, run the following command: # grep -w "sched_setscheduler" /etc/audit/audit.rules If SLES for vRealize is configured to audit this activity, it will return a line. If no line is returned, this is a finding.

Fix: F-42662r661860_fix

Run the following command: echo '-a exit,always -F arch=b64 -S sched_setscheduler' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must be configured to audit all attempts to alter /var/log/faillog.

AU-12 - Medium - CCI-000169 - V-239471 - SV-239471r767704_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000225

Vuln IDs

V-239471
V-88413

Rule IDs

SV-239471r767704_rule
SV-99063

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42704r661862_chk

Verify that attempts to alter the log files /var/log/faillog are audited: # egrep "faillog" /etc/audit/audit.rules If "-w /var/log/faillog -p wa" entry does not exist, this is a finding.

Fix: F-42663r661863_fix

Ensure attempts to alter /var/log/faillog are audited by modifying /etc/audit/audit.rules to contain "-w /var/log/faillog -p wa" with the following command: echo '-w /var/log/faillog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must be configured to audit all attempts to alter /var/log/lastlog.

AU-12 - Medium - CCI-000169 - V-239472 - SV-239472r767705_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000230

Vuln IDs

V-239472
V-88415

Rule IDs

SV-239472r767705_rule
SV-99065

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42705r661865_chk

Verify that attempts to alter the log files /var/log/lastlog are audited: # egrep "lastlog" /etc/audit/audit.rules If "-w /var/log/lastlog -p wa" entry does not exist, this is a finding.

Fix: F-42664r661866_fix

Ensure attempts to alter /var/log/lastlog are audited by modifying /etc/audit/audit.rules to contain "-w /var/log/lastlog -p wa" with the following command: echo '-w /var/log/lastlog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must be configured to audit all attempts to alter /var/log/tallylog.

AU-12 - Medium - CCI-000169 - V-239473 - SV-239473r767706_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000235

Vuln IDs

V-239473
V-88417

Rule IDs

SV-239473r767706_rule
SV-99067

Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records. DoD has defined the list of events for which the SLES for vRealize will provide an audit record generation capability as the following: 1) Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information (e.g., classification levels); 2) Access actions, such as successful and unsuccessful logon attempts, privileged activities or other system-level access, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, and all direct access to the information system; 3) All account creations, modifications, disabling, and terminations; and 4) All kernel module load, unload, and restart actions.

Checks: C-42706r661868_chk

Verify that attempts to alter the log files /var/log/tallylog are audited: # egrep "tallylog" /etc/audit/audit.rules If "-w /var/log/tallylog -p wa" entry does not exist, this is a finding.

Fix: F-42665r661869_fix

Ensure attempts to alter /var/log/tallylog are audited by modifying /etc/audit/audit.rules to contain "-w /var/log/tallylog -p wa" with the following command: echo '-w /var/log/tallylog -p wa' >> /etc/audit/audit.rules Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - Permissions.

AU-12 - Medium - CCI-000171 - V-239474 - SV-239474r661873_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000171

Version

VROM-SL-000240

Vuln IDs

V-239474
V-88419

Rule IDs

SV-239474r661873_rule
SV-99069

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-42707r661871_chk

Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the permissions of the file is not set to "640", this is a finding.

Fix: F-42666r661872_fix

Change the permissions of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chmod 640 /etc/audit/audit.rules.STIG # chmod 640 /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chmod 640 /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - ownership.

AU-12 - Medium - CCI-000171 - V-239475 - SV-239475r661876_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000171

Version

VROM-SL-000245

Vuln IDs

V-239475
V-88421

Rule IDs

SV-239475r661876_rule
SV-99071

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-42708r661874_chk

Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the ownership is not set to "root", this is a finding.

Fix: F-42667r661875_fix

Change the ownership of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chown root /etc/audit/audit.rules.STIG # chown root /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chown root /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - group ownership.

AU-12 - Medium - CCI-000171 - V-239476 - SV-239476r661879_rule

RMF Control

AU-12

Severity

M

CCI

CCI-000171

Version

VROM-SL-000250

Vuln IDs

V-239476
V-88423

Rule IDs

SV-239476r661879_rule
SV-99073

Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Checks: C-42709r661877_chk

Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the group owner is not set to "root", this is a finding.

Fix: F-42668r661878_fix

Change the group ownership of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chgrp root /etc/audit/audit.rules.STIG # chgrp root /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chgrp root /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The operating system must generate audit records for all discretionary access control permission modifications using chmod.

AU-12 - Medium - CCI-000172 - V-239477 - SV-239477r661882_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000255

Vuln IDs

V-239477
V-88425

Rule IDs

SV-239477r661882_rule
SV-99075

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42710r661880_chk

To determine if the system is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42669r661881_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chown.

AU-12 - Medium - CCI-000172 - V-239478 - SV-239478r661885_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000260

Vuln IDs

V-239478
V-88427

Rule IDs

SV-239478r661885_rule
SV-99077

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42711r661883_chk

To determine if the SLES for vRealize is configured to audit calls to the "chown" system call, run the following command: # auditctl -l | grep syscall | grep chown If the SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42670r661884_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chown -F auid=0 -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmod.

AU-12 - Medium - CCI-000172 - V-239479 - SV-239479r661888_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000265

Vuln IDs

V-239479
V-88429

Rule IDs

SV-239479r661888_rule
SV-99079

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42712r661886_chk

To determine if SLES for vRealize is configured to audit calls to the "fchmod" system call, run the following command: # auditctl -l | grep syscall | grep fchmod If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42671r661887_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchmod -F auid=0 -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmodat.

AU-12 - Medium - CCI-000172 - V-239480 - SV-239480r661891_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000270

Vuln IDs

V-239480
V-88431

Rule IDs

SV-239480r661891_rule
SV-99081

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42713r661889_chk

To determine if SLES for vRealize is configured to audit calls to the "fchmodat" system call, run the following command: # auditctl -l | grep syscall | grep fchmodat If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42672r661890_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchmodat -F auid=0 -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchown.

AU-12 - Medium - CCI-000172 - V-239481 - SV-239481r661894_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000275

Vuln IDs

V-239481
V-88433

Rule IDs

SV-239481r661894_rule
SV-99083

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42714r661892_chk

To determine if SLES for vRealize is configured to audit calls to the "fchown" system call, run the following command: # auditctl -l | grep syscall | grep fchown If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42673r661893_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchown -F auid=0 -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchownat.

AU-12 - Medium - CCI-000172 - V-239482 - SV-239482r661897_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000280

Vuln IDs

V-239482
V-88435

Rule IDs

SV-239482r661897_rule
SV-99085

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42715r661895_chk

To determine if SLES for vRealize is configured to audit calls to the "fchownat" system call, run the following command: # auditctl -l | grep syscall | grep fchownat If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42674r661896_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchownat -F auid=0 -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fremovexattr.

AU-12 - Medium - CCI-000172 - V-239483 - SV-239483r661900_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000285

Vuln IDs

V-239483
V-88437

Rule IDs

SV-239483r661900_rule
SV-99087

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42716r661898_chk

To determine if SLES for vRealize is configured to audit calls to the "fremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep fremovexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42675r661899_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fremovexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fsetxattr.

AU-12 - Medium - CCI-000172 - V-239484 - SV-239484r661903_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000290

Vuln IDs

V-239484
V-88439

Rule IDs

SV-239484r661903_rule
SV-99089

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42717r661901_chk

To determine if SLES for vRealize is configured to audit calls to the "fsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep fsetxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42676r661902_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fsetxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lchown.

AU-12 - Medium - CCI-000172 - V-239485 - SV-239485r661906_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000295

Vuln IDs

V-239485
V-88441

Rule IDs

SV-239485r661906_rule
SV-99091

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42718r661904_chk

To determine if SLES for vRealize is configured to audit calls to the "lchown" system call, run the following command: # auditctl -l | grep syscall | grep lchown If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42677r661905_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lchown Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lremovexattr.

AU-12 - Medium - CCI-000172 - V-239486 - SV-239486r661909_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000300

Vuln IDs

V-239486
V-88443

Rule IDs

SV-239486r661909_rule
SV-99093

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42719r661907_chk

To determine if SLES for vRealize is configured to audit calls to the "lremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep lremovexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42678r661908_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lremovexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lsetxattr.

AU-12 - Medium - CCI-000172 - V-239487 - SV-239487r661912_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000305

Vuln IDs

V-239487
V-88445

Rule IDs

SV-239487r661912_rule
SV-99095

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42720r661910_chk

To determine if SLES for vRealize is configured to audit calls to the "lsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep lsetxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42679r661911_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lsetxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using removexattr.

AU-12 - Medium - CCI-000172 - V-239488 - SV-239488r661915_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000310

Vuln IDs

V-239488
V-88447

Rule IDs

SV-239488r661915_rule
SV-99097

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42721r661913_chk

To determine if SLES for vRealize is configured to audit calls to the "removexattr" system call, run the following command: # auditctl -l | grep syscall | grep removexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42680r661914_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S removexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using setxattr.

AU-12 - Medium - CCI-000172 - V-239489 - SV-239489r661918_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000315

Vuln IDs

V-239489
V-88449

Rule IDs

SV-239489r661918_rule
SV-99099

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42722r661916_chk

To determine if SLES for vRealize is configured to audit calls to the "setxattr" system call, run the following command: # auditctl -l | grep syscall | grep setxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42681r661917_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S setxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all failed attempts to access files and programs.

AU-12 - Medium - CCI-000172 - V-239490 - SV-239490r661921_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-000320

Vuln IDs

V-239490
V-88451

Rule IDs

SV-239490r661921_rule
SV-99101

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42723r661919_chk

To check that the SLES for vRealize audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules -a exit,always -F arch=b64 -S swapon -F exit=-EACCES -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b64 -S open -F exit=-EACCES # grep EPERM /etc/audit/audit.rules -a exit,always -F arch=b64 -S swapon -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EPERM If either command lacks output, this is a finding.

Fix: F-42682r661920_fix

Add the following to "/etc/audit/audit.rules": -a exit,always -F arch=b64 -S swapon -F exit=-EACCES -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b64 -S open -F exit=-EACCES -a exit,always -F arch=b64 -S swapon -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EPERM Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b

The SLES for vRealize must enforce password complexity by requiring that at least one upper-case character be used.

IA-5 - Medium - CCI-000192 - V-239491 - SV-239491r661924_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000192

Version

VROM-SL-000340

Vuln IDs

V-239491
V-88453

Rule IDs

SV-239491r661924_rule
SV-99103

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-42724r661922_chk

Check SLES for vRealize enforces password complexity by requiring that at least one upper-case character be used by using the following command: # grep ucredit /etc/pam.d/common-password-vmware.local If "ucredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3

Fix: F-42683r661923_fix

If ucredit was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ ucredit=-1/' /etc/pam.d/common-password-vmware.local If "ucredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/ucredit=../ucredit=-1/' /etc/pam.d/common-password-vmware.local

b

Global settings defined in common- {account,auth,password,session} must be applied in the pam.d definition files.

IA-5 - Medium - CCI-000192 - V-239492 - SV-239492r661927_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000192

Version

VROM-SL-000345

Vuln IDs

V-239492
V-88455

Rule IDs

SV-239492r661927_rule
SV-99105

Pam global requirements are generally defined in the common-account, common-auth, common- password and common-session files located in the /etc/pam.d directory. In order for the requirements to be applied the file(s) containing them must be included directly or indirectly in each program's definition file in /etc/pam.d.

Checks: C-42725r661925_chk

Verify that common-{account, auth, password, session} settings are being applied: Verify that local customization has occurred in the common- {account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility. The files "/etc/pam.d/common-{account,auth,password,session} -pc" are autogenerated by "pam-config". Any manual changes made to them will be lost if "pam-config" is allowed to run. # ls -l /etc/pam.d/common-{account,auth,password,session} If the symlinks point to "/etc/pam.d/common- {account,auth,password,session}-pc" and manual updates have been made in these files, the updates cannot be protected if pam-config is enabled. # ls -l /usr/sbin/pam-config If the setting for pam-config is not "000", this is a finding.

Fix: F-42684r661926_fix

In the default distribution of SLES 11 "/etc/pam.d/common- {account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common- {account,auth,password,session}-pc" files. These common- {account,auth,password,session}-pc files are autogenerated by the pam-config utility. Edit /usr/sbin/pam-config permissions to prevent its use: # chmod 000 /usr/sbin/pam-config

b

The SLES for vRealize must enforce password complexity by requiring that at least one lower-case character be used.

IA-5 - Medium - CCI-000193 - V-239493 - SV-239493r661930_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000193

Version

VROM-SL-000350

Vuln IDs

V-239493
V-88457

Rule IDs

SV-239493r661930_rule
SV-99107

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-42726r661928_chk

Verify SLES for vRealize enforces password complexity by requiring that at least one lower-case character be used by using the following command: # grep lcredit /etc/pam.d/common-password-vmware.local If "lcredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3

Fix: F-42685r661929_fix

If lcredit was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ lcredit=-1/' /etc/pam.d/common-password-vmware.local If "lcredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/lcredit=../lcredit=-1/' /etc/pam.d/common-password-vmware.local

b

The SLES for vRealize must enforce password complexity by requiring that at least one numeric character be used.

IA-5 - Medium - CCI-000194 - V-239494 - SV-239494r661933_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000194

Version

VROM-SL-000355

Vuln IDs

V-239494
V-88459

Rule IDs

SV-239494r661933_rule
SV-99109

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Checks: C-42727r661931_chk

Check that SLES for vRealize enforces password complexity by requiring that at least one numeric character be used by running the following command: # grep dcredit /etc/pam.d/common-password-vmware.local If "dcredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3

Fix: F-42686r661932_fix

If dcredit was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ dcredit=-1/' /etc/pam.d/common-password-vmware.local If "dcredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/dcredit=../dcredit=-1/' /etc/pam.d/common-password-vmware.local

b

The SLES for vRealize must require the change of at least eight of the total number of characters when passwords are changed.

IA-5 - Medium - CCI-000195 - V-239495 - SV-239495r661936_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000195

Version

VROM-SL-000360

Vuln IDs

V-239495
V-88461

Rule IDs

SV-239495r661936_rule
SV-99111

If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.

Checks: C-42728r661934_chk

Check that at least eight characters need to be changed between old and new passwords during a password change by running the following command: # grep pam_cracklib /etc/pam.d/common-password-vmware.local The "difok" parameter indicates how many characters must be different. The DoD requires at least eight characters to be different during a password change. This would appear as "difok=8". If "difok" is not found or not set to at least "8", this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=8 retry=3

Fix: F-42687r661935_fix

If "difok" was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ difok-8/' /etc/pam.d/common-password-vmware.local If "difok" was set incorrectly, run the following command to set it to "8": # sed -i '/pam_cracklib.so/ s/difok=./difok=8/' /etc/pam.d/common-password-vmware.local

c

The SLES for vRealize must store only encrypted representations of passwords.

IA-5 - High - CCI-000196 - V-239496 - SV-239496r661939_rule

RMF Control

IA-5

Severity

H

CCI

CCI-000196

Version

VROM-SL-000365

Vuln IDs

V-239496
V-88463

Rule IDs

SV-239496r661939_rule
SV-99113

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

Checks: C-42729r661937_chk

Check that the user account passwords are stored hashed using sha512 by running the following command: # cat /etc/default/passwd | grep CRYPT=sha512 If "CRYPT=sha512" is not listed, this is a finding.

Fix: F-42688r661938_fix

Ensure password are being encrypted with hash sha512 with the following command: # echo 'CRYPT=sha512'>>/etc/default/passwd

b

SLES for vRealize must enforce 24 hours/1 day as the minimum password lifetime.

IA-5 - Medium - CCI-000198 - V-239497 - SV-239497r661942_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000198

Version

VROM-SL-000375

Vuln IDs

V-239497
V-88465

Rule IDs

SV-239497r661942_rule
SV-99115

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Checks: C-42730r661940_chk

To check that SLES for vRealize enforces 24 hours/1 day as the minimum password age, run the following command: # grep PASS_MIN_DAYS /etc/login.defs | grep -v '#' The DoD requirement is "1". If "PASS_MIN_DAYS" is not set to the required value, this is a finding.

Fix: F-42689r661941_fix

To configure SLES for vRealize to enforce 24 hours/1 day as the minimum password age, edit the file "/etc/login.defs" with the following command: # sed -i "/^[^#]*PASS_MIN_DAYS/ c\PASS_MIN_DAYS 1" /etc/login.defs

b

Users must not be able to change passwords more than once every 24 hours.

IA-5 - Medium - CCI-000198 - V-239498 - SV-239498r661945_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000198

Version

VROM-SL-000380

Vuln IDs

V-239498
V-88467

Rule IDs

SV-239498r661945_rule
SV-99117

Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Checks: C-42731r661943_chk

Check the minimum time period between password changes for each user account is "1" day. # cat /etc/shadow | cut -d ':' -f1,4 | grep -v 1 | grep -v ":$" If any results are returned, this is a finding.

Fix: F-42690r661944_fix

Change the minimum time period between password changes for each [USER] account to "1" day. The command in the check text will give you a list of users that need to be updated to be in compliance. # passwd -n 1 [USER]

b

SLES for vRealize must enforce a 60-day maximum password lifetime restriction.

IA-5 - Medium - CCI-000199 - V-239499 - SV-239499r661948_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000199

Version

VROM-SL-000385

Vuln IDs

V-239499
V-88469

Rule IDs

SV-239499r661948_rule
SV-99119

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLES for vRealize does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLES for vRealize passwords could be compromised.

Checks: C-42732r661946_chk

To check that SLES for vRealize enforces a "60" days or less maximum password age, run the following command: # grep PASS_MAX_DAYS /etc/login.defs | grep -v "#" The DoD requirement is "60" days or less (Greater than zero, as zero days will lock the account immediately). If "PASS_MAX_DAYS" is not set to the required value, this is a finding.

Fix: F-42691r661947_fix

To configure SLES for vRealize to enforce a "60" day or less maximum password age, edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days. # sed -i "/^[^#]*PASS_MAX_DAYS/ c\PASS_MAX_DAYS 60" /etc/login.defs The DoD requirement is "60" days or less (Greater than zero, as zero days will lock the account immediately).

b

User passwords must be changed at least every 60 days.

IA-5 - Medium - CCI-000199 - V-239500 - SV-239500r661951_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000199

Version

VROM-SL-000390

Vuln IDs

V-239500
V-88471

Rule IDs

SV-239500r661951_rule
SV-99121

Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLES for vRealize does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLES for vRealize passwords could be compromised.

Checks: C-42733r661949_chk

Check the max days field of "/etc/shadow" by running the following command: # cat /etc/shadow | cut -d':' -f1,5 | egrep -v "([0|60])" | grep -v ":$" If any results are returned, this is a finding.

Fix: F-42692r661950_fix

Set the maximum time period between password changes for each [USER] account to "60" days. The command in the check text will give you a list of users that need to be updated to be in compliance. # passwd -x 60 [USER] The DoD requirement is "60" days.

b

The SLES for vRealize must prohibit password reuse for a minimum of five generations.

IA-5 - Medium - CCI-000200 - V-239501 - SV-239501r661954_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000200

Version

VROM-SL-000395

Vuln IDs

V-239501
V-88473

Rule IDs

SV-239501r661954_rule
SV-99123

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Checks: C-42734r661952_chk

Verify that SLES for vRealize prohibits the reuse of a password for a minimum of five generations, by running the following commands: # grep pam_pwhistory.so /etc/pam.d/common-password-vmware.local If the "remember" option in "/etc/pam.d/common-password-vmware.local" file is not "5" or greater, this is a finding.

Fix: F-42693r661953_fix

Configure pam to use password history. If the "remember" option was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ remember=5/' /etc/pam.d/common-password-vmware.local If "remember" option was set incorrectly, run the following command to set it to "5": # sed -i '/pam_cracklib.so/ s/remember=./remember=5/' /etc/pam.d/common-password-vmware.local

b

The SLES for vRealize must prohibit password reuse for a minimum of five generations. Ensure the old passwords are being stored.

IA-5 - Medium - CCI-000200 - V-239502 - SV-239502r661957_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000200

Version

VROM-SL-000400

Vuln IDs

V-239502
V-88475

Rule IDs

SV-239502r661957_rule
SV-99125

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.

Checks: C-42735r661955_chk

Verify that the old password file, "opasswd", exists, by running the following command: # ls /etc/security/opasswd If "/etc/security/opasswd" file does not exist, this is a finding.

Fix: F-42694r661956_fix

Create the password history file. # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd

b

The SLES for vRealize must enforce a minimum 15-character password length.

IA-5 - Medium - CCI-000205 - V-239503 - SV-239503r661960_rule

RMF Control

IA-5

Severity

M

CCI

CCI-000205

Version

VROM-SL-000405

Vuln IDs

V-239503
V-88477

Rule IDs

SV-239503r661960_rule
SV-99127

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Checks: C-42736r661958_chk

Verify that SLES for vRealize enforces a minimum 15-character password length, by running the following command: # grep pam_cracklib /etc/pam.d/common-password-vmware.local # grep pam_cracklib /etc/pam.d/common-password If the result does not contain "minlen=15" or higher, this is a finding.

Fix: F-42695r661959_fix

If "minlen" was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ minlen=15/' /etc/pam.d/common-password-vmware.local If "minlen" was set incorrectly, run the following command to set it to "15": # sed -i '/pam_cracklib.so/ s/minlen=../minlen=15/' /etc/pam.d/common-password-vmware.local

b

The SLES for vRealize must require root password authentication upon booting into single-user mode.

AC-3 - Medium - CCI-000213 - V-239504 - SV-239504r661963_rule

RMF Control

AC-3

Severity

M

CCI

Version

VROM-SL-000415

Vuln IDs

V-239504
V-88479

Rule IDs

SV-239504r661963_rule
SV-99129

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.

Checks: C-42737r661961_chk

Verify that root password is required for single user mode logon with the following command: # grep sulogin /etc/inittab Expected result: ~~:S:respawn:/sbin/sulogin If the expected result is not displayed, this is a finding.

Fix: F-42696r661962_fix

Configure SLES for vRealize to require root password login with single user mode use the following command: # echo '~~:S:respawn:/sbin/sulogin' >> /etc/inittab

b

Bootloader authentication must be enabled to prevent users without privilege to gain access restricted file system resources.

AC-3 - Medium - CCI-000213 - V-239505 - SV-239505r661966_rule

RMF Control

AC-3

Severity

M

CCI

Version

VROM-SL-000420

Vuln IDs

V-239505
V-88481

Rule IDs

SV-239505r661966_rule
SV-99131

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.

Checks: C-42738r661964_chk

To verify a boot password exists. In "/boot/grub/menu.lst" run the following command: # grep password /boot/grub/menu.lst The output should show the following: password --encrypted $1$[rest-of-the-password-hash] If it does not, this is a finding.

Fix: F-42697r661965_fix

Run the following command: # /usr/sbin/grub-md5-crypt An MD5 password is generated. After the password is supplied, the command supplies the md5 hash output. Append the password to the menu.lst file by running the following command: echo 'password --md5 <hash from grub-md5-crypt>' >> /boot/grub/menu.lst Or use "yast2" to set the bootloader password: Open the Boot Loader Installation tab. Click Boot Loader Options. Activate the Protect Boot Loader with Password option with a click and type in your Password twice. Click "OK" twice to save the changes.

b

The SLES for the vRealize boot loader configuration file(s) must have mode 0600 or less permissive.

AC-3 - Medium - CCI-000213 - V-239506 - SV-239506r661969_rule

RMF Control

AC-3

Severity

M

CCI

Version

VROM-SL-000425

Vuln IDs

V-239506
V-88483

Rule IDs

SV-239506r661969_rule
SV-99133

File permissions more permissive than 0600 on boot loader configuration files could allow an unauthorized user to view or modify sensitive information pertaining to system boot instructions.

Checks: C-42739r661967_chk

Check the /boot/grub/menu.lst file: # stat /boot/grub/menu.lst If "/boot/grub/menu.lst" has a mode more permissive than "0600", this is a finding.

Fix: F-42698r661968_fix

Change the mode of the "/boot/grub/menu.lst" file to "0600": # chmod 0600 /boot/grub/menu.lst

b

The SLES for the vRealize boot loader configuration files must be owned by root.

AC-3 - Medium - CCI-000213 - V-239507 - SV-239507r661972_rule

RMF Control

AC-3

Severity

M

CCI

Version

VROM-SL-000430

Vuln IDs

V-239507
V-88485

Rule IDs

SV-239507r661972_rule
SV-99135

The SLES for vRealize’s boot loader configuration files are critical to the integrity of the system and must be protected. Unauthorized modification of these files resulting from improper ownership could compromise the system's boot loader configuration.

Checks: C-42740r661970_chk

Check "/boot/grub/menu.lst" file ownership: # stat /boot/grub/menu.lst If the owner of the file is not "root", this is a finding.

Fix: F-42699r661971_fix

Change the ownership of the "/boot/grub/menu.lst" file: # chown root /boot/grub/menu.lst

b

The SLES for the vRealize boot loader configuration file(s) must be group-owned by root, bin, sys, or system.

AC-3 - Medium - CCI-000213 - V-239508 - SV-239508r661975_rule

RMF Control

AC-3

Severity

M

CCI

Version

VROM-SL-000435

Vuln IDs

V-239508
V-88487

Rule IDs

SV-239508r661975_rule
SV-99137

The SLES for vRealize’s boot loader configuration files are critical to the integrity of the system and must be protected. Unauthorized modifications resulting from improper group ownership may compromise the boot loader configuration.

Checks: C-42741r661973_chk

Check "/boot/grub/menu.lst" file ownership: # stat /boot/grub/menu.lst If the group-owner of the file is not "root", "bin", "sys", or "system", this is a finding.

Fix: F-42700r661974_fix

Change the group-ownership of the "/boot/grub/menu.lst" file: # chgrp root /boot/grub/menu.lst

b

The Bluetooth protocol handler must be disabled or not installed.

CM-7 - Medium - CCI-000381 - V-239509 - SV-239509r661978_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000440

Vuln IDs

V-239509
V-88489

Rule IDs

SV-239509r661978_rule
SV-99139

Bluetooth is a personal area network (PAN) technology. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol.

Checks: C-42742r661976_chk

Verify the Bluetooth protocol handler is prevented from dynamic loading: # grep "install bluetooth /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42701r661977_fix

Prevent the Bluetooth protocol handler for dynamic loading: # echo "install bluetooth /bin/true" >> /etc/modprobe.conf.local

b

The SLES for vRealize must have USB Mass Storage disabled unless needed.

CM-7 - Medium - CCI-000381 - V-239510 - SV-239510r661981_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000445

Vuln IDs

V-239510
V-88491

Rule IDs

SV-239510r661981_rule
SV-99141

USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.

Checks: C-42743r661979_chk

If SLES for vRealize needs USB storage, this vulnerability is not applicable. Check if the "usb-storage" module is prevented from loading: # grep "install usb-storage /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no results are returned, this is a finding.

Fix: F-42702r661980_fix

Prevent the "usb-storage" module from loading: # echo "install usb-storage /bin/true" >> /etc/modprobe.conf.local

b

The SLES for vRealize must have USB disabled unless needed.

CM-7 - Medium - CCI-000381 - V-239511 - SV-239511r661984_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000450

Vuln IDs

V-239511
V-88493

Rule IDs

SV-239511r661984_rule
SV-99143

USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.

Checks: C-42744r661982_chk

If SLES for vRealize needs USB, this vulnerability is not applicable. Check if the directory "/proc/bus/usb exists". If the directory "/proc/bus/usb exists", this is a finding.

Fix: F-42703r661983_fix

Edit the grub bootloader file, "/boot/grub/menu.lst" file, by appending the "nousb" parameter to the kernel boot line.

b

The telnet-server package must not be installed.

CM-7 - Medium - CCI-000381 - V-239512 - SV-239512r661987_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000455

Vuln IDs

V-239512
V-88495

Rule IDs

SV-239512r661987_rule
SV-99145

Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation.

Checks: C-42745r661985_chk

Check if "telnet-server" package is installed: # rpm -q telnet-server If there is a "telnet-server" package listed, this is a finding.

Fix: F-42704r661986_fix

To remove the "telnet-server" package use the following command: rpm -e telnet-server

b

The rsh-server package must not be installed.

CM-7 - Medium - CCI-000381 - V-239513 - SV-239513r661990_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000460

Vuln IDs

V-239513
V-88497

Rule IDs

SV-239513r661990_rule
SV-99147

The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.

Checks: C-42746r661988_chk

Check if "rsh-server" package is installed: # rpm -q rsh-server If there is a "rsh-server" package listed, this is a finding.

Fix: F-42705r661989_fix

To remove the "telnet-server" package use the following command: rpm -e rsh-server

b

The ypserv package must not be installed.

CM-7 - Medium - CCI-000381 - V-239514 - SV-239514r661993_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000465

Vuln IDs

V-239514
V-88499

Rule IDs

SV-239514r661993_rule
SV-99149

Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.

Checks: C-42747r661991_chk

Check if "ypserv" package is installed: # rpm -q ypserv If there is a "ypserv" package listed, this is a finding.

Fix: F-42706r661992_fix

To remove the "ypserv" package use the following command: rpm -e ypserv

b

The yast2-tftp-server package must not be installed.

CM-7 - Medium - CCI-000381 - V-239515 - SV-239515r661996_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000470

Vuln IDs

V-239515
V-88501

Rule IDs

SV-239515r661996_rule
SV-99151

Removing the "yast2-tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.

Checks: C-42748r661994_chk

Check if "yast2-tftp-server" package is installed: # rpm -q yast2-tftp-server If there is a "yast2-tftp-server" package listed, this is a finding.

Fix: F-42707r661995_fix

To remove the "yast2-tftp-server" package use the following command: rpm -e yast2-tftp-server

b

The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.

CM-7 - Medium - CCI-000382 - V-239516 - SV-239516r661999_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000485

Vuln IDs

V-239516
V-88503

Rule IDs

SV-239516r661999_rule
SV-99153

The Datagram Congestion Control Protocol (DCCP) is a proposed transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol.

Checks: C-42749r661997_chk

Check that the DCCP protocol handler is prevented from dynamic loading: # grep "install dccp /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. # grep "install dccp_ipv4 /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. # grep "install dccp_ipv6" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* | grep ‘bin/true’ If no result is returned, this is a finding.

Fix: F-42708r661998_fix

Prevent the DCCP protocol handler for dynamic loading: # echo "install dccp /bin/true" >> /etc/modprobe.conf.local # echo "install dccp_ipv4 /bin/true" >> /etc/modprobe.conf.local # echo "install dccp_ipv6 /bin/true" >> /etc/modprobe.conf.local

b

The Stream Control Transmission Protocol (SCTP) must be disabled unless required.

CM-7 - Medium - CCI-000382 - V-239517 - SV-239517r662002_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000490

Vuln IDs

V-239517
V-88505

Rule IDs

SV-239517r662002_rule
SV-99155

The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol.

Checks: C-42750r662000_chk

Verify the SCTP protocol handler is prevented from dynamic loading: # grep "install sctp /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42709r662001_fix

Prevent the SCTP protocol handler from dynamic loading: # echo "install sctp /bin/true" >> /etc/modprobe.conf.local

b

The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.

CM-7 - Medium - CCI-000382 - V-239518 - SV-239518r662005_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000495

Vuln IDs

V-239518
V-88507

Rule IDs

SV-239518r662005_rule
SV-99157

The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the system to dynamically load a protocol handler by opening a socket using the protocol.

Checks: C-42751r662003_chk

Ask the SA if RDS is required by application software running on the system. If so, this is not applicable. Check that the RDS protocol handler is prevented from dynamic loading: # grep "install rds /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42710r662004_fix

Prevent the RDS protocol handler from dynamic loading: # echo "install rds /bin/true" >> /etc/modprobe.conf.local

b

The Transparent Inter-Process Communication (TIPC) must be disabled or not installed.

CM-7 - Medium - CCI-000382 - V-239519 - SV-239519r662008_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000500

Vuln IDs

V-239519
V-88509

Rule IDs

SV-239519r662008_rule
SV-99159

The Transparent Inter-Process Communication (TIPC) protocol is a relatively new cluster communications protocol developed by Ericsson. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol.

Checks: C-42752r662006_chk

Verify the TIPC protocol handler is prevented from dynamic loading: # grep "install tipc /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42711r662007_fix

Prevent the TIPC protocol handler from dynamic loading: # echo "install tipc /bin/true" >> /etc/modprobe.conf.local

b

The xinetd service must be disabled if no network services utilizing it are enabled.

CM-7 - Medium - CCI-000382 - V-239520 - SV-239520r662011_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000505

Vuln IDs

V-239520
V-88511

Rule IDs

SV-239520r662011_rule
SV-99161

The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.

Checks: C-42753r662009_chk

If network services are using the "xinetd" service, this is not applicable. To check that the "xinetd" service is disabled in system boot configuration, run the following command: # chkconfig "xinetd" --list Output should indicate the "xinetd" service has either not been installed, or has been disabled at all run levels, as shown in the example below: xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "xinetd" is disabled through current runtime configuration: # service xinetd status If the "xinetd" service is disabled the command will return the following output: Checking for service xinetd: unused If the "xinetd" service is running, this is a finding.

Fix: F-42712r662010_fix

The "xinetd" service can be disabled with the following command: # chkconfig xinetd off

b

The ypbind service must not be running if no network services utilizing it are enabled.

CM-7 - Medium - CCI-000382 - V-239521 - SV-239521r662014_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000510

Vuln IDs

V-239521
V-88513

Rule IDs

SV-239521r662014_rule
SV-99163

Disabling the "ypbind" service ensures the SLES for vRealize is not acting as a client in a NIS or NIS+ domain when not required.

Checks: C-42754r662012_chk

If network services are using the "ypbind" service, this is not applicable. To check that the "ypbind" service is disabled in system boot configuration, run the following command: # chkconfig "ypbind" --list Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ypbind" is disabled through current runtime configuration: # service ypbind status If the "ypbind" service is disabled the command will return the following output: Checking for service ypbind unused If the "ypbind" service is running, this is a finding.

Fix: F-42713r662013_fix

The "ypbind" service can be disabled with the following command: # chkconfig ypbind off

b

NIS/NIS+/yp files must be owned by root, sys, or bin.

CM-7 - Medium - CCI-000382 - V-239522 - SV-239522r662017_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000515

Vuln IDs

V-239522
V-88515

Rule IDs

SV-239522r662017_rule
SV-99165

NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration, which could weaken the system's security posture.

Checks: C-42755r662015_chk

Perform the following to check NIS file ownership: # ls -la /var/yp/* If the NIS file ownership is not "root", sys, or bin, this is a finding.

Fix: F-42714r662016_fix

Change the ownership of NIS/NIS+/yp files to "root", "sys", "bin", or "system". Consult vendor documentation to determine the location of the files: # chown root <filename>

b

The NIS/NIS+/yp command files must have mode 0755 or less permissive.

CM-7 - Medium - CCI-000382 - V-239523 - SV-239523r662020_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000520

Vuln IDs

V-239523
V-88517

Rule IDs

SV-239523r662020_rule
SV-99167

NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise these processes and SLES for vRealize.

Checks: C-42756r662018_chk

Perform the following to check NIS file ownership: # ls -la /var/yp/* If the NIS file's mode is more permissive than "0755", this is a finding.

Fix: F-42715r662019_fix

Change the mode of NIS/NIS+/yp command files to "0755" or less permissive: # chmod 0755 <filename>

b

The SLES for vRealize must not use UDP for NIS/NIS+.

CM-7 - Medium - CCI-000382 - V-239524 - SV-239524r662023_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000525

Vuln IDs

V-239524
V-88519

Rule IDs

SV-239524r662023_rule
SV-99169

Implementing NIS or NIS+ under UDP may make SLES for vRealize more susceptible to a denial of service attack and does not provide the same quality of service as TCP.

Checks: C-42757r662021_chk

If SLES for vRealize does not use NIS or NIS+, this is not applicable. Check if NIS or NIS+ is implemented using UDP: # rpcinfo -p | grep yp | grep udp If NIS or NIS+ is implemented using UDP, this is a finding.

Fix: F-42716r662022_fix

Configure SLES for vRealize to not use UDP for NIS and NIS+. Consult vendor documentation for the required procedure.

b

NIS maps must be protected through hard-to-guess domain names.

CM-7 - Medium - CCI-000382 - V-239525 - SV-239525r662026_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000530

Vuln IDs

V-239525
V-88521

Rule IDs

SV-239525r662026_rule
SV-99171

The use of hard-to-guess NIS domain names provides additional protection from unauthorized access to the NIS directory information.

Checks: C-42758r662024_chk

If SLES for vRealize does not use NIS or NIS+, this is not applicable. Check the domain name for NIS maps: # domainname If the name returned is simple to guess, such as the organization name, building or room name, etc., this is a finding.

Fix: F-42717r662025_fix

Change the NIS domainname to a value difficult to guess. Consult vendor documentation for the required procedure.

b

Mail relaying must be restricted.

CM-7 - Medium - CCI-000382 - V-239526 - SV-239526r662029_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000535

Vuln IDs

V-239526
V-88523

Rule IDs

SV-239526r662029_rule
SV-99173

If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending SPAM or other unauthorized activity.

Checks: C-42759r662027_chk

Determine if Sendmail only binds to loopback addresses by examining the "DaemonPortOptions" configuration options. # grep -i "O DaemonPortOptions" /etc/sendmail.cf If there are uncommented "DaemonPortOptions" lines, and all such lines specify system loopback addresses, this is not a finding. Otherwise, determine if "Sendmail" is configured to allow open relay operation. # grep -i promiscuous_relay /etc/mail/sendmail.mc If the promiscuous relay feature is enabled, this is a finding.

Fix: F-42718r662028_fix

If SLES for vRealize does not need to receive mail from external hosts, add one or more "DaemonPortOptions" lines referencing system loopback addresses (such as "O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA") and remove lines containing non-loopback addresses. # sed -i "s/O DaemonPortOptions=Name=MTA/O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA/" /etc/sendmail.cf Restart the sendmail service: # service sendmail restart

b

The alias files must be owned by root.

CM-7 - Medium - CCI-000382 - V-239527 - SV-239527r662032_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000540

Vuln IDs

V-239527
V-88525

Rule IDs

SV-239527r662032_rule
SV-99175

If the alias and aliases.db files are not owned by root, an unauthorized user may modify the file to add aliases to run malicious code or redirect email.

Checks: C-42760r662030_chk

Check the ownership of the alias file: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If all the files are not owned by "root", this is a finding.

Fix: F-42719r662031_fix

Change the owner of the alias files to "root": # chown root /etc/aliases # chown root /etc/aliases.db

b

The alias files must be group-owned by root, or a system group.

CM-7 - Medium - CCI-000382 - V-239528 - SV-239528r662035_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000545

Vuln IDs

V-239528
V-88527

Rule IDs

SV-239528r662035_rule
SV-99177

If the aliases and aliases.db file are not group-owned by root or a system group, an unauthorized user may modify one or both of the files to add aliases to run malicious code or redirect email.

Checks: C-42761r662033_chk

Check the group ownership of the alias files: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If the files are not group-owned by "root", this is a finding.

Fix: F-42720r662034_fix

Change the group owner of the alias files to "root": # chgrp root /etc/aliases # chgrp root /etc/aliases.db

b

The alias files must have mode 0644 or less permissive.

CM-7 - Medium - CCI-000382 - V-239529 - SV-239529r662038_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000550

Vuln IDs

V-239529
V-88529

Rule IDs

SV-239529r662038_rule
SV-99179

Excessive permissions on the alias files may permit unauthorized modification. If an alias file is modified by an unauthorized user, they may modify the file to run malicious code or redirect email.

Checks: C-42762r662036_chk

Check the permissions of the alias files: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If the alias files have a mode more permissive than "0644", this is a finding.

Fix: F-42721r662037_fix

Change the mode of the alias files to "0644": # chmod 0644 /etc/aliases /etc/aliases.db

b

Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.

CM-7 - Medium - CCI-000382 - V-239530 - SV-239530r662041_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000555

Vuln IDs

V-239530
V-88531

Rule IDs

SV-239530r662041_rule
SV-99181

If a file executed through a mail aliases file is not owned and writable only by root, it may be subject to unauthorized modification. Unauthorized modification of files executed through aliases may allow unauthorized users to attain root privileges.

Checks: C-42763r662039_chk

Verify the ownership of files referenced within the sendmail aliases file: # more /etc/aliases Examine the aliases file for any utilized directories or paths: # ls -lL <directory or file path> Check the owner for any paths referenced. Check if the file or parent directory is owned by root. If the file or parent directory is not owned by "root", this is a finding.

Fix: F-42722r662040_fix

Edit the "/etc/aliases" file (alternatively, /usr/lib/sendmail.cf). Locate the entries executing a program. They will appear similar to the following line: Aliasname: : /usr/local/bin/ls (or some other program name) Ensure "root" owns the programs and the directory(ies) they reside in by using the chown command to change owner to "root": # chown root <file or directory name>

b

Files executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system.

CM-7 - Medium - CCI-000382 - V-239531 - SV-239531r662044_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000560

Vuln IDs

V-239531
V-88533

Rule IDs

SV-239531r662044_rule
SV-99183

If a file executed through a mail aliases file is not group-owned by root or a system group, it may be subject to unauthorized modification. Unauthorized modification of files executed through aliases may allow unauthorized users to attain root privileges.

Checks: C-42764r662042_chk

Examine the contents of the "/etc/aliases" file: # more /etc/aliases Examine the aliases file for any directories or paths that may be utilized: # ls -lL <file referenced from aliases> Check the permissions for any paths referenced. If the group owner of any file is not "root", "bin", "sys", or "system", this is a finding.

Fix: F-42723r662043_fix

Change the group ownership of the file referenced from "/etc/mail/aliases": # chgrp root <file referenced from aliases>

b

Files executed through a mail aliases file must have mode 0755 or less permissive.

CM-7 - Medium - CCI-000382 - V-239532 - SV-239532r662047_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000565

Vuln IDs

V-239532
V-88535

Rule IDs

SV-239532r662047_rule
SV-99185

If a file executed through a mail alias file has permissions greater than 0755, it can be modified by an unauthorized user and may contain malicious code or instructions that could compromise the system.

Checks: C-42765r662045_chk

Examine the contents of the "/etc/aliases" file: # more /etc/aliases Examine the aliases file for any directories or paths that may be utilized: # ls -lL <file referenced from aliases> Check the permissions for any paths referenced. If any file referenced from the aliases file has a mode more permissive than "0755", this is a finding.

Fix: F-42724r662046_fix

Use the chmod command to change the access permissions for files executed from the alias file: # chmod 0755 <file referenced from aliases>

b

Sendmail logging must not be set to less than nine in the sendmail.cf file.

CM-7 - Medium - CCI-000382 - V-239533 - SV-239533r662050_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000570

Vuln IDs

V-239533
V-88537

Rule IDs

SV-239533r662050_rule
SV-99187

If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the sendmail service.

Checks: C-42766r662048_chk

Check sendmail to determine if the logging level is set to level "9": # grep "O L" /etc/sendmail.cf OR # grep LogLevel /etc/sendmail.cf If logging is set to less than "9", this is a finding.

Fix: F-42725r662049_fix

Edit the "sendmail.cf" file, locate the "O L" or "LogLevel" entry, and change it to "9".

b

The system syslog service must log informational and more severe SMTP service messages.

CM-7 - Medium - CCI-000382 - V-239534 - SV-239534r662053_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000575

Vuln IDs

V-239534
V-88539

Rule IDs

SV-239534r662053_rule
SV-99189

If informational and more severe SMTP service messages are not logged, malicious activity on the system may go unnoticed.

Checks: C-42767r662051_chk

Check the "/etc/syslog-ng/syslog-ng.conf" file for the following log entries: filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; If any of the above log entries are present, this is not a finding.

Fix: F-42726r662052_fix

Edit the "/etc/syslog-ng/syslog-ng.conf" file and add the following log entries: filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; destination mailinfo { file("/var/log/mail.info"); }; log { source(src); filter(f_mailinfo); destination(mailinfo); }; destination mailwarn { file("/var/log/mail.warn"); }; log { source(src); filter(f_mailwarn); destination(mailwarn); }; destination mailerr { file("/var/log/mail.err" fsync(yes)); }; log { source(src); filter(f_mailerr); destination(mailerr); };

b

The SMTP service log files must be owned by root.

CM-7 - Medium - CCI-000382 - V-239535 - SV-239535r662056_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000580

Vuln IDs

V-239535
V-88541

Rule IDs

SV-239535r662056_rule
SV-99191

If the SMTP service log file is not owned by root, then unauthorized personnel may modify or delete the file to hide a system compromise.

Checks: C-42768r662054_chk

Check the permissions on the mail log files: # ls -la /var/log/mail # ls -la /var/log/mail.info # ls -la /var/log/mail.warn # ls -la /var/log/mail.err If any mail log file is not owned by "root", this is a finding.

Fix: F-42727r662055_fix

Change the ownership of the sendmail log files to "root": # chown root <sendmail log file>

b

The SMTP service log file must have mode 0644 or less permissive.

CM-7 - Medium - CCI-000382 - V-239536 - SV-239536r662059_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000585

Vuln IDs

V-239536
V-88543

Rule IDs

SV-239536r662059_rule
SV-99193

If the SMTP service log file is more permissive than 0644, unauthorized users may be allowed to change the log file.

Checks: C-42769r662057_chk

Check the permissions on the mail log files: # ls -la /var/log/mail # ls -la /var/log/mail.info # ls -la /var/log/mail.warn # ls -la /var/log/mail.err If the log file permissions are greater than "0644", this is a finding.

Fix: F-42728r662058_fix

Change the mode of the sendmail log files to "0644": # chmod 0644 <sendmail log file>

b

The SMTP service HELP command must not be enabled.

CM-7 - Medium - CCI-000382 - V-239537 - SV-239537r662062_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000590

Vuln IDs

V-239537
V-88545

Rule IDs

SV-239537r662062_rule
SV-99195

The HELP command should be disabled to mask version information. The version of the SMTP service software could be used by attackers to target vulnerabilities present in specific software versions.

Checks: C-42770r662060_chk

Check the permissions of the sendmail helpfile: ls -al /usr/lib/sendmail.d/helpfile If the permissions are not "0000", this is a finding.

Fix: F-42729r662061_fix

Run the following command to disable the sendmail helpfile: # chmod 0000 /usr/lib/sendmail.d/helpfile

b

The SMTP services SMTP greeting must not provide version information.

CM-7 - Medium - CCI-000382 - V-239538 - SV-239538r662065_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000595

Vuln IDs

V-239538
V-88547

Rule IDs

SV-239538r662065_rule
SV-99197

The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version.

Checks: C-42771r662063_chk

To check for the sendmail version being displayed in the greeting: # more /etc/sendmail.cf | grep SmtpGreetingMessage If it returns: O SmtpGreetingMessage=$j Sendmail $v/$Z; $b Then sendmail is providing version information, this is a finding.

Fix: F-42730r662064_fix

Change the "O SmtpGreetingMessage" line in the "/etc/sendmail.cf" file to: O SmtpGreetingMessage= Mail Server Ready ; $b

b

The SMTP service must not use .forward files.

CM-7 - Medium - CCI-000382 - V-239539 - SV-239539r662068_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000600

Vuln IDs

V-239539
V-88549

Rule IDs

SV-239539r662068_rule
SV-99199

The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops that could degrade system performance.

Checks: C-42772r662066_chk

Check forwarding from sendmail: # grep "0 ForwardPath" /etc/sendmail.cf If the entry contains a file path and is not commented out, this is a finding.

Fix: F-42731r662067_fix

Disable forwarding for sendmail and remove ".forward" files from the system: Remove all ".forward" files on the system. # find / -name .forward -delete Use the following command to disable forwarding: # sed -i "s/O ForwardPath/#O ForwardPath/" /etc/sendmail.cf Restart the sendmail service: # service sendmail restart

b

The SMTP service must not have the EXPN feature active.

CM-7 - Medium - CCI-000382 - V-239540 - SV-239540r662071_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000605

Vuln IDs

V-239540
V-88551

Rule IDs

SV-239540r662071_rule
SV-99201

The SMTP EXPN function allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. EXPN may also provide additional information concerning users on the system, such as the full names of account owners.

Checks: C-42773r662069_chk

Use the following command to check if EXPN is disabled: # grep -v "^#" /etc/sendmail.cf |grep -i PrivacyOptions If "noexpn" is not returned, this is a finding.

Fix: F-42732r662070_fix

Add "noexpn" to the "PrivacyOptions" flag in the "/etc/sendmail.cf" file.

b

The SMTP service must not have the VRFY feature active.

CM-7 - Medium - CCI-000382 - V-239541 - SV-239541r662074_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000610

Vuln IDs

V-239541
V-88553

Rule IDs

SV-239541r662074_rule
SV-99203

The VRFY (Verify) command allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. VRFY may provide additional information about users on the system, such as the full names of account owners.

Checks: C-42774r662072_chk

Use the following command to check if VRFY is disabled: # grep -v "^#" /etc/sendmail.cf |grep -i PrivacyOptions If "novrfy" is not returned, this is a finding.

Fix: F-42733r662073_fix

Add "novrfy" to the "PrivacyOptions" flag in the "/etc/sendmail.cf" file.

b

The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.

CM-7 - Medium - CCI-000382 - V-239542 - SV-239542r662077_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000615

Vuln IDs

V-239542
V-88555

Rule IDs

SV-239542r662077_rule
SV-99205

The Lightweight User Datagram Protocol (UDP-Lite) is a proposed transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol.

Checks: C-42775r662075_chk

Run the following command: iptables --list | grep "udplite" If no result is displayed, this is a finding.

Fix: F-42734r662076_fix

Configure SLES for vRealize to prevent the dynamic loading of the "UDP-Lite" protocol handler: Add the following rule to the iptables firewall ruleset: # iptables -A INPUT -p udplite -j DROP

b

The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.

CM-7 - Medium - CCI-000382 - V-239543 - SV-239543r662080_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000620

Vuln IDs

V-239543
V-88557

Rule IDs

SV-239543r662080_rule
SV-99207

The Internetwork Packet Exchange (IPX) protocol is a network-layer protocol that is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol.

Checks: C-42776r662078_chk

Check that the "IPX" protocol handler is prevented from dynamic loading: # grep "install ipx /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42735r662079_fix

Prevent the "IPX" protocol handler from dynamic loading: # echo "install ipx /bin/true" >> /etc/modprobe.conf.local

b

The AppleTalk protocol must be disabled or not installed.

CM-7 - Medium - CCI-000382 - V-239544 - SV-239544r662083_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000625

Vuln IDs

V-239544
V-88559

Rule IDs

SV-239544r662083_rule
SV-99209

The AppleTalk suite of protocols is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol.

Checks: C-42777r662081_chk

Verify the "AppleTalk" protocol handler is prevented from dynamic loading: # grep "install appletalk /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42736r662082_fix

Prevent the "AppleTalk" protocol handler from dynamic loading: # echo "install appletalk /bin/true" >> /etc/modprobe.conf.local

b

The DECnet protocol must be disabled or not installed.

CM-7 - Medium - CCI-000382 - V-239545 - SV-239545r662086_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000630

Vuln IDs

V-239545
V-88561

Rule IDs

SV-239545r662086_rule
SV-99211

The DECnet suite of protocols is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol.

Checks: C-42778r662084_chk

Check that the "DECnet" protocol handler is prevented from dynamic loading: # grep "install decnet /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42737r662085_fix

Prevent the "DECnet" protocol handler from dynamic loading: # echo "install decnet /bin/true" >> /etc/modprobe.conf.local

b

Proxy Neighbor Discovery Protocol (NDP) must not be enabled on SLES for vRealize.

CM-7 - Medium - CCI-000382 - V-239546 - SV-239546r662089_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000635

Vuln IDs

V-239546
V-88563

Rule IDs

SV-239546r662089_rule
SV-99213

Proxy Neighbor Discovery Protocol (NDP) allows a system to respond to NDP requests on one interface on behalf of hosts connected to another interface. If this function is enabled when not required, addressing information may be leaked between the attached network segments.

Checks: C-42779r662087_chk

Determine if SLES for vRealize has proxy "NDP", and if it is enabled: # more /proc/sys/net/ipv6/conf/*/proxy_ndp If the file is not found, the kernel does not have proxy "NDP", this is not a finding. If the file has a value of "0", proxy "NDP" is not enabled, this is not a finding. If the file has a value of "1", proxy NDP is enabled, this is a finding.

Fix: F-42738r662088_fix

Disable proxy "NDP" on the system. For Appliance OS, "proxy_ndp" is disabled by default.

b

The SLES for vRealize must not have 6to4 enabled.

CM-7 - Medium - CCI-000382 - V-239547 - SV-239547r662092_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000640

Vuln IDs

V-239547
V-88565

Rule IDs

SV-239547r662092_rule
SV-99215

6to4 is an IPv6 transition mechanism that involves tunneling IPv6 packets encapsulated in IPv4 packets on an ad hoc basis. This is not a preferred transition strategy and increases the attack surface of SLES for vRealize.

Checks: C-42780r662090_chk

Check SLES for vRealize for any active "6to4" tunnels without specific remote addresses: # ip tun list | grep "remote any" | grep "ipv6/ip" If any results are returned the "tunnel" is the first field. If any results are returned, this is a finding.

Fix: F-42739r662091_fix

Disable the active "6to4" tunnel: # ip link set <tunnel> down Add this command to a startup script, or remove the configuration creating the tunnel.

b

The SLES for vRealize must not have Teredo enabled.

CM-7 - Medium - CCI-000382 - V-239548 - SV-239548r662095_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000645

Vuln IDs

V-239548
V-88567

Rule IDs

SV-239548r662095_rule
SV-99217

Teredo is an IPv6 transition mechanism that involves tunneling IPv6 packets encapsulated in IPv4 packets. Unauthorized tunneling may circumvent network security.

Checks: C-42781r662093_chk

Verify the "Miredo" service is not running: # ps ax | grep miredo | grep -v grep If the Miredo process is running, this is a finding. Note: For Appliance OS, "Miredo" is not included by default, this is not a finding.

Fix: F-42740r662094_fix

Kill the "Miredo" service. Edit startup scripts to prevent the service from running on startup.

b

The DHCP client must be disabled if not needed.

CM-7 - Medium - CCI-000382 - V-239549 - SV-239549r662098_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000650

Vuln IDs

V-239549
V-88569

Rule IDs

SV-239549r662098_rule
SV-99219

DHCP allows for the unauthenticated configuration of network parameters on SLES for vRealize by exchanging information with a DHCP server.

Checks: C-42782r662096_chk

Check that no interface is configured to use "DHCP": # grep -i bootproto=dhcp4 /etc/sysconfig/network/ifcfg-* If any configuration is found, this is a finding.

Fix: F-42741r662097_fix

Edit the "/etc/sysconfig/network/ifcfg-*" file(s) and change the "bootproto" setting to "static".

b

The SLES for vRealize must have IEEE 1394 (Firewire) disabled unless needed.

CM-7 - Medium - CCI-000382 - V-239550 - SV-239550r662101_rule

RMF Control

CM-7

Severity

M

CCI

Version

VROM-SL-000655

Vuln IDs

V-239550
V-88571

Rule IDs

SV-239550r662101_rule
SV-99221

Firewire is a common computer peripheral interface. Firewire devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.

Checks: C-42783r662099_chk

If SLES for vRealize needs IEEE 1394 (Firewire), this is not applicable. Check if the firewire module is not disabled: # grep "install ieee1394 /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no results are returned, this is a finding.

Fix: F-42742r662100_fix

Prevent SLES for vRealize from loading the firewire module: # echo "install ieee1394 /bin/true" >> /etc/modprobe.conf.local

b

Duplicate User IDs (UIDs) must not exist for users within the organization.

IA-2 - Medium - CCI-000764 - V-239551 - SV-239551r662104_rule

RMF Control

IA-2

Severity

M

CCI

CCI-000764

Version

VROM-SL-000660

Vuln IDs

V-239551
V-88573

Rule IDs

SV-239551r662104_rule
SV-99223

To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of SLES for vRealize. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.

Checks: C-42784r662102_chk

Verify that SLES for vRealize contains no duplicate UIDs for organizational users by running the following command: # awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, this is a finding.

Fix: F-42743r662103_fix

Edit the file "/etc/passwd" and provide each organizational user account that has a duplicate UID with a unique UID.

c

The SLES for vRealize must prevent direct logon into the root account.

IA-2 - High - CCI-000770 - V-239552 - SV-239552r662107_rule

RMF Control

IA-2

Severity

H

CCI

CCI-000770

Version

VROM-SL-000685

Vuln IDs

V-239552
V-88575

Rule IDs

SV-239552r662107_rule
SV-99225

To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the UNIX and Windows operating systems offer a 'switch user' capability allowing users to authenticate with their individual credentials and, when needed, 'switch' to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.

Checks: C-42785r662105_chk

Verify SLES for vRealize prevents direct logons to the root account by running the following command: # grep root /etc/shadow | cut -d "":"" -f 2 If the returned message contains any text, this is a finding.

Fix: F-42744r662106_fix

Configure SLES for vRealize to prevent direct logins to the root account by performing the following operations: Add this line to the "/etc/group" file: admin:x:[UNIQUE_NUMBER]:[USERNAME] USERNAME is the user you wish to add to the admin group. UNIQUE_NUMBER is a number entered into the ID field of an entry that is unique to all other IDs in the file. Comment out the following lines in "/etc/sudoers" file: Default targetpw ALL ALL=(ALL) ALL Under the line in the "/etc/sudoers" file: root ALL=(ALL) All Add the following line: %admin ALL=(ALL) ALL Run the following command: # passwd -d root

b

The SLES for vRealize must enforce SSHv2 for network access to privileged accounts.

IA-2 - Medium - CCI-001941 - V-239553 - SV-239553r662110_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001941

Version

VROM-SL-000690

Vuln IDs

V-239553
V-88577

Rule IDs

SV-239553r662110_rule
SV-99227

A replay attack may enable an unauthorized user to gain access to SLES for vRealize. Authentication sessions between the authenticator and SLES for vRealize validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A privileged account is any information system account with authorizations of a privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Checks: C-42786r662108_chk

Verify that SLES for vRealize enforces SSHv2 for network access to privileged accounts by running the following command: Replace [ADDRESS] in the following command with the correct IP address based on the current system configuration. # ssh -1 [ADDRESS] An example of the command usage is as follows: # ssh -1 localhost The output must be the following: Protocol major versions differ: 1 vs. 2 If it is not, this is a finding. OR Verify that the ssh is configured to enforce SSHv2 for network access to privileged accounts by running the following command: # grep Protocol /etc/ssh/sshd_config If the result is not "Protocol 2", this is a finding.

Fix: F-42745r662109_fix

Configure SLES for vRealize to enforce SSHv2 for network access to privileged accounts by running the following commands: # sed -i 's/^.*\bProtocol\b.*$/Protocol 2/' /etc/ssh/sshd_config Restart the ssh service. # service sshd restart

b

The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts.

IA-2 - Medium - CCI-001942 - V-239554 - SV-239554r662113_rule

RMF Control

IA-2

Severity

M

CCI

CCI-001942

Version

VROM-SL-000695

Vuln IDs

V-239554
V-88579

Rule IDs

SV-239554r662113_rule
SV-99229

A replay attack may enable an unauthorized user to gain access to SLES for vRealize. Authentication sessions between the authenticator and SLES for vRealize validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A non-privileged account is any SLES for vRealize account with authorizations of a non-privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Checks: C-42787r662111_chk

Verify that SLES for vRealize enforces SSHv2 for network access to privileged accounts by running the following command: Replace [ADDRESS] in the following command with the correct IP address based on the current system configuration. # ssh -1 [ADDRESS] An example of the command usage is as follows: # ssh -1 localhost The output must be one of the following items: Protocol major versions differ: 1 vs. 2 OR Protocol 1 not allowed in the FIPS mode. If it does not, this is a finding. OR Verify that the ssh is configured to enforce SSHv2 for network access to privileged accounts by running the following command: # grep Protocol /etc/ssh/sshd_config If the result is not "Protocol 2", this is a finding.

Fix: F-42746r662112_fix

Configure SLES for vRealize to enforce SSHv2 for network access to non-privileged accounts by running the following commands: # sed -i 's/^.*\bProtocol\b.*$/Protocol 2/' /etc/ssh/sshd_config Restart the ssh service. # service sshd restart

b

The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration.

IA-4 - Medium - CCI-000795 - V-239555 - SV-239555r662116_rule

RMF Control

IA-4

Severity

M

CCI

CCI-000795

Version

VROM-SL-000705

Vuln IDs

V-239555
V-88581

Rule IDs

SV-239555r662116_rule
SV-99231

Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. SLES for vRealize need to track periods of inactivity and disable application identifiers after 35 days of inactivity.

Checks: C-42788r662114_chk

Verify SLES for vRealize disables account identifiers after "35" days of inactivity after the password expiration, by performing the following commands: # grep "INACTIVE" /etc/default/useradd The output must indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: grep "INACTIVE" /etc/default/useradd INACTIVE=35 If "INACTIVE" is not set to a value 0<[VALUE]<=35, this is a finding.

Fix: F-42747r662115_fix

Configure SLES for vRealize to disable account identifiers after "35" days of inactivity after the password expiration. Run the following command to change the configuration for useradd: Replace [VALUE] in the command with any integer from the range 0<[VALUE]<= 35. # sed -i "s/^.*\bINACTIVE\b.*$/INACTIVE=[VALUE]/" /etc/default/useradd DoD recommendation is "35" days, but a lower value is acceptable. The value "-1" will disable this feature and "0" will disable the account immediately after the password expires.

b

The SLES for vRealize must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

IA-7 - Medium - CCI-000803 - V-239556 - SV-239556r662119_rule

RMF Control

IA-7

Severity

M

CCI

CCI-000803

Version

VROM-SL-000710

Vuln IDs

V-239556
V-88583

Rule IDs

SV-239556r662119_rule
SV-99233

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. SLES for vRealize utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.

Checks: C-42789r662117_chk

Check the "/etc/default/passwd" file: # grep CRYPT /etc/default/passwd If the "CRYPT" setting in the "/etc/default/passwd" file is not present, or not set to "SHA256" or "SHA512", this is a finding. If the "CRYPT_FILES" setting in the "/etc/default/passwd" file is not present, or not set to "SHA256" or "SHA512", this is a finding.

Fix: F-42748r662118_fix

Edit the "/etc/default/passwd" file and add or change the "CRYPT" variable setting so that it contains: CRYPT=sha256 OR CRYPT=sha512 Edit the "/etc/default/passwd" file and add or change the "CRYPT_FILES" variable setting so that it contains: CRYPT_FILES=sha256 OR CRYPT_FILES=sha512

b

The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).

IA-8 - Medium - CCI-000804 - V-239557 - SV-239557r662122_rule

RMF Control

IA-8

Severity

M

CCI

CCI-000804

Version

VROM-SL-000715

Vuln IDs

V-239557
V-88585

Rule IDs

SV-239557r662122_rule
SV-99235

Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system. Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of an employee (e.g., contractors and guest researchers). Non-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access.

Checks: C-42790r662120_chk

Run the following command to check for duplicate account names: # pwck -rq If there are no duplicate names, no line will be returned. If a line is returned, this is a finding.

Fix: F-42749r662121_fix

Change usernames, or delete accounts, so each has a unique name.

b

The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).

IA-8 - Medium - CCI-000804 - V-239558 - SV-239558r662125_rule

RMF Control

IA-8

Severity

M

CCI

CCI-000804

Version

VROM-SL-000720

Vuln IDs

V-239558
V-88587

Rule IDs

SV-239558r662125_rule
SV-99237

Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system. Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of an employee (e.g., contractors and guest researchers). Non-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access.

Checks: C-42791r662123_chk

Verify the SLES for vRealize uniquely identifies and authenticates non-organizational users by running the following commands: # awk -F: '{print $3}' /etc/passwd | sort | uniq -d If the output is not blank, this is a finding.

Fix: F-42750r662124_fix

Configure the SLES for vRealize to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). UNIQUE_USER_ID is a unique numerical value that must be non-negative. USERNAME is the username of the user whose user ID you wish to change. # usermod -u [UNIQUE_USER_ID] [USERNAME]

b

The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled.

AC-2 - Medium - CCI-001682 - V-239559 - SV-239559r662128_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001682

Version

VROM-SL-000730

Vuln IDs

V-239559
V-88589

Rule IDs

SV-239559r662128_rule
SV-99239

Emergency administrator accounts are privileged accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account that is created for use by vendors or system maintainers. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.

Checks: C-42792r662126_chk

For each emergency administrator account run the following command: chage -l [user] If the output shows an expiration date for the account, this is a finding.

Fix: F-42751r662127_fix

For each emergency administrator account run the following command to remove the expiration date: chage -E -1 [user]

b

The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

MA-4 - Medium - CCI-000877 - V-239560 - SV-239560r662131_rule

RMF Control

MA-4

Severity

M

CCI

CCI-000877

Version

VROM-SL-000735

Vuln IDs

V-239560
V-88591

Rule IDs

SV-239560r662131_rule
SV-99241

If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.

Checks: C-42793r662129_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the sshd_config file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42752r662130_fix

Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart

b

The SLES for vRealize must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.

MA-4 - Medium - CCI-000879 - V-239561 - SV-239561r662134_rule

RMF Control

MA-4

Severity

M

CCI

CCI-000879

Version

VROM-SL-000740

Vuln IDs

V-239561
V-88593

Rule IDs

SV-239561r662134_rule
SV-99243

If a maintenance session or connection remains open after maintenance is completed, it may be hijacked by an attacker and used to compromise or damage the system. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.

Checks: C-42794r662132_chk

Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.

Fix: F-42753r662133_fix

Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null

b

The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

SC-5 - Medium - CCI-001095 - V-239562 - SV-239562r662137_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001095

Version

VROM-SL-000760

Vuln IDs

V-239562
V-88595

Rule IDs

SV-239562r662137_rule
SV-99245

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.

Checks: C-42795r662135_chk

Check that SLES for vRealize is configured to use TCP syncookies when experiencing a TCP SYN flood. # cat /proc/sys/net/ipv4/tcp_syncookies If the result is not "1", this is a finding.

Fix: F-42754r662136_fix

Configure SLES for vRealize to use TCP syncookies when experiencing a TCP SYN flood. # sed -i 's/^.*\bnet.ipv4.tcp_syncookies\b.*$/net.ipv4.tcp_syncookies=1/' /etc/sysctl.conf Reload sysctl to verify the new change: # sysctl -p

b

The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.

SC-5 - Medium - CCI-001095 - V-239563 - SV-239563r662140_rule

RMF Control

SC-5

Severity

M

CCI

CCI-001095

Version

VROM-SL-000765

Vuln IDs

V-239563
V-88597

Rule IDs

SV-239563r662140_rule
SV-99247

DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.

Checks: C-42796r662138_chk

Check that SLES for vRealize has an appropriate TCP backlog queue size to mitigate against TCP SYN flood DOS attacks with the following command: # cat /proc/sys/net/ipv4/tcp_max_syn_backlog The recommended default setting is "1280". If the TCP backlog queue size is not set to "1280", this is a finding.

Fix: F-42755r662139_fix

Configure the TCP backlog queue size with the following command: # sed -i 's/^.*\bnet.ipv4.tcp_max_syn_backlog\b.*$/net.ipv4.tcp_max_syn_backlog=1280/' /etc/sysctl.conf Reload sysctl to verify the new change: # sysctl -p

b

The SLES for vRealize must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.

SC-10 - Medium - CCI-001133 - V-239564 - SV-239564r662405_rule

RMF Control

SC-10

Severity

M

CCI

CCI-001133

Version

VROM-SL-000770

Vuln IDs

V-239564
V-88599

Rule IDs

SV-239564r662405_rule
SV-99249

Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that SLES for vRealize terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.

Checks: C-42797r662141_chk

Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.

Fix: F-42756r662142_fix

Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null

b

The /var/log directory must be group-owned by root.

SI-11 - Medium - CCI-001314 - V-239565 - SV-239565r662146_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-SL-000795

Vuln IDs

V-239565
V-88601

Rule IDs

SV-239565r662146_rule
SV-99251

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-42798r662144_chk

Verify the "/var/log" directory is group-owned by "root" by running the following command: # ls -lad /var/log | cut -d' ' -f4 The output must look like the following example: ls -lad /var/log | cut -d' ' -f4 root If "root" is not returned as a result, this is a finding.

Fix: F-42757r662145_fix

Change the group of the directory "/var/log" to "root" by running the following command: # chgrp root /var/log

b

The /var/log directory must be owned by root.

SI-11 - Medium - CCI-001314 - V-239566 - SV-239566r662149_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-SL-000800

Vuln IDs

V-239566
V-88603

Rule IDs

SV-239566r662149_rule
SV-99253

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-42799r662147_chk

Verify that the "/var/log" directory is owned by "root" by running the following command: # ls -lad /var/log | cut -d' ' -f3 The output must look like the following example: ls -lad /var/log | cut -d' ' -f3 root If "root" is not returned as a result, this is a finding.

Fix: F-42758r662148_fix

Change the owner of the directory "/var/log" to "root" by running the following command: # chown root /var/log

b

The /var/log directory must have mode 0750 or less permissive.

SI-11 - Medium - CCI-001314 - V-239567 - SV-239567r662152_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-SL-000805

Vuln IDs

V-239567
V-88605

Rule IDs

SV-239567r662152_rule
SV-99255

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-42800r662150_chk

Verify that the "/var/log" directory is the mode 0750 or less permissive by running the following command: # ls -lad /var/log | cut -d' ' -f1 The output must look like the following example: ls -lad /var/log | cut -d' ' -f1 drwxr-x--- If "drwxr-x---" is not returned as a result, this is a finding.

Fix: F-42759r662151_fix

Change the permissions of the directory "/var/log" to "0750" by running the following command: # chmod 0750 /var/log

b

The /var/log/messages file must be group-owned by root.

SI-11 - Medium - CCI-001314 - V-239568 - SV-239568r662155_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-SL-000810

Vuln IDs

V-239568
V-88607

Rule IDs

SV-239568r662155_rule
SV-99257

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-42801r662153_chk

Verify that the "/var/log/messages" file is group-owned by "root" by running the following command: # ls -la /var/log/messages | cut -d' ' -f4 The output must look like the following example: ls -la /var/log/messages | cut -d' ' -f4 root If "root" is not returned as a result, this is a finding.

Fix: F-42760r662154_fix

Change the group of the file "/var/log/messages" to "root" by running the following command: # chgrp root /var/log/messages

b

The /var/log/messages file must be owned by root.

SI-11 - Medium - CCI-001314 - V-239569 - SV-239569r662158_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-SL-000815

Vuln IDs

V-239569
V-88609

Rule IDs

SV-239569r662158_rule
SV-99259

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-42802r662156_chk

Verify that the "/var/log/messages" file is owned by "root" by running the following command: # ls -la /var/log/messages | cut -d' ' -f3 The output must look like the following example: ls -la /var/log/messages | cut -d' ' -f3 root If "root" is not returned as a result, this is a finding.

Fix: F-42761r662157_fix

Change the owner of the file "/var/log/messages" to "root" by running the following command: # chown root /var/log/messages

b

The /var/log/messages file must have mode 0640 or less permissive.

SI-11 - Medium - CCI-001314 - V-239570 - SV-239570r662161_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-SL-000820

Vuln IDs

V-239570
V-88611

Rule IDs

SV-239570r662161_rule
SV-99261

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-42803r662159_chk

Verify that the "/var/log/messages" file is 0640 or less permissive by running the following command: # ls -lad /var/log/messages | cut -d' ' -f1 The output must look like the following example: ls -lad /var/log/messages | cut -d' ' -f1 -rw-r----- If "-rw-r-----" is not returned as a result, this is a finding.

Fix: F-42762r662160_fix

Change the permissions of the file "/var/log/messages" to "0640" by running the following command: # chmod 0640 /var/log/messages

b

The SLES for vRealize must reveal error messages only to authorized users.

SI-11 - Medium - CCI-001314 - V-239571 - SV-239571r662164_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-SL-000825

Vuln IDs

V-239571
V-88613

Rule IDs

SV-239571r662164_rule
SV-99263

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-42804r662162_chk

Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the mode of the file is more permissive than "0640", this is a finding.

Fix: F-42763r662163_fix

Change the permissions of the syslog configuration file(s): # chmod 640 /etc/syslog-ng/syslog-ng.conf

b

The SLES for vRealize must reveal error messages only to authorized users.

SI-11 - Medium - CCI-001314 - V-239572 - SV-239572r662167_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-SL-000830

Vuln IDs

V-239572
V-88615

Rule IDs

SV-239572r662167_rule
SV-99265

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-42805r662165_chk

Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the file is not owned by "root", this is a finding.

Fix: F-42764r662166_fix

Use the chown command to set the owner to "root": # chown root /etc/syslog-ng/syslog-ng.conf

b

The SLES for vRealize must reveal error messages only to authorized users.

SI-11 - Medium - CCI-001314 - V-239573 - SV-239573r662170_rule

RMF Control

SI-11

Severity

M

CCI

Version

VROM-SL-000835

Vuln IDs

V-239573
V-88617

Rule IDs

SV-239573r662170_rule
SV-99267

Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.

Checks: C-42806r662168_chk

Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the file is not group owned by "root", this is a finding.

Fix: F-42765r662169_fix

Change the group-owner of the "/etc/rsyslog.conf" file to "root": # chgrp root /etc/syslog-ng/syslog-ng.conf

b

Any publicly accessible connection to the SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.

AC-8 - Medium - CCI-001384 - V-239574 - SV-239574r767707_rule

RMF Control

AC-8

Severity

M

CCI

CCI-001384

Version

VROM-SL-000840

Vuln IDs

V-239574
V-88619

Rule IDs

SV-239574r767707_rule
SV-99269

Display of a standardized and approved use notification before granting access to the publicly accessible SLES for vRealize ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."

Checks: C-42807r662171_chk

Check issue file to verify that it contains one of the DoD required banners. # cat /etc/issue "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't." If it does not, this is a finding.

Fix: F-42766r662172_fix

To configure SLES for vRealize to display the Standard Mandatory DoD Notice and Consent Banner, run the DoD.script with the following command as "root": # /etc/dodscript.sh

b

The SLES for vRealize must audit all account modifications.

AC-2 - Medium - CCI-001403 - V-239575 - SV-239575r662176_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001403

Version

VROM-SL-000845

Vuln IDs

V-239575
V-88621

Rule IDs

SV-239575r662176_rule
SV-99271

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-42808r662174_chk

Determine if execution of the "usermod" and "groupmod" executable are audited. # auditctl -l | egrep '(usermod|groupmod)' | grep perm=x If either "usermod" or "groupmod" are not listed with a permissions filter of at least "x", this is a finding.

Fix: F-42767r662175_fix

Configure execute auditing of the "usermod" and "groupmod" executables run the DoD.script with the following command as "root": # /etc/dodscript.sh OR Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the audit.rules file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Restart the auditd service. # service auditd restart

b

The SLES for vRealize must audit all account modifications.

AC-2 - Medium - CCI-001403 - V-239576 - SV-239576r662179_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001403

Version

VROM-SL-000850

Vuln IDs

V-239576
V-88623

Rule IDs

SV-239576r662179_rule
SV-99273

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-42809r662177_chk

Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/gshadow" are audited for writing. # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)' | grep perm=w If any of these are not listed with a permissions filter of at least "w", this is a finding.

Fix: F-42768r662178_fix

Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files run the DoD.script with the following command as root: # /etc/dodscript.sh OR Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files. Add the following to the audit.rules file: -w /etc/passwd -p w -k passwd -w /etc/shadow -p w -k shadow -w /etc/group -p w -k group -w /etc/gshadow -p w -k gshadow Restart the auditd service. # service auditd restart

b

The SLES for vRealize must audit all account-disabling actions.

AC-2 - Medium - CCI-001404 - V-239577 - SV-239577r662182_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001404

Version

VROM-SL-000855

Vuln IDs

V-239577
V-88625

Rule IDs

SV-239577r662182_rule
SV-99275

When SLES for vRealize accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events affecting user accessibility and system processing, SLES for vRealize must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that SLES for vRealize accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-42810r662180_chk

Determine if execution of the "passwd" executable is audited: # auditctl -l | grep watch=/usr/bin/passwd If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding.

Fix: F-42769r662181_fix

Configure SLES for vRealize to automatically audit account-disabling actions by running the following command: # /etc/dodscript.sh OR # echo '-w /usr/bin/passwd -p x -k passwd' >> /etc/audit/audit.rules Restart the auditd service. # service auditd restart

b

The SLES for vRealize must audit all account removal actions.

AC-2 - Medium - CCI-001405 - V-239578 - SV-239578r662185_rule

RMF Control

AC-2

Severity

M

CCI

CCI-001405

Version

VROM-SL-000860

Vuln IDs

V-239578
V-88627

Rule IDs

SV-239578r662185_rule
SV-99277

When SLES for vRealize accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that SLES for vRealize accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-42811r662183_chk

Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding.

Fix: F-42770r662184_fix

Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel

b

The SLES for vRealize must implement cryptography to protect the integrity of remote access sessions.

AC-17 - Medium - CCI-001453 - V-239579 - SV-239579r662188_rule

RMF Control

AC-17

Severity

M

CCI

CCI-001453

Version

VROM-SL-000865

Vuln IDs

V-239579
V-88629

Rule IDs

SV-239579r662188_rule
SV-99279

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.

Checks: C-42812r662186_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42771r662187_fix

Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart

b

The SLES for vRealize must initiate session audits at system start-up.

AU-14 - Medium - CCI-001464 - V-239580 - SV-239580r662191_rule

RMF Control

AU-14

Severity

M

CCI

CCI-001464

Version

VROM-SL-000870

Vuln IDs

V-239580
V-88631

Rule IDs

SV-239580r662191_rule
SV-99281

If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.

Checks: C-42813r662189_chk

Check for the "audit=1" kernel parameter. # grep "audit=1" /proc/cmdline If no results are returned, this is a finding.

Fix: F-42772r662190_fix

Edit the grub bootloader file "/boot/grub/menu.lst" by appending the "audit=1" parameter to the kernel boot line. Reboot the system for the change to take effect.

b

The SLES for vRealize must produce audit records containing information to establish the identity of any individual or process associated with the event.

AU-3 - Medium - CCI-001487 - V-239581 - SV-239581r662194_rule

RMF Control

AU-3

Severity

M

CCI

CCI-001487

Version

VROM-SL-000875

Vuln IDs

V-239581
V-88633

Rule IDs

SV-239581r662194_rule
SV-99283

Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.

Checks: C-42814r662192_chk

Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42773r662193_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b

The SLES for vRealize must protect audit tools from unauthorized access.

AU-9 - Medium - CCI-001493 - V-239582 - SV-239582r662197_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001493

Version

VROM-SL-000880

Vuln IDs

V-239582
V-88635

Rule IDs

SV-239582r662197_rule
SV-99285

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Checks: C-42815r662195_chk

The following command will list which audit files on the system have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M' If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory: # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by the RPM database, this is a finding.

Fix: F-42774r662196_fix

For each file that has permissions that are more permissive than those expected by the RPM database, alter the permission of the file with the following command: # chmod <permission> <filename>

b

The SLES for vRealize must protect audit tools from unauthorized modification.

AU-9 - Medium - CCI-001494 - V-239583 - SV-239583r662200_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001494

Version

VROM-SL-000885

Vuln IDs

V-239583
V-88637

Rule IDs

SV-239583r662200_rule
SV-99287

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the modification of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Checks: C-42816r662198_chk

The following command will list which audit files on the system where the group ownership has been modified: # rpm -V audit | grep '^......G' If there is output, this is a finding.

Fix: F-42775r662199_fix

For each file that has the incorrect group modification, alter the group ownership of the file with the following command: # chgrp <group> <filename>

b

The SLES for vRealize must protect audit tools from unauthorized deletion.

AU-9 - Medium - CCI-001495 - V-239584 - SV-239584r662203_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001495

Version

VROM-SL-000890

Vuln IDs

V-239584
V-88639

Rule IDs

SV-239584r662203_rule
SV-99289

Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the deletion of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.

Checks: C-42817r662201_chk

The following command will list which audit files on the system where the ownership has been modified: # rpm -V audit | grep '^.....U' If there is output, this is a finding.

Fix: F-42776r662202_fix

For each file that has the incorrect owner modification, alter the ownership of the file with the following command: # chown <owner> <filename>

b

The SLES for vRealize must enforce password complexity by requiring that at least one special character be used.

IA-5 - Medium - CCI-001619 - V-239585 - SV-239585r662206_rule

RMF Control

IA-5

Severity

M

CCI

CCI-001619

Version

VROM-SL-000900

Vuln IDs

V-239585
V-88641

Rule IDs

SV-239585r662206_rule
SV-99291

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.

Checks: C-42818r662204_chk

Verify SLES for vRealize enforces password complexity by requiring that at least one special character be used by using the following command: Check the password "ocredit" option: # grep pam_cracklib.so /etc/pam.d/common-password Confirm the "ocredit" option is set to "-1" as in the example: password requisite pam_cracklib.so ocredit=-1 There may be other options on the line. If no such line is found, or the "ocredit" is not "-1", this is a finding.

Fix: F-42777r662205_fix

Configure SLES for vRealize to enforce password complexity by requiring that at least one special character be used by running the following command: If "ocredit" was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ ocredit=-1/' /etc/pam.d/common-password-vmware.local If "ocredit" was set incorrectly, run the following command: # sed -i '/pam_cracklib.so/ s/ocredit=../ocredit=-1/' /etc/pam.d/common-password-vmware.local

a

The SLES for vRealize must notify System Administrators and Information Systems Security Officer when accounts are created.

AC-2 - Low - CCI-001683 - V-239586 - SV-239586r662209_rule

RMF Control

AC-2

Severity

L

CCI

CCI-001683

Version

VROM-SL-000910

Vuln IDs

V-239586
V-88643

Rule IDs

SV-239586r662209_rule
SV-99293

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-42819r662207_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42778r662208_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

a

The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are modified.

AC-2 - Low - CCI-001684 - V-239587 - SV-239587r662212_rule

RMF Control

AC-2

Severity

L

CCI

CCI-001684

Version

VROM-SL-000915

Vuln IDs

V-239587
V-88645

Rule IDs

SV-239587r662212_rule
SV-99295

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-42820r662210_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42779r662211_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

a

The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are disabled.

AC-2 - Low - CCI-001685 - V-239588 - SV-239588r662215_rule

RMF Control

AC-2

Severity

L

CCI

CCI-001685

Version

VROM-SL-000920

Vuln IDs

V-239588
V-88647

Rule IDs

SV-239588r662215_rule
SV-99297

When SLES for vRealize accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual SLES for vRealize users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events that affect user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify System Administrators and Information System Security Officers (ISSO) so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-42821r662213_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42780r662214_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

a

The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are removed.

AC-2 - Low - CCI-001686 - V-239589 - SV-239589r662218_rule

RMF Control

AC-2

Severity

L

CCI

CCI-001686

Version

VROM-SL-000925

Vuln IDs

V-239589
V-88649

Rule IDs

SV-239589r662218_rule
SV-99299

When SLES for vRealize accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual SLES for vRealize users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events that affect user accessibility and system processing, SLES for vRealize must audit account removal actions and, as required, notify System Administrators and Information System Security Officers (ISSO) so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-42822r662216_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42781r662217_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

b

The SLES for vRealize must use cryptographic mechanisms to protect the integrity of audit tools.

AU-9 - Medium - CCI-001496 - V-239590 - SV-239590r662221_rule

RMF Control

AU-9

Severity

M

CCI

CCI-001496

Version

VROM-SL-000930

Vuln IDs

V-239590
V-88651

Rule IDs

SV-239590r662221_rule
SV-99301

Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.

Checks: C-42823r662219_chk

The following command will list which audit files on the system have file hashes different from what is expected by the RPM database: # rpm -V audit | grep '$1 ~ /..5/ && $2 != "c"' If there is output, this is a finding.

Fix: F-42782r662220_fix

The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database: # rpm -V audit | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to, refresh from distribution media or online repositories. rpm -Uvh [affected_package]

b

The SLES for vRealize must automatically terminate a user session after inactivity time-outs have expired or at shutdown.

AC-12 - Medium - CCI-002361 - V-239591 - SV-239591r662224_rule

RMF Control

AC-12

Severity

M

CCI

CCI-002361

Version

VROM-SL-000935

Vuln IDs

V-239591
V-88653

Rule IDs

SV-239591r662224_rule
SV-99303

Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance.

Checks: C-42824r662222_chk

Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.

Fix: F-42783r662223_fix

Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null

b

The SLES for vRealize must control remote access methods.

AC-17 - Medium - CCI-002314 - V-239592 - SV-239592r662227_rule

RMF Control

AC-17

Severity

M

CCI

CCI-002314

Version

VROM-SL-000950

Vuln IDs

V-239592
V-88655

Rule IDs

SV-239592r662227_rule
SV-99305

Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. SLES for vRealize functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).

Checks: C-42825r662225_chk

Check the SSH daemon configuration for listening network addresses: # grep -i Listen /etc/ssh/sshd_config | grep -v '^#' If no configuration is returned, or if a returned "Listen" configuration contains addresses not designated for management traffic, this is a finding.

Fix: F-42784r662226_fix

Edit the SSH daemon configuration with the following command: # sed -i "/^[^#]ListenAddress/ c\ListenAddress = 0.0.0.0" /etc/ssh/sshd_config Replace "0.0.0.0" with the listening network addresses designated for management traffic.

b

The SLES for vRealize must audit all account enabling actions.

AC-2 - Medium - CCI-002130 - V-239593 - SV-239593r662230_rule

RMF Control

AC-2

Severity

M

CCI

CCI-002130

Version

VROM-SL-000970

Vuln IDs

V-239593
V-88657

Rule IDs

SV-239593r662230_rule
SV-99307

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-42826r662228_chk

Determine if execution of the usermod and groupmod executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the passwd executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "etc/group", and "etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.

Fix: F-42785r662229_fix

Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to the aud.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart

b

The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are created, or enabled when previously disabled.

AC-2 - Medium - CCI-002132 - V-239594 - SV-239594r662233_rule

RMF Control

AC-2

Severity

M

CCI

CCI-002132

Version

VROM-SL-000975

Vuln IDs

V-239594
V-88659

Rule IDs

SV-239594r662233_rule
SV-99309

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. In order to detect and respond to events that affect user accessibility and application processing, SLES for vRealize systems must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Checks: C-42827r662231_chk

Determine if execution of the "usermod" and "groupmod" executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "passwd" executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.

Fix: F-42786r662232_fix

Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to the aud.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart

a

The SLES for vRealize must audit the execution of privileged functions.

AC-6 - Low - CCI-002234 - V-239595 - SV-239595r662236_rule

RMF Control

AC-6

Severity

L

CCI

CCI-002234

Version

VROM-SL-001005

Vuln IDs

V-239595
V-88661

Rule IDs

SV-239595r662236_rule
SV-99311

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.

Checks: C-42828r662234_chk

To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: # grep path /etc/audit/audit.rules It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.

Fix: F-42787r662235_fix

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged OR # /etc/dodscript.sh

a

The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.

AC-7 - Low - CCI-002238 - V-239596 - SV-239596r662239_rule

RMF Control

AC-7

Severity

L

CCI

CCI-002238

Version

VROM-SL-001010

Vuln IDs

V-239596
V-88663

Rule IDs

SV-239596r662239_rule
SV-99313

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.

Checks: C-42829r662237_chk

Check the "pam_tally2" configuration: # more /etc/pam.d/common-auth Confirm the following line is configured: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_ti me=86400 root_unlock_time=300 # more /etc/pam.d/common-account Confirm the following line is configured: account required pam_tally2.so If no such lines are found, this is a finding.

Fix: F-42788r662238_fix

Edit "/etc/pam.d/common-auth" file and add the following line: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300 Edit "/etc/pam.d/common-account" file and add the following line: account required pam_tally2.so

a

The SLES for vRealize must off-load audit records onto a different system or media from the system being audited.

AU-4 - Low - CCI-001851 - V-239597 - SV-239597r662242_rule

RMF Control

AU-4

Severity

L

CCI

CCI-001851

Version

VROM-SL-001035

Vuln IDs

V-239597
V-88665

Rule IDs

SV-239597r662242_rule
SV-99315

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Checks: C-42830r662240_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42789r662241_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

b

The SLES for vRealize must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

AU-5 - Medium - CCI-001855 - V-239598 - SV-239598r662245_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001855

Version

VROM-SL-001040

Vuln IDs

V-239598
V-88667

Rule IDs

SV-239598r662245_rule
SV-99317

If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.

Checks: C-42831r662243_chk

Check "/etc/audit/auditd.conf" file for the "space_left_action" parameter with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding Expected Result: space_left_action = SYSLOG Notes: If the "space_left_action" parameter is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" parameter is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.

Fix: F-42790r662244_fix

Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart

b

The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

AU-5 - Medium - CCI-001858 - V-239599 - SV-239599r662248_rule

RMF Control

AU-5

Severity

M

CCI

CCI-001858

Version

VROM-SL-001045

Vuln IDs

V-239599
V-88669

Rule IDs

SV-239599r662248_rule
SV-99319

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

Checks: C-42832r662246_chk

Check "/etc/audit/auditd.conf" file for the "space_left_action" parameter with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding Expected Result: space_left_action = SYSLOG Notes: If the "space_left_action" parameter is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" parameter is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.

Fix: F-42791r662247_fix

Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart

b

The SLES for vRealize must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).

AU-8 - Medium - CCI-001891 - V-239600 - SV-239600r662406_rule

RMF Control

AU-8

Severity

M

CCI

Version

VROM-SL-001085

Vuln IDs

V-239600
V-88671

Rule IDs

SV-239600r662406_rule
SV-99321

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative timeserver (e.g., mobile, teleworking, and tactical endpoints).

Checks: C-42833r662249_chk

A remote NTP server should be configured for time synchronization. To verify one is configured, open the following files: # cat /etc/ntp.conf | grep server | grep -v '^#' # cat /etc/ntp.conf | grep peer | grep -v '^#' # cat /etc/ntp.conf | grep multicastclient | grep -v '^#' Confirm the servers and peers or multicastclient (as applicable) are local or an authoritative U.S. DoD source. If a non-local/non-authoritative time-server is used, this is a finding.

Fix: F-42792r662250_fix

To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver by using the following command: # echo "server [ntpserver]" >> /etc/ntp.conf Replace [ntpserver] with one of the USNO time servers. This instructs the NTP software to contact that remote server to obtain time data. Restart the service with: # service ntp restart

b

The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.

AU-8 - Medium - CCI-001891 - V-239601 - SV-239601r662254_rule

RMF Control

AU-8

Severity

M

CCI

Version

VROM-SL-001090

Vuln IDs

V-239601
V-88673

Rule IDs

SV-239601r662254_rule
SV-99323

A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system account, unauthorized modifications could result in the failure of time synchronization.

Checks: C-42834r662252_chk

Check the ownership of the NTP configuration file: # ls -l /etc/ntp.conf If the owner is not "root", this is a finding.

Fix: F-42793r662253_fix

Change the owner of the NTP configuration file to "root": # chown root /etc/ntp.conf

b

The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.

AU-8 - Medium - CCI-001891 - V-239602 - SV-239602r662257_rule

RMF Control

AU-8

Severity

M

CCI

Version

VROM-SL-001095

Vuln IDs

V-239602
V-88675

Rule IDs

SV-239602r662257_rule
SV-99325

A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system group, unauthorized modifications could result in the failure of time synchronization.

Checks: C-42835r662255_chk

Check the group ownership of the NTP configuration file: # ls -lL /etc/ntp.conf If the group-owner is not "root", "bin", "sys", or "system", this is a finding.

Fix: F-42794r662256_fix

Change the group-owner of the NTP configuration file: # chgrp root /etc/ntp.conf

b

The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.

AU-8 - Medium - CCI-001891 - V-239603 - SV-239603r662260_rule

RMF Control

AU-8

Severity

M

CCI

Version

VROM-SL-001100

Vuln IDs

V-239603
V-88677

Rule IDs

SV-239603r662260_rule
SV-99327

A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not protected, unauthorized modifications could result in the failure of time synchronization.

Checks: C-42836r662258_chk

Check that the mode for the NTP configuration file is not more permissive than "0640": # ls -l /etc/ntp.conf If the mode is more permissive than "0640", this is a finding.

Fix: F-42795r662259_fix

Change the mode of the NTP configuration file to "0640" or less permissive: # chmod 0640 /etc/ntp.conf

b

The SLES for vRealize must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.

AU-8 - Medium - CCI-002046 - V-239604 - SV-239604r662263_rule

RMF Control

AU-8

Severity

M

CCI

CCI-002046

Version

VROM-SL-001105

Vuln IDs

V-239604
V-88679

Rule IDs

SV-239604r662263_rule
SV-99329

Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative timeserver (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the time difference.

Checks: C-42837r662261_chk

Run the following command to determine the current status of the "ntpd" service: # service ntp status If the service is configured, the command should show a list of the ntp servers and the status of the synchronization. If nothing is returned, this is a finding. If the service is configured, but does not show a status of "on", this is a finding.

Fix: F-42796r662262_fix

The "ntp" service can be enabled with the following command: # chkconfig ntp on # service ntp start

b

The SLES for vRealize must notify designated personnel if baseline configurations are changed in an unauthorized manner.

CM-3 - Medium - CCI-001744 - V-239605 - SV-239605r662266_rule

RMF Control

CM-3

Severity

M

CCI

CCI-001744

Version

VROM-SL-001130

Vuln IDs

V-239605
V-88681

Rule IDs

SV-239605r662266_rule
SV-99331

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the SLES for vRealize. SLES for vRealize’s IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Checks: C-42838r662264_chk

Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42797r662265_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b

The SLES for vRealize must audit the enforcement actions used to restrict access associated with changes to the system.

CM-5 - Medium - CCI-001814 - V-239606 - SV-239606r662269_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001814

Version

VROM-SL-001140

Vuln IDs

V-239606
V-88683

Rule IDs

SV-239606r662269_rule
SV-99333

Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.

Checks: C-42839r662267_chk

Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42798r662268_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b

The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.

CM-5 - Medium - CCI-001749 - V-239607 - SV-239607r662272_rule

RMF Control

CM-5

Severity

M

CCI

CCI-001749

Version

VROM-SL-001145

Vuln IDs

V-239607
V-88685

Rule IDs

SV-239607r662272_rule
SV-99335

Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or SLES for vRealize components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. SLES for vRealize should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.

Checks: C-42840r662270_chk

Verify RPM signature validation is not disabled: # grep nosignature /usr/lib/rpm/rpmrc ~root/.rpmrc The result should either respond with no such file or directory, or an empty return. If any configuration is found, this is a finding.

Fix: F-42799r662271_fix

Edit the RPM configuration files containing the "nosignature" option and remove the option.

b

The SLES for vRealize must audit all activities performed during nonlocal maintenance and diagnostic sessions.

MA-4 - Medium - CCI-002884 - V-239608 - SV-239608r662275_rule

RMF Control

MA-4

Severity

M

CCI

CCI-002884

Version

VROM-SL-001220

Vuln IDs

V-239608
V-88687

Rule IDs

SV-239608r662275_rule
SV-99337

If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch.

Checks: C-42841r662273_chk

Verify that all commands run by "root" are being audited with the following command: # cat /etc/audit/audit.rules | grep execve If the following lines are not displayed, this is a finding. -a exit,always -F arch=b64 -F euid=0 -S execve -a exit,always -F arch=b32 -F euid=0 -S execve

Fix: F-42800r662274_fix

Configure SLES for vRealize to log all commands run by "root" with the following command: # echo "-a exit,always -F arch=b64 -F euid=0 -S execve" >> /etc/audit/audit.rules # echo "-a exit,always -F arch=b32 -F euid=0 -S execve" >> /etc/audit/audit.rules Restart the audit service: # service auditd restart

b

The SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.

MA-4 - Medium - CCI-002890 - V-239609 - SV-239609r662278_rule

RMF Control

MA-4

Severity

M

CCI

CCI-002890

Version

VROM-SL-001225

Vuln IDs

V-239609
V-88689

Rule IDs

SV-239609r662278_rule
SV-99339

Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms, such as a hash function or digital signature, to protect integrity. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. The SLES for vRealize can meet this requirement through leveraging a cryptographic module. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch).

Checks: C-42842r662276_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42801r662277_fix

Update the Ciphers directive with the following command: # sed -i '/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr' /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart

b

The SLES for vRealize must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.

MA-4 - Medium - CCI-003123 - V-239610 - SV-239610r662281_rule

RMF Control

MA-4

Severity

M

CCI

CCI-003123

Version

VROM-SL-001230

Vuln IDs

V-239610
V-88691

Rule IDs

SV-239610r662281_rule
SV-99341

Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as encryption to protect confidentiality. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). The SLES for vRealize can meet this requirement through leveraging a cryptographic module.

Checks: C-42843r662279_chk

Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.

Fix: F-42802r662280_fix

Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config

c

The SLES for vRealize must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SC-13 - High - CCI-002450 - V-239611 - SV-239611r662284_rule

RMF Control

SC-13

Severity

H

CCI

CCI-002450

Version

VROM-SL-001240

Vuln IDs

V-239611
V-88693

Rule IDs

SV-239611r662284_rule
SV-99343

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The SLES for vRealize must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Checks: C-42844r662282_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42803r662283_fix

Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart

c

The SLES for vRealize must protect the confidentiality and integrity of transmitted information.

SC-8 - High - CCI-002418 - V-239612 - SV-239612r662287_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002418

Version

VROM-SL-001285

Vuln IDs

V-239612
V-88695

Rule IDs

SV-239612r662287_rule
SV-99345

Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.

Checks: C-42845r662285_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42804r662286_fix

Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart

c

The SLES for vRealize must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).

SC-8 - High - CCI-002421 - V-239613 - SV-239613r662407_rule

RMF Control

SC-8

Severity

H

CCI

CCI-002421

Version

VROM-SL-001290

Vuln IDs

V-239613
V-88697

Rule IDs

SV-239613r662407_rule
SV-99347

Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to leverage transmission protection mechanisms such as TLS, SSL VPNs, or IPsec. Alternative physical protection measures include PDS. PDSs are used to transmit unencrypted classified National Security Information (NSI) through an area of lesser classification or control. Since the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation.

Checks: C-42846r662288_chk

Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.

Fix: F-42805r662289_fix

Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config

b

The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.

SI-16 - Medium - CCI-002824 - V-239614 - SV-239614r662293_rule

RMF Control

SI-16

Severity

M

CCI

CCI-002824

Version

VROM-SL-001310

Vuln IDs

V-239614
V-88699

Rule IDs

SV-239614r662293_rule
SV-99349

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.

Checks: C-42847r662291_chk

The stock kernel has support for non-executable program stacks compiled in by default. Verify that the option was specified when the kernel was built: # grep -i "execute" /var/log/boot.msg The message: "NX (Execute Disable) protection: active" will be written in the boot log when compiled in the kernel. This is the default for x86_64. To activate this support, the "noexec=on" kernel parameter must be specified at boot time. Check for a message with the following command: # grep –i "noexec" /var/log/boot.msg The message: "Kernel command line: <boot parameters> noexec=on" will be written to the boot log when properly appended to the "/boot/grub/menu.lst" file. If non-executable program stacks have not been configured, this is a finding.

Fix: F-42806r662292_fix

Edit the "/boot/grub/menu.lst" file and add "noexec=on" to the end of each kernel line entry. A system restart is required to implement this change.

b

The SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution.

SI-16 - Medium - CCI-002824 - V-239615 - SV-239615r662296_rule

RMF Control

SI-16

Severity

M

CCI

CCI-002824

Version

VROM-SL-001315

Vuln IDs

V-239615
V-88701

Rule IDs

SV-239615r662296_rule
SV-99351

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.

Checks: C-42848r662294_chk

Verify "randomize_va_space" has not been changed from the default "1" setting. # sysctl kernel.randomize_va_space If the return value is not "kernel.randomize_va_space = 1", this is a finding.

Fix: F-42807r662295_fix

Run the following command: #sysctl kernel.randomize_va_space=1

b

The SLES for vRealize must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.

SI-6 - Medium - CCI-002702 - V-239616 - SV-239616r662299_rule

RMF Control

SI-6

Severity

M

CCI

CCI-002702

Version

VROM-SL-001335

Vuln IDs

V-239616
V-88703

Rule IDs

SV-239616r662299_rule
SV-99353

If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.

Checks: C-42849r662297_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42808r662298_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access security objects occur.

AU-12 - Medium - CCI-000172 - V-239617 - SV-239617r662302_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001340

Vuln IDs

V-239617
V-88705

Rule IDs

SV-239617r662302_rule
SV-99355

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42850r662300_chk

To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.

Fix: F-42809r662301_fix

At a minimum, the audit system should collect administrator actions for all users and "root". Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.

AU-12 - Medium - CCI-000172 - V-239618 - SV-239618r662305_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001345

Vuln IDs

V-239618
V-88707

Rule IDs

SV-239618r662305_rule
SV-99357

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42851r662303_chk

Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42810r662304_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify privileges occur.

AU-12 - Medium - CCI-000172 - V-239619 - SV-239619r662308_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001350

Vuln IDs

V-239619
V-88709

Rule IDs

SV-239619r662308_rule
SV-99359

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42852r662306_chk

To determine if SLES for vRealize is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=chmod,lchown,sethostname,fchmod,fchown,adjtimex,init_module,delete_module,chown,lchown32,fchown32,chown32,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42811r662307_fix

At a minimum, the audit system should collect file permission changes for all users and "root". Add the following to the "/etc/audit/audit.rules" file: -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S chmod OR # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify security objects occur.

AU-12 - Medium - CCI-000172 - V-239620 - SV-239620r662311_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001355

Vuln IDs

V-239620
V-88711

Rule IDs

SV-239620r662311_rule
SV-99361

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42853r662309_chk

To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.

Fix: F-42812r662310_fix

At a minimum, the audit system should collect administrator actions for all users and root. Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.

AU-12 - Medium - CCI-000172 - V-239621 - SV-239621r662314_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001360

Vuln IDs

V-239621
V-88713

Rule IDs

SV-239621r662314_rule
SV-99363

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42854r662312_chk

Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42813r662313_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete privileges occur.

AU-12 - Medium - CCI-000172 - V-239622 - SV-239622r662317_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001365

Vuln IDs

V-239622
V-88715

Rule IDs

SV-239622r662317_rule
SV-99365

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42855r662315_chk

To determine if SLES for vRealize is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid>=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=chmod,lchown,sethostname,fchmod,fchown,adjtimex,init_module,delete_module,chown,lchown32,fchown32,chown32,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42814r662316_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and root. Add the following to the "/etc/audit/audit.rules" file: -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S chmod OR # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security levels occur.

AU-12 - Medium - CCI-000172 - V-239623 - SV-239623r662320_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001370

Vuln IDs

V-239623
V-88717

Rule IDs

SV-239623r662320_rule
SV-99367

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42856r662318_chk

Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42815r662319_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b

The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security objects occur.

AU-12 - Medium - CCI-000172 - V-239624 - SV-239624r662323_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001375

Vuln IDs

V-239624
V-88719

Rule IDs

SV-239624r662323_rule
SV-99369

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42857r662321_chk

To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.

Fix: F-42816r662322_fix

At a minimum, the SLES for vRealize audit system should collect administrator actions for all users and root. Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful logon attempts occur.

AU-12 - Medium - CCI-000172 - V-239625 - SV-239625r662326_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001380

Vuln IDs

V-239625
V-88721

Rule IDs

SV-239625r662326_rule
SV-99371

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42858r662324_chk

The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.

Fix: F-42817r662325_fix

Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records for privileged activities or other system-level access.

AU-12 - Medium - CCI-000172 - V-239626 - SV-239626r662329_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001385

Vuln IDs

V-239626
V-88723

Rule IDs

SV-239626r662329_rule
SV-99373

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42859r662327_chk

To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: # grep path /etc/audit/audit.rules It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.

Fix: F-42818r662328_fix

At a minimum, the SLES for vRealize audit system should collect the execution of privileged commands for all users and "root". To find the relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged OR # /etc/dodscript.sh

b

The SLES for vRealize audit system must be configured to audit the loading and unloading of dynamic kernel modules.

AU-12 - Medium - CCI-000172 - V-239627 - SV-239627r662332_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001390

Vuln IDs

V-239627
V-88725

Rule IDs

SV-239627r662332_rule
SV-99375

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42860r662330_chk

Determine if "/sbin/insmod" is audited: # cat /etc/audit/audit.rules | grep "/sbin/insmod" If the result does not start with "-w" and contain "-p x", this is a finding.

Fix: F-42819r662331_fix

Add the following to the "/etc/audit/audit.rules" file in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x OR # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records showing starting and ending time for user access to the system.

AU-12 - Medium - CCI-000172 - V-239628 - SV-239628r662335_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001395

Vuln IDs

V-239628
V-88727

Rule IDs

SV-239628r662335_rule
SV-99377

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42861r662333_chk

The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.

Fix: F-42820r662334_fix

Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when concurrent logons to the same account occur from different sources.

AU-12 - Medium - CCI-000172 - V-239629 - SV-239629r662338_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001400

Vuln IDs

V-239629
V-88729

Rule IDs

SV-239629r662338_rule
SV-99379

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42862r662336_chk

The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.

Fix: F-42821r662337_fix

Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records when successful/unsuccessful accesses to objects occur.

AU-12 - Medium - CCI-000172 - V-239630 - SV-239630r662341_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001405

Vuln IDs

V-239630
V-88731

Rule IDs

SV-239630r662341_rule
SV-99381

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42863r662339_chk

Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42822r662340_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b

The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.

AU-12 - Medium - CCI-000172 - V-239631 - SV-239631r662344_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001410

Vuln IDs

V-239631
V-88733

Rule IDs

SV-239631r662344_rule
SV-99383

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Checks: C-42864r662342_chk

Verify auditd is configured to audit failed file access attempts. There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S creat" | grep -e "-F exit=-EPERM" # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S creat" | grep -e "-F exit=-EACCES" There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall. If not, this is a finding.

Fix: F-42823r662343_fix

Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b32 -S creat -F exit=-EPERM -a exit,always -F arch=b32 -S creat -F exit=-EACCES

b

The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.

AU-12 - Medium - CCI-000172 - V-239632 - SV-239632r662347_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001415

Vuln IDs

V-239632
V-88735

Rule IDs

SV-239632r662347_rule
SV-99385

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Checks: C-42865r662345_chk

Verify auditd is configured to audit failed file access attempts. There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S open" | grep -e "-F exit=-EPERM" # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S open" | grep -e "-F exit=-EACCES" There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall. If not, this is a finding.

Fix: F-42824r662346_fix

Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S open -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EACCES -a exit,always -F arch=b32 -S open -F exit=-EPERM -a exit,always -F arch=b32 -S open -F exit=-EACCES

b

The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.

AU-12 - Medium - CCI-000172 - V-239633 - SV-239633r662350_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001420

Vuln IDs

V-239633
V-88737

Rule IDs

SV-239633r662350_rule
SV-99387

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Checks: C-42866r662348_chk

Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S openat" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.

Fix: F-42825r662349_fix

Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S openat -F success=0 -a exit,always -F arch=b32 -S openat -F success=0

b

The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.

AU-12 - Medium - CCI-000172 - V-239634 - SV-239634r662353_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001425

Vuln IDs

V-239634
V-88739

Rule IDs

SV-239634r662353_rule
SV-99389

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Checks: C-42867r662351_chk

Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S truncate" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.

Fix: F-42826r662352_fix

Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S truncate -F success=0 -a exit,always -F arch=b32 -S truncate -F success=0

b

The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.

AU-12 - Medium - CCI-000172 - V-239635 - SV-239635r662356_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001430

Vuln IDs

V-239635
V-88741

Rule IDs

SV-239635r662356_rule
SV-99391

Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.

Checks: C-42868r662354_chk

Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S ftruncate" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.

Fix: F-42827r662355_fix

Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S ftruncate -F success=0 -a exit,always -F arch=b32 -S ftruncate -F success=0

b

The SLES for vRealize audit system must be configured to audit user deletions of files and programs.

AU-12 - Medium - CCI-000172 - V-239636 - SV-239636r662359_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001435

Vuln IDs

V-239636
V-88743

Rule IDs

SV-239636r662359_rule
SV-99393

Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.

Checks: C-42869r662357_chk

To determine if SLES for vRealize is configured to audit calls to the "unlink" system call, run the following command: # auditctl -l | grep syscall | grep unlink | grep -v unlinkat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "unlinkat" system call, run the following command: # auditctl -l | grep syscall | grep unlinkat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "rename" system call, run the following command: # auditctl -l | grep syscall | grep rename | grep -v renameat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "renameat" system call, run the following command: # auditctl -l | grep syscall | grep renameat If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding.

Fix: F-42828r662358_fix

Edit the audit.rules file and add the following line(s) to enable auditing of deletions of files and programs: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295

b

The SLES for vRealize audit system must be configured to audit file deletions.

AU-12 - Medium - CCI-000172 - V-239637 - SV-239637r662362_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001440

Vuln IDs

V-239637
V-88745

Rule IDs

SV-239637r662362_rule
SV-99395

If the SLES for vRealize system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.

Checks: C-42870r662360_chk

Check SLES for vRealize audit configuration to determine if file and directory deletions are audited: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -i "rmdir" If no results are returned or the results do not contain "-S rmdir", this is a finding.

Fix: F-42829r662361_fix

Add the following to the "/etc/audit/audit.rules" file in order to capture file and directory deletion events: -a always,exit -F arch=b64 -S rmdir -S rm -a always,exit -F arch=b32 -S rmdir -S rm

b

Audit logs must be rotated daily.

AU-12 - Medium - CCI-000172 - V-239638 - SV-239638r662365_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001445

Vuln IDs

V-239638
V-88747

Rule IDs

SV-239638r662365_rule
SV-99397

Rotate audit logs daily to preserve audit file system space and to conform to the DISA requirement. If it is not rotated daily and moved to another location, then there is more of a chance for the compromise of audit data by malicious users.

Checks: C-42871r662363_chk

Check for a logrotate entry that rotates audit logs. # ls -l /etc/logrotate.d/audit If it exists, check for the presence of the daily rotate flag: # egrep "daily" /etc/logrotate.d/audit The command should produce a "daily" entry in the logrotate file for the audit daemon. If the daily entry is missing, this is a finding.

Fix: F-42830r662364_fix

Create or edit the "/etc/logrotate.d/audit" file and add the daily entry, such as: /var/log/audit/audit.log { compress dateext rotate 15 daily missingok notifempty create 600 root root sharedscripts postrotate /sbin/service auditd restart 2> /dev/null > /dev/null || true endscript }

b

The SLES for vRealize must generate audit records for all direct access to the information system.

AU-12 - Medium - CCI-000172 - V-239639 - SV-239639r662368_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001450

Vuln IDs

V-239639
V-88749

Rule IDs

SV-239639r662368_rule
SV-99399

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42872r662366_chk

The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.

Fix: F-42831r662367_fix

Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records for all account creations, modifications, disabling, and termination events.

AU-12 - Medium - CCI-000172 - V-239640 - SV-239640r662371_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001455

Vuln IDs

V-239640
V-88751

Rule IDs

SV-239640r662371_rule
SV-99401

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42873r662369_chk

Determine if execution of the "usermod" and "groupmod" executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the passwd executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.

Fix: F-42832r662370_fix

Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to audit.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart OR # /etc/dodscript.sh

b

The SLES for vRealize must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.

AU-12 - Medium - CCI-000172 - V-239641 - SV-239641r662374_rule

RMF Control

AU-12

Severity

M

CCI

Version

VROM-SL-001460

Vuln IDs

V-239641
V-88753

Rule IDs

SV-239641r662374_rule
SV-99403

Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).

Checks: C-42874r662372_chk

Determine if "/sbin/insmod" is audited: # cat /etc/audit/audit.rules | grep "/sbin/insmod" If the result does not start with "-w" and contain "-p x", this is a finding.

Fix: F-42833r662373_fix

Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x OR # /etc/dodscript.sh

b

The SLES for vRealize must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

SC-13 - Medium - CCI-002450 - V-239642 - SV-239642r662408_rule

RMF Control

SC-13

Severity

M

CCI

CCI-002450

Version

VROM-SL-001465

Vuln IDs

V-239642
V-88755

Rule IDs

SV-239642r662408_rule
SV-99405

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The SLES for vRealize must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Checks: C-42875r662375_chk

Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.

Fix: F-42834r662376_fix

Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config

b

The SLES for vRealize must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.

AU-4 - Medium - CCI-001851 - V-239643 - SV-239643r662380_rule

RMF Control

AU-4

Severity

M

CCI

CCI-001851

Version

VROM-SL-001470

Vuln IDs

V-239643
V-88757

Rule IDs

SV-239643r662380_rule
SV-99407

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Checks: C-42876r662378_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42835r662379_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

b

The SLES for vRealize must prevent the use of dictionary words for passwords.

CM-6 - Medium - CCI-000366 - V-239644 - SV-239644r662383_rule

RMF Control

CM-6

Severity

M

CCI

Version

VROM-SL-001475

Vuln IDs

V-239644
V-88759

Rule IDs

SV-239644r662383_rule
SV-99409

If SLES for vRealize system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

Checks: C-42877r662381_chk

Check "/etc/pam.d/common-password" for "pam_cracklib" configuration: # grep pam_cracklib /etc/pam.d/common-password* If "pam_cracklib" is not present, this is a finding. Ensure the passwd command uses the common-password settings. # grep common-password /etc/pam.d/passwd If a line "password include common-password" is not found then the password checks in common-password will not be applied to new passwords, this is a finding.

Fix: F-42836r662382_fix

Edit "/etc/pam.d/common-password" and configure "pam_cracklib" by adding a line such as "password requisite pam_cracklib.so".

b

The SLES for vRealize must prevent the use of dictionary words for passwords.

CM-6 - Medium - CCI-000366 - V-239645 - SV-239645r662386_rule

RMF Control

CM-6

Severity

M

CCI

Version

VROM-SL-001480

Vuln IDs

V-239645
V-88761

Rule IDs

SV-239645r662386_rule
SV-99411

If SLES for vRealize allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

Checks: C-42878r662384_chk

Verify the module "pam_cracklib.so" is present. Procedure: # ls /lib/security/ Confirm that "pam_cracklib.so" is present in the directory listing. If "pam_cracklib.so" is not present, this is a finding. Verify the file "/etc/pam.d/common-password" is configured. Procedure: # grep pam_cracklib /etc/pam.d/common-password* If a line containing "password required pam_cracklib.so" is not present, this is a finding.

Fix: F-42837r662385_fix

Configure SLES for vRealize to prevent the use of dictionary words for passwords. Edit the file "/etc/pam.d/common-password". Configure "common-password" by adding a line such as: password required pam_cracklib.so Save the changes made to the file "/etc/pam.d/common-password".

b

The SLES for vRealize must prevent the use of dictionary words for passwords.

CM-6 - Medium - CCI-000366 - V-239646 - SV-239646r662389_rule

RMF Control

CM-6

Severity

M

CCI

Version

VROM-SL-001485

Vuln IDs

V-239646
V-88763

Rule IDs

SV-239646r662389_rule
SV-99413

If SLES for vRealize allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.

Checks: C-42879r662387_chk

Verify the "passwd" command uses the "common-password" settings. Procedure: # grep common-password /etc/pam.d/passwd If line "password include common-password" is not found then the password checks in common-password will not be applied to new passwords, and this is a finding.

Fix: F-42838r662388_fix

Configure SLES for vRealize to prevent the use of dictionary words for passwords. Procedure: Edit the file "/etc/pam.d/passwd". Configure "passwd" by adding a line such as: password include common-password Save the changes made to the file.

b

The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.

CM-6 - Medium - CCI-000366 - V-239647 - SV-239647r662392_rule

RMF Control

CM-6

Severity

M

CCI

Version

VROM-SL-001490

Vuln IDs

V-239647
V-88765

Rule IDs

SV-239647r662392_rule
SV-99415

Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Checks: C-42880r662390_chk

Check the value of the "FAIL_DELAY" variable and the ability to use it: # grep FAIL_DELAY /etc/login.defs The following result should be displayed: FAIL_DELAY 4 If the value does not exist, or is less than "4", this is a finding. Check for the use of "pam_faildelay": # grep pam_faildelay /etc/pam.d/common-auth* The following result should be displayed: /etc/pam.d/common-auth:auth optional pam_faildelay.so If the "pam_faildelay.so" module is not listed or is commented out, this is a finding.

Fix: F-42839r662391_fix

Add the "pam_faildelay" module and set the "FAIL_DELAY" variable. Edit the "/etc/login.defs" file and set the value of the "FAIL_DELAY" variable to "4" or more. Edit "/etc/pam.d/common-auth" and add a "pam_faildelay" entry if one does not exist, such as: auth optional pam_faildelay.so

b

The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.

CM-6 - Medium - CCI-000366 - V-239648 - SV-239648r662395_rule

RMF Control

CM-6

Severity

M

CCI

Version

VROM-SL-001495

Vuln IDs

V-239648
V-88767

Rule IDs

SV-239648r662395_rule
SV-99417

Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Checks: C-42881r662393_chk

Verify the SLES for vRealize enforces a delay of at least "4" seconds between logon prompts following a failed logon attempt. Review the file "/etc/login.defs" and verify the parameter "FAIL_DELAY" is a value of "4" or greater. Procedure: # grep FAIL_DELAY /etc/login.defs The typical configuration looks something like this: FAIL_DELAY 4 If the parameter "FAIL_DELAY" does not exists, or is less than "4", this is a finding.

Fix: F-42840r662394_fix

Configure SLES for vRealize to enforce a delay of at least "4" seconds between logon prompts following a failed logon attempt. Set the parameter "FAIL_DELAY" to a value of "4" or greater. Edit the file "/etc/login.defs". Set the parameter "FAIL_DELAY" to a value of "4" or greater. The typical configuration looks something like this: FAIL_DELAY 4 Save the changes made to the file.

b

The SLES for vRealize must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.

CM-6 - Medium - CCI-000366 - V-239649 - SV-239649r662398_rule

RMF Control

CM-6

Severity

M

CCI

Version

VROM-SL-001500

Vuln IDs

V-239649
V-88769

Rule IDs

SV-239649r662398_rule
SV-99419

Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.

Checks: C-42882r662396_chk

Verify SLES for vRealize enforces a delay of at least "4" seconds between logon prompts following a failed logon attempt. Verify the use of the "pam_faildelay" module. Procedure: # grep pam_faildelay /etc/pam.d/common-auth* The typical configuration looks something like this: #delay is in micro seconds auth required pam_faildelay.so delay=4000000 If the line is not present, this is a finding.

Fix: F-42841r662397_fix

Configure SLES for vRealize to enforce a delay of at least "4" seconds between logon prompts following a failed logon attempt with the following command: # sed -i "/^[^#]*pam_faildelay.so/ c\auth required pam_faildelay.so delay=4000000" /etc/pam.d/common-auth-vmware.local

b

The SLES for vRealize must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

CM-6 - Medium - CCI-000366 - V-239650 - SV-239650r662401_rule

RMF Control

CM-6

Severity

M

CCI

Version

VROM-SL-001505

Vuln IDs

V-239650
V-88771

Rule IDs

SV-239650r662401_rule
SV-99421

Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.

Checks: C-42883r662399_chk

Verify SLES for vRealize is configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. If it is not, this is a finding.

Fix: F-42842r662400_fix

Configure SLES for vRealize in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.

b

The SLES for vRealize must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.

CM-6 - Medium - CCI-000366 - V-239651 - SV-239651r662404_rule

RMF Control

CM-6

Severity

M

CCI