VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide

  • Version/Release: V2R2
  • Published: 2023-09-21
  • Released: 2023-10-25
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
b
The SLES for vRealize must provide automated mechanisms for supporting account management functions.
AC-2 - Medium - CCI-000015 - V-239441 - SV-239441r661774_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000015
Version
VROM-SL-000005
Vuln IDs
  • V-239441
  • V-88353
Rule IDs
  • SV-239441r661774_rule
  • SV-99003
Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other errors. A comprehensive account management process that includes automation helps to ensure accounts designated as requiring attention are consistently and promptly addressed. Examples include, but are not limited to, using automation to take action on multiple accounts designated as inactive, suspended, or terminated, or by disabling accounts located in non-centralized account stores such as multiple servers. This requirement applies to all account types, including individual/user, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. The automated mechanisms may reside within the SLES for vRealize itself or may be offered by other infrastructure providing automated account management capabilities. Automated mechanisms may be composed of differing technologies that, when placed together, contain an overall automated mechanism supporting an organization's automated account management requirements. Account management functions include: assigning group or role membership; identifying account type; specifying user access authorizations (i.e., privileges); account removal, update, or termination; and administrative alerts. The use of automated mechanisms can include, for example: using email or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using automated telephonic notification to report atypical system account usage.
Checks: C-42674r661772_chk

Interview the server admin to determine if there is automated mechanisms for managing user accounts. If there is not, this is a finding.

Fix: F-42633r661773_fix

Implement an automated system for managing user accounts that minimizes the risk of errors, either intentional or deliberate. If possible, this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos.

b
The SLES for vRealize must automatically remove or disable temporary user accounts after 72 hours.
AC-2 - Medium - CCI-000016 - V-239442 - SV-239442r661777_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000016
Version
VROM-SL-000010
Vuln IDs
  • V-239442
  • V-88355
Rule IDs
  • SV-239442r661777_rule
  • SV-99005
If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the SLES for vRealize must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. To address access requirements, many SLES for vRealize operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
Checks: C-42675r661775_chk

For every existing temporary account, run the following command to obtain its account expiration information. # chage -l system_account_name Verify each of these accounts has an expiration date set within "72" hours. If any temporary accounts have no expiration date set or do not expire within "72" hours, this is a finding.

Fix: F-42634r661776_fix

In the event temporary accounts are required, configure the system to terminate them after "72" hours. For every temporary account, run the following command to set an expiration date on it, substituting "system_account_name" for the appropriate value. # chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name `date -d "+3 days" +%Y-%m-%d` gets the expiration date for the account at the time of running the command.

b
The SLES for vRealize must audit all account creations.
AC-2 - Medium - CCI-000018 - V-239443 - SV-239443r661780_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
VROM-SL-000015
Vuln IDs
  • V-239443
  • V-88357
Rule IDs
  • SV-239443r661780_rule
  • SV-99007
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SLES for vRealize operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42676r661778_chk

Determine if execution of the useradd and groupadd executable are audited. # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Expected result: LIST_RULES: exit,always watch=/usr/sbin/useradd perm=x key=useradd LIST_RULES: exit,always watch=/usr/sbin/groupadd perm=x key=groupadd

Fix: F-42635r661779_fix

Configure execute auditing of the "useradd" and "groupadd" executables run the DoD.script with the following command as root: # /etc/dodscript.sh OR Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to /etc/audit/audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Restart the auditd service. # service auditd restart

b
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications, any unexpected users, groups, or modifications must be investigated for legitimacy.
AC-2 - Medium - CCI-000018 - V-239444 - SV-239444r661783_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-000018
Version
VROM-SL-000020
Vuln IDs
  • V-239444
  • V-88359
Rule IDs
  • SV-239444r661783_rule
  • SV-99009
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SLES for vRealize operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42677r661781_chk

Determine if /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow are audited for appending. # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)' | grep perm=a If the "passwd", "shadow", "group", and "gshadow" files are not listed with a permissions filter of at least "a", this is a finding. Expected result: LIST_RULES: exit,always watch=/etc/passwd perm=a key=passwd LIST_RULES: exit,always watch=/etc/shadow perm=a key=shadow LIST_RULES: exit,always watch=/etc/group perm=a key=group LIST_RULES: exit,always watch=/etc/gshadow perm=a key=gshadow

Fix: F-42636r661782_fix

Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files run the DoD.script with the following command as root: # /etc/dodscript.sh # echo '-w /etc/gshadow -p a -k gshadow' >> /etc/audit/audit.rules Restart the auditd service. # service auditd restart OR Configure append auditing of the passwd, shadow, group, and gshadow files by running the following commands: # echo '-w /etc/passwd -p a -k passwd' >> /etc/audit/audit.rules # echo '-w /etc/shadow -p a -k shadow' >> /etc/audit/audit.rules # echo '-w /etc/group -p a -k group' >> /etc/audit/audit.rules # echo '-w /etc/gshadow -p a -k gshadow' >> /etc/audit/audit.rules Restart the auditd service. # service auditd restart

b
The SLES for vRealize must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
AC-7 - Medium - CCI-000044 - V-239445 - SV-239445r661786_rule
RMF Control
AC-7
Severity
Medium
CCI
CCI-000044
Version
VROM-SL-000025
Vuln IDs
  • V-239445
  • V-88361
Rule IDs
  • SV-239445r661786_rule
  • SV-99011
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
Checks: C-42678r661784_chk

Run the following command to ensure that the SLES for vRealize enforces the limit of "3" consecutive invalid logon attempts by a user: # grep pam_tally2.so /etc/pam.d/common-auth The output should contain "deny=3" in the returned line. If the output does not contain "deny=3", this is a finding. Expected Result: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300

Fix: F-42637r661785_fix

To configure the SLES for vRealize to enforce the limit of "3" consecutive invalid attempts using "pam_tally2.so", modify the content of the /etc/pam.d/common-auth-vmware.local by running the following command: # sed -i "/^[^#]*pam_tally2.so/ c\auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300" /etc/pam.d/common-auth-vmware.local

b
The SLES for vRealize must display the Standard Mandatory DoD Notice and Consent Banner before granting access via SSH.
AC-8 - Medium - CCI-000048 - V-239446 - SV-239446r661789_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
VROM-SL-000030
Vuln IDs
  • V-239446
  • V-88363
Rule IDs
  • SV-239446r661789_rule
  • SV-99013
Display of a standardized and approved use notification before granting access to the SLES for vRealize ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for SLES for vRealize systems that can accommodate banners of 1300 characters: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." Use the following verbiage for SLES for vRealize systems that have severe limitations on the number of characters that can be displayed in the banner: "I've read & consent to terms in IS user agreem't."
Checks: C-42679r661787_chk

Check that the SSH daemon is configured for logon warning banners: # grep -i banner /etc/ssh/sshd_config | grep -v '#' The output should contain "Banner /etc/issue". If the output does not contain "Banner /etc/issue", this is a finding.

Fix: F-42638r661788_fix

To configure the SSH daemon with the logon warning banners, modify /etc/ssh/sshd_config execute the following command: # sed -i "/^[^#]*Banner/ c\Banner /etc/issue" /etc/ssh/sshd_config The SSH service will need to be restarted after the above change has been made to SSH. This can be done by running the following command: # service sshd restart

a
The SLES for vRealize must limit the number of concurrent sessions to ten for all accounts and/or account types.
AC-10 - Low - CCI-000054 - V-239447 - SV-239447r877399_rule
RMF Control
AC-10
Severity
Low
CCI
CCI-000054
Version
VROM-SL-000040
Vuln IDs
  • V-239447
  • V-88365
Rule IDs
  • SV-239447r877399_rule
  • SV-99015
Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.
Checks: C-42680r661790_chk

Verify the SLES for vRealize limits the number of concurrent sessions to "10" for all accounts and/or account types with the following command: # grep maxlogins /etc/security/limits.conf | grep -v '#' The default maxlimits should be set to a max of "10" or a documented site defined number: * hard maxlogins 10 If the default maxlimits is not set to "10" or the documented site defined number, this is a finding.

Fix: F-42639r661791_fix

Configure the SLES for vRealize to limit the number of concurrent sessions to "10" for all accounts and/or account types by using the following command: sed -i 's/\(^* *hard *maxlogins\).*/* hard maxlogins 10/g' /etc/security/limits.conf

b
The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for all connection types.
AC-11 - Medium - CCI-000057 - V-239448 - SV-239448r661795_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
VROM-SL-000050
Vuln IDs
  • V-239448
  • V-88367
Rule IDs
  • SV-239448r661795_rule
  • SV-99017
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, SLES for vRealize needs to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled.
Checks: C-42681r661793_chk

Check for the existence of the /etc/profile.d/tmout.sh file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to 900 seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set, this is a finding.

Fix: F-42640r661794_fix

Ensure the file exists and is owned by root. If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null

b
The SLES for vRealize must initiate a session lock after a 15-minute period of inactivity for an SSH connection.
AC-11 - Medium - CCI-000057 - V-239449 - SV-239449r661798_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
VROM-SL-000055
Vuln IDs
  • V-239449
  • V-88369
Rule IDs
  • SV-239449r661798_rule
  • SV-99019
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, SLES for vRealize needs to be able to identify when a user's session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled.
Checks: C-42682r661796_chk

Verify SLES for vRealize initiates a session lock after a 15-minute period of inactivity for SSH. Execute the following command: # grep ClientAliveInterval /etc/ssh/sshd_config; grep ClientAliveCountMax /etc/ssh/sshd_config Verify the following result: ClientAliveInterval 900 ClientAliveCountMax 0 If the session lock is not set to a 15-minute period, this is a finding.

Fix: F-42641r661797_fix

Configure SLES for vRealize to initiate a session lock after a 15-minute period of inactivity for SSH. Set the session lock after a 15-minute period by executing the following command: # sed -i 's/^.*\bClientAliveInterval\b.*$/ClientAliveInterval 900/' /etc/ssh/sshd_config; sed -i 's/^.*\bClientAliveCountMax\b.*$/ClientAliveCountMax 0/' /etc/ssh/sshd_config

b
The SLES for vRealize must monitor remote access methods - SSH Daemon.
AC-17 - Medium - CCI-000067 - V-239450 - SV-239450r661801_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000067
Version
VROM-SL-000070
Vuln IDs
  • V-239450
  • V-88371
Rule IDs
  • SV-239450r661801_rule
  • SV-99021
Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Checks: C-42683r661799_chk

Verify that SSH is configured to verbosely log connection attempts and failed logon attempts to the server by running the following command: # grep LogLevel /etc/ssh/sshd_config | grep -v '#' The output message must contain the following text: LogLevel VERBOSE If it is not set to "VERBOSE", this is a finding.

Fix: F-42642r661800_fix

To configure SSH to verbosely log connection attempts and failed logon attempts to the server, run the following command: # sed -i 's/^.*\bLogLevel\b.*$/LogLevel VERBOSE/' /etc/ssh/sshd_config The SSH service will need to be restarted after the above change has been made to SSH. This can be done by running the following command: # service sshd restart

b
The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Daemon.
AC-17 - Medium - CCI-000068 - V-239451 - SV-239451r877398_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
VROM-SL-000075
Vuln IDs
  • V-239451
  • V-88373
Rule IDs
  • SV-239451r877398_rule
  • SV-99023
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.
Checks: C-42684r661802_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the sshd_config file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42643r661803_fix

Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart

b
The SLES for vRealize must implement DoD-approved encryption to protect the confidentiality of remote access sessions - SSH Client.
AC-17 - Medium - CCI-000068 - V-239452 - SV-239452r877398_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-000068
Version
VROM-SL-000080
Vuln IDs
  • V-239452
  • V-88375
Rule IDs
  • SV-239452r877398_rule
  • SV-99025
Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Encryption provides a means to secure the remote connection to prevent unauthorized access to the data traversing the remote access connection (e.g., RDP), thereby providing a degree of confidentiality. The encryption strength of a mechanism is selected based on the security categorization of the information.
Checks: C-42685r766910_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the ssh_config file. # grep -i Ciphers /etc/ssh/ssh_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes256-ctr,aes128-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42644r661806_fix

Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/ssh_config Save and close the file.

b
The SLES for vRealize must produce audit records.
AU-3 - Medium - CCI-000130 - V-239453 - SV-239453r661810_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-000130
Version
VROM-SL-000085
Vuln IDs
  • V-239453
  • V-88377
Rule IDs
  • SV-239453r661810_rule
  • SV-99027
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in the SLES for vRealize audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.
Checks: C-42686r661808_chk

Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for: service auditd running If the service is not running, this is a finding.

Fix: F-42645r661809_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b
The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
AU-5 - Medium - CCI-000139 - V-239454 - SV-239454r661813_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
VROM-SL-000125
Vuln IDs
  • V-239454
  • V-88379
Rule IDs
  • SV-239454r661813_rule
  • SV-99029
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
Checks: C-42687r661811_chk

Check /etc/audit/auditd.conf for the "space_left_action" with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding. Expected Result: space_left_action = SYSLOG Notes: If the space_left_action is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the space_left_action is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note: If the email address of the system administrator is on a remote system "sendmail" must be available.

Fix: F-42646r661812_fix

Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart

b
The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern).
AU-5 - Medium - CCI-000140 - V-239455 - SV-239455r661816_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000140
Version
VROM-SL-000130
Vuln IDs
  • V-239455
  • V-88381
Rule IDs
  • SV-239455r661816_rule
  • SV-99031
It is critical that when the SLES for vRealize is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, the operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner. 2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, SLES for vRealize must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.
Checks: C-42688r661814_chk

Verify the /etc/audit/auditd.conf has the "disk_full_action", "disk_error_action", and "admin_disk_space_left" parameters set. # grep disk_full_action /etc/audit/auditd.conf If the "disk_full_action" parameter is missing or set to "suspend" or "ignore", this is a finding. # grep disk_error_action /etc/audit/auditd.conf If the "disk_error_action" parameter is missing or set to "suspend" or "ignore", this is a finding. # grep admin_space_left_action /etc/audit/auditd.conf If the "admin_space_left_action" parameter is missing or set to "suspend" or "ignore", this is a finding.

Fix: F-42647r661815_fix

Edit /etc/audit/auditd.conf and set the "disk_full_action", "disk_error_action", and "admin_space_left_action" parameters to "syslog" with the following commands: # sed -i "/^[^#]*disk_full_action/ c\disk_full_action = SYSLOG" /etc/audit/auditd.conf # sed -i "/^[^#]*disk_error_action/ c\disk_error_action = SYSLOG" /etc/audit/auditd.conf # sed -i "/^[^#]*admin_space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.

b
The SLES for vRealize must protect audit information from unauthorized read access - ownership.
AU-9 - Medium - CCI-000162 - V-239456 - SV-239456r661819_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VROM-SL-000150
Vuln IDs
  • V-239456
  • V-88383
Rule IDs
  • SV-239456r661819_rule
  • SV-99033
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit SLES for vRealize activity.
Checks: C-42689r661817_chk

Verify that the SLES for vRealize audit logs are owned by "root". # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) && if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file is not owned by "root" or "admin", this is a finding.

Fix: F-42648r661818_fix

Change the ownership of the audit log file(s). Procedure: # chown root <audit log file> # chown root /var/log/audit/audit.log

b
The SLES for vRealize must protect audit information from unauthorized read access - group ownership.
AU-9 - Medium - CCI-000162 - V-239457 - SV-239457r661822_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000162
Version
VROM-SL-000155
Vuln IDs
  • V-239457
  • V-88385
Rule IDs
  • SV-239457r661822_rule
  • SV-99035
Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit SLES for vRealize activity.
Checks: C-42690r661820_chk

Verify that the SLES for vRealize audit logs are group-owned by "root". # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) &amp;&amp; if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file is not group-owned by "root" or "admin", this is a finding.

Fix: F-42649r661821_fix

Change the group ownership of the audit log file(s). Procedure: # chgrp root <audit log file> # chgrp root /var/log/audit/audit.log

b
The SLES for vRealize must protect audit information from unauthorized modification.
AU-9 - Medium - CCI-000163 - V-239458 - SV-239458r661825_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000163
Version
VROM-SL-000160
Vuln IDs
  • V-239458
  • V-88387
Rule IDs
  • SV-239458r661825_rule
  • SV-99037
If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the SLES for vRealize must protect audit information from unauthorized modification. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
Checks: C-42691r661823_chk

Check that the SLES for vRealize audit logs with the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) &amp;&amp; if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file has a mode more permissive than "0640", this is a finding.

Fix: F-42650r661824_fix

Change the mode of the audit log file(s): # chmod 0640 <audit log file>

b
The SLES for vRealize must protect audit information from unauthorized deletion.
AU-9 - Medium - CCI-000164 - V-239459 - SV-239459r661828_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
VROM-SL-000165
Vuln IDs
  • V-239459
  • V-88389
Rule IDs
  • SV-239459r661828_rule
  • SV-99039
If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the SLES for vRealize must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
Checks: C-42692r661826_chk

Check that the SLES for vRealize audit logs with the following command: # (audit_log_file=$(grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\/]*//) &amp;&amp; if [ -f "${audit_log_file}" ] ; then printf "Log(s) found in "${audit_log_file%/*}":\n"; ls -l ${audit_log_file%/*}; else printf "audit log file(s) not found\n"; fi) If any audit log file has a mode more permissive than "0640", this is a finding.

Fix: F-42651r661827_fix

Change the mode of the audit log file(s): # chmod 0640 <audit log file>

b
The SLES for vRealize must protect audit information from unauthorized deletion - log directories.
AU-9 - Medium - CCI-000164 - V-239460 - SV-239460r661831_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-000164
Version
VROM-SL-000170
Vuln IDs
  • V-239460
  • V-88391
Rule IDs
  • SV-239460r661831_rule
  • SV-99041
If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the SLES for vRealize must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
Checks: C-42693r661829_chk

Run the following command to check the mode of the system audit directories: # grep "^log_file" /etc/audit/auditd.conf|sed 's/^[^/]*//; s/[^/]*$//'|xargs stat -c %a:%n Audit directories must be mode "0700". If the audit directories is not set to mode "0700", this is a finding.

Fix: F-42652r661830_fix

Change the mode of the audit log directories with the following command: # chmod 700 <audit log directory>

b
The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - Permissions.
AU-12 - Medium - CCI-000171 - V-239474 - SV-239474r661873_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
VROM-SL-000240
Vuln IDs
  • V-239474
  • V-88419
Rule IDs
  • SV-239474r661873_rule
  • SV-99069
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-42707r661871_chk

Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the permissions of the file is not set to "640", this is a finding.

Fix: F-42666r661872_fix

Change the permissions of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chmod 640 /etc/audit/audit.rules.STIG # chmod 640 /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chmod 640 /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - ownership.
AU-12 - Medium - CCI-000171 - V-239475 - SV-239475r661876_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
VROM-SL-000245
Vuln IDs
  • V-239475
  • V-88421
Rule IDs
  • SV-239475r661876_rule
  • SV-99071
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-42708r661874_chk

Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the ownership is not set to "root", this is a finding.

Fix: F-42667r661875_fix

Change the ownership of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chown root /etc/audit/audit.rules.STIG # chown root /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chown root /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited - group ownership.
AU-12 - Medium - CCI-000171 - V-239476 - SV-239476r661879_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000171
Version
VROM-SL-000250
Vuln IDs
  • V-239476
  • V-88423
Rule IDs
  • SV-239476r661879_rule
  • SV-99073
Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
Checks: C-42709r661877_chk

Check the permissions of the rules files in /etc/audit: # ls -l /etc/audit/ Note: If /etc/audit/audit.rules is a symbolic link to /etc/audit/audit.rules.STIG, then the check is only applicable to /etc/audit/audit.rules.STIG. If the group owner is not set to "root", this is a finding.

Fix: F-42668r661878_fix

Change the group ownership of the /etc/audit/audit.rules.STIG, the /etc/audit/audit.rules.ORIG, and the /etc/audit/audit.rules files (if not a symbolic link): # chgrp root /etc/audit/audit.rules.STIG # chgrp root /etc/audit/audit.rules.ORIG # if [ -f /etc/audit/audit.rules ]; then chgrp root /etc/audit/audit.rules; fi Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The operating system must generate audit records for all discretionary access control permission modifications using chmod.
AU-12 - Medium - CCI-000172 - V-239477 - SV-239477r661882_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000255
Vuln IDs
  • V-239477
  • V-88425
Rule IDs
  • SV-239477r661882_rule
  • SV-99075
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42710r661880_chk

To determine if the system is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid&gt;=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42669r661881_fix

At a minimum, the audit system should collect file permission changes for all users and root. Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using chown.
AU-12 - Medium - CCI-000172 - V-239478 - SV-239478r661885_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000260
Vuln IDs
  • V-239478
  • V-88427
Rule IDs
  • SV-239478r661885_rule
  • SV-99077
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42711r661883_chk

To determine if the SLES for vRealize is configured to audit calls to the "chown" system call, run the following command: # auditctl -l | grep syscall | grep chown If the SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid&gt;=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42670r661884_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S chown -F auid=0 -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmod.
AU-12 - Medium - CCI-000172 - V-239479 - SV-239479r661888_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000265
Vuln IDs
  • V-239479
  • V-88429
Rule IDs
  • SV-239479r661888_rule
  • SV-99079
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42712r661886_chk

To determine if SLES for vRealize is configured to audit calls to the "fchmod" system call, run the following command: # auditctl -l | grep syscall | grep fchmod If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid&gt;=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42671r661887_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchmod -F auid=0 -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchmodat.
AU-12 - Medium - CCI-000172 - V-239480 - SV-239480r661891_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000270
Vuln IDs
  • V-239480
  • V-88431
Rule IDs
  • SV-239480r661891_rule
  • SV-99081
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42713r661889_chk

To determine if SLES for vRealize is configured to audit calls to the "fchmodat" system call, run the following command: # auditctl -l | grep syscall | grep fchmodat If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid&gt;=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42672r661890_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchmodat -F auid=0 -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchown.
AU-12 - Medium - CCI-000172 - V-239481 - SV-239481r661894_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000275
Vuln IDs
  • V-239481
  • V-88433
Rule IDs
  • SV-239481r661894_rule
  • SV-99083
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42714r661892_chk

To determine if SLES for vRealize is configured to audit calls to the "fchown" system call, run the following command: # auditctl -l | grep syscall | grep fchown If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid&gt;=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42673r661893_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchown -F auid=0 -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fchownat.
AU-12 - Medium - CCI-000172 - V-239482 - SV-239482r661897_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000280
Vuln IDs
  • V-239482
  • V-88435
Rule IDs
  • SV-239482r661897_rule
  • SV-99085
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42715r661895_chk

To determine if SLES for vRealize is configured to audit calls to the "fchownat" system call, run the following command: # auditctl -l | grep syscall | grep fchownat If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid&gt;=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42674r661896_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fchownat -F auid=0 -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fremovexattr.
AU-12 - Medium - CCI-000172 - V-239483 - SV-239483r661900_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000285
Vuln IDs
  • V-239483
  • V-88437
Rule IDs
  • SV-239483r661900_rule
  • SV-99087
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42716r661898_chk

To determine if SLES for vRealize is configured to audit calls to the "fremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep fremovexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42675r661899_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fremovexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using fsetxattr.
AU-12 - Medium - CCI-000172 - V-239484 - SV-239484r661903_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000290
Vuln IDs
  • V-239484
  • V-88439
Rule IDs
  • SV-239484r661903_rule
  • SV-99089
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42717r661901_chk

To determine if SLES for vRealize is configured to audit calls to the "fsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep fsetxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42676r661902_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S fsetxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lchown.
AU-12 - Medium - CCI-000172 - V-239485 - SV-239485r661906_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000295
Vuln IDs
  • V-239485
  • V-88441
Rule IDs
  • SV-239485r661906_rule
  • SV-99091
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42718r661904_chk

To determine if SLES for vRealize is configured to audit calls to the "lchown" system call, run the following command: # auditctl -l | grep syscall | grep lchown If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42677r661905_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lchown Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lremovexattr.
AU-12 - Medium - CCI-000172 - V-239486 - SV-239486r661909_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000300
Vuln IDs
  • V-239486
  • V-88443
Rule IDs
  • SV-239486r661909_rule
  • SV-99093
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42719r661907_chk

To determine if SLES for vRealize is configured to audit calls to the "lremovexattr" system call, run the following command: # auditctl -l | grep syscall | grep lremovexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42678r661908_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lremovexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using lsetxattr.
AU-12 - Medium - CCI-000172 - V-239487 - SV-239487r661912_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000305
Vuln IDs
  • V-239487
  • V-88445
Rule IDs
  • SV-239487r661912_rule
  • SV-99095
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42720r661910_chk

To determine if SLES for vRealize is configured to audit calls to the "lsetxattr" system call, run the following command: # auditctl -l | grep syscall | grep lsetxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42679r661911_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S lsetxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using removexattr.
AU-12 - Medium - CCI-000172 - V-239488 - SV-239488r661915_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000310
Vuln IDs
  • V-239488
  • V-88447
Rule IDs
  • SV-239488r661915_rule
  • SV-99097
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42721r661913_chk

To determine if SLES for vRealize is configured to audit calls to the "removexattr" system call, run the following command: # auditctl -l | grep syscall | grep removexattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42680r661914_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S removexattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all discretionary access control permission modifications using setxattr.
AU-12 - Medium - CCI-000172 - V-239489 - SV-239489r661918_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000315
Vuln IDs
  • V-239489
  • V-88449
Rule IDs
  • SV-239489r661918_rule
  • SV-99099
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42722r661916_chk

To determine if SLES for vRealize is configured to audit calls to the "setxattr" system call, run the following command: # auditctl -l | grep syscall | grep setxattr If SLES for vRealize is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=lchown,sethostname,init_module,delete_module,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime If no lines are returned, this is a finding.

Fix: F-42681r661917_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and "root". Add the following to "/etc/audit/audit.rules": -a always,exit -F arch=b64 -S setxattr Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access privileges occur. The SLES for vRealize must generate audit records for all failed attempts to access files and programs.
AU-12 - Medium - CCI-000172 - V-239490 - SV-239490r661921_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-000320
Vuln IDs
  • V-239490
  • V-88451
Rule IDs
  • SV-239490r661921_rule
  • SV-99101
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42723r661919_chk

To check that the SLES for vRealize audit system collects unauthorized file accesses, run the following commands: # grep EACCES /etc/audit/audit.rules -a exit,always -F arch=b64 -S swapon -F exit=-EACCES -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b64 -S open -F exit=-EACCES # grep EPERM /etc/audit/audit.rules -a exit,always -F arch=b64 -S swapon -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EPERM If either command lacks output, this is a finding.

Fix: F-42682r661920_fix

Add the following to "/etc/audit/audit.rules": -a exit,always -F arch=b64 -S swapon -F exit=-EACCES -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b64 -S open -F exit=-EACCES -a exit,always -F arch=b64 -S swapon -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EPERM Or run the following command to implement all logging requirements: # /etc/dodscript.sh

b
The SLES for vRealize must enforce password complexity by requiring that at least one upper-case character be used.
IA-5 - Medium - CCI-000192 - V-239491 - SV-239491r661924_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
VROM-SL-000340
Vuln IDs
  • V-239491
  • V-88453
Rule IDs
  • SV-239491r661924_rule
  • SV-99103
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-42724r661922_chk

Check SLES for vRealize enforces password complexity by requiring that at least one upper-case character be used by using the following command: # grep ucredit /etc/pam.d/common-password-vmware.local If "ucredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3

Fix: F-42683r661923_fix

If ucredit was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ ucredit=-1/' /etc/pam.d/common-password-vmware.local If "ucredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/ucredit=../ucredit=-1/' /etc/pam.d/common-password-vmware.local

b
Global settings defined in common- {account,auth,password,session} must be applied in the pam.d definition files.
IA-5 - Medium - CCI-000192 - V-239492 - SV-239492r661927_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000192
Version
VROM-SL-000345
Vuln IDs
  • V-239492
  • V-88455
Rule IDs
  • SV-239492r661927_rule
  • SV-99105
Pam global requirements are generally defined in the common-account, common-auth, common- password and common-session files located in the /etc/pam.d directory. In order for the requirements to be applied the file(s) containing them must be included directly or indirectly in each program's definition file in /etc/pam.d.
Checks: C-42725r661925_chk

Verify that common-{account, auth, password, session} settings are being applied: Verify that local customization has occurred in the common- {account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility. The files "/etc/pam.d/common-{account,auth,password,session} -pc" are autogenerated by "pam-config". Any manual changes made to them will be lost if "pam-config" is allowed to run. # ls -l /etc/pam.d/common-{account,auth,password,session} If the symlinks point to "/etc/pam.d/common- {account,auth,password,session}-pc" and manual updates have been made in these files, the updates cannot be protected if pam-config is enabled. # ls -l /usr/sbin/pam-config If the setting for pam-config is not "000", this is a finding.

Fix: F-42684r661926_fix

In the default distribution of SLES 11 "/etc/pam.d/common- {account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common- {account,auth,password,session}-pc" files. These common- {account,auth,password,session}-pc files are autogenerated by the pam-config utility. Edit /usr/sbin/pam-config permissions to prevent its use: # chmod 000 /usr/sbin/pam-config

b
The SLES for vRealize must enforce password complexity by requiring that at least one lower-case character be used.
IA-5 - Medium - CCI-000193 - V-239493 - SV-239493r661930_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000193
Version
VROM-SL-000350
Vuln IDs
  • V-239493
  • V-88457
Rule IDs
  • SV-239493r661930_rule
  • SV-99107
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-42726r661928_chk

Verify SLES for vRealize enforces password complexity by requiring that at least one lower-case character be used by using the following command: # grep lcredit /etc/pam.d/common-password-vmware.local If "lcredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3

Fix: F-42685r661929_fix

If lcredit was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ lcredit=-1/' /etc/pam.d/common-password-vmware.local If "lcredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/lcredit=../lcredit=-1/' /etc/pam.d/common-password-vmware.local

b
The SLES for vRealize must enforce password complexity by requiring that at least one numeric character be used.
IA-5 - Medium - CCI-000194 - V-239494 - SV-239494r661933_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000194
Version
VROM-SL-000355
Vuln IDs
  • V-239494
  • V-88459
Rule IDs
  • SV-239494r661933_rule
  • SV-99109
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Checks: C-42727r661931_chk

Check that SLES for vRealize enforces password complexity by requiring that at least one numeric character be used by running the following command: # grep dcredit /etc/pam.d/common-password-vmware.local If "dcredit" is not set to "-1" or not at all, this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=4 retry=3

Fix: F-42686r661932_fix

If dcredit was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ dcredit=-1/' /etc/pam.d/common-password-vmware.local If "dcredit" was set incorrectly, run the following command to set it to "-1": # sed -i '/pam_cracklib.so/ s/dcredit=../dcredit=-1/' /etc/pam.d/common-password-vmware.local

b
The SLES for vRealize must require the change of at least eight of the total number of characters when passwords are changed.
IA-5 - Medium - CCI-000195 - V-239495 - SV-239495r661936_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000195
Version
VROM-SL-000360
Vuln IDs
  • V-239495
  • V-88461
Rule IDs
  • SV-239495r661936_rule
  • SV-99111
If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different.
Checks: C-42728r661934_chk

Check that at least eight characters need to be changed between old and new passwords during a password change by running the following command: # grep pam_cracklib /etc/pam.d/common-password-vmware.local The "difok" parameter indicates how many characters must be different. The DoD requires at least eight characters to be different during a password change. This would appear as "difok=8". If "difok" is not found or not set to at least "8", this is a finding. Expected Result: password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=8 retry=3

Fix: F-42687r661935_fix

If "difok" was not set at all in "/etc/pam.d/common-password-vmware.local" then run the following command: # sed -i '/pam_cracklib.so/ s/$/ difok-8/' /etc/pam.d/common-password-vmware.local If "difok" was set incorrectly, run the following command to set it to "8": # sed -i '/pam_cracklib.so/ s/difok=./difok=8/' /etc/pam.d/common-password-vmware.local

c
The SLES for vRealize must store only encrypted representations of passwords.
IA-5 - High - CCI-000196 - V-239496 - SV-239496r877397_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000196
Version
VROM-SL-000365
Vuln IDs
  • V-239496
  • V-88463
Rule IDs
  • SV-239496r877397_rule
  • SV-99113
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
Checks: C-42729r661937_chk

Check that the user account passwords are stored hashed using sha512 by running the following command: # cat /etc/default/passwd | grep CRYPT=sha512 If "CRYPT=sha512" is not listed, this is a finding.

Fix: F-42688r661938_fix

Ensure password are being encrypted with hash sha512 with the following command: # echo 'CRYPT=sha512'>>/etc/default/passwd

b
SLES for vRealize must enforce 24 hours/1 day as the minimum password lifetime.
IA-5 - Medium - CCI-000198 - V-239497 - SV-239497r661942_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000198
Version
VROM-SL-000375
Vuln IDs
  • V-239497
  • V-88465
Rule IDs
  • SV-239497r661942_rule
  • SV-99115
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Checks: C-42730r661940_chk

To check that SLES for vRealize enforces 24 hours/1 day as the minimum password age, run the following command: # grep PASS_MIN_DAYS /etc/login.defs | grep -v '#' The DoD requirement is "1". If "PASS_MIN_DAYS" is not set to the required value, this is a finding.

Fix: F-42689r661941_fix

To configure SLES for vRealize to enforce 24 hours/1 day as the minimum password age, edit the file "/etc/login.defs" with the following command: # sed -i "/^[^#]*PASS_MIN_DAYS/ c\PASS_MIN_DAYS 1" /etc/login.defs

b
Users must not be able to change passwords more than once every 24 hours.
IA-5 - Medium - CCI-000198 - V-239498 - SV-239498r661945_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000198
Version
VROM-SL-000380
Vuln IDs
  • V-239498
  • V-88467
Rule IDs
  • SV-239498r661945_rule
  • SV-99117
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.
Checks: C-42731r661943_chk

Check the minimum time period between password changes for each user account is "1" day. # cat /etc/shadow | cut -d ':' -f1,4 | grep -v 1 | grep -v ":$" If any results are returned, this is a finding.

Fix: F-42690r661944_fix

Change the minimum time period between password changes for each [USER] account to "1" day. The command in the check text will give you a list of users that need to be updated to be in compliance. # passwd -n 1 [USER]

b
SLES for vRealize must enforce a 60-day maximum password lifetime restriction.
IA-5 - Medium - CCI-000199 - V-239499 - SV-239499r661948_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
VROM-SL-000385
Vuln IDs
  • V-239499
  • V-88469
Rule IDs
  • SV-239499r661948_rule
  • SV-99119
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLES for vRealize does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLES for vRealize passwords could be compromised.
Checks: C-42732r661946_chk

To check that SLES for vRealize enforces a "60" days or less maximum password age, run the following command: # grep PASS_MAX_DAYS /etc/login.defs | grep -v "#" The DoD requirement is "60" days or less (Greater than zero, as zero days will lock the account immediately). If "PASS_MAX_DAYS" is not set to the required value, this is a finding.

Fix: F-42691r661947_fix

To configure SLES for vRealize to enforce a "60" day or less maximum password age, edit the file "/etc/login.defs" and add or correct the following line. Replace [DAYS] with the appropriate amount of days. # sed -i "/^[^#]*PASS_MAX_DAYS/ c\PASS_MAX_DAYS 60" /etc/login.defs The DoD requirement is "60" days or less (Greater than zero, as zero days will lock the account immediately).

b
User passwords must be changed at least every 60 days.
IA-5 - Medium - CCI-000199 - V-239500 - SV-239500r661951_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000199
Version
VROM-SL-000390
Vuln IDs
  • V-239500
  • V-88471
Rule IDs
  • SV-239500r661951_rule
  • SV-99121
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If SLES for vRealize does not limit the lifetime of passwords and force users to change their passwords, there is the risk that SLES for vRealize passwords could be compromised.
Checks: C-42733r661949_chk

Check the max days field of "/etc/shadow" by running the following command: # cat /etc/shadow | cut -d':' -f1,5 | egrep -v "([0|60])" | grep -v ":$" If any results are returned, this is a finding.

Fix: F-42692r661950_fix

Set the maximum time period between password changes for each [USER] account to "60" days. The command in the check text will give you a list of users that need to be updated to be in compliance. # passwd -x 60 [USER] The DoD requirement is "60" days.

b
The SLES for vRealize must prohibit password reuse for a minimum of five generations.
IA-5 - Medium - CCI-000200 - V-239501 - SV-239501r661954_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
VROM-SL-000395
Vuln IDs
  • V-239501
  • V-88473
Rule IDs
  • SV-239501r661954_rule
  • SV-99123
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.
Checks: C-42734r661952_chk

Verify that SLES for vRealize prohibits the reuse of a password for a minimum of five generations, by running the following commands: # grep pam_pwhistory.so /etc/pam.d/common-password-vmware.local If the "remember" option in "/etc/pam.d/common-password-vmware.local" file is not "5" or greater, this is a finding.

Fix: F-42693r661953_fix

Configure pam to use password history. If the "remember" option was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ remember=5/' /etc/pam.d/common-password-vmware.local If "remember" option was set incorrectly, run the following command to set it to "5": # sed -i '/pam_cracklib.so/ s/remember=./remember=5/' /etc/pam.d/common-password-vmware.local

b
The SLES for vRealize must prohibit password reuse for a minimum of five generations. Ensure the old passwords are being stored.
IA-5 - Medium - CCI-000200 - V-239502 - SV-239502r661957_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000200
Version
VROM-SL-000400
Vuln IDs
  • V-239502
  • V-88475
Rule IDs
  • SV-239502r661957_rule
  • SV-99125
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.
Checks: C-42735r661955_chk

Verify that the old password file, "opasswd", exists, by running the following command: # ls /etc/security/opasswd If "/etc/security/opasswd" file does not exist, this is a finding.

Fix: F-42694r661956_fix

Create the password history file. # touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 0600 /etc/security/opasswd

b
The SLES for vRealize must enforce a minimum 15-character password length.
IA-5 - Medium - CCI-000205 - V-239503 - SV-239503r661960_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-000205
Version
VROM-SL-000405
Vuln IDs
  • V-239503
  • V-88477
Rule IDs
  • SV-239503r661960_rule
  • SV-99127
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
Checks: C-42736r661958_chk

Verify that SLES for vRealize enforces a minimum 15-character password length, by running the following command: # grep pam_cracklib /etc/pam.d/common-password-vmware.local # grep pam_cracklib /etc/pam.d/common-password If the result does not contain "minlen=15" or higher, this is a finding.

Fix: F-42695r661959_fix

If "minlen" was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ minlen=15/' /etc/pam.d/common-password-vmware.local If "minlen" was set incorrectly, run the following command to set it to "15": # sed -i '/pam_cracklib.so/ s/minlen=../minlen=15/' /etc/pam.d/common-password-vmware.local

b
The SLES for vRealize must require root password authentication upon booting into single-user mode.
AC-3 - Medium - CCI-000213 - V-239504 - SV-239504r661963_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VROM-SL-000415
Vuln IDs
  • V-239504
  • V-88479
Rule IDs
  • SV-239504r661963_rule
  • SV-99129
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
Checks: C-42737r661961_chk

Verify that root password is required for single user mode logon with the following command: # grep sulogin /etc/inittab Expected result: ~~:S:respawn:/sbin/sulogin If the expected result is not displayed, this is a finding.

Fix: F-42696r661962_fix

Configure SLES for vRealize to require root password login with single user mode use the following command: # echo '~~:S:respawn:/sbin/sulogin' >> /etc/inittab

b
Bootloader authentication must be enabled to prevent users without privilege to gain access restricted file system resources.
AC-3 - Medium - CCI-000213 - V-239505 - SV-239505r661966_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VROM-SL-000420
Vuln IDs
  • V-239505
  • V-88481
Rule IDs
  • SV-239505r661966_rule
  • SV-99131
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.
Checks: C-42738r661964_chk

To verify a boot password exists. In "/boot/grub/menu.lst" run the following command: # grep password /boot/grub/menu.lst The output should show the following: password --encrypted $1$[rest-of-the-password-hash] If it does not, this is a finding.

Fix: F-42697r661965_fix

Run the following command: # /usr/sbin/grub-md5-crypt An MD5 password is generated. After the password is supplied, the command supplies the md5 hash output. Append the password to the menu.lst file by running the following command: echo 'password --md5 <hash from grub-md5-crypt>' >> /boot/grub/menu.lst Or use "yast2" to set the bootloader password: Open the Boot Loader Installation tab. Click Boot Loader Options. Activate the Protect Boot Loader with Password option with a click and type in your Password twice. Click "OK" twice to save the changes.

b
The SLES for the vRealize boot loader configuration file(s) must have mode 0600 or less permissive.
AC-3 - Medium - CCI-000213 - V-239506 - SV-239506r661969_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VROM-SL-000425
Vuln IDs
  • V-239506
  • V-88483
Rule IDs
  • SV-239506r661969_rule
  • SV-99133
File permissions more permissive than 0600 on boot loader configuration files could allow an unauthorized user to view or modify sensitive information pertaining to system boot instructions.
Checks: C-42739r661967_chk

Check the /boot/grub/menu.lst file: # stat /boot/grub/menu.lst If "/boot/grub/menu.lst" has a mode more permissive than "0600", this is a finding.

Fix: F-42698r661968_fix

Change the mode of the "/boot/grub/menu.lst" file to "0600": # chmod 0600 /boot/grub/menu.lst

b
The SLES for the vRealize boot loader configuration files must be owned by root.
AC-3 - Medium - CCI-000213 - V-239507 - SV-239507r661972_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VROM-SL-000430
Vuln IDs
  • V-239507
  • V-88485
Rule IDs
  • SV-239507r661972_rule
  • SV-99135
The SLES for vRealize’s boot loader configuration files are critical to the integrity of the system and must be protected. Unauthorized modification of these files resulting from improper ownership could compromise the system's boot loader configuration.
Checks: C-42740r661970_chk

Check "/boot/grub/menu.lst" file ownership: # stat /boot/grub/menu.lst If the owner of the file is not "root", this is a finding.

Fix: F-42699r661971_fix

Change the ownership of the "/boot/grub/menu.lst" file: # chown root /boot/grub/menu.lst

b
The SLES for the vRealize boot loader configuration file(s) must be group-owned by root, bin, sys, or system.
AC-3 - Medium - CCI-000213 - V-239508 - SV-239508r661975_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
VROM-SL-000435
Vuln IDs
  • V-239508
  • V-88487
Rule IDs
  • SV-239508r661975_rule
  • SV-99137
The SLES for vRealize’s boot loader configuration files are critical to the integrity of the system and must be protected. Unauthorized modifications resulting from improper group ownership may compromise the boot loader configuration.
Checks: C-42741r661973_chk

Check "/boot/grub/menu.lst" file ownership: # stat /boot/grub/menu.lst If the group-owner of the file is not "root", "bin", "sys", or "system", this is a finding.

Fix: F-42700r661974_fix

Change the group-ownership of the "/boot/grub/menu.lst" file: # chgrp root /boot/grub/menu.lst

b
The Bluetooth protocol handler must be disabled or not installed.
CM-7 - Medium - CCI-000381 - V-239509 - SV-239509r661978_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VROM-SL-000440
Vuln IDs
  • V-239509
  • V-88489
Rule IDs
  • SV-239509r661978_rule
  • SV-99139
Bluetooth is a personal area network (PAN) technology. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol.
Checks: C-42742r661976_chk

Verify the Bluetooth protocol handler is prevented from dynamic loading: # grep "install bluetooth /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42701r661977_fix

Prevent the Bluetooth protocol handler for dynamic loading: # echo "install bluetooth /bin/true" >> /etc/modprobe.conf.local

b
The SLES for vRealize must have USB Mass Storage disabled unless needed.
CM-7 - Medium - CCI-000381 - V-239510 - SV-239510r661981_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VROM-SL-000445
Vuln IDs
  • V-239510
  • V-88491
Rule IDs
  • SV-239510r661981_rule
  • SV-99141
USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.
Checks: C-42743r661979_chk

If SLES for vRealize needs USB storage, this vulnerability is not applicable. Check if the "usb-storage" module is prevented from loading: # grep "install usb-storage /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no results are returned, this is a finding.

Fix: F-42702r661980_fix

Prevent the "usb-storage" module from loading: # echo "install usb-storage /bin/true" >> /etc/modprobe.conf.local

b
The SLES for vRealize must have USB disabled unless needed.
CM-7 - Medium - CCI-000381 - V-239511 - SV-239511r661984_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VROM-SL-000450
Vuln IDs
  • V-239511
  • V-88493
Rule IDs
  • SV-239511r661984_rule
  • SV-99143
USB is a common computer peripheral interface. USB devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.
Checks: C-42744r661982_chk

If SLES for vRealize needs USB, this vulnerability is not applicable. Check if the directory "/proc/bus/usb exists". If the directory "/proc/bus/usb exists", this is a finding.

Fix: F-42703r661983_fix

Edit the grub bootloader file, "/boot/grub/menu.lst" file, by appending the "nousb" parameter to the kernel boot line.

b
The telnet-server package must not be installed.
CM-7 - Medium - CCI-000381 - V-239512 - SV-239512r661987_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VROM-SL-000455
Vuln IDs
  • V-239512
  • V-88495
Rule IDs
  • SV-239512r661987_rule
  • SV-99145
Removing the "telnet-server" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation.
Checks: C-42745r661985_chk

Check if "telnet-server" package is installed: # rpm -q telnet-server If there is a "telnet-server" package listed, this is a finding.

Fix: F-42704r661986_fix

To remove the "telnet-server" package use the following command: rpm -e telnet-server

b
The rsh-server package must not be installed.
CM-7 - Medium - CCI-000381 - V-239513 - SV-239513r661990_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VROM-SL-000460
Vuln IDs
  • V-239513
  • V-88497
Rule IDs
  • SV-239513r661990_rule
  • SV-99147
The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation.
Checks: C-42746r661988_chk

Check if "rsh-server" package is installed: # rpm -q rsh-server If there is a "rsh-server" package listed, this is a finding.

Fix: F-42705r661989_fix

To remove the "telnet-server" package use the following command: rpm -e rsh-server

b
The ypserv package must not be installed.
CM-7 - Medium - CCI-000381 - V-239514 - SV-239514r661993_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VROM-SL-000465
Vuln IDs
  • V-239514
  • V-88499
Rule IDs
  • SV-239514r661993_rule
  • SV-99149
Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Checks: C-42747r661991_chk

Check if "ypserv" package is installed: # rpm -q ypserv If there is a "ypserv" package listed, this is a finding.

Fix: F-42706r661992_fix

To remove the "ypserv" package use the following command: rpm -e ypserv

b
The yast2-tftp-server package must not be installed.
CM-7 - Medium - CCI-000381 - V-239515 - SV-239515r661996_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
VROM-SL-000470
Vuln IDs
  • V-239515
  • V-88501
Rule IDs
  • SV-239515r661996_rule
  • SV-99151
Removing the "yast2-tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services.
Checks: C-42748r661994_chk

Check if "yast2-tftp-server" package is installed: # rpm -q yast2-tftp-server If there is a "yast2-tftp-server" package listed, this is a finding.

Fix: F-42707r661995_fix

To remove the "yast2-tftp-server" package use the following command: rpm -e yast2-tftp-server

b
The Datagram Congestion Control Protocol (DCCP) must be disabled unless required.
CM-7 - Medium - CCI-000382 - V-239516 - SV-239516r661999_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000485
Vuln IDs
  • V-239516
  • V-88503
Rule IDs
  • SV-239516r661999_rule
  • SV-99153
The Datagram Congestion Control Protocol (DCCP) is a proposed transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol.
Checks: C-42749r661997_chk

Check that the DCCP protocol handler is prevented from dynamic loading: # grep "install dccp /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. # grep "install dccp_ipv4 /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding. # grep "install dccp_ipv6" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* | grep ‘bin/true’ If no result is returned, this is a finding.

Fix: F-42708r661998_fix

Prevent the DCCP protocol handler for dynamic loading: # echo "install dccp /bin/true" >> /etc/modprobe.conf.local # echo "install dccp_ipv4 /bin/true" >> /etc/modprobe.conf.local # echo "install dccp_ipv6 /bin/true" >> /etc/modprobe.conf.local

b
The Stream Control Transmission Protocol (SCTP) must be disabled unless required.
CM-7 - Medium - CCI-000382 - V-239517 - SV-239517r662002_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000490
Vuln IDs
  • V-239517
  • V-88505
Rule IDs
  • SV-239517r662002_rule
  • SV-99155
The Stream Control Transmission Protocol (SCTP) is an IETF-standardized transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol.
Checks: C-42750r662000_chk

Verify the SCTP protocol handler is prevented from dynamic loading: # grep "install sctp /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42709r662001_fix

Prevent the SCTP protocol handler from dynamic loading: # echo "install sctp /bin/true" >> /etc/modprobe.conf.local

b
The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required.
CM-7 - Medium - CCI-000382 - V-239518 - SV-239518r662005_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000495
Vuln IDs
  • V-239518
  • V-88507
Rule IDs
  • SV-239518r662005_rule
  • SV-99157
The Reliable Datagram Sockets (RDS) protocol is a relatively new protocol developed by Oracle for communication between the nodes of a cluster. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the system to dynamically load a protocol handler by opening a socket using the protocol.
Checks: C-42751r662003_chk

Ask the SA if RDS is required by application software running on the system. If so, this is not applicable. Check that the RDS protocol handler is prevented from dynamic loading: # grep "install rds /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42710r662004_fix

Prevent the RDS protocol handler from dynamic loading: # echo "install rds /bin/true" >> /etc/modprobe.conf.local

b
The Transparent Inter-Process Communication (TIPC) must be disabled or not installed.
CM-7 - Medium - CCI-000382 - V-239519 - SV-239519r662008_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000500
Vuln IDs
  • V-239519
  • V-88509
Rule IDs
  • SV-239519r662008_rule
  • SV-99159
The Transparent Inter-Process Communication (TIPC) protocol is a relatively new cluster communications protocol developed by Ericsson. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause the kernel to dynamically load a protocol handler by opening a socket using the protocol.
Checks: C-42752r662006_chk

Verify the TIPC protocol handler is prevented from dynamic loading: # grep "install tipc /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42711r662007_fix

Prevent the TIPC protocol handler from dynamic loading: # echo "install tipc /bin/true" >> /etc/modprobe.conf.local

b
The xinetd service must be disabled if no network services utilizing it are enabled.
CM-7 - Medium - CCI-000382 - V-239520 - SV-239520r662011_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000505
Vuln IDs
  • V-239520
  • V-88511
Rule IDs
  • SV-239520r662011_rule
  • SV-99161
The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself.
Checks: C-42753r662009_chk

If network services are using the "xinetd" service, this is not applicable. To check that the "xinetd" service is disabled in system boot configuration, run the following command: # chkconfig "xinetd" --list Output should indicate the "xinetd" service has either not been installed, or has been disabled at all run levels, as shown in the example below: xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "xinetd" is disabled through current runtime configuration: # service xinetd status If the "xinetd" service is disabled the command will return the following output: Checking for service xinetd: unused If the "xinetd" service is running, this is a finding.

Fix: F-42712r662010_fix

The "xinetd" service can be disabled with the following command: # chkconfig xinetd off

b
The ypbind service must not be running if no network services utilizing it are enabled.
CM-7 - Medium - CCI-000382 - V-239521 - SV-239521r662014_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000510
Vuln IDs
  • V-239521
  • V-88513
Rule IDs
  • SV-239521r662014_rule
  • SV-99163
Disabling the "ypbind" service ensures the SLES for vRealize is not acting as a client in a NIS or NIS+ domain when not required.
Checks: C-42754r662012_chk

If network services are using the "ypbind" service, this is not applicable. To check that the "ypbind" service is disabled in system boot configuration, run the following command: # chkconfig "ypbind" --list Output should indicate the "ypbind" service has either not been installed, or has been disabled at all runlevels, as shown in the example below: ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off Run the following command to verify "ypbind" is disabled through current runtime configuration: # service ypbind status If the "ypbind" service is disabled the command will return the following output: Checking for service ypbind unused If the "ypbind" service is running, this is a finding.

Fix: F-42713r662013_fix

The "ypbind" service can be disabled with the following command: # chkconfig ypbind off

b
NIS/NIS+/yp files must be owned by root, sys, or bin.
CM-7 - Medium - CCI-000382 - V-239522 - SV-239522r662017_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000515
Vuln IDs
  • V-239522
  • V-88515
Rule IDs
  • SV-239522r662017_rule
  • SV-99165
NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Failure to give ownership of sensitive files or utilities to root or bin provides the designated owner and unauthorized users with the potential to access sensitive information or change the system configuration, which could weaken the system's security posture.
Checks: C-42755r662015_chk

Perform the following to check NIS file ownership: # ls -la /var/yp/* If the NIS file ownership is not "root", sys, or bin, this is a finding.

Fix: F-42714r662016_fix

Change the ownership of NIS/NIS+/yp files to "root", "sys", "bin", or "system". Consult vendor documentation to determine the location of the files: # chown root <filename>

b
The NIS/NIS+/yp command files must have mode 0755 or less permissive.
CM-7 - Medium - CCI-000382 - V-239523 - SV-239523r662020_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000520
Vuln IDs
  • V-239523
  • V-88517
Rule IDs
  • SV-239523r662020_rule
  • SV-99167
NIS/NIS+/yp files are part of the system's identification and authentication processes and are, therefore, critical to system security. Unauthorized modification of these files could compromise these processes and SLES for vRealize.
Checks: C-42756r662018_chk

Perform the following to check NIS file ownership: # ls -la /var/yp/* If the NIS file's mode is more permissive than "0755", this is a finding.

Fix: F-42715r662019_fix

Change the mode of NIS/NIS+/yp command files to "0755" or less permissive: # chmod 0755 <filename>

b
The SLES for vRealize must not use UDP for NIS/NIS+.
CM-7 - Medium - CCI-000382 - V-239524 - SV-239524r662023_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000525
Vuln IDs
  • V-239524
  • V-88519
Rule IDs
  • SV-239524r662023_rule
  • SV-99169
Implementing NIS or NIS+ under UDP may make SLES for vRealize more susceptible to a denial of service attack and does not provide the same quality of service as TCP.
Checks: C-42757r662021_chk

If SLES for vRealize does not use NIS or NIS+, this is not applicable. Check if NIS or NIS+ is implemented using UDP: # rpcinfo -p | grep yp | grep udp If NIS or NIS+ is implemented using UDP, this is a finding.

Fix: F-42716r662022_fix

Configure SLES for vRealize to not use UDP for NIS and NIS+. Consult vendor documentation for the required procedure.

b
NIS maps must be protected through hard-to-guess domain names.
CM-7 - Medium - CCI-000382 - V-239525 - SV-239525r662026_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000530
Vuln IDs
  • V-239525
  • V-88521
Rule IDs
  • SV-239525r662026_rule
  • SV-99171
The use of hard-to-guess NIS domain names provides additional protection from unauthorized access to the NIS directory information.
Checks: C-42758r662024_chk

If SLES for vRealize does not use NIS or NIS+, this is not applicable. Check the domain name for NIS maps: # domainname If the name returned is simple to guess, such as the organization name, building or room name, etc., this is a finding.

Fix: F-42717r662025_fix

Change the NIS domainname to a value difficult to guess. Consult vendor documentation for the required procedure.

b
Mail relaying must be restricted.
CM-7 - Medium - CCI-000382 - V-239526 - SV-239526r662029_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000535
Vuln IDs
  • V-239526
  • V-88523
Rule IDs
  • SV-239526r662029_rule
  • SV-99173
If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending SPAM or other unauthorized activity.
Checks: C-42759r662027_chk

Determine if Sendmail only binds to loopback addresses by examining the "DaemonPortOptions" configuration options. # grep -i "O DaemonPortOptions" /etc/sendmail.cf If there are uncommented "DaemonPortOptions" lines, and all such lines specify system loopback addresses, this is not a finding. Otherwise, determine if "Sendmail" is configured to allow open relay operation. # grep -i promiscuous_relay /etc/mail/sendmail.mc If the promiscuous relay feature is enabled, this is a finding.

Fix: F-42718r662028_fix

If SLES for vRealize does not need to receive mail from external hosts, add one or more "DaemonPortOptions" lines referencing system loopback addresses (such as "O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA") and remove lines containing non-loopback addresses. # sed -i "s/O DaemonPortOptions=Name=MTA/O DaemonPortOptions=Addr=127.0.0.1,Port=smtp,Name=MTA/" /etc/sendmail.cf Restart the sendmail service: # service sendmail restart

b
The alias files must be owned by root.
CM-7 - Medium - CCI-000382 - V-239527 - SV-239527r662032_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000540
Vuln IDs
  • V-239527
  • V-88525
Rule IDs
  • SV-239527r662032_rule
  • SV-99175
If the alias and aliases.db files are not owned by root, an unauthorized user may modify the file to add aliases to run malicious code or redirect email.
Checks: C-42760r662030_chk

Check the ownership of the alias file: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If all the files are not owned by "root", this is a finding.

Fix: F-42719r662031_fix

Change the owner of the alias files to "root": # chown root /etc/aliases # chown root /etc/aliases.db

b
The alias files must be group-owned by root, or a system group.
CM-7 - Medium - CCI-000382 - V-239528 - SV-239528r662035_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000545
Vuln IDs
  • V-239528
  • V-88527
Rule IDs
  • SV-239528r662035_rule
  • SV-99177
If the aliases and aliases.db file are not group-owned by root or a system group, an unauthorized user may modify one or both of the files to add aliases to run malicious code or redirect email.
Checks: C-42761r662033_chk

Check the group ownership of the alias files: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If the files are not group-owned by "root", this is a finding.

Fix: F-42720r662034_fix

Change the group owner of the alias files to "root": # chgrp root /etc/aliases # chgrp root /etc/aliases.db

b
The alias files must have mode 0644 or less permissive.
CM-7 - Medium - CCI-000382 - V-239529 - SV-239529r662038_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000550
Vuln IDs
  • V-239529
  • V-88529
Rule IDs
  • SV-239529r662038_rule
  • SV-99179
Excessive permissions on the alias files may permit unauthorized modification. If an alias file is modified by an unauthorized user, they may modify the file to run malicious code or redirect email.
Checks: C-42762r662036_chk

Check the permissions of the alias files: # ls -lL /etc/aliases # ls -lL /etc/aliases.db If the alias files have a mode more permissive than "0644", this is a finding.

Fix: F-42721r662037_fix

Change the mode of the alias files to "0644": # chmod 0644 /etc/aliases /etc/aliases.db

b
Files executed through a mail aliases file must be owned by root and must reside within a directory owned and writable only by root.
CM-7 - Medium - CCI-000382 - V-239530 - SV-239530r662041_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000555
Vuln IDs
  • V-239530
  • V-88531
Rule IDs
  • SV-239530r662041_rule
  • SV-99181
If a file executed through a mail aliases file is not owned and writable only by root, it may be subject to unauthorized modification. Unauthorized modification of files executed through aliases may allow unauthorized users to attain root privileges.
Checks: C-42763r662039_chk

Verify the ownership of files referenced within the sendmail aliases file: # more /etc/aliases Examine the aliases file for any utilized directories or paths: # ls -lL &lt;directory or file path&gt; Check the owner for any paths referenced. Check if the file or parent directory is owned by root. If the file or parent directory is not owned by "root", this is a finding.

Fix: F-42722r662040_fix

Edit the "/etc/aliases" file (alternatively, /usr/lib/sendmail.cf). Locate the entries executing a program. They will appear similar to the following line: Aliasname: : /usr/local/bin/ls (or some other program name) Ensure "root" owns the programs and the directory(ies) they reside in by using the chown command to change owner to "root": # chown root <file or directory name>

b
Files executed through a mail aliases file must be group-owned by root, bin, sys, or system, and must reside within a directory group-owned by root, bin, sys, or system.
CM-7 - Medium - CCI-000382 - V-239531 - SV-239531r662044_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000560
Vuln IDs
  • V-239531
  • V-88533
Rule IDs
  • SV-239531r662044_rule
  • SV-99183
If a file executed through a mail aliases file is not group-owned by root or a system group, it may be subject to unauthorized modification. Unauthorized modification of files executed through aliases may allow unauthorized users to attain root privileges.
Checks: C-42764r662042_chk

Examine the contents of the "/etc/aliases" file: # more /etc/aliases Examine the aliases file for any directories or paths that may be utilized: # ls -lL &lt;file referenced from aliases&gt; Check the permissions for any paths referenced. If the group owner of any file is not "root", "bin", "sys", or "system", this is a finding.

Fix: F-42723r662043_fix

Change the group ownership of the file referenced from "/etc/mail/aliases": # chgrp root <file referenced from aliases>

b
Files executed through a mail aliases file must have mode 0755 or less permissive.
CM-7 - Medium - CCI-000382 - V-239532 - SV-239532r662047_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000565
Vuln IDs
  • V-239532
  • V-88535
Rule IDs
  • SV-239532r662047_rule
  • SV-99185
If a file executed through a mail alias file has permissions greater than 0755, it can be modified by an unauthorized user and may contain malicious code or instructions that could compromise the system.
Checks: C-42765r662045_chk

Examine the contents of the "/etc/aliases" file: # more /etc/aliases Examine the aliases file for any directories or paths that may be utilized: # ls -lL &lt;file referenced from aliases&gt; Check the permissions for any paths referenced. If any file referenced from the aliases file has a mode more permissive than "0755", this is a finding.

Fix: F-42724r662046_fix

Use the chmod command to change the access permissions for files executed from the alias file: # chmod 0755 <file referenced from aliases>

b
Sendmail logging must not be set to less than nine in the sendmail.cf file.
CM-7 - Medium - CCI-000382 - V-239533 - SV-239533r662050_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000570
Vuln IDs
  • V-239533
  • V-88537
Rule IDs
  • SV-239533r662050_rule
  • SV-99187
If Sendmail is not configured to log at level 9, system logs may not contain the information necessary for tracking unauthorized use of the sendmail service.
Checks: C-42766r662048_chk

Check sendmail to determine if the logging level is set to level "9": # grep "O L" /etc/sendmail.cf OR # grep LogLevel /etc/sendmail.cf If logging is set to less than "9", this is a finding.

Fix: F-42725r662049_fix

Edit the "sendmail.cf" file, locate the "O L" or "LogLevel" entry, and change it to "9".

b
The system syslog service must log informational and more severe SMTP service messages.
CM-7 - Medium - CCI-000382 - V-239534 - SV-239534r662053_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000575
Vuln IDs
  • V-239534
  • V-88539
Rule IDs
  • SV-239534r662053_rule
  • SV-99189
If informational and more severe SMTP service messages are not logged, malicious activity on the system may go unnoticed.
Checks: C-42767r662051_chk

Check the "/etc/syslog-ng/syslog-ng.conf" file for the following log entries: filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; If any of the above log entries are present, this is not a finding.

Fix: F-42726r662052_fix

Edit the "/etc/syslog-ng/syslog-ng.conf" file and add the following log entries: filter f_mailinfo { level(info) and facility(mail); }; filter f_mailwarn { level(warn) and facility(mail); }; filter f_mailerr { level(err, crit) and facility(mail); }; filter f_mail { facility(mail); }; destination mailinfo { file("/var/log/mail.info"); }; log { source(src); filter(f_mailinfo); destination(mailinfo); }; destination mailwarn { file("/var/log/mail.warn"); }; log { source(src); filter(f_mailwarn); destination(mailwarn); }; destination mailerr { file("/var/log/mail.err" fsync(yes)); }; log { source(src); filter(f_mailerr); destination(mailerr); };

b
The SMTP service log files must be owned by root.
CM-7 - Medium - CCI-000382 - V-239535 - SV-239535r662056_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000580
Vuln IDs
  • V-239535
  • V-88541
Rule IDs
  • SV-239535r662056_rule
  • SV-99191
If the SMTP service log file is not owned by root, then unauthorized personnel may modify or delete the file to hide a system compromise.
Checks: C-42768r662054_chk

Check the permissions on the mail log files: # ls -la /var/log/mail # ls -la /var/log/mail.info # ls -la /var/log/mail.warn # ls -la /var/log/mail.err If any mail log file is not owned by "root", this is a finding.

Fix: F-42727r662055_fix

Change the ownership of the sendmail log files to "root": # chown root <sendmail log file>

b
The SMTP service log file must have mode 0644 or less permissive.
CM-7 - Medium - CCI-000382 - V-239536 - SV-239536r662059_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000585
Vuln IDs
  • V-239536
  • V-88543
Rule IDs
  • SV-239536r662059_rule
  • SV-99193
If the SMTP service log file is more permissive than 0644, unauthorized users may be allowed to change the log file.
Checks: C-42769r662057_chk

Check the permissions on the mail log files: # ls -la /var/log/mail # ls -la /var/log/mail.info # ls -la /var/log/mail.warn # ls -la /var/log/mail.err If the log file permissions are greater than "0644", this is a finding.

Fix: F-42728r662058_fix

Change the mode of the sendmail log files to "0644": # chmod 0644 <sendmail log file>

b
The SMTP service HELP command must not be enabled.
CM-7 - Medium - CCI-000382 - V-239537 - SV-239537r662062_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000590
Vuln IDs
  • V-239537
  • V-88545
Rule IDs
  • SV-239537r662062_rule
  • SV-99195
The HELP command should be disabled to mask version information. The version of the SMTP service software could be used by attackers to target vulnerabilities present in specific software versions.
Checks: C-42770r662060_chk

Check the permissions of the sendmail helpfile: ls -al /usr/lib/sendmail.d/helpfile If the permissions are not "0000", this is a finding.

Fix: F-42729r662061_fix

Run the following command to disable the sendmail helpfile: # chmod 0000 /usr/lib/sendmail.d/helpfile

b
The SMTP services SMTP greeting must not provide version information.
CM-7 - Medium - CCI-000382 - V-239538 - SV-239538r662065_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000595
Vuln IDs
  • V-239538
  • V-88547
Rule IDs
  • SV-239538r662065_rule
  • SV-99197
The version of the SMTP service can be used by attackers to plan an attack based on vulnerabilities present in the specific version.
Checks: C-42771r662063_chk

To check for the sendmail version being displayed in the greeting: # more /etc/sendmail.cf | grep SmtpGreetingMessage If it returns: O SmtpGreetingMessage=$j Sendmail $v/$Z; $b Then sendmail is providing version information, this is a finding.

Fix: F-42730r662064_fix

Change the "O SmtpGreetingMessage" line in the "/etc/sendmail.cf" file to: O SmtpGreetingMessage= Mail Server Ready ; $b

b
The SMTP service must not use .forward files.
CM-7 - Medium - CCI-000382 - V-239539 - SV-239539r662068_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000600
Vuln IDs
  • V-239539
  • V-88549
Rule IDs
  • SV-239539r662068_rule
  • SV-99199
The .forward file allows users to automatically forward mail to another system. Use of .forward files could allow the unauthorized forwarding of mail and could potentially create mail loops that could degrade system performance.
Checks: C-42772r662066_chk

Check forwarding from sendmail: # grep "0 ForwardPath" /etc/sendmail.cf If the entry contains a file path and is not commented out, this is a finding.

Fix: F-42731r662067_fix

Disable forwarding for sendmail and remove ".forward" files from the system: Remove all ".forward" files on the system. # find / -name .forward -delete Use the following command to disable forwarding: # sed -i "s/O ForwardPath/#O ForwardPath/" /etc/sendmail.cf Restart the sendmail service: # service sendmail restart

b
The SMTP service must not have the EXPN feature active.
CM-7 - Medium - CCI-000382 - V-239540 - SV-239540r662071_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000605
Vuln IDs
  • V-239540
  • V-88551
Rule IDs
  • SV-239540r662071_rule
  • SV-99201
The SMTP EXPN function allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. EXPN may also provide additional information concerning users on the system, such as the full names of account owners.
Checks: C-42773r662069_chk

Use the following command to check if EXPN is disabled: # grep -v "^#" /etc/sendmail.cf |grep -i PrivacyOptions If "noexpn" is not returned, this is a finding.

Fix: F-42732r662070_fix

Add "noexpn" to the "PrivacyOptions" flag in the "/etc/sendmail.cf" file.

b
The SMTP service must not have the VRFY feature active.
CM-7 - Medium - CCI-000382 - V-239541 - SV-239541r662074_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000610
Vuln IDs
  • V-239541
  • V-88553
Rule IDs
  • SV-239541r662074_rule
  • SV-99203
The VRFY (Verify) command allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts. VRFY may provide additional information about users on the system, such as the full names of account owners.
Checks: C-42774r662072_chk

Use the following command to check if VRFY is disabled: # grep -v "^#" /etc/sendmail.cf |grep -i PrivacyOptions If "novrfy" is not returned, this is a finding.

Fix: F-42733r662073_fix

Add "novrfy" to the "PrivacyOptions" flag in the "/etc/sendmail.cf" file.

b
The Lightweight User Datagram Protocol (UDP-Lite) must be disabled unless required.
CM-7 - Medium - CCI-000382 - V-239542 - SV-239542r662077_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000615
Vuln IDs
  • V-239542
  • V-88555
Rule IDs
  • SV-239542r662077_rule
  • SV-99205
The Lightweight User Datagram Protocol (UDP-Lite) is a proposed transport layer protocol. This protocol is not yet widely used. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol.
Checks: C-42775r662075_chk

Run the following command: iptables --list | grep "udplite" If no result is displayed, this is a finding.

Fix: F-42734r662076_fix

Configure SLES for vRealize to prevent the dynamic loading of the "UDP-Lite" protocol handler: Add the following rule to the iptables firewall ruleset: # iptables -A INPUT -p udplite -j DROP

b
The Internetwork Packet Exchange (IPX) protocol must be disabled or not installed.
CM-7 - Medium - CCI-000382 - V-239543 - SV-239543r662080_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000620
Vuln IDs
  • V-239543
  • V-88557
Rule IDs
  • SV-239543r662080_rule
  • SV-99207
The Internetwork Packet Exchange (IPX) protocol is a network-layer protocol that is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol.
Checks: C-42776r662078_chk

Check that the "IPX" protocol handler is prevented from dynamic loading: # grep "install ipx /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42735r662079_fix

Prevent the "IPX" protocol handler from dynamic loading: # echo "install ipx /bin/true" >> /etc/modprobe.conf.local

b
The AppleTalk protocol must be disabled or not installed.
CM-7 - Medium - CCI-000382 - V-239544 - SV-239544r662083_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000625
Vuln IDs
  • V-239544
  • V-88559
Rule IDs
  • SV-239544r662083_rule
  • SV-99209
The AppleTalk suite of protocols is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol.
Checks: C-42777r662081_chk

Verify the "AppleTalk" protocol handler is prevented from dynamic loading: # grep "install appletalk /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42736r662082_fix

Prevent the "AppleTalk" protocol handler from dynamic loading: # echo "install appletalk /bin/true" >> /etc/modprobe.conf.local

b
The DECnet protocol must be disabled or not installed.
CM-7 - Medium - CCI-000382 - V-239545 - SV-239545r662086_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000630
Vuln IDs
  • V-239545
  • V-88561
Rule IDs
  • SV-239545r662086_rule
  • SV-99211
The DECnet suite of protocols is no longer in common use. Binding this protocol to the network stack increases the attack surface of the host. Unprivileged local processes may be able to cause SLES for vRealize to dynamically load a protocol handler by opening a socket using the protocol.
Checks: C-42778r662084_chk

Check that the "DECnet" protocol handler is prevented from dynamic loading: # grep "install decnet /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no result is returned, this is a finding.

Fix: F-42737r662085_fix

Prevent the "DECnet" protocol handler from dynamic loading: # echo "install decnet /bin/true" >> /etc/modprobe.conf.local

b
Proxy Neighbor Discovery Protocol (NDP) must not be enabled on SLES for vRealize.
CM-7 - Medium - CCI-000382 - V-239546 - SV-239546r662089_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000635
Vuln IDs
  • V-239546
  • V-88563
Rule IDs
  • SV-239546r662089_rule
  • SV-99213
Proxy Neighbor Discovery Protocol (NDP) allows a system to respond to NDP requests on one interface on behalf of hosts connected to another interface. If this function is enabled when not required, addressing information may be leaked between the attached network segments.
Checks: C-42779r662087_chk

Determine if SLES for vRealize has proxy "NDP", and if it is enabled: # more /proc/sys/net/ipv6/conf/*/proxy_ndp If the file is not found, the kernel does not have proxy "NDP", this is not a finding. If the file has a value of "0", proxy "NDP" is not enabled, this is not a finding. If the file has a value of "1", proxy NDP is enabled, this is a finding.

Fix: F-42738r662088_fix

Disable proxy "NDP" on the system. For Appliance OS, "proxy_ndp" is disabled by default.

b
The SLES for vRealize must not have 6to4 enabled.
CM-7 - Medium - CCI-000382 - V-239547 - SV-239547r662092_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000640
Vuln IDs
  • V-239547
  • V-88565
Rule IDs
  • SV-239547r662092_rule
  • SV-99215
6to4 is an IPv6 transition mechanism that involves tunneling IPv6 packets encapsulated in IPv4 packets on an ad hoc basis. This is not a preferred transition strategy and increases the attack surface of SLES for vRealize.
Checks: C-42780r662090_chk

Check SLES for vRealize for any active "6to4" tunnels without specific remote addresses: # ip tun list | grep "remote any" | grep "ipv6/ip" If any results are returned the "tunnel" is the first field. If any results are returned, this is a finding.

Fix: F-42739r662091_fix

Disable the active "6to4" tunnel: # ip link set <tunnel> down Add this command to a startup script, or remove the configuration creating the tunnel.

b
The SLES for vRealize must not have Teredo enabled.
CM-7 - Medium - CCI-000382 - V-239548 - SV-239548r662095_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000645
Vuln IDs
  • V-239548
  • V-88567
Rule IDs
  • SV-239548r662095_rule
  • SV-99217
Teredo is an IPv6 transition mechanism that involves tunneling IPv6 packets encapsulated in IPv4 packets. Unauthorized tunneling may circumvent network security.
Checks: C-42781r662093_chk

Verify the "Miredo" service is not running: # ps ax | grep miredo | grep -v grep If the Miredo process is running, this is a finding. Note: For Appliance OS, "Miredo" is not included by default, this is not a finding.

Fix: F-42740r662094_fix

Kill the "Miredo" service. Edit startup scripts to prevent the service from running on startup.

b
The DHCP client must be disabled if not needed.
CM-7 - Medium - CCI-000382 - V-239549 - SV-239549r662098_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000650
Vuln IDs
  • V-239549
  • V-88569
Rule IDs
  • SV-239549r662098_rule
  • SV-99219
DHCP allows for the unauthenticated configuration of network parameters on SLES for vRealize by exchanging information with a DHCP server.
Checks: C-42782r662096_chk

Check that no interface is configured to use "DHCP": # grep -i bootproto=dhcp4 /etc/sysconfig/network/ifcfg-* If any configuration is found, this is a finding.

Fix: F-42741r662097_fix

Edit the "/etc/sysconfig/network/ifcfg-*" file(s) and change the "bootproto" setting to "static".

b
The SLES for vRealize must have IEEE 1394 (Firewire) disabled unless needed.
CM-7 - Medium - CCI-000382 - V-239550 - SV-239550r662101_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
VROM-SL-000655
Vuln IDs
  • V-239550
  • V-88571
Rule IDs
  • SV-239550r662101_rule
  • SV-99221
Firewire is a common computer peripheral interface. Firewire devices may include storage devices that could be used to install malicious software on a system or exfiltrate data.
Checks: C-42783r662099_chk

If SLES for vRealize needs IEEE 1394 (Firewire), this is not applicable. Check if the firewire module is not disabled: # grep "install ieee1394 /bin/true" /etc/modprobe.conf /etc/modprobe.conf.local /etc/modprobe.d/* If no results are returned, this is a finding.

Fix: F-42742r662100_fix

Prevent SLES for vRealize from loading the firewire module: # echo "install ieee1394 /bin/true" >> /etc/modprobe.conf.local

b
Duplicate User IDs (UIDs) must not exist for users within the organization.
IA-2 - Medium - CCI-000764 - V-239551 - SV-239551r662104_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000764
Version
VROM-SL-000660
Vuln IDs
  • V-239551
  • V-88573
Rule IDs
  • SV-239551r662104_rule
  • SV-99223
To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of SLES for vRealize. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; and 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
Checks: C-42784r662102_chk

Verify that SLES for vRealize contains no duplicate UIDs for organizational users by running the following command: # awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, this is a finding.

Fix: F-42743r662103_fix

Edit the file "/etc/passwd" and provide each organizational user account that has a duplicate UID with a unique UID.

c
The SLES for vRealize must prevent direct logon into the root account.
IA-2 - High - CCI-000770 - V-239552 - SV-239552r662107_rule
RMF Control
IA-2
Severity
High
CCI
CCI-000770
Version
VROM-SL-000685
Vuln IDs
  • V-239552
  • V-88575
Rule IDs
  • SV-239552r662107_rule
  • SV-99225
To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. For example, the UNIX and Windows operating systems offer a 'switch user' capability allowing users to authenticate with their individual credentials and, when needed, 'switch' to the administrator role. This method provides for unique individual authentication prior to using a group authenticator. Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication. Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.
Checks: C-42785r662105_chk

Verify SLES for vRealize prevents direct logons to the root account by running the following command: # grep root /etc/shadow | cut -d "":"" -f 2 If the returned message contains any text, this is a finding.

Fix: F-42744r662106_fix

Configure SLES for vRealize to prevent direct logins to the root account by performing the following operations: Add this line to the "/etc/group" file: admin:x:[UNIQUE_NUMBER]:[USERNAME] USERNAME is the user you wish to add to the admin group. UNIQUE_NUMBER is a number entered into the ID field of an entry that is unique to all other IDs in the file. Comment out the following lines in "/etc/sudoers" file: Default targetpw ALL ALL=(ALL) ALL Under the line in the "/etc/sudoers" file: root ALL=(ALL) All Add the following line: %admin ALL=(ALL) ALL Run the following command: # passwd -d root

b
The SLES for vRealize must enforce SSHv2 for network access to privileged accounts.
IA-2 - Medium - CCI-001941 - V-239553 - SV-239553r852586_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001941
Version
VROM-SL-000690
Vuln IDs
  • V-239553
  • V-88577
Rule IDs
  • SV-239553r852586_rule
  • SV-99227
A replay attack may enable an unauthorized user to gain access to SLES for vRealize. Authentication sessions between the authenticator and SLES for vRealize validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A privileged account is any information system account with authorizations of a privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Checks: C-42786r662108_chk

Verify that SLES for vRealize enforces SSHv2 for network access to privileged accounts by running the following command: Replace [ADDRESS] in the following command with the correct IP address based on the current system configuration. # ssh -1 [ADDRESS] An example of the command usage is as follows: # ssh -1 localhost The output must be the following: Protocol major versions differ: 1 vs. 2 If it is not, this is a finding. OR Verify that the ssh is configured to enforce SSHv2 for network access to privileged accounts by running the following command: # grep Protocol /etc/ssh/sshd_config If the result is not "Protocol 2", this is a finding.

Fix: F-42745r662109_fix

Configure SLES for vRealize to enforce SSHv2 for network access to privileged accounts by running the following commands: # sed -i 's/^.*\bProtocol\b.*$/Protocol 2/' /etc/ssh/sshd_config Restart the ssh service. # service sshd restart

b
The SLES for vRealize must enforce SSHv2 for network access to non-privileged accounts.
IA-2 - Medium - CCI-001942 - V-239554 - SV-239554r852587_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-001942
Version
VROM-SL-000695
Vuln IDs
  • V-239554
  • V-88579
Rule IDs
  • SV-239554r852587_rule
  • SV-99229
A replay attack may enable an unauthorized user to gain access to SLES for vRealize. Authentication sessions between the authenticator and SLES for vRealize validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. A non-privileged account is any SLES for vRealize account with authorizations of a non-privileged user. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.
Checks: C-42787r662111_chk

Verify that SLES for vRealize enforces SSHv2 for network access to privileged accounts by running the following command: Replace [ADDRESS] in the following command with the correct IP address based on the current system configuration. # ssh -1 [ADDRESS] An example of the command usage is as follows: # ssh -1 localhost The output must be one of the following items: Protocol major versions differ: 1 vs. 2 OR Protocol 1 not allowed in the FIPS mode. If it does not, this is a finding. OR Verify that the ssh is configured to enforce SSHv2 for network access to privileged accounts by running the following command: # grep Protocol /etc/ssh/sshd_config If the result is not "Protocol 2", this is a finding.

Fix: F-42746r662112_fix

Configure SLES for vRealize to enforce SSHv2 for network access to non-privileged accounts by running the following commands: # sed -i 's/^.*\bProtocol\b.*$/Protocol 2/' /etc/ssh/sshd_config Restart the ssh service. # service sshd restart

b
The SLES for vRealize must disable account identifiers of individuals and roles (such as root) after 35 days of inactivity after password expiration.
IA-4 - Medium - CCI-000795 - V-239555 - SV-239555r662116_rule
RMF Control
IA-4
Severity
Medium
CCI
CCI-000795
Version
VROM-SL-000705
Vuln IDs
  • V-239555
  • V-88581
Rule IDs
  • SV-239555r662116_rule
  • SV-99231
Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. SLES for vRealize need to track periods of inactivity and disable application identifiers after 35 days of inactivity.
Checks: C-42788r662114_chk

Verify SLES for vRealize disables account identifiers after "35" days of inactivity after the password expiration, by performing the following commands: # grep "INACTIVE" /etc/default/useradd The output must indicate the "INACTIVE" configuration option is set to an appropriate integer as shown in the example below: grep "INACTIVE" /etc/default/useradd INACTIVE=35 If "INACTIVE" is not set to a value 0&lt;[VALUE]&lt;=35, this is a finding.

Fix: F-42747r662115_fix

Configure SLES for vRealize to disable account identifiers after "35" days of inactivity after the password expiration. Run the following command to change the configuration for useradd: Replace [VALUE] in the command with any integer from the range 0<[VALUE]<= 35. # sed -i "s/^.*\bINACTIVE\b.*$/INACTIVE=[VALUE]/" /etc/default/useradd DoD recommendation is "35" days, but a lower value is acceptable. The value "-1" will disable this feature and "0" will disable the account immediately after the password expires.

b
The SLES for vRealize must use mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
IA-7 - Medium - CCI-000803 - V-239556 - SV-239556r662119_rule
RMF Control
IA-7
Severity
Medium
CCI
CCI-000803
Version
VROM-SL-000710
Vuln IDs
  • V-239556
  • V-88583
Rule IDs
  • SV-239556r662119_rule
  • SV-99233
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. SLES for vRealize utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
Checks: C-42789r662117_chk

Check the "/etc/default/passwd" file: # grep CRYPT /etc/default/passwd If the "CRYPT" setting in the "/etc/default/passwd" file is not present, or not set to "SHA256" or "SHA512", this is a finding. If the "CRYPT_FILES" setting in the "/etc/default/passwd" file is not present, or not set to "SHA256" or "SHA512", this is a finding.

Fix: F-42748r662118_fix

Edit the "/etc/default/passwd" file and add or change the "CRYPT" variable setting so that it contains: CRYPT=sha256 OR CRYPT=sha512 Edit the "/etc/default/passwd" file and add or change the "CRYPT_FILES" variable setting so that it contains: CRYPT_FILES=sha256 OR CRYPT_FILES=sha512

b
The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
IA-8 - Medium - CCI-000804 - V-239557 - SV-239557r662122_rule
RMF Control
IA-8
Severity
Medium
CCI
CCI-000804
Version
VROM-SL-000715
Vuln IDs
  • V-239557
  • V-88585
Rule IDs
  • SV-239557r662122_rule
  • SV-99235
Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system. Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of an employee (e.g., contractors and guest researchers). Non-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access.
Checks: C-42790r662120_chk

Run the following command to check for duplicate account names: # pwck -rq If there are no duplicate names, no line will be returned. If a line is returned, this is a finding.

Fix: F-42749r662121_fix

Change usernames, or delete accounts, so each has a unique name.

b
The SLES for vRealize must uniquely identify and must authenticate non-organizational users (or processes acting on behalf of non-organizational users).
IA-8 - Medium - CCI-000804 - V-239558 - SV-239558r662125_rule
RMF Control
IA-8
Severity
Medium
CCI
CCI-000804
Version
VROM-SL-000720
Vuln IDs
  • V-239558
  • V-88587
Rule IDs
  • SV-239558r662125_rule
  • SV-99237
Lack of authentication and identification enables non-organizational users to gain access to the application or possibly other information systems and provides an opportunity for intruders to compromise resources within the application or information system. Non-organizational users include all information system users other than organizational users, which include organizational employees or individuals the organization deems to have equivalent status of an employee (e.g., contractors and guest researchers). Non-organizational users must be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization when related to the use of anonymous access.
Checks: C-42791r662123_chk

Verify the SLES for vRealize uniquely identifies and authenticates non-organizational users by running the following commands: # awk -F: '{print $3}' /etc/passwd | sort | uniq -d If the output is not blank, this is a finding.

Fix: F-42750r662124_fix

Configure the SLES for vRealize to uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). UNIQUE_USER_ID is a unique numerical value that must be non-negative. USERNAME is the username of the user whose user ID you wish to change. # usermod -u [UNIQUE_USER_ID] [USERNAME]

b
The SLES for vRealize must be configured such that emergency administrator accounts are never automatically removed or disabled.
AC-2 - Medium - CCI-001682 - V-239559 - SV-239559r662128_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001682
Version
VROM-SL-000730
Vuln IDs
  • V-239559
  • V-88589
Rule IDs
  • SV-239559r662128_rule
  • SV-99239
Emergency administrator accounts are privileged accounts which are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation may bypass normal account authorization processes. If these accounts are automatically disabled, system maintenance during emergencies may not be possible, thus adversely affecting system availability. Emergency administrator accounts are different from infrequently used accounts (i.e., local logon accounts used by system administrators when network or normal logon/access is not available). Infrequently used accounts also remain available and are not subject to automatic termination dates. However, an emergency administrator account is normally a different account that is created for use by vendors or system maintainers. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.
Checks: C-42792r662126_chk

For each emergency administrator account run the following command: chage -l [user] If the output shows an expiration date for the account, this is a finding.

Fix: F-42751r662127_fix

For each emergency administrator account run the following command to remove the expiration date: chage -E -1 [user]

b
The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
MA-4 - Medium - CCI-000877 - V-239560 - SV-239560r877395_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-000877
Version
VROM-SL-000735
Vuln IDs
  • V-239560
  • V-88591
Rule IDs
  • SV-239560r877395_rule
  • SV-99241
If maintenance tools are used by unauthorized personnel, they may accidentally or intentionally damage or compromise the system. The act of managing systems and applications includes the ability to access sensitive application information, such as system configuration details, diagnostic information, user information, and potentially sensitive application data. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.
Checks: C-42793r662129_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the sshd_config file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42752r662130_fix

Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart

b
The SLES for vRealize must terminate all sessions and network connections related to nonlocal maintenance when nonlocal maintenance is completed.
MA-4 - Medium - CCI-000879 - V-239561 - SV-239561r662134_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-000879
Version
VROM-SL-000740
Vuln IDs
  • V-239561
  • V-88593
Rule IDs
  • SV-239561r662134_rule
  • SV-99243
If a maintenance session or connection remains open after maintenance is completed, it may be hijacked by an attacker and used to compromise or damage the system. Some maintenance and test tools are either standalone devices with their own operating systems or are applications bundled with an operating system. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection.
Checks: C-42794r662132_chk

Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.

Fix: F-42753r662133_fix

Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null

b
The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
SC-5 - Medium - CCI-001095 - V-239562 - SV-239562r662137_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
VROM-SL-000760
Vuln IDs
  • V-239562
  • V-88595
Rule IDs
  • SV-239562r662137_rule
  • SV-99245
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Checks: C-42795r662135_chk

Check that SLES for vRealize is configured to use TCP syncookies when experiencing a TCP SYN flood. # cat /proc/sys/net/ipv4/tcp_syncookies If the result is not "1", this is a finding.

Fix: F-42754r662136_fix

Configure SLES for vRealize to use TCP syncookies when experiencing a TCP SYN flood. # sed -i 's/^.*\bnet.ipv4.tcp_syncookies\b.*$/net.ipv4.tcp_syncookies=1/' /etc/sysctl.conf Reload sysctl to verify the new change: # sysctl -p

b
The SLES for vRealize must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
SC-5 - Medium - CCI-001095 - V-239563 - SV-239563r662140_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-001095
Version
VROM-SL-000765
Vuln IDs
  • V-239563
  • V-88597
Rule IDs
  • SV-239563r662140_rule
  • SV-99247
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
Checks: C-42796r662138_chk

Check that SLES for vRealize has an appropriate TCP backlog queue size to mitigate against TCP SYN flood DOS attacks with the following command: # cat /proc/sys/net/ipv4/tcp_max_syn_backlog The recommended default setting is "1280". If the TCP backlog queue size is not set to "1280", this is a finding.

Fix: F-42755r662139_fix

Configure the TCP backlog queue size with the following command: # sed -i 's/^.*\bnet.ipv4.tcp_max_syn_backlog\b.*$/net.ipv4.tcp_max_syn_backlog=1280/' /etc/sysctl.conf Reload sysctl to verify the new change: # sysctl -p

b
The SLES for vRealize must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity; and for user sessions (non-privileged session), the session must be terminated after 15 minutes of inactivity, except to fulfill documented and validated mission requirements.
SC-10 - Medium - CCI-001133 - V-239564 - SV-239564r662405_rule
RMF Control
SC-10
Severity
Medium
CCI
CCI-001133
Version
VROM-SL-000770
Vuln IDs
  • V-239564
  • V-88599
Rule IDs
  • SV-239564r662405_rule
  • SV-99249
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that SLES for vRealize terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
Checks: C-42797r662141_chk

Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.

Fix: F-42756r662142_fix

Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null

b
The /var/log directory must be group-owned by root.
SI-11 - Medium - CCI-001314 - V-239565 - SV-239565r662146_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
VROM-SL-000795
Vuln IDs
  • V-239565
  • V-88601
Rule IDs
  • SV-239565r662146_rule
  • SV-99251
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-42798r662144_chk

Verify the "/var/log" directory is group-owned by "root" by running the following command: # ls -lad /var/log | cut -d' ' -f4 The output must look like the following example: ls -lad /var/log | cut -d' ' -f4 root If "root" is not returned as a result, this is a finding.

Fix: F-42757r662145_fix

Change the group of the directory "/var/log" to "root" by running the following command: # chgrp root /var/log

b
The /var/log directory must be owned by root.
SI-11 - Medium - CCI-001314 - V-239566 - SV-239566r662149_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
VROM-SL-000800
Vuln IDs
  • V-239566
  • V-88603
Rule IDs
  • SV-239566r662149_rule
  • SV-99253
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-42799r662147_chk

Verify that the "/var/log" directory is owned by "root" by running the following command: # ls -lad /var/log | cut -d' ' -f3 The output must look like the following example: ls -lad /var/log | cut -d' ' -f3 root If "root" is not returned as a result, this is a finding.

Fix: F-42758r662148_fix

Change the owner of the directory "/var/log" to "root" by running the following command: # chown root /var/log

b
The /var/log directory must have mode 0750 or less permissive.
SI-11 - Medium - CCI-001314 - V-239567 - SV-239567r662152_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
VROM-SL-000805
Vuln IDs
  • V-239567
  • V-88605
Rule IDs
  • SV-239567r662152_rule
  • SV-99255
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-42800r662150_chk

Verify that the "/var/log" directory is the mode 0750 or less permissive by running the following command: # ls -lad /var/log | cut -d' ' -f1 The output must look like the following example: ls -lad /var/log | cut -d' ' -f1 drwxr-x--- If "drwxr-x---" is not returned as a result, this is a finding.

Fix: F-42759r662151_fix

Change the permissions of the directory "/var/log" to "0750" by running the following command: # chmod 0750 /var/log

b
The /var/log/messages file must be group-owned by root.
SI-11 - Medium - CCI-001314 - V-239568 - SV-239568r662155_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
VROM-SL-000810
Vuln IDs
  • V-239568
  • V-88607
Rule IDs
  • SV-239568r662155_rule
  • SV-99257
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-42801r662153_chk

Verify that the "/var/log/messages" file is group-owned by "root" by running the following command: # ls -la /var/log/messages | cut -d' ' -f4 The output must look like the following example: ls -la /var/log/messages | cut -d' ' -f4 root If "root" is not returned as a result, this is a finding.

Fix: F-42760r662154_fix

Change the group of the file "/var/log/messages" to "root" by running the following command: # chgrp root /var/log/messages

b
The /var/log/messages file must be owned by root.
SI-11 - Medium - CCI-001314 - V-239569 - SV-239569r662158_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
VROM-SL-000815
Vuln IDs
  • V-239569
  • V-88609
Rule IDs
  • SV-239569r662158_rule
  • SV-99259
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-42802r662156_chk

Verify that the "/var/log/messages" file is owned by "root" by running the following command: # ls -la /var/log/messages | cut -d' ' -f3 The output must look like the following example: ls -la /var/log/messages | cut -d' ' -f3 root If "root" is not returned as a result, this is a finding.

Fix: F-42761r662157_fix

Change the owner of the file "/var/log/messages" to "root" by running the following command: # chown root /var/log/messages

b
The /var/log/messages file must have mode 0640 or less permissive.
SI-11 - Medium - CCI-001314 - V-239570 - SV-239570r662161_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
VROM-SL-000820
Vuln IDs
  • V-239570
  • V-88611
Rule IDs
  • SV-239570r662161_rule
  • SV-99261
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-42803r662159_chk

Verify that the "/var/log/messages" file is 0640 or less permissive by running the following command: # ls -lad /var/log/messages | cut -d' ' -f1 The output must look like the following example: ls -lad /var/log/messages | cut -d' ' -f1 -rw-r----- If "-rw-r-----" is not returned as a result, this is a finding.

Fix: F-42762r662160_fix

Change the permissions of the file "/var/log/messages" to "0640" by running the following command: # chmod 0640 /var/log/messages

b
The SLES for vRealize must reveal error messages only to authorized users.
SI-11 - Medium - CCI-001314 - V-239571 - SV-239571r662164_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
VROM-SL-000825
Vuln IDs
  • V-239571
  • V-88613
Rule IDs
  • SV-239571r662164_rule
  • SV-99263
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-42804r662162_chk

Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the mode of the file is more permissive than "0640", this is a finding.

Fix: F-42763r662163_fix

Change the permissions of the syslog configuration file(s): # chmod 640 /etc/syslog-ng/syslog-ng.conf

b
The SLES for vRealize must reveal error messages only to authorized users.
SI-11 - Medium - CCI-001314 - V-239572 - SV-239572r662167_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
VROM-SL-000830
Vuln IDs
  • V-239572
  • V-88615
Rule IDs
  • SV-239572r662167_rule
  • SV-99265
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-42805r662165_chk

Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the file is not owned by "root", this is a finding.

Fix: F-42764r662166_fix

Use the chown command to set the owner to "root": # chown root /etc/syslog-ng/syslog-ng.conf

b
The SLES for vRealize must reveal error messages only to authorized users.
SI-11 - Medium - CCI-001314 - V-239573 - SV-239573r662170_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
VROM-SL-000835
Vuln IDs
  • V-239573
  • V-88617
Rule IDs
  • SV-239573r662170_rule
  • SV-99267
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the SLES for vRealize system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-42806r662168_chk

Check the permissions of the syslog configuration file(s): # ls -lL /etc/syslog-ng/syslog-ng.conf If the file is not group owned by "root", this is a finding.

Fix: F-42765r662169_fix

Change the group-owner of the "/etc/rsyslog.conf" file to "root": # chgrp root /etc/syslog-ng/syslog-ng.conf

b
The SLES for vRealize must audit all account modifications.
AC-2 - Medium - CCI-001403 - V-239575 - SV-239575r662176_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
VROM-SL-000845
Vuln IDs
  • V-239575
  • V-88621
Rule IDs
  • SV-239575r662176_rule
  • SV-99271
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42808r662174_chk

Determine if execution of the "usermod" and "groupmod" executable are audited. # auditctl -l | egrep '(usermod|groupmod)' | grep perm=x If either "usermod" or "groupmod" are not listed with a permissions filter of at least "x", this is a finding.

Fix: F-42767r662175_fix

Configure execute auditing of the "usermod" and "groupmod" executables run the DoD.script with the following command as "root": # /etc/dodscript.sh OR Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the audit.rules file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Restart the auditd service. # service auditd restart

b
The SLES for vRealize must audit all account modifications.
AC-2 - Medium - CCI-001403 - V-239576 - SV-239576r662179_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001403
Version
VROM-SL-000850
Vuln IDs
  • V-239576
  • V-88623
Rule IDs
  • SV-239576r662179_rule
  • SV-99273
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42809r662177_chk

Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/gshadow" are audited for writing. # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow)' | grep perm=w If any of these are not listed with a permissions filter of at least "w", this is a finding.

Fix: F-42768r662178_fix

Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files run the DoD.script with the following command as root: # /etc/dodscript.sh OR Configure append auditing of the "passwd", "shadow", "group", and "gshadow" files. Add the following to the audit.rules file: -w /etc/passwd -p w -k passwd -w /etc/shadow -p w -k shadow -w /etc/group -p w -k group -w /etc/gshadow -p w -k gshadow Restart the auditd service. # service auditd restart

b
The SLES for vRealize must audit all account-disabling actions.
AC-2 - Medium - CCI-001404 - V-239577 - SV-239577r662182_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001404
Version
VROM-SL-000855
Vuln IDs
  • V-239577
  • V-88625
Rule IDs
  • SV-239577r662182_rule
  • SV-99275
When SLES for vRealize accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events affecting user accessibility and system processing, SLES for vRealize must audit account disabling actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that SLES for vRealize accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42810r662180_chk

Determine if execution of the "passwd" executable is audited: # auditctl -l | grep watch=/usr/bin/passwd If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding.

Fix: F-42769r662181_fix

Configure SLES for vRealize to automatically audit account-disabling actions by running the following command: # /etc/dodscript.sh OR # echo '-w /usr/bin/passwd -p x -k passwd' >> /etc/audit/audit.rules Restart the auditd service. # service auditd restart

b
The SLES for vRealize must audit all account removal actions.
AC-2 - Medium - CCI-001405 - V-239578 - SV-239578r662185_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-001405
Version
VROM-SL-000860
Vuln IDs
  • V-239578
  • V-88627
Rule IDs
  • SV-239578r662185_rule
  • SV-99277
When SLES for vRealize accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions and, as required, notify the appropriate individuals so they can investigate the event. Such a capability greatly reduces the risk that SLES for vRealize accessibility will be negatively affected for extended periods of time and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42811r662183_chk

Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding.

Fix: F-42770r662184_fix

Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel

b
The SLES for vRealize must implement cryptography to protect the integrity of remote access sessions.
AC-17 - Medium - CCI-001453 - V-239579 - SV-239579r877394_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-001453
Version
VROM-SL-000865
Vuln IDs
  • V-239579
  • V-88629
Rule IDs
  • SV-239579r877394_rule
  • SV-99279
Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the secret key used to generate the hash.
Checks: C-42812r662186_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42771r662187_fix

Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart

b
The SLES for vRealize must initiate session audits at system start-up.
AU-14 - Medium - CCI-001464 - V-239580 - SV-239580r662191_rule
RMF Control
AU-14
Severity
Medium
CCI
CCI-001464
Version
VROM-SL-000870
Vuln IDs
  • V-239580
  • V-88631
Rule IDs
  • SV-239580r662191_rule
  • SV-99281
If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.
Checks: C-42813r662189_chk

Check for the "audit=1" kernel parameter. # grep "audit=1" /proc/cmdline If no results are returned, this is a finding.

Fix: F-42772r662190_fix

Edit the grub bootloader file "/boot/grub/menu.lst" by appending the "audit=1" parameter to the kernel boot line. Reboot the system for the change to take effect.

b
The SLES for vRealize must produce audit records containing information to establish the identity of any individual or process associated with the event.
AU-3 - Medium - CCI-001487 - V-239581 - SV-239581r662194_rule
RMF Control
AU-3
Severity
Medium
CCI
CCI-001487
Version
VROM-SL-000875
Vuln IDs
  • V-239581
  • V-88633
Rule IDs
  • SV-239581r662194_rule
  • SV-99283
Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.
Checks: C-42814r662192_chk

Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42773r662193_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b
The SLES for vRealize must protect audit tools from unauthorized access.
AU-9 - Medium - CCI-001493 - V-239582 - SV-239582r662197_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
VROM-SL-000880
Vuln IDs
  • V-239582
  • V-88635
Rule IDs
  • SV-239582r662197_rule
  • SV-99285
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-42815r662195_chk

The following command will list which audit files on the system have permissions different from what is expected by the RPM database: # rpm -V audit | grep '^.M' If there is any output, for each file or directory found, compare the RPM-expected permissions with the permissions on the file or directory: # rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" audit | grep [filename] # ls -lL [filename] If the existing permissions are more permissive than those expected by the RPM database, this is a finding.

Fix: F-42774r662196_fix

For each file that has permissions that are more permissive than those expected by the RPM database, alter the permission of the file with the following command: # chmod <permission> <filename>

b
The SLES for vRealize must protect audit tools from unauthorized modification.
AU-9 - Medium - CCI-001494 - V-239583 - SV-239583r662200_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001494
Version
VROM-SL-000885
Vuln IDs
  • V-239583
  • V-88637
Rule IDs
  • SV-239583r662200_rule
  • SV-99287
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the modification of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-42816r662198_chk

The following command will list which audit files on the system where the group ownership has been modified: # rpm -V audit | grep '^......G' If there is output, this is a finding.

Fix: F-42775r662199_fix

For each file that has the incorrect group modification, alter the group ownership of the file with the following command: # chgrp <group> <filename>

b
The SLES for vRealize must protect audit tools from unauthorized deletion.
AU-9 - Medium - CCI-001495 - V-239584 - SV-239584r662203_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001495
Version
VROM-SL-000890
Vuln IDs
  • V-239584
  • V-88639
Rule IDs
  • SV-239584r662203_rule
  • SV-99289
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. SLES for vRealize systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the deletion of audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-42817r662201_chk

The following command will list which audit files on the system where the ownership has been modified: # rpm -V audit | grep '^.....U' If there is output, this is a finding.

Fix: F-42776r662202_fix

For each file that has the incorrect owner modification, alter the ownership of the file with the following command: # chown <owner> <filename>

b
The SLES for vRealize must enforce password complexity by requiring that at least one special character be used.
IA-5 - Medium - CCI-001619 - V-239585 - SV-239585r662206_rule
RMF Control
IA-5
Severity
Medium
CCI
CCI-001619
Version
VROM-SL-000900
Vuln IDs
  • V-239585
  • V-88641
Rule IDs
  • SV-239585r662206_rule
  • SV-99291
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.
Checks: C-42818r662204_chk

Verify SLES for vRealize enforces password complexity by requiring that at least one special character be used by using the following command: Check the password "ocredit" option: # grep pam_cracklib.so /etc/pam.d/common-password Confirm the "ocredit" option is set to "-1" as in the example: password requisite pam_cracklib.so ocredit=-1 There may be other options on the line. If no such line is found, or the "ocredit" is not "-1", this is a finding.

Fix: F-42777r662205_fix

Configure SLES for vRealize to enforce password complexity by requiring that at least one special character be used by running the following command: If "ocredit" was not set at all in "/etc/pam.d/common-password-vmware.local" file then run the following command: # sed -i '/pam_cracklib.so/ s/$/ ocredit=-1/' /etc/pam.d/common-password-vmware.local If "ocredit" was set incorrectly, run the following command: # sed -i '/pam_cracklib.so/ s/ocredit=../ocredit=-1/' /etc/pam.d/common-password-vmware.local

a
The SLES for vRealize must notify System Administrators and Information Systems Security Officer when accounts are created.
AC-2 - Low - CCI-001683 - V-239586 - SV-239586r662209_rule
RMF Control
AC-2
Severity
Low
CCI
CCI-001683
Version
VROM-SL-000910
Vuln IDs
  • V-239586
  • V-88643
Rule IDs
  • SV-239586r662209_rule
  • SV-99293
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Notification of account creation is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42819r662207_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42778r662208_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

a
The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are modified.
AC-2 - Low - CCI-001684 - V-239587 - SV-239587r662212_rule
RMF Control
AC-2
Severity
Low
CCI
CCI-001684
Version
VROM-SL-000915
Vuln IDs
  • V-239587
  • V-88645
Rule IDs
  • SV-239587r662212_rule
  • SV-99295
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Notification of account modification is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42820r662210_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42779r662211_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

a
The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are disabled.
AC-2 - Low - CCI-001685 - V-239588 - SV-239588r662215_rule
RMF Control
AC-2
Severity
Low
CCI
CCI-001685
Version
VROM-SL-000920
Vuln IDs
  • V-239588
  • V-88647
Rule IDs
  • SV-239588r662215_rule
  • SV-99297
When SLES for vRealize accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual SLES for vRealize users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events that affect user accessibility and system processing, operating systems must audit account disabling actions and, as required, notify System Administrators and Information System Security Officers (ISSO) so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42821r662213_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42780r662214_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

a
The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are removed.
AC-2 - Low - CCI-001686 - V-239589 - SV-239589r662218_rule
RMF Control
AC-2
Severity
Low
CCI
CCI-001686
Version
VROM-SL-000925
Vuln IDs
  • V-239589
  • V-88649
Rule IDs
  • SV-239589r662218_rule
  • SV-99299
When SLES for vRealize accounts are removed, user accessibility is affected. Accounts are utilized for identifying individual SLES for vRealize users or for identifying the SLES for vRealize processes themselves. In order to detect and respond to events that affect user accessibility and system processing, SLES for vRealize must audit account removal actions and, as required, notify System Administrators and Information System Security Officers (ISSO) so they can investigate the event. Such a capability greatly reduces the risk that operating system accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42822r662216_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42781r662217_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

b
The SLES for vRealize must use cryptographic mechanisms to protect the integrity of audit tools.
AU-9 - Medium - CCI-001496 - V-239590 - SV-239590r877393_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001496
Version
VROM-SL-000930
Vuln IDs
  • V-239590
  • V-88651
Rule IDs
  • SV-239590r877393_rule
  • SV-99301
Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.
Checks: C-42823r662219_chk

The following command will list which audit files on the system have file hashes different from what is expected by the RPM database: # rpm -V audit | grep '$1 ~ /..5/ &amp;&amp; $2 != "c"' If there is output, this is a finding.

Fix: F-42782r662220_fix

The RPM package management system can check the hashes of audit system package files. Run the following command to list which audit files on the system have hashes that differ from what is expected by the RPM database: # rpm -V audit | grep '^..5' A "c" in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file that has changed was not expected to, refresh from distribution media or online repositories. rpm -Uvh [affected_package]

b
The SLES for vRealize must automatically terminate a user session after inactivity time-outs have expired or at shutdown.
AC-12 - Medium - CCI-002361 - V-239591 - SV-239591r852588_rule
RMF Control
AC-12
Severity
Medium
CCI
CCI-002361
Version
VROM-SL-000935
Vuln IDs
  • V-239591
  • V-88653
Rule IDs
  • SV-239591r852588_rule
  • SV-99303
Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance.
Checks: C-42824r662222_chk

Check for the existence of the "/etc/profile.d/tmout.sh" file: # ls -al /etc/profile.d/tmout.sh Check for the presence of the "TMOUT" variable: # grep TMOUT /etc/profile.d/tmout.sh The value of "TMOUT" should be set to "900" seconds (15 minutes). If the file does not exist, or the "TMOUT" variable is not set to "900", this is a finding.

Fix: F-42783r662223_fix

Ensure the file exists and is owned by "root". If the files does not exist, use the following commands to create the file: # touch /etc/profile.d/tmout.sh # chown root:root /etc/profile.d/tmout.sh # chmod 644 /etc/profile.d/tmout.sh Edit the file "/etc/profile.d/tmout.sh", and add the following lines: TMOUT=900 readonly TMOUT export TMOUT mesg n 2>/dev/null

b
The SLES for vRealize must control remote access methods.
AC-17 - Medium - CCI-002314 - V-239592 - SV-239592r852589_rule
RMF Control
AC-17
Severity
Medium
CCI
CCI-002314
Version
VROM-SL-000950
Vuln IDs
  • V-239592
  • V-88655
Rule IDs
  • SV-239592r852589_rule
  • SV-99305
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. SLES for vRealize functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).
Checks: C-42825r662225_chk

Check the SSH daemon configuration for listening network addresses: # grep -i Listen /etc/ssh/sshd_config | grep -v '^#' If no configuration is returned, or if a returned "Listen" configuration contains addresses not designated for management traffic, this is a finding.

Fix: F-42784r662226_fix

Edit the SSH daemon configuration with the following command: # sed -i "/^[^#]ListenAddress/ c\ListenAddress = 0.0.0.0" /etc/ssh/sshd_config Replace "0.0.0.0" with the listening network addresses designated for management traffic.

b
The SLES for vRealize must audit all account enabling actions.
AC-2 - Medium - CCI-002130 - V-239593 - SV-239593r852590_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002130
Version
VROM-SL-000970
Vuln IDs
  • V-239593
  • V-88657
Rule IDs
  • SV-239593r852590_rule
  • SV-99307
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously created and provides logging that can be used for forensic purposes. To address access requirements, many SLES for vRealize systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42826r662228_chk

Determine if execution of the usermod and groupmod executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the passwd executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "etc/group", and "etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.

Fix: F-42785r662229_fix

Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to the aud.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart

b
The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are created, or enabled when previously disabled.
AC-2 - Medium - CCI-002132 - V-239594 - SV-239594r852591_rule
RMF Control
AC-2
Severity
Medium
CCI
CCI-002132
Version
VROM-SL-000975
Vuln IDs
  • V-239594
  • V-88659
Rule IDs
  • SV-239594r852591_rule
  • SV-99309
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail, which documents the creation of SLES for vRealize user accounts and notifies System Administrators and Information System Security Officers (ISSO) that it exists. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. In order to detect and respond to events that affect user accessibility and application processing, SLES for vRealize systems must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
Checks: C-42827r662231_chk

Determine if execution of the "usermod" and "groupmod" executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "passwd" executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.

Fix: F-42786r662232_fix

Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to the aud.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart

a
The SLES for vRealize must audit the execution of privileged functions.
AC-6 - Low - CCI-002234 - V-239595 - SV-239595r852592_rule
RMF Control
AC-6
Severity
Low
CCI
CCI-002234
Version
VROM-SL-001005
Vuln IDs
  • V-239595
  • V-88661
Rule IDs
  • SV-239595r852592_rule
  • SV-99311
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
Checks: C-42828r662234_chk

To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2&gt;/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: # grep path /etc/audit/audit.rules It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.

Fix: F-42787r662235_fix

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged OR # /etc/dodscript.sh

a
The SLES for vRealize must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes occur.
AC-7 - Low - CCI-002238 - V-239596 - SV-239596r852593_rule
RMF Control
AC-7
Severity
Low
CCI
CCI-002238
Version
VROM-SL-001010
Vuln IDs
  • V-239596
  • V-88663
Rule IDs
  • SV-239596r852593_rule
  • SV-99313
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
Checks: C-42829r662237_chk

Check the "pam_tally2" configuration: # more /etc/pam.d/common-auth Confirm the following line is configured: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_ti me=86400 root_unlock_time=300 # more /etc/pam.d/common-account Confirm the following line is configured: account required pam_tally2.so If no such lines are found, this is a finding.

Fix: F-42788r662238_fix

Edit "/etc/pam.d/common-auth" file and add the following line: auth required pam_tally2.so deny=3 onerr=fail even_deny_root unlock_time=86400 root_unlock_time=300 Edit "/etc/pam.d/common-account" file and add the following line: account required pam_tally2.so

a
The SLES for vRealize must off-load audit records onto a different system or media from the system being audited.
AU-4 - Low - CCI-001851 - V-239597 - SV-239597r877390_rule
RMF Control
AU-4
Severity
Low
CCI
CCI-001851
Version
VROM-SL-001035
Vuln IDs
  • V-239597
  • V-88665
Rule IDs
  • SV-239597r877390_rule
  • SV-99315
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Checks: C-42830r662240_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42789r662241_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

b
The SLES for vRealize must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
AU-5 - Medium - CCI-001855 - V-239598 - SV-239598r877389_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001855
Version
VROM-SL-001040
Vuln IDs
  • V-239598
  • V-88667
Rule IDs
  • SV-239598r877389_rule
  • SV-99317
If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.
Checks: C-42831r662243_chk

Check "/etc/audit/auditd.conf" file for the "space_left_action" parameter with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding Expected Result: space_left_action = SYSLOG Notes: If the "space_left_action" parameter is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" parameter is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.

Fix: F-42790r662244_fix

Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart

b
The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.
AU-5 - Medium - CCI-001858 - V-239599 - SV-239599r852596_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-001858
Version
VROM-SL-001045
Vuln IDs
  • V-239599
  • V-88669
Rule IDs
  • SV-239599r852596_rule
  • SV-99319
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).
Checks: C-42832r662246_chk

Check "/etc/audit/auditd.conf" file for the "space_left_action" parameter with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding Expected Result: space_left_action = SYSLOG Notes: If the "space_left_action" parameter is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" parameter is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.

Fix: F-42791r662247_fix

Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart

b
The SLES for vRealize must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).
AU-8 - Medium - CCI-001891 - V-239600 - SV-239600r878121_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
VROM-SL-001085
Vuln IDs
  • V-239600
  • V-88671
Rule IDs
  • SV-239600r878121_rule
  • SV-99321
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider endpoints that may not have regular access to the authoritative timeserver (e.g., mobile, teleworking, and tactical endpoints).
Checks: C-42833r662249_chk

A remote NTP server should be configured for time synchronization. To verify one is configured, open the following files: # cat /etc/ntp.conf | grep server | grep -v '^#' # cat /etc/ntp.conf | grep peer | grep -v '^#' # cat /etc/ntp.conf | grep multicastclient | grep -v '^#' Confirm the servers and peers or multicastclient (as applicable) are local or an authoritative U.S. DoD source. If a non-local/non-authoritative time-server is used, this is a finding.

Fix: F-42792r662250_fix

To specify a remote NTP server for time synchronization, edit the file "/etc/ntp.conf". Add or correct the following lines, substituting the IP or hostname of a remote NTP server for ntpserver by using the following command: # echo "server [ntpserver]" >> /etc/ntp.conf Replace [ntpserver] with one of the USNO time servers. This instructs the NTP software to contact that remote server to obtain time data. Restart the service with: # service ntp restart

b
The time synchronization configuration file (such as /etc/ntp.conf) must be owned by root.
AU-8 - Medium - CCI-001891 - V-239601 - SV-239601r877038_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
VROM-SL-001090
Vuln IDs
  • V-239601
  • V-88673
Rule IDs
  • SV-239601r877038_rule
  • SV-99323
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system account, unauthorized modifications could result in the failure of time synchronization.
Checks: C-42834r662252_chk

Check the ownership of the NTP configuration file: # ls -l /etc/ntp.conf If the owner is not "root", this is a finding.

Fix: F-42793r662253_fix

Change the owner of the NTP configuration file to "root": # chown root /etc/ntp.conf

b
The time synchronization configuration file (such as /etc/ntp.conf) must be group-owned by root, bin, sys, or system.
AU-8 - Medium - CCI-001891 - V-239602 - SV-239602r877038_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
VROM-SL-001095
Vuln IDs
  • V-239602
  • V-88675
Rule IDs
  • SV-239602r877038_rule
  • SV-99325
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not owned by a system group, unauthorized modifications could result in the failure of time synchronization.
Checks: C-42835r662255_chk

Check the group ownership of the NTP configuration file: # ls -lL /etc/ntp.conf If the group-owner is not "root", "bin", "sys", or "system", this is a finding.

Fix: F-42794r662256_fix

Change the group-owner of the NTP configuration file: # chgrp root /etc/ntp.conf

b
The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive.
AU-8 - Medium - CCI-001891 - V-239603 - SV-239603r877038_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001891
Version
VROM-SL-001100
Vuln IDs
  • V-239603
  • V-88677
Rule IDs
  • SV-239603r877038_rule
  • SV-99327
A synchronized system clock is critical for the enforcement of time-based policies and the correlation of logs and audit records with other systems. If an illicit time source is used for synchronization, the integrity of system logs and the security of the system could be compromised. If the configuration files controlling time synchronization are not protected, unauthorized modifications could result in the failure of time synchronization.
Checks: C-42836r662258_chk

Check that the mode for the NTP configuration file is not more permissive than "0640": # ls -l /etc/ntp.conf If the mode is more permissive than "0640", this is a finding.

Fix: F-42795r662259_fix

Change the mode of the NTP configuration file to "0640" or less permissive: # chmod 0640 /etc/ntp.conf

b
The SLES for vRealize must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.
AU-8 - Medium - CCI-002046 - V-239604 - SV-239604r852601_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-002046
Version
VROM-SL-001105
Vuln IDs
  • V-239604
  • V-88679
Rule IDs
  • SV-239604r852601_rule
  • SV-99329
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). Organizations should also consider endpoints that may not have regular access to the authoritative timeserver (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the time difference.
Checks: C-42837r662261_chk

Run the following command to determine the current status of the "ntpd" service: # service ntp status If the service is configured, the command should show a list of the ntp servers and the status of the synchronization. If nothing is returned, this is a finding. If the service is configured, but does not show a status of "on", this is a finding.

Fix: F-42796r662262_fix

The "ntp" service can be enabled with the following command: # chkconfig ntp on # service ntp start

b
The SLES for vRealize must notify designated personnel if baseline configurations are changed in an unauthorized manner.
CM-3 - Medium - CCI-001744 - V-239605 - SV-239605r852602_rule
RMF Control
CM-3
Severity
Medium
CCI
CCI-001744
Version
VROM-SL-001130
Vuln IDs
  • V-239605
  • V-88681
Rule IDs
  • SV-239605r852602_rule
  • SV-99331
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the SLES for vRealize. SLES for vRealize’s IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
Checks: C-42838r662264_chk

Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42797r662265_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b
The SLES for vRealize must audit the enforcement actions used to restrict access associated with changes to the system.
CM-5 - Medium - CCI-001814 - V-239606 - SV-239606r852603_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001814
Version
VROM-SL-001140
Vuln IDs
  • V-239606
  • V-88683
Rule IDs
  • SV-239606r852603_rule
  • SV-99333
Without auditing the enforcement of access restrictions against changes to the application configuration, it will be difficult to identify attempted attacks and an audit trail will not be available for forensic investigation for after-the-fact actions. Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Audit items may consist of lists of actions blocked by access restrictions or changes identified after the fact.
Checks: C-42839r662267_chk

Verify SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42798r662268_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b
The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
CM-5 - Medium - CCI-001749 - V-239607 - SV-239607r877463_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001749
Version
VROM-SL-001145
Vuln IDs
  • V-239607
  • V-88685
Rule IDs
  • SV-239607r877463_rule
  • SV-99335
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Accordingly, patches, service packs, device drivers, or SLES for vRealize components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. SLES for vRealize should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.
Checks: C-42840r662270_chk

Verify RPM signature validation is not disabled: # grep nosignature /usr/lib/rpm/rpmrc ~root/.rpmrc The result should either respond with no such file or directory, or an empty return. If any configuration is found, this is a finding.

Fix: F-42799r662271_fix

Edit the RPM configuration files containing the "nosignature" option and remove the option.

b
The SLES for vRealize must audit all activities performed during nonlocal maintenance and diagnostic sessions.
MA-4 - Medium - CCI-002884 - V-239608 - SV-239608r852605_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-002884
Version
VROM-SL-001220
Vuln IDs
  • V-239608
  • V-88687
Rule IDs
  • SV-239608r852605_rule
  • SV-99337
If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch.
Checks: C-42841r662273_chk

Verify that all commands run by "root" are being audited with the following command: # cat /etc/audit/audit.rules | grep execve If the following lines are not displayed, this is a finding. -a exit,always -F arch=b64 -F euid=0 -S execve -a exit,always -F arch=b32 -F euid=0 -S execve

Fix: F-42800r662274_fix

Configure SLES for vRealize to log all commands run by "root" with the following command: # echo "-a exit,always -F arch=b64 -F euid=0 -S execve" >> /etc/audit/audit.rules # echo "-a exit,always -F arch=b32 -F euid=0 -S execve" >> /etc/audit/audit.rules Restart the audit service: # service auditd restart

b
The SLES for vRealize must implement cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
MA-4 - Medium - CCI-002890 - V-239609 - SV-239609r877382_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-002890
Version
VROM-SL-001225
Vuln IDs
  • V-239609
  • V-88689
Rule IDs
  • SV-239609r877382_rule
  • SV-99339
Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms, such as a hash function or digital signature, to protect integrity. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. The SLES for vRealize can meet this requirement through leveraging a cryptographic module. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch).
Checks: C-42842r662276_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42801r662277_fix

Update the Ciphers directive with the following command: # sed -i '/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr' /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart

b
The SLES for vRealize must implement cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications, when used for nonlocal maintenance sessions.
MA-4 - Medium - CCI-003123 - V-239610 - SV-239610r877381_rule
RMF Control
MA-4
Severity
Medium
CCI
CCI-003123
Version
VROM-SL-001230
Vuln IDs
  • V-239610
  • V-88691
Rule IDs
  • SV-239610r877381_rule
  • SV-99341
Privileged access contains control and configuration information and is particularly sensitive, so additional protections are necessary. This is maintained by using cryptographic mechanisms such as encryption to protect confidentiality. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system (e.g., the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch). The SLES for vRealize can meet this requirement through leveraging a cryptographic module.
Checks: C-42843r662279_chk

Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.

Fix: F-42802r662280_fix

Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config

c
The SLES for vRealize must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SC-13 - High - CCI-002450 - V-239611 - SV-239611r877380_rule
RMF Control
SC-13
Severity
High
CCI
CCI-002450
Version
VROM-SL-001240
Vuln IDs
  • V-239611
  • V-88693
Rule IDs
  • SV-239611r877380_rule
  • SV-99343
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The SLES for vRealize must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Checks: C-42844r662282_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42803r662283_fix

Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart

c
The SLES for vRealize must protect the confidentiality and integrity of transmitted information.
SC-8 - High - CCI-002418 - V-239612 - SV-239612r916422_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002418
Version
VROM-SL-001285
Vuln IDs
  • V-239612
  • V-88695
Rule IDs
  • SV-239612r916422_rule
  • SV-99345
Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
Checks: C-42845r662285_chk

Check the SSH daemon configuration for DoD-approved encryption to protect the confidentiality of SSH remote connections by performing the following commands: Check the Cipher setting in the "sshd_config" file. # grep -i Ciphers /etc/ssh/sshd_config | grep -v '#' The output must contain either none or any number of the following algorithms: aes128-ctr, aes256-ctr. If the output contains an algorithm not listed above, this is a finding. Expected Output: Ciphers aes256-ctr,aes128-ctr

Fix: F-42804r662286_fix

Update the Ciphers directive with the following command: # sed -i "/^[^#]*Ciphers/ c\Ciphers aes256-ctr,aes128-ctr" /etc/ssh/sshd_config Save and close the file. Restart the sshd process: # service sshd restart

c
The SLES for vRealize must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Protected Distribution System (PDS).
SC-8 - High - CCI-002421 - V-239613 - SV-239613r878122_rule
RMF Control
SC-8
Severity
High
CCI
CCI-002421
Version
VROM-SL-001290
Vuln IDs
  • V-239613
  • V-88697
Rule IDs
  • SV-239613r878122_rule
  • SV-99347
Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions that have common application in digital signatures, checksums, and message authentication codes. Use of this requirement will be limited to situations where the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. When transmitting data, operating systems need to leverage transmission protection mechanisms such as TLS, SSL VPNs, or IPsec. Alternative physical protection measures include PDS. PDSs are used to transmit unencrypted classified National Security Information (NSI) through an area of lesser classification or control. Since the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation.
Checks: C-42846r662288_chk

Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.

Fix: F-42805r662289_fix

Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config

b
The SLES for vRealize must implement non-executable data to protect its memory from unauthorized code execution.
SI-16 - Medium - CCI-002824 - V-239614 - SV-239614r852611_rule
RMF Control
SI-16
Severity
Medium
CCI
CCI-002824
Version
VROM-SL-001310
Vuln IDs
  • V-239614
  • V-88699
Rule IDs
  • SV-239614r852611_rule
  • SV-99349
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Checks: C-42847r662291_chk

The stock kernel has support for non-executable program stacks compiled in by default. Verify that the option was specified when the kernel was built: # grep -i "execute" /var/log/boot.msg The message: "NX (Execute Disable) protection: active" will be written in the boot log when compiled in the kernel. This is the default for x86_64. To activate this support, the "noexec=on" kernel parameter must be specified at boot time. Check for a message with the following command: # grep –i "noexec" /var/log/boot.msg The message: "Kernel command line: &lt;boot parameters&gt; noexec=on" will be written to the boot log when properly appended to the "/boot/grub/menu.lst" file. If non-executable program stacks have not been configured, this is a finding.

Fix: F-42806r662292_fix

Edit the "/boot/grub/menu.lst" file and add "noexec=on" to the end of each kernel line entry. A system restart is required to implement this change.

b
The SLES for vRealize must implement address space layout randomization to protect its memory from unauthorized code execution.
SI-16 - Medium - CCI-002824 - V-239615 - SV-239615r852612_rule
RMF Control
SI-16
Severity
Medium
CCI
CCI-002824
Version
VROM-SL-001315
Vuln IDs
  • V-239615
  • V-88701
Rule IDs
  • SV-239615r852612_rule
  • SV-99351
Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Examples of attacks are buffer overflow attacks.
Checks: C-42848r662294_chk

Verify "randomize_va_space" has not been changed from the default "1" setting. # sysctl kernel.randomize_va_space If the return value is not "kernel.randomize_va_space = 1", this is a finding.

Fix: F-42807r662295_fix

Run the following command: #sysctl kernel.randomize_va_space=1

b
The SLES for vRealize must shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered.
SI-6 - Medium - CCI-002702 - V-239616 - SV-239616r852613_rule
RMF Control
SI-6
Severity
Medium
CCI
CCI-002702
Version
VROM-SL-001335
Vuln IDs
  • V-239616
  • V-88703
Rule IDs
  • SV-239616r852613_rule
  • SV-99353
If anomalies are not acted upon, security functions may fail to secure the system. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include messages to local computer consoles, and/or hardware indications, such as lights. This capability must take into account operational requirements for availability for selecting an appropriate response. The organization may choose to shut down or restart the information system upon security function anomaly detection.
Checks: C-42849r662297_chk

Check the syslog configuration file for remote syslog servers: # cat /etc/syslog-ng/syslog-ng.conf | grep logserver If no line is returned, or the "logserver" is commented out, this is a finding.

Fix: F-42808r662298_fix

Edit the syslog configuration file and add an appropriate remote syslog server: In the "/etc/syslog-ng/syslog-ng.conf" file, the remote logging entries must be uncommented and the IP address must be modified to point to the remote syslog server: # # Enable this and adopt IP to send log messages to a log server. # #destination logserver { udp("10.10.10.10" port(514)); }; #log { source(src); destination(logserver); };

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access security objects occur.
AU-12 - Medium - CCI-000172 - V-239617 - SV-239617r662302_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001340
Vuln IDs
  • V-239617
  • V-88705
Rule IDs
  • SV-239617r662302_rule
  • SV-99355
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42850r662300_chk

To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.

Fix: F-42809r662301_fix

At a minimum, the audit system should collect administrator actions for all users and "root". Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur.
AU-12 - Medium - CCI-000172 - V-239618 - SV-239618r662305_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001345
Vuln IDs
  • V-239618
  • V-88707
Rule IDs
  • SV-239618r662305_rule
  • SV-99357
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42851r662303_chk

Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42810r662304_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify privileges occur.
AU-12 - Medium - CCI-000172 - V-239619 - SV-239619r662308_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001350
Vuln IDs
  • V-239619
  • V-88709
Rule IDs
  • SV-239619r662308_rule
  • SV-99359
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42852r662306_chk

To determine if SLES for vRealize is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid&gt;=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=chmod,lchown,sethostname,fchmod,fchown,adjtimex,init_module,delete_module,chown,lchown32,fchown32,chown32,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42811r662307_fix

At a minimum, the audit system should collect file permission changes for all users and "root". Add the following to the "/etc/audit/audit.rules" file: -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S chmod OR # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify security objects occur.
AU-12 - Medium - CCI-000172 - V-239620 - SV-239620r662311_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001355
Vuln IDs
  • V-239620
  • V-88711
Rule IDs
  • SV-239620r662311_rule
  • SV-99361
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42853r662309_chk

To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.

Fix: F-42812r662310_fix

At a minimum, the audit system should collect administrator actions for all users and root. Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
AU-12 - Medium - CCI-000172 - V-239621 - SV-239621r662314_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001360
Vuln IDs
  • V-239621
  • V-88713
Rule IDs
  • SV-239621r662314_rule
  • SV-99363
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42854r662312_chk

Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42813r662313_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete privileges occur.
AU-12 - Medium - CCI-000172 - V-239622 - SV-239622r662317_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001365
Vuln IDs
  • V-239622
  • V-88715
Rule IDs
  • SV-239622r662317_rule
  • SV-99365
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42855r662315_chk

To determine if SLES for vRealize is configured to audit calls to the "chmod" system call, run the following command: # auditctl -l | grep syscall | grep chmod If the system is configured to audit this activity, it will return several lines, such as: LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid=0 syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=3221225534 (0xc000003e) auid&gt;=500 (0x1f4) auid!=-1 (0xffffffff) syscall=chmod,fchmod,chown,fchown,fchownat,fchmodat LIST_RULES: exit,always arch=1073741827 (0x40000003) syscall=chmod,lchown,sethostname,fchmod,fchown,adjtimex,init_module,delete_module,chown,lchown32,fchown32,chown32,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr,clock_settime,fchownat,fchmodat If no lines are returned, this is a finding.

Fix: F-42814r662316_fix

At a minimum, the SLES for vRealize audit system should collect file permission changes for all users and root. Add the following to the "/etc/audit/audit.rules" file: -a always,exit -F arch=b64 -S chmod -F auid=0 -a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S chmod OR # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security levels occur.
AU-12 - Medium - CCI-000172 - V-239623 - SV-239623r662320_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001370
Vuln IDs
  • V-239623
  • V-88717
Rule IDs
  • SV-239623r662320_rule
  • SV-99367
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42856r662318_chk

Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42815r662319_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b
The SLES for vRealize must generate audit records when successful/unsuccessful attempts to delete security objects occur.
AU-12 - Medium - CCI-000172 - V-239624 - SV-239624r662323_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001375
Vuln IDs
  • V-239624
  • V-88719
Rule IDs
  • SV-239624r662323_rule
  • SV-99369
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42857r662321_chk

To verify that auditing is configured for system administrator actions, run the following command: # auditctl -l | grep "watch=/etc/sudoers" The result should return a rule for sudoers, such as: LIST_RULES: exit,always watch=/etc/sudoers perm=wa key=sudoers If there is no output, this is a finding.

Fix: F-42816r662322_fix

At a minimum, the SLES for vRealize audit system should collect administrator actions for all users and root. Add the following to the "/etc/audit/audit.rules" file: -w /etc/sudoers -p wa -k sudoers OR # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful logon attempts occur.
AU-12 - Medium - CCI-000172 - V-239625 - SV-239625r662326_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001380
Vuln IDs
  • V-239625
  • V-88721
Rule IDs
  • SV-239625r662326_rule
  • SV-99371
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42858r662324_chk

The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.

Fix: F-42817r662325_fix

Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records for privileged activities or other system-level access.
AU-12 - Medium - CCI-000172 - V-239626 - SV-239626r662329_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001385
Vuln IDs
  • V-239626
  • V-88723
Rule IDs
  • SV-239626r662329_rule
  • SV-99373
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42859r662327_chk

To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2&gt;/dev/null Run the following command to verify entries in the audit rules for all programs found with the previous command: # grep path /etc/audit/audit.rules It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.

Fix: F-42818r662328_fix

At a minimum, the SLES for vRealize audit system should collect the execution of privileged commands for all users and "root". To find the relevant setuid programs: # find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list: -a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged OR # /etc/dodscript.sh

b
The SLES for vRealize audit system must be configured to audit the loading and unloading of dynamic kernel modules.
AU-12 - Medium - CCI-000172 - V-239627 - SV-239627r662332_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001390
Vuln IDs
  • V-239627
  • V-88725
Rule IDs
  • SV-239627r662332_rule
  • SV-99375
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42860r662330_chk

Determine if "/sbin/insmod" is audited: # cat /etc/audit/audit.rules | grep "/sbin/insmod" If the result does not start with "-w" and contain "-p x", this is a finding.

Fix: F-42819r662331_fix

Add the following to the "/etc/audit/audit.rules" file in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x OR # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records showing starting and ending time for user access to the system.
AU-12 - Medium - CCI-000172 - V-239628 - SV-239628r662335_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001395
Vuln IDs
  • V-239628
  • V-88727
Rule IDs
  • SV-239628r662335_rule
  • SV-99377
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42861r662333_chk

The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.

Fix: F-42820r662334_fix

Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when concurrent logons to the same account occur from different sources.
AU-12 - Medium - CCI-000172 - V-239629 - SV-239629r662338_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001400
Vuln IDs
  • V-239629
  • V-88729
Rule IDs
  • SV-239629r662338_rule
  • SV-99379
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42862r662336_chk

The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.

Fix: F-42821r662337_fix

Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records when successful/unsuccessful accesses to objects occur.
AU-12 - Medium - CCI-000172 - V-239630 - SV-239630r662341_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001405
Vuln IDs
  • V-239630
  • V-88731
Rule IDs
  • SV-239630r662341_rule
  • SV-99381
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42863r662339_chk

Verify the SLES for vRealize produces audit records by running the following command to determine the current status of the "auditd" service: # service auditd status If the service is enabled, the returned message must contain the following text: Checking for service auditd running If the service is not running, this is a finding.

Fix: F-42822r662340_fix

Enable the "auditd" service by performing the following commands: # chkconfig auditd on # service auditd start

b
The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
AU-12 - Medium - CCI-000172 - V-239631 - SV-239631r662344_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001410
Vuln IDs
  • V-239631
  • V-88733
Rule IDs
  • SV-239631r662344_rule
  • SV-99383
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Checks: C-42864r662342_chk

Verify auditd is configured to audit failed file access attempts. There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S creat" | grep -e "-F exit=-EPERM" # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S creat" | grep -e "-F exit=-EACCES" There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall. If not, this is a finding.

Fix: F-42823r662343_fix

Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S creat -F exit=-EPERM -a exit,always -F arch=b64 -S creat -F exit=-EACCES -a exit,always -F arch=b32 -S creat -F exit=-EPERM -a exit,always -F arch=b32 -S creat -F exit=-EACCES

b
The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
AU-12 - Medium - CCI-000172 - V-239632 - SV-239632r662347_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001415
Vuln IDs
  • V-239632
  • V-88735
Rule IDs
  • SV-239632r662347_rule
  • SV-99385
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Checks: C-42865r662345_chk

Verify auditd is configured to audit failed file access attempts. There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S open" | grep -e "-F exit=-EPERM" # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S open" | grep -e "-F exit=-EACCES" There must be both an "-F exit=-EPERM" and "-F exit=-EACCES" for each access syscall. If not, this is a finding.

Fix: F-42824r662346_fix

Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S open -F exit=-EPERM -a exit,always -F arch=b64 -S open -F exit=-EACCES -a exit,always -F arch=b32 -S open -F exit=-EPERM -a exit,always -F arch=b32 -S open -F exit=-EACCES

b
The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
AU-12 - Medium - CCI-000172 - V-239633 - SV-239633r662350_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001420
Vuln IDs
  • V-239633
  • V-88737
Rule IDs
  • SV-239633r662350_rule
  • SV-99387
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Checks: C-42866r662348_chk

Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S openat" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.

Fix: F-42825r662349_fix

Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S openat -F success=0 -a exit,always -F arch=b32 -S openat -F success=0

b
The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
AU-12 - Medium - CCI-000172 - V-239634 - SV-239634r662353_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001425
Vuln IDs
  • V-239634
  • V-88739
Rule IDs
  • SV-239634r662353_rule
  • SV-99389
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Checks: C-42867r662351_chk

Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S truncate" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.

Fix: F-42826r662352_fix

Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S truncate -F success=0 -a exit,always -F arch=b32 -S truncate -F success=0

b
The SLES for vRealize audit system must be configured to audit failed attempts to access files and programs.
AU-12 - Medium - CCI-000172 - V-239635 - SV-239635r662356_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001430
Vuln IDs
  • V-239635
  • V-88741
Rule IDs
  • SV-239635r662356_rule
  • SV-99391
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Checks: C-42868r662354_chk

Verify auditd is configured to audit failed file access attempts. There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0) # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -e "-S ftruncate" | grep -e "-F success=0" There must be an audit rule for each of the access syscalls logging all failed accesses (-F success=0). If not, this is a finding.

Fix: F-42827r662355_fix

Edit the audit.rules file and add the following line(s) to enable auditing of failed attempts to access files and programs: -a exit,always -F arch=b64 -S ftruncate -F success=0 -a exit,always -F arch=b32 -S ftruncate -F success=0

b
The SLES for vRealize audit system must be configured to audit user deletions of files and programs.
AU-12 - Medium - CCI-000172 - V-239636 - SV-239636r662359_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001435
Vuln IDs
  • V-239636
  • V-88743
Rule IDs
  • SV-239636r662359_rule
  • SV-99393
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as detecting malicious processes that attempt to delete log files to conceal their presence.
Checks: C-42869r662357_chk

To determine if SLES for vRealize is configured to audit calls to the "unlink" system call, run the following command: # auditctl -l | grep syscall | grep unlink | grep -v unlinkat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "unlinkat" system call, run the following command: # auditctl -l | grep syscall | grep unlinkat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "rename" system call, run the following command: # auditctl -l | grep syscall | grep rename | grep -v renameat If the system is configured to audit this activity, it will return several lines. To determine if the system is configured to audit calls to the "renameat" system call, run the following command: # auditctl -l | grep syscall | grep renameat If the system is configured to audit this activity, it will return several lines. If no line is returned, this is a finding.

Fix: F-42828r662358_fix

Edit the audit.rules file and add the following line(s) to enable auditing of deletions of files and programs: -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295

b
The SLES for vRealize audit system must be configured to audit file deletions.
AU-12 - Medium - CCI-000172 - V-239637 - SV-239637r662362_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001440
Vuln IDs
  • V-239637
  • V-88745
Rule IDs
  • SV-239637r662362_rule
  • SV-99395
If the SLES for vRealize system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
Checks: C-42870r662360_chk

Check SLES for vRealize audit configuration to determine if file and directory deletions are audited: # cat /etc/audit.rules /etc/audit/audit.rules | grep -e "-a exit,always" | grep -i "rmdir" If no results are returned or the results do not contain "-S rmdir", this is a finding.

Fix: F-42829r662361_fix

Add the following to the "/etc/audit/audit.rules" file in order to capture file and directory deletion events: -a always,exit -F arch=b64 -S rmdir -S rm -a always,exit -F arch=b32 -S rmdir -S rm

b
Audit logs must be rotated daily.
AU-12 - Medium - CCI-000172 - V-239638 - SV-239638r662365_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001445
Vuln IDs
  • V-239638
  • V-88747
Rule IDs
  • SV-239638r662365_rule
  • SV-99397
Rotate audit logs daily to preserve audit file system space and to conform to the DISA requirement. If it is not rotated daily and moved to another location, then there is more of a chance for the compromise of audit data by malicious users.
Checks: C-42871r662363_chk

Check for a logrotate entry that rotates audit logs. # ls -l /etc/logrotate.d/audit If it exists, check for the presence of the daily rotate flag: # egrep "daily" /etc/logrotate.d/audit The command should produce a "daily" entry in the logrotate file for the audit daemon. If the daily entry is missing, this is a finding.

Fix: F-42830r662364_fix

Create or edit the "/etc/logrotate.d/audit" file and add the daily entry, such as: /var/log/audit/audit.log { compress dateext rotate 15 daily missingok notifempty create 600 root root sharedscripts postrotate /sbin/service auditd restart 2> /dev/null > /dev/null || true endscript }

b
The SLES for vRealize must generate audit records for all direct access to the information system.
AU-12 - Medium - CCI-000172 - V-239639 - SV-239639r662368_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001450
Vuln IDs
  • V-239639
  • V-88749
Rule IDs
  • SV-239639r662368_rule
  • SV-99399
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42872r662366_chk

The message types that are always recorded to the "/var/log/audit/audit.log" file include "LOGIN", "USER_LOGIN", "USER_START", "USER_END" among others and do not need to be added to audit.rules. The log files "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" must be protected from tampering of the login records: # egrep "faillog|lastlog|tallylog" /etc/audit/audit.rules If "/var/log/faillog", "/var/log/lastlog", and "/var/log/tallylog" entries do not exist, this is a finding.

Fix: F-42831r662367_fix

Ensure the auditing of logins by modifying the "/etc/audit/audit.rules" file to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa -w /var/log/tallylog -p wa OR # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records for all account creations, modifications, disabling, and termination events.
AU-12 - Medium - CCI-000172 - V-239640 - SV-239640r662371_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001455
Vuln IDs
  • V-239640
  • V-88751
Rule IDs
  • SV-239640r662371_rule
  • SV-99401
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42873r662369_chk

Determine if execution of the "usermod" and "groupmod" executable are audited: # auditctl -l | egrep '(usermod|groupmod)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the "userdel" and "groupdel" executable are audited: # auditctl -l | egrep '(userdel|groupdel)' If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of "useradd" and "groupadd" are audited: # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Determine if execution of the passwd executable is audited: # auditctl -l | grep "/usr/bin/passwd" If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding. Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing: # auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)' If any of these are not listed with a permissions filter of at least "w", this is a finding.

Fix: F-42832r662370_fix

Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file: -w /usr/sbin/userdel -p x -k userdel -w /usr/sbin/groupdel -p x -k groupdel Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Configure execute auditing of the "passwd" executable. Add the following to audit.rules: -w /usr/bin/passwd -p x -k passwd Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file: -w /etc/passwd -p wa -k passwd -w /etc/shadow -p wa -k shadow -w /etc/group -p wa -k group -w /etc/security/opasswd -p wa -k opasswd Restart the auditd service: # service auditd restart OR # /etc/dodscript.sh

b
The SLES for vRealize must generate audit records for all kernel module load, unload, and restart actions, and also for all program initiations.
AU-12 - Medium - CCI-000172 - V-239641 - SV-239641r662374_rule
RMF Control
AU-12
Severity
Medium
CCI
CCI-000172
Version
VROM-SL-001460
Vuln IDs
  • V-239641
  • V-88753
Rule IDs
  • SV-239641r662374_rule
  • SV-99403
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).
Checks: C-42874r662372_chk

Determine if "/sbin/insmod" is audited: # cat /etc/audit/audit.rules | grep "/sbin/insmod" If the result does not start with "-w" and contain "-p x", this is a finding.

Fix: F-42833r662373_fix

Add the following to "/etc/audit/audit.rules" in order to capture kernel module loading and unloading events: -w /sbin/insmod -p x OR # /etc/dodscript.sh

b
The SLES for vRealize must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
SC-13 - Medium - CCI-002450 - V-239642 - SV-239642r878123_rule
RMF Control
SC-13
Severity
Medium
CCI
CCI-002450
Version
VROM-SL-001465
Vuln IDs
  • V-239642
  • V-88755
Rule IDs
  • SV-239642r878123_rule
  • SV-99405
Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The SLES for vRealize must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
Checks: C-42875r662375_chk

Check the SSH daemon configuration for allowed MACs: # grep -i macs /etc/ssh/sshd_config | grep -v '^#' If no lines are returned, or the returned MACs list contains any MAC other than "hmac-sha1", this is a finding.

Fix: F-42834r662376_fix

Edit the SSH daemon configuration and remove any MACs other than "hmac-sha1". If necessary, add a "MACs" line. # sed -i "/^[^#]*MACs/ c\MACs hmac-sha1" /etc/ssh/sshd_config

b
The SLES for vRealize must, at a minimum, off-load interconnected systems in real time and off-load standalone systems weekly.
AU-4 - Medium - CCI-001851 - V-239643 - SV-239643r852615_rule
RMF Control
AU-4
Severity
Medium
CCI
CCI-001851
Version
VROM-SL-001470
Vuln IDs
  • V-239643
  • V-88757
Rule IDs
  • SV-239643r852615_rule
  • SV-99407
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process